cassandra-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sam Tunnicliffe (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CASSANDRA-7216) Restricted superuser account request
Date Tue, 24 Mar 2015 11:59:53 GMT

    [ https://issues.apache.org/jira/browse/CASSANDRA-7216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14377751#comment-14377751
] 

Sam Tunnicliffe commented on CASSANDRA-7216:
--------------------------------------------

Out of the box, you can't do exactly what you're describing as the provisioning user needs
to have CREATE permission on all keyspaces so that it can create each tenant keyspace. Creating
the tenant keyspace automatically grants all permissions on the keyspace to the creator, but
these can simply be revoked immediately. Also, we only need to grant CREATE on the tenant
keyspace to the tenant user as it will automatically be granted full permissions on any tables
it creates.

So the recipe would be:

During installation:
1. "superuser" creates "provisioning_user" with permissions to create users and to create
keyspaces.
"provisioning_user" does not have SELECT permissions on any external keyspaces.
2. Delete "superuser". For security reasons we don't want a superuser in the system.

Provision a new tenant:
1. "provisioning_user" creates a keyspace and "tenant_user" for every new tenant, e.g. create
keyspace "acme" and "acme_user".
2. "provisioning_user" grants permissions to "tenant_user" to create tables in the tenant
keyspace.
3. "provisioning_user" revokes all of its own permissions on the tenant keyspace.
4. "tenant_user" creates the tables and indexes for application use.

The only Cassandra user that can drop/alter/query/modify tables in the tenant keyspace is
"tenant_user", however "provisioning_user" is still able to create new tables in any tenant
keyspace, by virtue of it's CREATE permission on all keyspaces.

The full solution you're looking for could be easily implemented with a custom IRolemanager
which extends CassandraRoleManager. When creating a new tenant role, it could automatically
create the tenant keyspace and grant the new tenant role the appropriate permissions. That
way, the provisioning user never needs any keyspace permissions, only the ability to create
roles.

> Restricted superuser account request
> ------------------------------------
>
>                 Key: CASSANDRA-7216
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-7216
>             Project: Cassandra
>          Issue Type: Sub-task
>            Reporter: Oded Peer
>            Assignee: Sam Tunnicliffe
>            Priority: Minor
>             Fix For: 3.0
>
>         Attachments: 7216-8650.txt, 7216-POC.txt, 7216.txt
>
>
> I am developing a multi-tenant service.
> Every tenant has its own user, keyspace and can access only his keyspace.
> As new tenants are provisioned there is a need to create new users and keyspaces.
> Only a superuser can issue CREATE USER requests, so we must have a super user account
in the system. On the other hand super users have access to all the keyspaces, which poses
a security risk.
> For tenant provisioning I would like to have a restricted account which can only create
new users, without read access to keyspaces.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message