mirror of
https://github.com/scylladb/scylladb.git
synced 2026-05-12 19:02:12 +00:00
741d215516
This is a large change, but it's a necessary evil. This change brings us to a minimally-functional implementation of roles. There are many additional changes that are necessary, including refined grammar, bug fixes, code hygiene, and internal code structure changes. In the interest of keeping this patch somewhat read-able, those changes will come in subsequent patches. Until that time, roles are still marked "unimplemented". IMPORTANT: This code does not include any mechanism for transitioning a cluster from user-based access-control to role-based access control. All existing access-control metadata will be ignored (though not deleted). Specific changes: - All user-specific CQL statements now delegate to their roles equivalent. The statements are effectively the same, but CREATE USER will include LOGIN automatically. Also, LIST USERS only lists roles with LOGIN. - A call to LIST PERMISSIONS will now also list permissions of roles that have been granted to the caller, in addition to permissions which have been granted directly. - Much of the logic of creating, altering, and deleting roles has been moved to `auth::service`, since these operations require cooperation between the authenticator, authorizer, and role-manager. - LIST USERS actually works as expected now (fixes #2968).