[jira] [Updated] (CASSANDRA-20171) Grant permission on keyspaces system_views and system_virtual_schema not possible

[Francisco Guerrero (Jira)]

     [ 
https://issues.apache.org/jira/browse/CASSANDRA-20171?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Francisco Guerrero updated CASSANDRA-20171:
-------------------------------------------
          Since Version: 4.0
    Source Control Link: 
https://github.com/apache/cassandra/commit/348ffb0ba09f10893e8dedfbd69c950fb129ec53
             Resolution: Fixed
                 Status: Resolved  (was: Ready to Commit)

> Grant permission on keyspaces system_views and system_virtual_schema not 
> possible
> ---------------------------------------------------------------------------------
>
>                 Key: CASSANDRA-20171
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-20171
>             Project: Apache Cassandra
>          Issue Type: Bug
>          Components: Feature/Virtual Tables
>            Reporter: Tibor Repasi
>            Assignee: Tibor Repasi
>            Priority: Normal
>             Fix For: 4.0.x, 4.1.x, 5.0.x, 5.x
>
>         Attachments: ci_summary-1.html, ci_summary-2.html, ci_summary-3.html, 
> ci_summary-4.0.html, ci_summary-4.1.html, ci_summary-5.0.html, 
> ci_summary-trunk.html, ci_summary.html
>
>          Time Spent: 4h 50m
>  Remaining Estimate: 0h
>
> Trying to grant select permission on keyspace system_views or 
> system_virtual_schema fails with an error message stating that these 
> resources wouldn't exist.
> {code}
> cassandra@cqlsh> CREATE ROLE test WITH PASSWORD = 'test' AND LOGIN = true AND 
> SUPERUSER = false ;
> cassandra@cqlsh> LIST USERS ;
>  name      | super | datacenters
> -----------+-------+-------------
>  cassandra |  True |         ALL
>       test | False |         ALL
> (2 rows)
> cassandra@cqlsh> GRANT SELECT PERMISSION ON KEYSPACE system TO test;
> cassandra@cqlsh> GRANT SELECT PERMISSION ON KEYSPACE system_schema TO test;
> cassandra@cqlsh> GRANT SELECT PERMISSION ON KEYSPACE system_views TO test;
> InvalidRequest: Error from server: code=2200 [Invalid query] 
> message="Resource <keyspace system_views> doesn't exist"
> cassandra@cqlsh> GRANT SELECT PERMISSION ON KEYSPACE system_ TO test;
> system_auth           system_distributed    system_schema         
> system_traces         system_views          system_virtual_schema
> cassandra@cqlsh> GRANT SELECT PERMISSION ON KEYSPACE system_virtual_schema TO 
> test;
> InvalidRequest: Error from server: code=2200 [Invalid query] 
> message="Resource <keyspace system_virtual_schema> doesn't exist"
> {code}
> However, the above permission can be added by updating role_permissions 
> directly
> {code}
> cassandra@cqlsh> UPDATE system_auth.role_permissions SET permissions = 
> permissions + {'SELECT'} WHERE role = 'test' AND resource = 
> 'data/system_views';
> cassandra@cqlsh> LIST ALL PERMISSIONS OF test;
>  role | username | resource                 | permission
> ------+----------+--------------------------+------------
>  test |     test |        <keyspace system> |     SELECT
>  test |     test | <keyspace system_schema> |     SELECT
>  test |     test |  <keyspace system_views> |     SELECT
> (3 rows)
> {code}
> Reading the code unveiled, that {{system_schema.keyspaces}} doesn't list 
> those two keyspace, which causes the grant permission command to fail.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org