cassandra-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Aleksey Yeschenko (JIRA)" <>
Subject [jira] [Updated] (CASSANDRA-7216) Restricted superuser account request
Date Mon, 19 May 2014 21:09:38 GMT


Aleksey Yeschenko updated CASSANDRA-7216:

    Attachment: 7216-POC.txt

Attaching a POC-concept. Adds an overrideable AuthenticatedUser#canManageUsers(), the output
of which is used to decide if the logged in user is allowed to perform ALTER USER/CREATE USER/DROP
USER queries.

So now you can write a custom IAuthenticator that would return an AuthenticatedUser w/ an
overridden canManageUsers(), based on some config file or a hard-coded value. Coupled with
automatic keyspace pre-creation and granting all the rights, I think this pretty much covers
your use case.

[~odpeer] [] wdyt?

> Restricted superuser account request
> ------------------------------------
>                 Key: CASSANDRA-7216
>                 URL:
>             Project: Cassandra
>          Issue Type: Improvement
>            Reporter: Oded Peer
>            Assignee: Dave Brosius
>            Priority: Minor
>             Fix For: 3.0
>         Attachments: 7216-POC.txt, 7216.txt
> I am developing a multi-tenant service.
> Every tenant has its own user, keyspace and can access only his keyspace.
> As new tenants are provisioned there is a need to create new users and keyspaces.
> Only a superuser can issue CREATE USER requests, so we must have a super user account
in the system. On the other hand super users have access to all the keyspaces, which poses
a security risk.
> For tenant provisioning I would like to have a restricted account which can only create
new users, without read access to keyspaces.

This message was sent by Atlassian JIRA

View raw message