DSEFS authorization
DSEFS authorization verifies user and group permissions on files and directories stored in DSEFS.
DSEFS authorization is disabled by default. It requires no configuration, it is automatically enabled along with DSE authorization.
For related SSL details, see Enabling SSL encryption for DSEFS. |
Owners, groups, and permissions
In unsecured clusters with DSEFS authentication disabled all newly created files and directories are created with the owner set to none
, group set to none
.
In unsecured clusters every DSEFS user has full access to every file and directory.
$ dsefs dsefs://127.0.0.1:5598/ > ls -l
Type Permission Owner Group Length Modified Name
dir rwxrwxrwx none none - 2016-12-01 15:50:49+0100 some_dir
In secured clusters with DSEFS authentication enabled all newly created files and directories are created with owner set the authenticated user’s username and group set to authenticated user primary role.
See the CQL roles documentation for detailed information on user roles.
File and directory permissions can be specified during creation as a parameter for the put
and mkdir
commands.
Please use help put
or help mkdir
for details.
$ dsefs dsefs://127.0.0.1:5598/ > ls -l
Type Permission Owner Group Length Modified Name
dir rwxr-x--- john admin - 2016-12-02 15:52:54+0100 other_dir
To change the owner or group of an existing file or directory use chown
or chgrp
commands.
Please use help chown
or help chgrp
for details.
DSEFS by default creates directories with rwxr-xr-x
(octal 755) permissions and files with rw-r-r-
(octal 644).
To change the permissions of an existing file or directory use the chmod
command.
Please use help chmod
for details.
DSEFS superusers
A DSEFS user is a superuser if and only if the user is a database superuser.
Superusers are allowed to read and write every file and directory stored in DSEFS.
Only superusers are allowed to execute DSEFS maintenance operations like fsck
and umount
.
DSEFS users
User access is verified against:
-
Owner permissions if the file or directory owner name is equal to the authenticated user’s username.
-
Group permissions if the file or directory group belongs to the authenticated user’s groups. Groups are mapped from the database’s user role names.
-
Other permissions if the above conditions are false.
Each DSEFS command requires it’s own set of permissions. For a given path a/b/c, c is a leaf and a/b is a parent path. The following table shows what permissions must be present for the given operation to succeed. R indicates read, W indicates write, and X indicates execute privileges.
Command | Path checked for permissions | Parent path permissions | Leaf permissions |
---|---|---|---|
|
|
X |
W |
|
|
X |
R |
|
|
X |
|
|
same as in |
||
|
|
X |
The user must be the owner. |
|
|
X |
Only superusers can change the owner. To change the group the user needs to be a member of the target group or be a superuser. |
|
same as in |
||
|
|
X |
X |
|
|
X |
R |
|
|
X |
RX if |
|
|
X |
WX |
|
|
X |
WX |
|
|
X |
WX |
|
|
X |
|
|
|
X |
WX |
|
|
X |
WX |
|
|
X |
WX |
|
|
X |
|
|
|
X |
W |
Authorization transitional mode
DSEFS authorization supports transitional mode provided by DSEAuthorizer
.
Legacy authorizers, like TransitionalAuthorizer
, are not supported.
DSE does not start if unsupported authorizer is configured and error is reported in log messages.