Why cassandra user need <all keyspaces> permission?

1

Hi Team,

I am using Kong 0.11 with datastax cassandra. Kong was working fine till we were using it with community edition cassandra but as we moved, we started seeing this error User <xyz> has no CREATE permission on <all keyspaces> or any of its parents. Why does kong need permission on ? I have given right permission to kong keyspace that should be enough, isn’t it?

1 Like
2

Let me start by saying that Kong 0.11 is a bit out of date and I recommend you upgrade your Kong version

Can you give us more context? Where are you seeing this error? Is it on the nginx error log, or is it while attempting to run kong migrate up?

3

@amolp Hi, and welcome!

Kong will attempt to create the keyspace itself if it does not already exist, in which case it does need the CREATE permission on <all keyspaces>.

However, you can create the keyspace manually form an account that has such permissions, and Kong will not attempt to create it itself, simply use it.

Let us know if that works for you.

Cheers

4

Hey @thibaultcha,

I already have a keyspace with all the permission on that keyspace except for CREATE on ALL KEYSPACES. So, does it need that permission or is there a way to avoid that too?

5

Hi, I am running Kong 1.1.2 with a cassandra database backend. I am seeing the same issue as amolp where it is trying to create the keyspace even though the keyspace already exists.

Centos 7
Kong version --> 1.1.2
kong migrations bootstrap --> results in unauthorized user kongadmin has no CREATE permision on or any of its parents.

kong.conf:
database=cassandra
cassandra_username = kongadmin
cassandra_keyspace = kong

from cassandra database connected as kongadmin
desc kong;
CREATE KEYSPACE kong with replication = {‘class’: ‘NetworkTopologyStrategy’,‘xx3’: ‘2’, ‘yy1’:‘1’} and durable_writes=true;

Is there a known fix, I don’t have superuser privs for this cluster.

6

Hi
i have same error and it worked just after giving grant create on all Keyspaces, While in prod i cant give. who know what to do?

role | username | resource | permission
----------±---------±-------------------±-----------
kong_usr | kong_usr | all keyspaces> | CREATE
kong_usr | kong_usr | keyspace kong> | CREATE
kong_usr | kong_usr | keyspace kong> | ALTER
kong_usr | kong_usr | keyspace kong> | DROP
kong_usr | kong_usr | keyspace kong> | SELECT
kong_usr | kong_usr | keyspace kong> | MODIFY
kong_usr | kong_usr | keyspace kong> | AUTHORIZE
kong_usr | kong_usr | keyspace wrapper> | CREATE
kong_usr | kong_usr | keyspace wrapper> | ALTER
kong_usr | kong_usr | keyspace wrapper> | DROP
kong_usr | kong_usr | keyspace wrapper> | SELECT
kong_usr | kong_usr | keyspace wrapper> | MODIFY
kong_usr | kong_usr | keyspace wrapper> | AUTHORIZE