Difference between revisions of "Trove/better-user-privileges"
Ed Cranford (talk | contribs) (Created page with "Trove's API at present has no way to grant or revoke specific privileges to or from users. Right now it's all or nothing, either 'ALL' or 'ACCESS'. I propose the following ame...") |
Ed Cranford (talk | contribs) |
||
| Line 127: | Line 127: | ||
"host": "%", | "host": "%", | ||
"name": "dbuser1", | "name": "dbuser1", | ||
| − | "privileges": | + | "privileges": { |
| − | "SELECT" | + | "testdb1": [ "SELECT" ] |
| + | } | ||
] | ] | ||
} | } | ||
} | } | ||
Latest revision as of 17:42, 4 December 2013
Trove's API at present has no way to grant or revoke specific privileges to or from users. Right now it's all or nothing, either 'ALL' or 'ACCESS'. I propose the following amendments to the API methods to facilitate more complete control over user grants and such. This approach maintains the list of databases to which a user has more than 'ACCESS' (no privileges) to, and adds a dictionary mapping each of those databases to a list of permissions. In keeping with the established contract, it is to be assumed that no mention in this "privileges" mapping means the default of 'ALL'.
Present-day create user request
POST /v1.0/1234/instances/dcc5c518-73c7-4471-83e1-15fae67a98eb/users HTTP/1.1
{
"users": [
{
"database": "databaseA",
"name": "dbuser1",
"password": "password"
},
{
"databases": [
{
"name": "databaseB"
},
{
"name": "databaseC"
}
],
"host": "10.0.0.1",
"name": "dbuser2",
"password": "password"
},
{
"database": "databaseD",
"name": "dbuser3",
"password": "password"
}
]
}
Proposed create user request
POST /v1.0/1234/instances/dcc5c518-73c7-4471-83e1-15fae67a98eb/users HTTP/1.1
{
"users": [
{
"database": "databaseA",
"name": "dbuser1",
"password": "password"
},
{
"databases": [
{
"name": "databaseB"
},
{
"name": "databaseC"
}
],
"host": "10.0.0.1",
"name": "dbuser2",
"password": "password",
"privileges": {
"databaseB": [
"SELECT"
]
}
},
{
"database": "databaseD",
"name": "dbuser3",
"password": "password"
}
]
}
Present-day modify user (grant) request
PUT /v1.0/1234/instances/dcc5c518-73c7-4471-83e1-15fae67a98eb/users/dbuser1/databases HTTP/1.1
{
"databases": [
{
"name": "databaseE"
}
]
}
Proposed modify user (grant) request
PUT /v1.0/1234/instances/dcc5c518-73c7-4471-83e1-15fae67a98eb/users/dbuser1/databases HTTP/1.1
{
"databases": [
{
"name": "databaseE"
}
],
"privileges": {
"databaseE": [
"ALTER",
"CREATE",
"DROP",
"SELECT"
]
}
}
Present-day list user response
{
"user": {
"databases": [
"testdb1"
],
"host": "%",
"name": "dbuser1"
}
}
Proposed list user response
{
"user": {
"databases": [
"testdb1"
],
"host": "%",
"name": "dbuser1",
"privileges": {
"testdb1": [ "SELECT" ]
}
]
}
}
