Return-Path: 
 <commits-return-104579-apmail-cassandra-commits-archive=cassandra.apache.org@cassandra.apache.org>
X-Original-To: apmail-cassandra-commits-archive@www.apache.org
Delivered-To: apmail-cassandra-commits-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 3B01B110AD
	for <apmail-cassandra-commits-archive@www.apache.org>;
 Tue,  8 Jul 2014 20:06:05 +0000 (UTC)
Received: (qmail 21233 invoked by uid 500); 8 Jul 2014 20:06:05 -0000
Delivered-To: apmail-cassandra-commits-archive@cassandra.apache.org
Received: (qmail 21203 invoked by uid 500); 8 Jul 2014 20:06:05 -0000
Mailing-List: contact commits-help@cassandra.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:commits-help@cassandra.apache.org>
List-Unsubscribe: <mailto:commits-unsubscribe@cassandra.apache.org>
List-Post: <mailto:commits@cassandra.apache.org>
List-Id: <commits.cassandra.apache.org>
Reply-To: dev@cassandra.apache.org
Delivered-To: mailing list commits@cassandra.apache.org
Received: (qmail 21041 invoked by uid 99); 8 Jul 2014 20:06:04 -0000
Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 08 Jul 2014 20:06:04 +0000
Date: Tue, 8 Jul 2014 20:06:04 +0000 (UTC)
From: "Michael Shuler (JIRA)" <jira@apache.org>
To: commits@cassandra.apache.org
Message-ID: <JIRA.12726050.1404818955741.3673.1404849964897@arcas>
In-Reply-To: <JIRA.12726050.1404818955741@arcas>
References: <JIRA.12726050.1404818955741@arcas>
Subject: [jira] [Commented] (CASSANDRA-7513) Non-superuser users should not
 be able to list users
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394


    [ https://issues.apache.org/jira/browse/CASSANDRA-7513?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14055414#comment-14055414 ] 

Michael Shuler commented on CASSANDRA-7513:
-------------------------------------------

For the sake of the conversation, if I was a successfully logged in c* user, a) I have database access authentication, b) I need a superuser to do something beyond my own access, c) ListUserStatement will allow me to see who I might go ask to do something for me, or a superuser that I need to log in as to perform the needed action.

I already have, as a normal user, authentication to see things in the database. What's the harm in seeing who the superusers are?

> Non-superuser users should not be able to list users
> ----------------------------------------------------
>
>                 Key: CASSANDRA-7513
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-7513
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Core
>            Reporter: Mike Adamson
>             Fix For: 2.0.10
>
>
> ListUserStatement allows any logged in user to list all the users in the system. This is a security flaw as it allows non-superusers to get a list of superusers.
> There is no reason to allow non-superusers to get a list users because all the authentication functionality that manipulates users is only available to superusers.



--
This message was sent by Atlassian JIRA
(v6.2#6252)