This feature should have been introduced long ago and ideally to 3.x .. Many times we spent a lot of time investigating the issue for slow cluster becoz some developer ran some adhoc bad query which caused the issue .
On Thu, Jun 23, 2022 at 8:56 PM Durity, Sean R <sean_r_dur...@homedepot.com> wrote: > I’m not afraid to admit that I LOVE this feature. Exactly what a data > engine should be able to do – stop bad behavior. > > > > Sean R. Durity > > > > *From:* Aaron Ploetz <aaronplo...@gmail.com> > *Sent:* Thursday, June 23, 2022 3:22 PM > *To:* user@cassandra.apache.org > *Subject:* [EXTERNAL] Re: Guardrails in Cassandra 4.1 Alpha > > > > Ahh...yes, my default "aaron" user is indeed a SUPERUSER. > > > > Ok, so I created a new, non-superuser and tried again... > > > > > SELECT * FROm stackoverflow.movies WHERE title='Sneakers (1992)' ALLOW > FILTERING; > InvalidRequest: Error from server: code=2200 [Invalid query] > message="Guardrail allow_filtering violated: Querying with ALLOW FILTERING > is not allowed" > > > > Thank you for the quick response, Andres! > > > > On Thu, Jun 23, 2022 at 2:14 PM Andrés de la Peña <adelap...@apache.org> > wrote: > > Hi Aaron, > > > > Guardrails are not applied to superusers. The default user is a superuser, > so to see guardrails in action you need to create and use a user that is > not a superuser. > > > > You can do that by setting, for example, these properties on > cassandra.yaml: > > > > authenticator: PasswordAuthenticator > > authorizer: CassandraAuthorizer > > > > Then you can login with cqlsh using the default superuser and create a > regular user with the adequate permissions. For example: > > > > bin/cqlsh -u cassandra -p cassandra > > CREATE USER test WITH PASSWORD 'test'; > > GRANT SELECT ON ALL KEYSPACES TO test; > bin/cqlsh -u test -p test > > > SELECT * FROM stackoverflow.movies WHERE title='Sneakers (1992)' ALLOW > FILTERING; > > InvalidRequest: Error from server: code=2200 [Invalid query] > message="Guardrail allow_filtering violated: Querying with ALLOW FILTERING > is not allowed" > > > > Finally, that particular guardrail isn't applied to system tables, so it > would still allow filtering on the system.local and system_views.settings > tables, but not in stackoverflow.movies. > > I hope this helps. > > > > On Thu, 23 Jun 2022 at 19:51, Aaron Ploetz <aaronplo...@gmail.com> wrote: > > So I'm trying to test out the guardrails in 4.1-alpha. I've set > allow_filtering_enabled: false, but it doesn't seem to care (I can still > use it). > > > > SELECT release_version FROM system.local; > release_version > --------------------- > 4.1-alpha1-SNAPSHOT > > (1 rows) > > > > > SELECT * FROM system_views.settings WHERE name='allow_filtering_enabled'; > name | value > -------------------------+------- > allow_filtering_enabled | false > > (1 rows) > > > SELECT * FROm stackoverflow.movies WHERE title='Sneakers (1992)' ALLOW > FILTERING; > id | genre | title > ------+--------------------+----------------- > 1396 | Crime|Drama|Sci-Fi | Sneakers (1992) > > (1 rows) > > Is there like some main "guardrails enabled" setting that I missed? > > > > Thanks, > > > Aaron > > > > > > INTERNAL USE > > -- regards, Laxmikant Upadhyay
