DSEFS authorization

DSEFS authorization verifies user and group permissions on files and directories stored in DSEFS.

DSEFS authorization verifies user and group permissions on files and directories stored in DSEFS.

DSEFS authorization is disabled by default. It requires no configuration, it is automatically enabled along with DSE authorization.

Owners, groups, and permissions

In unsecured clusters with DSEFS authentication disabled all newly created files and directories are created with the owner set to none, group set to none. In unsecured clusters every DSEFS user has full access to every file and directory.

dsefs dsefs://127.0.0.1:5598/ > ls -l
Type  Permission  Owner      Group      Length   Modified                  Name                   
dir   rwxrwxrwx   none       none            -   2016-12-01 15:50:49+0100  some_dir  

In secured clusters with DSEFS authentication enabled all newly created files and directories are created with owner set the authenticated user’s username and group set to authenticated user primary role. See the CQL roles documentation for detailed information on user roles. File and directory permissions can be specified during creation as a parameter for the put and mkdir commands. Please use help put or help mkdir for details.

dsefs dsefs://127.0.0.1:5598/ > ls -l
Type  Permission  Owner      Group      Length   Modified                  Name                
dir   rwxr-x---   john       admin           -   2016-12-02 15:52:54+0100  other_dir 

To change the owner or group of an existing file or directory use chown or chgrp commands. Please use help chown or help chgrp for details.

DSEFS by default creates directories with rwxr-xr-x (octal 755) permissions and files with rw-r-r- (octal 644). To change the permissions of an existing file or directory use the chmod command. Please use help chmod for details.

DSEFS superusers

A DSEFS user is a superuser if and only if the user is a database superuser. Superusers are allowed to read and write every file and directory stored in DSEFS. Only superusers are allowed to execute DSEFS maintenance operations like fsck and umount.

DSEFS users

User access is verified against:

  • Owner permissions if the file or directory owner name is equal to the authenticated user’s username.
  • Group permissions if the file or directory group belongs to the authenticated user’s groups. Groups are mapped from the database's user role names.
  • Other permissions if the above conditions are false.

Each DSEFS command requires it’s own set of permissions. For a given path a/b/c, c is a leaf and a/b is a parent path. The following table shows what permissions must be present for the given operation to succeed. R indicates read, W indicates write, and X indicates execute privileges.

Table 1. Affect of permissions on files by DSEFS command
Command Path checked for permissions Parent path permissions Leaf permissions
append a/b/c a/b/c X W
cat a/b/c a/b/c X R
cd a/b/c a/b/c X
chgrp same as in chown for group
chmod a/b/c a/b/c X The user must be the owner.
chown a/b/c a/b/c X Only superusers can change the owner. To change the group the user needs to be a member of the target group or be a superuser.
cp same as in get and than put
expand a/?/c a/?/c X X
get a/b/c a/b/c X R
ls a/b/c a/b/c X RX if c is a directory.
mkdir a/b/c a/b X WX
mv a/b/c d/e/f a/b and d/e X WX
put a/b/c a/b X WX
realpath a/b/c a/b/c X
rename a/b/c d a/b X WX
rm a/b/c a/b X WX
rmdir a/b/c a/b X WX
stat a/b/c a/b/c X
truncate a/b/c a/b/c X W

Authorization transitional mode

DSEFS authorization supports transitional mode provided by DSEAuthorizer. Legacy authorizers, like TransitionalAuthorizer, are not supported. DSE will not start if unsupported authorizer is configured and error is reported in log messages.