Trove/better-user-privileges

Trove's API currently has no way to grant or revoke specific privileges to or from users. It is all or nothing: either 'ALL' or 'ACCESS'. I propose the following amendments to the API methods to allow more complete control over user grants. This approach keeps the existing list of databases on which a user has more than 'ACCESS' (no privileges), and adds a dictionary mapping each of those databases to a list of permissions. In keeping with the established contract, a database that is not mentioned in this "privileges" mapping is assumed to have the default of 'ALL'.

Present-day create user request

   POST /v1.0/1234/instances/dcc5c518-73c7-4471-83e1-15fae67a98eb/users HTTP/1.1
   {
       "users": [
           {
               "database": "databaseA", 
               "name": "dbuser1", 
               "password": "password"
           }, 
           {
               "databases": [
                   {
                       "name": "databaseB"
                   }, 
                   {
                       "name": "databaseC"
                   }
               ], 
               "host": "10.0.0.1", 
               "name": "dbuser2", 
               "password": "password"
           }, 
           {
               "database": "databaseD", 
               "name": "dbuser3", 
               "password": "password"
           }
       ]
   }


Proposed create user request

   POST /v1.0/1234/instances/dcc5c518-73c7-4471-83e1-15fae67a98eb/users HTTP/1.1
   {
       "users": [
           {
               "database": "databaseA", 
               "name": "dbuser1", 
               "password": "password"
           }, 
           {
               "databases": [
                   {
                       "name": "databaseB"
                   }, 
                   {
                       "name": "databaseC"
                   }
               ], 
               "host": "10.0.0.1", 
               "name": "dbuser2", 
               "password": "password",
               "privileges": {
                   "databaseB": [
                       "SELECT"
                   ]
               }
           }, 
           {
               "database": "databaseD", 
               "name": "dbuser3", 
               "password": "password"
           }
       ]
   }
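
The defaulting rule above, applied to one user entry of the proposed create request, as an added example (not Trove code, and not part of the proposal). The `KNOWN_PRIVILEGES` allowlist, the function names, and the choice to reject empty lists and grants on unlisted databases are assumptions of this sketch.

```python
# Added example, not Trove code. KNOWN_PRIVILEGES is an assumed allowlist;
# names are matched exactly on the assumption that they end up in GRANT text.
KNOWN_PRIVILEGES = frozenset(
    {"ALL", "ALTER", "CREATE", "DELETE", "DROP", "INSERT", "SELECT", "UPDATE"}
)


def database_names(user):
    """Collect names from both request forms: 'database' and 'databases'."""
    names = [user["database"]] if "database" in user else []
    names.extend(entry["name"] for entry in user.get("databases", []))
    return names


def effective_privileges(user):
    """Map each listed database to its privileges, defaulting to ['ALL']."""
    names = database_names(user)
    requested = user.get("privileges", {})
    unlisted = sorted(set(requested) - set(names))
    if unlisted:
        # Assumption: a grant on a database the user is not listed for is
        # rejected instead of silently widening access.
        raise ValueError("privileges for unlisted databases: %s" % unlisted)
    resolved = {}
    for name in names:
        if name not in requested:
            resolved[name] = ["ALL"]  # the proposal's stated default
            continue
        privs = requested[name]
        if not isinstance(privs, list) or not privs:
            raise ValueError("privileges for %r must be a non-empty list" % name)
        unknown = [
            p for p in privs if not isinstance(p, str) or p not in KNOWN_PRIVILEGES
        ]
        if unknown:
            raise ValueError("unknown privileges for %r: %r" % (name, unknown))
        resolved[name] = sorted(set(privs))
    return resolved


# Constructed sample: the dbuser2 entry from the proposed create user request.
SAMPLE_USER = {
    "databases": [{"name": "databaseB"}, {"name": "databaseC"}],
    "host": "10.0.0.1", "name": "dbuser2", "password": "password",
    "privileges": {"databaseB": ["SELECT"]},
}

if __name__ == "__main__":
    print(effective_privileges(SAMPLE_USER))
```

For `dbuser2` this resolves `databaseB` to `SELECT` only, while `databaseC`, which has no entry in "privileges", falls back to 'ALL'.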


Present-day modify user (grant) request

   PUT /v1.0/1234/instances/dcc5c518-73c7-4471-83e1-15fae67a98eb/users/dbuser1/databases HTTP/1.1
   {
       "databases": [
           {
               "name": "databaseE"
           }
       ]
   }


Proposed modify user (grant) request

   PUT /v1.0/1234/instances/dcc5c518-73c7-4471-83e1-15fae67a98eb/users/dbuser1/databases HTTP/1.1
   {
       "databases": [
           {
               "name": "databaseE"
           }
       ],
       "privileges": {
           "databaseE": [
               "ALTER",
               "CREATE",
               "DROP",
               "SELECT"
           ]
       }
   }


Present-day list user response

   {
       "user": {
           "databases": [
               "testdb1"
           ],
           "host": "%", 
           "name": "dbuser1"
       }
   }


Proposed list user response

   {
       "user": {
           "databases": [
               "testdb1"
           ],
           "host": "%",
           "name": "dbuser1",
           "privileges": {
               "testdb1": [ "SELECT" ]
           }
       }
   }