DSEFS authorization
DSEFS authorization verifies user and group permissions on files and directories stored in DSEFS.
DSEFS authorization verifies user and group permissions on files and directories stored in DSEFS.
DSEFS authorization is disabled by default. It requires no configuration, it is automatically enabled along with DSE authorization.
Owners, groups, and permissions
In unsecured clusters with DSEFS authentication disabled all newly created files and
directories are created with the owner set to none
, group set to
none
. In unsecured clusters every DSEFS user has full access to every
file and directory.
dsefs dsefs://127.0.0.1:5598/ > ls -l Type Permission Owner Group Length Modified Name dir rwxrwxrwx none none - 2016-12-01 15:50:49+0100 some_dir
In secured clusters with DSEFS authentication enabled all newly created files and
directories are created with owner set the authenticated user’s username and group set to
authenticated user primary role. See the CQL roles documentation for detailed information on user
roles. File and directory permissions can be specified during creation as a parameter for
the put
and mkdir
commands. Please use help
put
or help mkdir
for details.
dsefs dsefs://127.0.0.1:5598/ > ls -l Type Permission Owner Group Length Modified Name dir rwxr-x--- john admin - 2016-12-02 15:52:54+0100 other_dir
To change the owner or group of an existing file or directory use chown
or
chgrp
commands. Please use help chown
or help
chgrp
for details.
DSEFS by default creates directories with rwxr-xr-x
(octal 755)
permissions and files with rw-r-r-
(octal 644). To change the permissions
of an existing file or directory use the chmod
command. Please use
help chmod
for details.
DSEFS superusers
A DSEFS user is a superuser if and only if the user is a database superuser. Superusers are
allowed to read and write every file and directory stored in DSEFS. Only superusers are
allowed to execute DSEFS maintenance operations like fsck
and
umount
.
DSEFS users
User access is verified against:
- Owner permissions if the file or directory owner name is equal to the authenticated user’s username.
- Group permissions if the file or directory group belongs to the authenticated user’s groups. Groups are mapped from the database's user role names.
- Other permissions if the above conditions are false.
Each DSEFS command requires it’s own set of permissions. For a given path a/b/c, c is a leaf and a/b is a parent path. The following table shows what permissions must be present for the given operation to succeed. R indicates read, W indicates write, and X indicates execute privileges.
Command | Path checked for permissions | Parent path permissions | Leaf permissions |
---|---|---|---|
append a/b/c |
a/b/c |
X | W |
cat a/b/c |
a/b/c |
X | R |
cd a/b/c |
a/b/c |
X | |
chgrp |
same as in chown for group |
||
chmod a/b/c |
a/b/c |
X | The user must be the owner. |
chown a/b/c |
a/b/c |
X | Only superusers can change the owner. To change the group the user needs to be a member of the target group or be a superuser. |
cp |
same as in get and than put |
||
expand a/?/c |
a/?/c |
X | X |
get a/b/c |
a/b/c |
X | R |
ls a/b/c |
a/b/c |
X | RX if c is a directory. |
mkdir a/b/c |
a/b |
X | WX |
mv a/b/c d/e/f |
a/b and d/e |
X | WX |
put a/b/c |
a/b |
X | WX |
realpath a/b/c |
a/b/c |
X | |
rename a/b/c d |
a/b |
X | WX |
rm a/b/c |
a/b |
X | WX |
rmdir a/b/c |
a/b |
X | WX |
stat a/b/c |
a/b/c |
X | |
truncate a/b/c |
a/b/c |
X | W |
Authorization transitional mode
DSEFS authorization supports transitional mode provided by DSEAuthorizer
. Legacy authorizers,
like TransitionalAuthorizer
, are not supported. DSE will not start if
unsupported authorizer is configured and error is reported in log messages.