cassandra icon indicating copy to clipboard operation
cassandra copied to clipboard

Published 20 hours ago verified publisher icon datastax

HCD-23 Tighten up permissions on system keyspaces

Open tiagomlalves opened this issue 7 months ago • 7 comments
trafficstars

What is the issue

Improves permissions security.

What does this PR fix and why was it fixed

Backports CASSANDRA-20090:

  • Restrict which permissions can be granted on system keyspaces
  • Ensure that GRANT... ON ALL KEYSPACES excludes system keyspaces

tiagomlalves avatar Apr 01 '25 16:04 tiagomlalves

Checklist before you submit for review

  • [x] Make sure there is a PR in the CNDB project updating the Converged Cassandra version
  • [ ] Use NoSpamLogger for log lines that may appear frequently in the logs
  • [x] Verify test results on Butler
  • [ ] Test coverage for new/modified code is > 80%
  • [x] Proper code formatting
  • [x] Proper title for each commit staring with the project-issue number, like CNDB-1234
  • [x] Each commit has a meaningful description
  • [x] Each commit is not very long and contains related changes
  • [x] Renames, moves and reformatting are in distinct commits
  • [x] All new files should contain the DataStax copyright header instead of the Apache License one

github-actions[bot] avatar Apr 01 '25 16:04 github-actions[bot]

Triggered #993

tiagomlalves avatar Apr 01 '25 16:04 tiagomlalves

Quality Gate Passed Quality Gate passed

Issues
4 New issues
0 Accepted issues

Measures
0 Security Hotspots
90.6% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

sonarqubecloud[bot] avatar Apr 02 '25 09:04 sonarqubecloud[bot]

:x: Build ds-cassandra-pr-gate/PR-1667 rejected by Butler

1 new test failure(s) in 1 builds See build details here

Found 1 new test failures

Test Explanation Branch history Upstream history
o.a.c.u.b.BinLogTest.testTruncationReleasesLogS... regression :red_circle: :large_blue_circle::large_blue_circle::large_blue_circle::large_blue_circle::large_blue_circle::large_blue_circle::large_blue_circle:

Found 2 known test failures

cassci-bot avatar Apr 02 '25 09:04 cassci-bot

On this one you'd need a CNDB PR imo to make sure we don't break anything there?

bereng avatar Apr 03 '25 12:04 bereng

On this one you'd need a CNDB PR imo to make sure we don't break anything there?

done!

tiagomlalves avatar Apr 04 '25 10:04 tiagomlalves

I've went through the CNDB failures and they don't seem to be related with these changes. I still need to rework the PR to uncomment the tests and accept the exception messages.

tiagomlalves avatar Apr 11 '25 15:04 tiagomlalves