[jira] [Updated] (CASSANDRA-8650) Creation and maintenance of roles should not require superuser status
[
https://issues.apache.org/jira/browse/CASSANDRA-8650?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sam Tunnicliffe updated CASSANDRA-8650:
---
Component/s: Distributed Metadata
CQL
> Creation and maintenance of roles should not require superuser status
> -
>
> Key: CASSANDRA-8650
> URL: https://issues.apache.org/jira/browse/CASSANDRA-8650
> Project: Cassandra
> Issue Type: Sub-task
> Components: CQL, Distributed Metadata
>Reporter: Sam Tunnicliffe
>Assignee: Sam Tunnicliffe
> Labels: cql, security
> Fix For: 2.2.0 beta 1
>
> Attachments: 8650-v2.txt, 8650-v3.txt, 8650.txt
>
>
> Currently, only roles with superuser status are permitted to
> create/drop/grant/revoke roles, which violates the principal of least
> privilege. In addition, in order to run {{ALTER ROLE}} statements a user must
> log in directly as that role or else be a superuser. This requirement
> increases the (ab)use of superuser privileges, especially where roles are
> created without {{LOGIN}} privileges to model groups of permissions granted
> to individual db users. In this scenario, a superuser is always required if
> such roles are to be granted and modified.
> We should add more granular permissions to allow administration of roles
> without requiring superuser status.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Updated] (CASSANDRA-8650) Creation and maintenance of roles should not require superuser status
[
https://issues.apache.org/jira/browse/CASSANDRA-8650?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sam Tunnicliffe updated CASSANDRA-8650:
---
Attachment: 8650-v3.txt
Attached v3 with a 2-level role resource hierarchy
Creation and maintenance of roles should not require superuser status
-
Key: CASSANDRA-8650
URL: https://issues.apache.org/jira/browse/CASSANDRA-8650
Project: Cassandra
Issue Type: Sub-task
Components: Core
Reporter: Sam Tunnicliffe
Assignee: Sam Tunnicliffe
Labels: cql, security
Fix For: 3.0
Attachments: 8650-v2.txt, 8650-v3.txt, 8650.txt
Currently, only roles with superuser status are permitted to
create/drop/grant/revoke roles, which violates the principal of least
privilege. In addition, in order to run {{ALTER ROLE}} statements a user must
log in directly as that role or else be a superuser. This requirement
increases the (ab)use of superuser privileges, especially where roles are
created without {{LOGIN}} privileges to model groups of permissions granted
to individual db users. In this scenario, a superuser is always required if
such roles are to be granted and modified.
We should add more granular permissions to allow administration of roles
without requiring superuser status.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Updated] (CASSANDRA-8650) Creation and maintenance of roles should not require superuser status
[
https://issues.apache.org/jira/browse/CASSANDRA-8650?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sam Tunnicliffe updated CASSANDRA-8650:
---
Attachment: 8650-v2.txt
V2 with a new IResource implementation representing database roles.
Creation and maintenance of roles should not require superuser status
-
Key: CASSANDRA-8650
URL: https://issues.apache.org/jira/browse/CASSANDRA-8650
Project: Cassandra
Issue Type: Sub-task
Components: Core
Reporter: Sam Tunnicliffe
Assignee: Sam Tunnicliffe
Labels: cql, security
Fix For: 3.0
Attachments: 8650-v2.txt, 8650.txt
Currently, only roles with superuser status are permitted to
create/drop/grant/revoke roles, which violates the principal of least
privilege. In addition, in order to run {{ALTER ROLE}} statements a user must
log in directly as that role or else be a superuser. This requirement
increases the (ab)use of superuser privileges, especially where roles are
created without {{LOGIN}} privileges to model groups of permissions granted
to individual db users. In this scenario, a superuser is always required if
such roles are to be granted and modified.
We should add more granular permissions to allow administration of roles
without requiring superuser status.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Updated] (CASSANDRA-8650) Creation and maintenance of roles should not require superuser status
[
https://issues.apache.org/jira/browse/CASSANDRA-8650?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Aleksey Yeschenko updated CASSANDRA-8650:
-
Issue Type: Sub-task (was: Improvement)
Parent: CASSANDRA-8394
Creation and maintenance of roles should not require superuser status
-
Key: CASSANDRA-8650
URL: https://issues.apache.org/jira/browse/CASSANDRA-8650
Project: Cassandra
Issue Type: Sub-task
Components: Core
Reporter: Sam Tunnicliffe
Assignee: Sam Tunnicliffe
Labels: cql, security
Fix For: 3.0
Attachments: 8650.txt
Currently, only roles with superuser status are permitted to
create/drop/grant/revoke roles, which violates the principal of least
privilege. In addition, in order to run {{ALTER ROLE}} statements a user must
log in directly as that role or else be a superuser. This requirement
increases the (ab)use of superuser privileges, especially where roles are
created without {{LOGIN}} privileges to model groups of permissions granted
to individual db users. In this scenario, a superuser is always required if
such roles are to be granted and modified.
We should add more granular permissions to allow administration of roles
without requiring superuser status.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Updated] (CASSANDRA-8650) Creation and maintenance of roles should not require superuser status
[
https://issues.apache.org/jira/browse/CASSANDRA-8650?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Philip Thompson updated CASSANDRA-8650:
---
Tester: Philip Thompson
Creation and maintenance of roles should not require superuser status
-
Key: CASSANDRA-8650
URL: https://issues.apache.org/jira/browse/CASSANDRA-8650
Project: Cassandra
Issue Type: Improvement
Components: Core
Reporter: Sam Tunnicliffe
Assignee: Sam Tunnicliffe
Labels: cql, security
Fix For: 3.0
Attachments: 8650.txt
Currently, only roles with superuser status are permitted to
create/drop/grant/revoke roles, which violates the principal of least
privilege. In addition, in order to run {{ALTER ROLE}} statements a user must
log in directly as that role or else be a superuser. This requirement
increases the (ab)use of superuser privileges, especially where roles are
created without {{LOGIN}} privileges to model groups of permissions granted
to individual db users. In this scenario, a superuser is always required if
such roles are to be granted and modified.
We should add more granular permissions to allow administration of roles
without requiring superuser status.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Updated] (CASSANDRA-8650) Creation and maintenance of roles should not require superuser status
[
https://issues.apache.org/jira/browse/CASSANDRA-8650?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sam Tunnicliffe updated CASSANDRA-8650:
---
Attachment: 8650.txt
A question is on which resource should these new privileges be granted? In this
initial patch I've added a number of new permissions : {{CREATE_ROLE}},
{{DROP_ROLE}}, {{ALTER_ROLE}}, {{GRANT_ROLE}} {{REVOKE_ROLE}}. As roles are
not intrinsically linked to particular keyspaces or tables, it doesn't make
sense to allow these permissions to be granted at those levels (what would it
mean to have {{CREATE_ROLE}} permissions on a specific keyspace?). So, it is
only valid to grant those permissions at the root resource level, which is
enforced in the CQL syntax. Rather than follow the existing {{GRANT
permission ON resource TO grantee}} syntax, role management privileges
are grouped into a pseudo-role, {{ROLEADMIN}}, which can be granted to regular
roles like so:
{code}
GRANT ROLEADMIN TO foo;
{code}
This statement enables {{foo}} and other roles granted {{foo}} to perform
{{CREATE ROLE}}, {{ALTER ROLE}} {{DROP ROLE}} statements, plus the ability to
{{GRANT}} and {{REVOKE}} roles. {{foo}} (or any role it is granted to), must
also have {{AUTHORIZE}} permissions on a keyspace or table to be able to grant
permissions to any role created.
Giving or taking away superuser status still requires the actor to be a
superuser. {{GRANT role TO grantee}} or {{REVOKE role FROM revokee}}
require superuser status if {{role}} has it (either directly or inherited).
Likewise, the {{SUPERUSER}} option may only be used in {{CREATE ROLE role}}
and {{ALTER ROLE role}} when the logged in user has superuser status.
Finally, {{DROP ROLE role}} where {{role}} has superuser status also
requires the logged in user to be a superuser.
Modifying other alterable options now requires only the {{ALTER_ROLE}}
permission, not superuser status. For example, a user who has been granted
{{ROLEADMIN}} may modify the password or login status of another role.
dtests added here: https://github.com/beobal/cassandra-dtest/tree/cassandra-8650
Creation and maintenance of roles should not require superuser status
-
Key: CASSANDRA-8650
URL: https://issues.apache.org/jira/browse/CASSANDRA-8650
Project: Cassandra
Issue Type: Improvement
Components: Core
Reporter: Sam Tunnicliffe
Assignee: Sam Tunnicliffe
Labels: cql, security
Fix For: 3.0
Attachments: 8650.txt
Currently, only roles with superuser status are permitted to
create/drop/grant/revoke roles, which violates the principal of least
privilege. In addition, in order to run {{ALTER ROLE}} statements a user must
log in directly as that role or else be a superuser. This requirement
increases the (ab)use of superuser privileges, especially where roles are
created without {{LOGIN}} privileges to model groups of permissions granted
to individual db users. In this scenario, a superuser is always required if
such roles are to be granted and modified.
We should add more granular permissions to allow administration of roles
without requiring superuser status.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
