The purpose of this small script is to create a Cassandra user that has limited access to a given set of tables in the same keyspace.
The reason is the following architectural requirement:
The goal is to separate the OAuth Authorization-Server (AuthZ-Server) part from the API-Manager runtime for security reasons, so that someone who has access to the API-Manager cannot also generate access tokens.
AuthZ-Server and API-Manager will use distinct, unique groups.
But this separation only makes sense if the two API-Gateway instances use different Cassandra users with restricted access permissions.
- The Authorization-Server will have write permission to modify entries in the OAuth tables (oauth_...).
- The API-Manager will have read permission ONLY, just enough to load access tokens.
As Cassandra doesn't support restricting permissions on a per-table basis, this script creates these two kinds of users and grants the individual permission on each table.
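To make the grant model concrete, here is an added example (not the project's own script) of a POSIX shell function that emits the CQL statements one restricted user needs, given the mode, the keyspace, the new user's credentials and a list of OAuth table names. The function name and the table names used in the comments are assumptions; pipe its output into cqlsh to apply it.

```shell
#!/bin/sh
# Added example: print the CQL for one restricted Cassandra user.
# Arguments: mode (apim|authz), keyspace, username, password, then one
# or more table names. Output goes to stdout, e.g.
#   build_restricted_user_cql apim my_ks apim_user changeme oauth_tokens | cqlsh -u cassandra -p cassandra
build_restricted_user_cql() {
    [ "$#" -ge 5 ] || { echo "usage: mode keyspace user password table..." >&2; return 1; }
    mode=$1; keyspace=$2; user=$3
    # CQL string literals escape a single quote by doubling it.
    password=$(printf '%s' "$4" | sed "s/'/''/g")
    shift 4
    case "$mode" in
        apim)  perms="SELECT" ;;          # read-only: load tokens only
        authz) perms="SELECT MODIFY" ;;   # may create, update and revoke tokens
        *)     echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    # A login role with no keyspace-wide grant; every right below is per table.
    printf "CREATE ROLE IF NOT EXISTS %s WITH PASSWORD = '%s' AND LOGIN = true;\n" "$user" "$password"
    for table in "$@"; do
        for perm in $perms; do   # CQL takes one permission per GRANT statement
            printf "GRANT %s ON TABLE %s.%s TO %s;\n" "$perm" "$keyspace" "$table" "$user"
        done
    done
}
```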
Usage: ./create_restricted_user.sh -m <apim|authz> -k <your-keyspace> -u <user_to_be_created> -p <password_to_use> -au cassandra -ap cassandra
-m, --mode Mode: apim: Read-Only access to OAuth-Tables | authz: Write access to OAuth-Tables
-k, --keyspace Cassandra keyspace which is used by API-Manager & AuthZ-Server
-u, --username A new Cassandra user with this username will be created.
-p, --password A new Cassandra user with this password will be created.
-au, --adminUser Username having admin-permissions to create new users.
-ap, --adminPassword Password of user having admin-permissions to create new users.
-cqlsh Path to cqlsh - optional if cqlsh is in the PATH and executable
Examples:
./create_restricted_user.sh -m apim -k x65cd4036_751f_433e_acde_a8008b89444c_group_2 -u apim_user -p changeme -au cassandra -ap cassandra
./create_restricted_user.sh -m authz -k x65cd4036_751f_433e_acde_a8008b89444c_group_2 -u oauth_user -p somedifferent -au cassandra -ap cassandra -cqlsh ./bin/cqlsh
Just clone this project or download the shell script.
- 1.0.0 - 29.03.2019
- Initial version
- It is not possible to delete a token using the API-Manager Admin-UI
Please read Contributing.md for details on our code of conduct, and the process for submitting pull requests to us.