iamaleksey/permissions.md

## permissions.md

      
    Raw
  

              permissions.md
            
          
    CQL2 statements:


ALTER TABLE: P.ALTER on the CF [or P.FULL_ACCESS on either KS or CF]
BATCH: see INSERT/UPDATE/DELETE - there is a permission check for each nested statement
CREATE COLUMNFAMILY: P.CREATE or P.FULL_ACCESS on the KS
CREATE INDEX: P.ALTER on the CF [or P.FULL_ACCESS on either KS or CF]
CREATE KEYSPACE: P.CREATE or P.FULL_ACCESS on the KS
DELETE: P.DELETE on the CF [or P.FULL_ACCESS on either KS or CF]
DROP COLUMNFAMILY: P.DROP on the CF [or P.FULL_ACCESS on either KS or CF]
DROP INDEX: no permission checks
DROP KEYSPACE: P.DROP or P.FULL_ACCESS on the KS
INSERT: P.UPDATE on the CF [or P.FULL_ACCESS on either KS or CF]
SELECT: P.SELECT on the CF [or P.FULL_ACCESS on either KS or CF]
TRUNCATE: P.DELETE on the CF [or P.FULL_ACCESS on either KS or CF]
UPDATE: P.UPDATE on the CF [or P.FULL_ACCESS on either KS or CF]
USE: no permission checks

CQL3 statements:


ALTER KEYSPACE: P.ALTER or P.FULL_ACCESS on the KS
ALTER TABLE: P.ALTER on the CF [or P.FULL_ACCESS on either KS or CF]
BATCH: P.UPDATE [or P.FULL_ACCESS on either KS or CF] for each affected CF
CREATE COLUMNFAMILY: P.CREATE on the CF [or P.FULL_ACCESS on either KS or CF]
CREATE INDEX: P.ALTER on the CF [or P.FULL_ACCESS on either KS or CF]
CREATE KEYSPACE: P.CREATE or P.FULL_ACCESS on the KS
DELETE: P.UPDATE on the CF [or P.FULL_ACCESS on either KS or CF]
DROP COLUMNFAMILY: P.DROP on the CF [or P.FULL_ACCESS on either KS or CF]
DROP INDEX: P.ALTER on the CF [or P.FULL_ACCESS on either KS or CF]
DROP KEYSPACE: P.DROP or P.FULL_ACCESS on the KS
GRANT: no checks unless implemented in custom IAuthority2 impl
INSERT: P.UPDATE on the CF [or P.FULL_ACCESS on either KS or CF]
LIST GRANTS: no checks and can't be implemented in custom IAuthority2 impl
REVOKE: no checks unless implemented in custom IAuthority2 impl
SELECT: P.SELECT on the CF [or P.FULL_ACCESS on either KS or CF]
TRUNCATE: P.DELETE on the CF [or P.FULL_ACCESS on either KS or CF]
UPDATE: P.UPDATE on the CF [or P.FULL_ACCESS on either KS or CF]
USE: no permission checks

Thrift w/o CQL:


set_keyspace: no permission checks
get: P.SELECT on the CF [or P.FULL_ACCESS on either KS or CF]
get_slice: P.SELECT on the CF [or P.FULL_ACCESS on either KS or CF]
get_count: P.SELECT on the CF [or P.FULL_ACCESS on either KS or CF]
multiget_slice: P.SELECT on the CF [or P.FULL_ACCESS on either KS or CF]
multiget_count: P.SELECT on the CF [or P.FULL_ACCESS on either KS or CF]
get_range_slices: P.SELECT on the CF [or P.FULL_ACCESS on either KS or CF]
get_paged_slice: P.SELECT on the CF [or P.FULL_ACCESS on either KS or CF]
get_indexed_slices: P.SELECT on the CF [or P.FULL_ACCESS on either KS or CF]
insert: P.UPDATE on the CF [or P.FULL_ACCESS on either KS or CF]
add: P.UPDATE on the CF [or P.FULL_ACCESS on either KS or CF]
remove: P.DELETE on the CF [or P.FULL_ACCESS on either KS or CF]
remove_counter: P.DELETE on the CF [or P.FULL_ACCESS on either KS or CF]
batch_mutate: P.UPDATE on the CF [or P.FULL_ACCESS on either KS or CF]
truncate: P.DELETE on the CF [or P.FULL_ACCESS on either KS or CF]
describe_schema_versions: no permission checks
describe_keyspaces: P.DESCRIBE or P.FULL_ACCESS on the KS
describe_keyspace: P.DESCRIBE or P.FULL_ACCESS on the KS
system_add_column_family: P.CREATE on the CF [or P.FULL_ACCESS on either KS or CF]
system_drop_column_family: P.DROP on the CF [or P.FULL_ACCESS on either KS or CF]
system_add_keyspace: P.CREATE or P.FULL_ACCESS on the KS
system_drop_keyspace: P.DROP or P.FULL_ACCESS on the KS
system_update_keyspace: P.ALTER or P.FULL_ACCESS on the KS
system_update_column_family: P.ALTER on the CF [or P.FULL_ACCESS on either KS or CF]