I'm not afraid to admit that I LOVE this feature. Exactly what a data engine should be able to do - stop bad behavior.
Sean R. Durity From: Aaron Ploetz <aaronplo...@gmail.com> Sent: Thursday, June 23, 2022 3:22 PM To: user@cassandra.apache.org Subject: [EXTERNAL] Re: Guardrails in Cassandra 4.1 Alpha Ahh...yes, my default "aaron" user is indeed a SUPERUSER. Ok, so I created a new, non-superuser and tried again... > SELECT * FROm stackoverflow.movies WHERE title='Sneakers (1992)' ALLOW > FILTERING; InvalidRequest: Error from server: code=2200 [Invalid query] message="Guardrail allow_filtering violated: Querying with ALLOW FILTERING is not allowed" Thank you for the quick response, Andres! On Thu, Jun 23, 2022 at 2:14 PM Andrés de la Peña <adelap...@apache.org<mailto:adelap...@apache.org>> wrote: Hi Aaron, Guardrails are not applied to superusers. The default user is a superuser, so to see guardrails in action you need to create and use a user that is not a superuser. You can do that by setting, for example, these properties on cassandra.yaml: authenticator: PasswordAuthenticator authorizer: CassandraAuthorizer Then you can login with cqlsh using the default superuser and create a regular user with the adequate permissions. For example: bin/cqlsh -u cassandra -p cassandra > CREATE USER test WITH PASSWORD 'test'; > GRANT SELECT ON ALL KEYSPACES TO test; bin/cqlsh -u test -p test > SELECT * FROM stackoverflow.movies WHERE title='Sneakers (1992)' ALLOW > FILTERING; InvalidRequest: Error from server: code=2200 [Invalid query] message="Guardrail allow_filtering violated: Querying with ALLOW FILTERING is not allowed" Finally, that particular guardrail isn't applied to system tables, so it would still allow filtering on the system.local and system_views.settings tables, but not in stackoverflow.movies. I hope this helps. On Thu, 23 Jun 2022 at 19:51, Aaron Ploetz <aaronplo...@gmail.com<mailto:aaronplo...@gmail.com>> wrote: So I'm trying to test out the guardrails in 4.1-alpha. I've set allow_filtering_enabled: false, but it doesn't seem to care (I can still use it). > SELECT release_version FROM system.local; release_version --------------------- 4.1-alpha1-SNAPSHOT (1 rows) > SELECT * FROM system_views.settings WHERE name='allow_filtering_enabled'; name | value -------------------------+------- allow_filtering_enabled | false (1 rows) > SELECT * FROm stackoverflow.movies WHERE title='Sneakers (1992)' ALLOW > FILTERING; id | genre | title ------+--------------------+----------------- 1396 | Crime|Drama|Sci-Fi | Sneakers (1992) (1 rows) Is there like some main "guardrails enabled" setting that I missed? Thanks, Aaron INTERNAL USE
