[ https://issues.apache.org/jira/browse/CASSANDRA-8650?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14285363#comment-14285363 ]
Sam Tunnicliffe commented on CASSANDRA-8650: -------------------------------------------- Syntactically, this is similar to the way Oracle does things. There, creation/modification/deletion of roles are system privileges which are conferred using {{GRANT}} syntax. http://docs.oracle.com/cd/E11882_01/server.112/e41084/statements_9013.htm#i2062318 http://docs.oracle.com/cd/E11882_01/network.112/e36292/authorization.htm#DBSEG004 In Postgres {{CREATEROLE}} is top level role attribute like {{SUPERUSER}} and {{LOGIN}}, which covers all role management functions: {code} CREATE ROLE foo NOSUPERUSER LOGIN CREATEROLE; ALTER ROLE foo NOCREATEROLE; {code} http://www.postgresql.org/docs/9.4/static/role-attributes.html We could certainly implement this alternative in Cassandra, either by adding another role attribute (and a corresponding method to IRoleManager) or by just adopting the syntax and having it work with permissions under the hood. > Creation and maintenance of roles should not require superuser status > --------------------------------------------------------------------- > > Key: CASSANDRA-8650 > URL: https://issues.apache.org/jira/browse/CASSANDRA-8650 > Project: Cassandra > Issue Type: Improvement > Components: Core > Reporter: Sam Tunnicliffe > Assignee: Sam Tunnicliffe > Labels: cql, security > Fix For: 3.0 > > Attachments: 8650.txt > > > Currently, only roles with superuser status are permitted to > create/drop/grant/revoke roles, which violates the principal of least > privilege. In addition, in order to run {{ALTER ROLE}} statements a user must > log in directly as that role or else be a superuser. This requirement > increases the (ab)use of superuser privileges, especially where roles are > created without {{LOGIN}} privileges to model groups of permissions granted > to individual db users. In this scenario, a superuser is always required if > such roles are to be granted and modified. > We should add more granular permissions to allow administration of roles > without requiring superuser status. -- This message was sent by Atlassian JIRA (v6.3.4#6332)