[ 
https://issues.apache.org/jira/browse/CASSANDRA-17502?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Tibor Repasi updated CASSANDRA-17502:
-------------------------------------
    Description: 
Inspired by the 
[discussion|https://lists.apache.org/thread/4p92o2obvztkl12hvnrrmlw0cgtl391k] 
about improving security administration, the idea came up to enforce the 
"two-person concept" (a.k.a. two-man rule, four-eyes principle) for the grant 
of roles.

Explanation from [Wikipedia|https://en.wikipedia.org/wiki/Two-man_rule]:
{quote}The two-man rule is a control mechanism designed to achieve a high level 
of security for especially critical material or operations. Under this rule 
access and actions require the presence of two or more authorized people at all 
times.{quote}

The idea can be summarised as having an option - e.g. GRANTORS - on roles to 
define how many grantors are needed for a user to have a specific role granted.

Think about a keyspace containing highly sensitive data (e.g. patientdata) and 
a role - patientdata_access - allowing its grantees to access the data.
{code}
CREATE KEYSPACE patientdata …;
CREATE ROLE r_patientdata_access WITH GRANTORS=2;
GRANT SELECT, MODIFY ON KEYSPACE patientdata TO r_patientdata_access;

CREATE ROLE r_security_admin;
GRANT AUTHORIZE ON ROLE r_patientdata_access TO r_security_admin;
GRANT r_security_admin TO security_admin_1;
GRANT r_security_admin TO security_admin_2;
GRANT r_security_admin TO security_admin_3;
{code}
Security admins are allowed to grant the role, but it would need at least two 
of them (as defined by GRANTORS) to do so to allow the user to actually access 
the data.

Thus,
{code}
GRANT r_patientdata_access TO doctor_house;
{code}
must be conducted by at least two different security admins of the available 
ones above.

When GRANTORS defaults to 1, the default behaviour of roles doesn't change.

  was:
Inspired by the 
[discussion|https://lists.apache.org/thread/4p92o2obvztkl12hvnrrmlw0cgtl391k] 
about improving security administration, the idea came up to enforce the 
"two-person concept" (a.k.a. two-man rule) for the grant of roles.

Explanation from [Wikipedia|https://en.wikipedia.org/wiki/Two-man_rule]:
{quote}The two-man rule is a control mechanism designed to achieve a high level 
of security for especially critical material or operations. Under this rule 
access and actions require the presence of two or more authorized people at all 
times.{quote}

The idea can be summarised as having an option - e.g. GRANTORS - on roles to 
define how many grantors are needed for a user to have a specific role granted.

Think about a keyspace containing highly sensitive data (e.g. patientdata) and 
a role - patientdata_access - allowing its grantees to access the data.
{code}
CREATE KEYSPACE patientdata …;
CREATE ROLE r_patientdata_access WITH GRANTORS=2;
GRANT SELECT, MODIFY ON KEYSPACE patientdata TO r_patientdata_access;

CREATE ROLE r_security_admin;
GRANT AUTHORIZE ON ROLE r_patientdata_access TO r_security_admin;
GRANT r_security_admin TO security_admin_1;
GRANT r_security_admin TO security_admin_2;
GRANT r_security_admin TO security_admin_3;
{code}
Security admins are allowed to grant the role, but it would need at least two 
of them (as defined by GRANTORS) to do so to allow the user to actually access 
the data.

Thus,
{code}
GRANT r_patientdata_access TO doctor_house;
{code}
must be conducted by at least two different security admins of the available 
ones above.

When GRANTORS defaults to 1, the default behaviour of roles doesn't change.


> Security enforcement by enabling "two-person concept" authorization
> -------------------------------------------------------------------
>
>                 Key: CASSANDRA-17502
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-17502
>             Project: Cassandra
>          Issue Type: New Feature
>            Reporter: Tibor Repasi
>            Priority: Normal



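The grant semantics proposed in this issue, modelled as an added example (not part of the ticket and not Cassandra code). It assumes that approvals are tracked per grantee, that a repeated GRANT by the same admin does not count twice, and that AUTHORIZE is held directly by each admin rather than through r_security_admin; the class and method names are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Role:
    name: str
    grantors: int = 1   # proposed GRANTORS option; 1 keeps today's behaviour
    members: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)  # grantee -> distinct approving admins

class RoleManager:  # hypothetical model, not Cassandra's role manager
    def __init__(self):
        self.roles = {}
        self.authorize = {}  # role name -> principals holding AUTHORIZE on it

    def create_role(self, name, grantors=1):
        if grantors < 1:
            raise ValueError("GRANTORS must be >= 1")
        self.roles[name] = Role(name, grantors)

    def grant_authorize(self, role_name, admin):
        self.authorize.setdefault(role_name, set()).add(admin)

    def grant(self, role_name, grantee, grantor):
        """Record one GRANT statement; return True once the grant is effective."""
        role = self.roles[role_name]
        if grantor not in self.authorize.get(role_name, set()):
            raise PermissionError(f"{grantor} lacks AUTHORIZE on {role_name}")
        if grantee in role.members:
            return True
        approvals = role.pending.setdefault(grantee, set())
        approvals.add(grantor)  # a set, so the same admin granting twice adds nothing
        if len(approvals) >= role.grantors:
            role.members.add(grantee)
            del role.pending[grantee]
            return True
        return False

    def has_role(self, role_name, principal):
        return principal in self.roles[role_name].members

def demo():
    """Replay the ticket's scenario; one result per GRANT attempt."""
    rm = RoleManager()
    rm.create_role("r_patientdata_access", grantors=2)
    for admin in ("security_admin_1", "security_admin_2", "security_admin_3"):
        rm.grant_authorize("r_patientdata_access", admin)
    attempts = ("security_admin_1", "security_admin_1", "security_admin_3")
    return [rm.grant("r_patientdata_access", "doctor_house", a) for a in attempts]
```
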