Group Permissions #48

Open
faustobranco opened this issue Mar 21, 2024 · 3 comments
faustobranco commented Mar 21, 2024

Is it possible to work with groups? My login is part of a group, as in the example below.
The group has permissions, so does any other user in the group inherit the permissions?

cassandra@cqlsh> Select * from system_auth.roles;

 role                                                                             | can_login | is_superuser | member_of | salted_hash
----------------------------------------------------------------------------------+-----------+--------------+-----------+--------------------------------------------------------------
 CN=cassandra-admins,OU=UserSecurityGroups,OU=SecurityGroups,DC=mydomain,DC=local |      True |         True |      null |                                                         null
                                                                        cassandra |      True |         True |      null | $2a$10$p.Skn4WmhbRK84Q1CgJyUuMxh907.4lJEx.OqZiczvbtyruoIzsD.
                            CN=Fausto Branco,OU=UserAccounts,DC=mydomain,DC=local |      True |        False |      null |                                                         null
                                 CN=servicedn,OU=AppAccounts,DC=mydomain,DC=local |      True |         True |      null |                                                         null


Filter: sAMAccountName=fausto.branco
requesting: (memberof=CN=cassandra-admins,OU=UserSecurityGroups,OU=SecurityGroups,DC=mydomain,DC=local)
# extended LDIF
#
# LDAPv3
# base <OU=UserAccounts,DC=mydomain,DC=local> with scope subtree
# filter: sAMAccountName=fausto.branco
# requesting: (memberof=CN=cassandra-admins,OU=UserSecurityGroups,OU=SecurityGroups,DC=mydomain,DC=local)
#

# Fausto Branco, UserAccounts, mydomain.local
dn: CN=Fausto Branco,OU=UserAccounts,DC=mydomain,DC=local

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

What version of Cassandra are you using?

Cassandra 4.0.4

What version of Cassandra LDAP are you using?

LDAP v4.0.7-1.0.0

What did you do?

I created a Role with the group I'm part of

What did you expect to see?

Permissions inherited from the group or login, as I am part of the group


@smiklosovic
Collaborator

You can set the default role a user will be assigned to with the default_role_membership property, as described in the readme; otherwise I do not understand your question.


goakgun commented Oct 1, 2024

Instead of using default role membership for all the LDAP users, can we use LDAP group(s) for authorization?
For instance:
Can we create all the roles in advance with different grants (cn=cass-admin,ou=People,dc=test,dc=com: superuser; cn=developers,ou=People,dc=test,dc=com: only select privileges) and, based on a given filter_template (or anything), the user will be a memberOf one of these two roles automatically?

@smiklosovic
Collaborator

@goakgun you are welcome to create a patch for that
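
A sketch of the group-to-role resolution asked about in this thread, added here as an illustration; it is not code from this project, and nothing in the thread says the plugin supports it. The `GROUP_TO_ROLE` table, the role names `cass_admin` and `developers_ro`, and the sample LDIF entry are assumptions constructed for the example.

```python
import base64
import re

# Hypothetical mapping: LDAP group DN -> Cassandra role created in advance with its own grants.
GROUP_TO_ROLE = {
    "cn=cass-admin,ou=People,dc=test,dc=com": "cass_admin",
    "cn=developers,ou=People,dc=test,dc=com": "developers_ro",
}

def normalize_dn(dn):
    """Lower-case and trim each RDN so DNs are compared whole, never by prefix or substring."""
    out = []
    for rdn in re.split(r"(?<!\\),", dn):  # simplified: splits on unescaped commas only
        attr, _, value = rdn.partition("=")
        out.append(attr.strip().lower() + "=" + value.strip().lower())
    return ",".join(out)

def member_of(ldif):
    """Return memberOf values from one LDIF entry, handling folded and base64 lines."""
    unfolded = re.sub(r"\r?\n ", "", ldif)  # LDIF continuation lines start with one space
    groups = []
    for line in unfolded.splitlines():
        m = re.match(r"(?i)memberOf(::?)\s*(.*)$", line)
        if not m:
            continue
        value = m.group(2)
        if m.group(1) == "::":  # '::' marks a base64-encoded value
            value = base64.b64decode(value).decode("utf-8")
        groups.append(value)
    return groups

def roles_for(ldif, mapping=GROUP_TO_ROLE):
    """Map group DNs to roles; groups without a mapping grant nothing (deny by default)."""
    table = {normalize_dn(k): v for k, v in mapping.items()}
    hits = (table.get(normalize_dn(g)) for g in member_of(ldif))
    return sorted({r for r in hits if r})

# Constructed sample entry (not output from this issue).
SAMPLE_LDIF = """dn: CN=Jane Doe,OU=People,DC=test,DC=com
memberOf: CN=Developers, OU=People, DC=test, DC=com
memberOf: CN=cass-admin-auditors,OU=People,DC=test,DC=
 com
memberOf: CN=VPN Users,OU=People,DC=test,DC=com
"""

if __name__ == "__main__":
    print(roles_for(SAMPLE_LDIF))
```

The user in the sample resolves only to `developers_ro`: the `cass-admin-auditors` group shares a prefix with the admin group but is a different DN, so it maps to nothing.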
