Hi Team,

Currently the LIST ROLES command doesn’t indicate whether a role has superuser
privilege if it was acquired through a grant in the roles hierarchy (LIST ROLES
has the super column true only if the role is created with SUPERUSER=true). For
example, in the example below, super1 is a superuser, role1 acquired superuser
status through a grant of super1, and role11 acquired superuser status through a
grant of role1. The LIST ROLES output has the super column true only for super1.

cassandra@cqlsh> create role super1 WITH SUPERUSER = true;
cassandra@cqlsh> create role role1;
cassandra@cqlsh> create role role11;
cassandra@cqlsh> create role role2;
cassandra@cqlsh> grant super1 to role1;
cassandra@cqlsh> grant role1 to role11;
cassandra@cqlsh> list roles;

 role      | super | login | options | datacenters
-----------+-------+-------+---------+-------------
 role1     | False | False | {}      | ALL
 role11    | False | False | {}      | ALL
 role2     | False | False | {}      | ALL
 super1    | True  | False | {}      | ALL

One way to check whether a role has acquired superuser status is by running
LIST ROLES of <rolename> and looking for at least one row with the super column
true. This works fine to check the superuser status of a given role.

cassandra@cqlsh> list roles of role11;

 role   | super | login | options | datacenters
--------+-------+-------+---------+-------------
 role1  | False | False | {}      | ALL
 role11 | False | False | {}      | ALL
 super1 | True  | False | {}      | ALL

But if we need to get a list of all roles having superuser status (acquired
through a grant as well), there is no easy way to retrieve this from C*. This
can be a requirement for an external service interacting with C* and performing
its own checks (for example, Sidecar). So I am proposing a new CQL command,
LIST SUPERUSERS, which lists all roles having superuser status (acquired as
well). We will ensure that the user running this command has DESCRIBE
permission on the root roles resource, i.e., to run this command the user must
be either a superuser or granted DESCRIBE permission on ALL ROLES. Here is the
Jira <https://issues.apache.org/jira/browse/CASSANDRA-19417> and sample output
for the above example.

cassandra@cqlsh> list superusers;

 role
-----------
 role1
 role11
 super1

Alternatives thought of so far:

- LIST ROLES SUPERUSERSONLY
- LIST ROLES superuseronly=true
- LIST USERS superuseronly=true command: I have a question here, is the LIST
  USERS command deprecated? I see this link saying that
  https://docs.datastax.com/en/cql-oss/3.3/cql/cql_reference/cqlListUsers.html.
  If the LIST USERS and LIST ROLES commands are the same, why don’t we just pick
  one so we don’t have to maintain two different commands?
- LIST ROLES command default, i.e., without the NORECURSIVE clause: to print the
  super column true for acquired superusers as well, but this may break existing
  tools/scripts of customers as we are changing the default behavior

I prefer the LIST SUPERUSERS command because it looks neat and simple, and we
don’t have to worry about handling/breaking other options/columns supported by
these existing commands. For example, we don’t have to worry about
handling/breaking the OF clause of the LIST ROLES command. And for any new
options we add to these commands in the future, we don’t have to worry about
handling/breaking of the SUPERUSERS option. Please let me know your thoughts on
this.

Thanks,
Shailaja
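
Added example, not part of the original mail and not Cassandra or Sidecar code: a sketch of how an external auditing service could compute the roles with acquired superuser status today by walking role grants. It assumes the service can read rows shaped like the role, is_superuser and member_of columns of system_auth.roles; the rows below are constructed from the example in the mail, and effective_superusers is a hypothetical helper name.

```python
# Constructed rows mirroring the example in the mail. Field names follow the
# role / is_superuser / member_of columns of system_auth.roles (assumption:
# the auditor can read that table or an equivalent export).
ROLES = [
    {"role": "super1", "is_superuser": True,  "member_of": set()},
    {"role": "role1",  "is_superuser": False, "member_of": {"super1"}},
    {"role": "role11", "is_superuser": False, "member_of": {"role1"}},
    {"role": "role2",  "is_superuser": False, "member_of": set()},
]


def effective_superusers(rows):
    """Return {role: grant path ending at a SUPERUSER role} for every role
    that is a superuser directly or through any chain of granted roles."""
    by_name = {r["role"]: r for r in rows}
    result = {}

    def path_to_super(name, visiting):
        if name in result:
            return result[name]
        row = by_name.get(name)
        if row is None or name in visiting:  # dangling grant or cycle: stop
            return None
        if row["is_superuser"]:
            result[name] = [name]
            return result[name]
        visiting = visiting | {name}
        for parent in sorted(row["member_of"] or ()):  # null set reads as None
            tail = path_to_super(parent, visiting)
            if tail:
                result[name] = [name] + tail
                return result[name]
        return None

    for name in by_name:
        path_to_super(name, frozenset())
    return result


if __name__ == "__main__":
    # Report each effective superuser with the grant chain that explains it.
    for role, path in sorted(effective_superusers(ROLES).items()):
        print(f"{role:10} via {' -> '.join(path)}")
```

The grant path returned for each role shows an auditor which grant to revoke to remove the acquired status.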