What I am trying to achieve is similar to what DSE Cassandra provide here, but on Apache Cassandra: Setting up Row Level Access Control (RLAC)
I've tried using Materialized View and grant SELECT permission on the created view to a specific role, but when I'm trying to access the view it returns an unauthorized error asking me to grant SELECT permission on the origin table.
Is there really no way to achieve this?
Related
We have a requirement in Kusto/ADX where we need to provide access to only one table and for certain records if conditions are met for a group or a User.
I have explored RLS and Restricted view Access on this, however below is my stands
RLS & Restricted view access can not be applied together on a same table
RLS can restrict user only on records basis and not table level
Restricted View access can restrict table level but not records. Also this has a pain point, I should apply restrict view policy to all other table and add restricted viewer access role to those users whom we don't restrict. For a single group/user to access one table, doing all these change seems to be painful.
Do we have any other best approach to handle this scenario?
Thank you.
Bharath Kumar B
You need to split the tables into multiple databases, and each database will have a different set of users who can view the data.
On top of that, you'll need to apply RLS (Row Level Security) on tables, where you want some users to get only some of the records.
I have a question regarding Spark privileges with Sentry on Hadoop cluster.
First, some background -
I'm using CDH version 5.13.2
ACL sync on HDFS is enabled
Impersonation disabled
Grant on database level and for specific cases gants on URI
Scenario
There are two databases, db_a and db_b. In db_a there is a view which selects from table which is defined in db_b.
I granted privilege for a specific user with read access (grant select) on db_a.
In Beeline/Impala/Hue the behavior is as expected:
show databases shows only db_a
when user's query the view in db_a it works perfect even the user don't have any privilege on db_b.
The problem with Spark SQL:
When the same user is trying to access the view in db_a, it's failed as user don't have access to db_b.
Again, same query with same user works fine in Hive/Impala.
Is there any configuration or workaround to resolve the problem?
While exploring cassandra, Is it possible in cassandra that if I created an user "test" and I have multiple keypsaces so if I am logging cqlsh with "test" then I can see only selected keyspaces not others.admin can view or switch all keypsaces. please help if any idea or correct me.
Thanks in advance.
Permissions (Data Control)
https://docs.scylladb.com/operating-scylla/security/authorization/#data-control
Permission Resource Operations
AUTHORIZE ALL KEYSPACES GRANT PERMISSION and REVOKE PERMISSION on any table
AUTHORIZE KEYSPACE GRANT PERMISSION and REVOKE PERMISSION on any table in specified keyspace
AUTHORIZE TABLE GRANT PERMISSION and REVOKE PERMISSION on specified table
GRANT permissions
https://docs.scylladb.com/operating-scylla/security/authorization/#grant-permission
AND / OR
RBAC (Role Based Access Control)
https://docs.scylladb.com/operating-scylla/security/authorization/#database-roles
Will be a good way of accomplishing what you are aiming for
GRANT command should work.
Though test user will be able to see other keyspaces, operation will not be possible unless given permission.
If test user has SELECT grant on particular keyspace it will be able to only issue select query on tables in that keyspace.
https://docs.datastax.com/en/cql/3.3/cql/cql_reference/cqlGrant.html
Small question about Cassandra 3.0.8. Not datastax.
is it possible to grant/revoke permissions for users, who use sstableloader? For now, user only authenticate in Cassandra and can update any table...
There is no specific authentication for just sstableloader. However you can
Create separate set of users/roles for each and every table within the keyspace.
In other words, there could be different users with different set of permissions on each and every table.
Here is an example on how to create user and define permission at table level
GRANT SELECT PERMISSIONS ON keyspace1.table1 TO USER1;
GRANT MODIFY PERMISSIONS ON keyspace1.table2 TO USER1;
So in the above example USER1 has select permission on table1 while update permission on table2. So you can authorize who gets to have update access on table1 but not if it comes from sstableloader or cql or application code.
Here is the reference for roles and permissions https://docs.datastax.com/en/cql/3.1/cql/cql_reference/grant_r.html
Background
We have a WinForms application with Entity Framework 4.2 code-first / FluentAPI using SQL Server 2008 R2.
The security is a custom implementation of IPrincipal and IIdentity with the roles for the user. These roles are checked when a Form/menu/button is displayed and it will be disabled/removed based on the user role.
Users are authenticated against the database so there is no "master" user for the connection: it's created using the username/password provided on the login screen.
So, access to data (general) is working.
The problem
But some cases might require me to disable access to a specific table or to a column inside the table.
Some tests have shown here that IGenericRepository.Find<MyCustomType>(_idToFind) (which returns the complete entity) will fail because there is no access to a single column and SQL server will prevent the whole select statement.
I've found, however, that create a query like
IGenericRepository.All<MyCustomType>().Select(_c => _c.JustASingleField)
will work because the generated query will look only for a specific field for which I have access.
Question
Is there a way for me to create queries that will be role-aware to the database?
For instance: Find<MyCustomType>(id) will return the object as usual but with the field that the user does not have access set to NULL or with no value?
Or I'll just have to write "generic" queries for every single item that does not require protection and rely on the security system to completely block access to a resource?
Another example would be to fill a grid but the column for which the user does not have access will be blank.
Is it possible at all using Entity Framework?
Is it possible at all using EntityFramework?
No. EF is not aware of security configuration on SQL server and it is not able to react to any security demands expected by SQL server except providing credentials for connection string.
If you require this type of security you should use database views providing only accessible items to specific role and let EF to use model mapping only views the user role has access to - it can result in quite big set of different "models" due to many roles.