[jira] [Created] (CASSANDRA-17502) Security enforcement by enabling "two-man rule" authorization

Wed, 30 Mar 2022 10:14:06 -0700 

Tibor Repasi created CASSANDRA-17502:
----------------------------------------

             Summary: Security enforcement by enabling "two-man rule" 
authorization
                 Key: CASSANDRA-17502
                 URL: https://issues.apache.org/jira/browse/CASSANDRA-17502
             Project: Cassandra
          Issue Type: New Feature
            Reporter: Tibor Repasi


Inspired by the 
[discussion|https://lists.apache.org/thread/4p92o2obvztkl12hvnrrmlw0cgtl391k] 
about improving security administration the idea came up to enforce "two-man 
rule" grant of roles.

Explanation from [Wikipedia|https://en.wikipedia.org/wiki/Two-man_rule]:
{quote}The two-man rule is a control mechanism designed to achieve a high level 
of security for especially critical material or operations. Under this rule 
access and actions require the presence of two or more authorized people at all 
times.
{quote}

The idea summarise as having an option - e.g. GRANTORS - on roles to define how 
many grantors does it need for a user to have a specific role granted.

Think about a keyspace containing highly sensitive data (e.g. patientdata) and 
a role - patientdata_access - allowing its grantees to access the data.
{code}
CREATE KEYSPACE patientdata …;
CREATE ROLE patientdata_access WITH GRANTORS=2;
GRANT SELECT, MODIFY ON patientdata TO patientdata_access;

CREATE ROLE security_admin;
GRANT AUTHORIZE patientdata_access TO security_admin;
GRANT security_admin TO admin_guy1;
GRANT security_admin TO admin_guy2;
GRANT security_admin TO admin_guy3;
{code}
Security admins are allowed to grant the role, but it would need at least two 
of them (as defined by GRANTORS) to do so to allow the user to actually access 
the data.

Thus,
{code}
GRANT patientdata_access TO doctor_house;
{code}
must be conducted by at least two of the three admin_guys above.

When GRANTORS defaults to 1, the default behaviour of roles doesn't change.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

Reply via email to