Learning Apache Cassandra

You're reading from Learning Apache Cassandra: Build an efficient, scalable, fault-tolerant, and highly-available data layer into your application using Cassandra

Product type: Paperback
Published in: Feb 2015
ISBN-13: 9781783989201
Length: 246 pages
Edition: 1st Edition
Author (1): Brown

Authorization in action


Now that we know how to create user accounts and how to grant and revoke their permissions, let's see how a non-superuser account behaves in practice. To do this, let's open up a new cqlsh session logged in with our data analytics team's account:

$ cqlsh -u data_analytics -p verystrongpassword -k my_status

The -k my_status option simply tells cqlsh that we want to interact with the my_status keyspace, saving us the effort of issuing a USE statement.

Now let's see what we can do. First, we expect to be able to read data with no problem; let's have a look at the user_status_updates table:

SELECT * FROM user_status_updates;

As expected, we have permission to read the contents of that table:

Now let's try making a change to some data. Though our analytics team certainly would have no malicious intent, perhaps at some point the analytics cat may sit on a keyboard, producing the following statement:

DELETE FROM "users"
WHERE "username" = 'alice';

That's quite an alarming query, but happily our authorization setup has saved us:

Recall that the MODIFY permission is needed to make any changes to existing data, including insertion and deletion. Since the data_analytics account only has the SELECT permission, our accidental attempt to delete alice's account is rejected. alice's data is safe.

Authorization as a hedge against mistakes

We generally think of authentication and authorization as a mechanism to prevent intentional access to our data by nefarious actors. However, authorization can also be a powerful insurance policy against unintentional mistakes by well-intentioned people. In the preceding example, the data analytics team did not intend to do any harm, but without authorization in place, that pesky cat would have unwittingly caused data loss.

While the odds of a feline posterior producing a perfectly formed CQL query are quite long, mistakes do happen. By using authorization to give each user the minimum level of access they strictly need, we can reduce the chance of a mistake turning into an emergency.
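A simplified model of the permission check described above, added here as an illustration; it is not code from the book or from Cassandra. It assumes the data_analytics SELECT grant was made on the whole my_status keyspace, and the over-broad grant set is hypothetical, included to show how the same DELETE fares without least privilege.

```python
import re

# Permission each CQL data statement needs (Cassandra's statement-to-permission rule).
REQUIRED = {"SELECT": "SELECT", "INSERT": "MODIFY", "UPDATE": "MODIFY",
            "DELETE": "MODIFY", "TRUNCATE": "MODIFY"}

IDENT = r'("[^"]+"|\w+)'
# The target table follows FROM, INTO, UPDATE or TRUNCATE, optionally keyspace-qualified.
TARGET = re.compile(r'\b(?:FROM|INTO|UPDATE|TRUNCATE)\s+' + IDENT + r'(?:\.' + IDENT + r')?',
                    re.IGNORECASE)

def norm(ident):
    """Quoted identifiers keep their case; unquoted ones fold to lower case."""
    return ident[1:-1] if ident.startswith('"') else ident.lower()

def authorize(grants, role, statement, keyspace):
    """Return (allowed, required_permission, 'keyspace.table') for one statement."""
    verb = (statement.split() or [""])[0].upper()
    perm = REQUIRED.get(verb)
    target = TARGET.search(statement)
    if perm is None or target is None:
        raise ValueError("statement type not covered by this model")
    first, second = target.group(1), target.group(2)
    ks, table = (norm(first), norm(second)) if second else (keyspace, norm(first))
    # A grant on a parent resource also covers everything beneath it.
    chain = [("table", ks, table), ("keyspace", ks, None), ("all keyspaces", None, None)]
    allowed = any((role, perm, resource) in grants for resource in chain)
    return allowed, perm, f"{ks}.{table}"

# Constructed grant sets. Assumption: SELECT was granted on the whole keyspace.
LEAST_PRIVILEGE = {("data_analytics", "SELECT", ("keyspace", "my_status", None))}
OVER_BROAD = LEAST_PRIVILEGE | {("data_analytics", "MODIFY", ("all keyspaces", None, None))}

# The two statements from the session above.
READ = "SELECT * FROM user_status_updates;"
CAT = 'DELETE FROM "users"\nWHERE "username" = \'alice\';'

if __name__ == "__main__":
    for name, grants in (("least privilege", LEAST_PRIVILEGE), ("over-broad", OVER_BROAD)):
        for stmt in (READ, CAT):
            allowed, perm, table = authorize(grants, "data_analytics", stmt, "my_status")
            verdict = "allowed" if allowed else "rejected"
            print(f"{name:15} {perm:6} on {table}: {verdict}")
```

Because a grant on a keyspace or on all keyspaces is inherited by every table beneath it, reviewing an account's access means checking each level of that chain, not just the table in question.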

Of course, authentication and authorization are also important tools for securing your data against those seeking unauthorized access. As it turns out, these are only part of the entire security picture; we also need to make sure our data is secure on disk and in transit.
