cassandra-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Aleksey Yeschenko (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CASSANDRA-8650) Creation and maintenance of roles should not require superuser status
Date Tue, 03 Feb 2015 22:03:35 GMT

    [ https://issues.apache.org/jira/browse/CASSANDRA-8650?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14304100#comment-14304100
] 

Aleksey Yeschenko commented on CASSANDRA-8650:
----------------------------------------------

Some nits and notes:
- CA#resourceFromName() seems useful in a generic way. Should go into a shared helper class
(o.a.c.auth.Resources?)
- CA#convertLegacyData() shouldn’t just copy permissions verbatim now, but filter out CREATE
on table resources, too
- Permission#filterForResource() - would be cleaner to have boolean IResource#isValidPermission(Permission),
or just Set<Permission> IResource#applicablePermissions() (not married to the names.
instanceof/isinstance is a code smell tho)
- with that in, and our new limitations on CREATE, we can get rid of Permission.{ALL_DATA|ALL_ROLE},
and just use IResource#applicablePermissions() instead in all places
- I’d rather use DESCRIBE than SELECT for LIST ROLES, given that DESCRIBE is going to happen
anyway (CASSANDRA-8163)
- RoleResource#toString() needs an @Override annotation
- does it make any sense to have IAuthorizer#revokeAll(String role) and IAuthorizer#revokeAll(IResource
resource), now that roles are resources themselves?
- the superuser check in GrantRoleStatement#checkAccess feels redundant to me. Just having
AUTHORIZE there should be enough. Am I missing something? Same question w/ RevokeRoleStatement
- for clarity, would be nice to rename GrantStatement to GrantPermissionStatement (to match
GrantRoleStatement)
- likewise with RevokeStatement. Neither of these two things have been introduced in the patch,
but renaming them here kinda makes sense
- similarly, either PermissionAlteringStatement should become PermissionManagementStatement,
or RoleManagementStatement should become RoleAlteringStatement

> Creation and maintenance of roles should not require superuser status
> ---------------------------------------------------------------------
>
>                 Key: CASSANDRA-8650
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-8650
>             Project: Cassandra
>          Issue Type: Sub-task
>          Components: Core
>            Reporter: Sam Tunnicliffe
>            Assignee: Sam Tunnicliffe
>              Labels: cql, security
>             Fix For: 3.0
>
>         Attachments: 8650-v2.txt, 8650-v3.txt, 8650.txt
>
>
> Currently, only roles with superuser status are permitted to create/drop/grant/revoke
roles, which violates the principal of least privilege. In addition, in order to run {{ALTER
ROLE}} statements a user must log in directly as that role or else be a superuser. This requirement
increases the (ab)use of superuser privileges, especially where roles are created without
{{LOGIN}} privileges to model groups of permissions granted to individual db users. In this
scenario, a superuser is always required if such roles are to be granted and modified.
> We should add more granular permissions to allow administration of roles without requiring
superuser status.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message