Posted to commits@cassandra.apache.org by "Maxim Chanturiay (Jira)" <ji...@apache.org> on 2022/11/10 09:45:00 UTC
[jira] [Commented] (CASSANDRA-18018) List command output not correct for super user, after grant command
[ https://issues.apache.org/jira/browse/CASSANDRA-18018?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17631559#comment-17631559 ]
Maxim Chanturiay commented on CASSANDRA-18018:
----------------------------------------------
Since CREATE USER is deprecated ([https://cassandra.apache.org/doc/4.1/cassandra/cql/security.html#users]), I've looked at the issue with the CREATE ROLE command.
Let's create 2 new SUPERUSER roles.
{code:java}
cassandra@cqlsh> CREATE ROLE IF NOT EXISTS superuser_joe WITH SUPERUSER = true AND LOGIN = true AND PASSWORD = 'super';
cassandra@cqlsh>
cassandra@cqlsh> CREATE ROLE IF NOT EXISTS superuser_jane WITH SUPERUSER = true AND LOGIN = true AND PASSWORD = 'super';
cassandra@cqlsh>
{code}
Let's login to role "superuser_joe" and create a new keyspace.
{code:java}
cassandra@cqlsh> LOGIN superuser_joe
Password:
superuser_joe@cqlsh>
superuser_joe@cqlsh> CREATE KEYSPACE test_keyspace WITH replication = {'class' : 'NetworkTopologyStrategy', 'datacenter1' : 1 };
superuser_joe@cqlsh>
{code}
When we query the "system_auth.role_permissions" table, entries for "superuser_joe" are updated as expected regarding the new keyspace.
However, there are no expected entries regarding permissions on the ALL ROLES resource.
{code:java}
superuser_joe@cqlsh> SELECT * FROM system_auth.role_permissions WHERE role = 'superuser_joe';
@ Row 1
-------------+--------------------------------------------------------------
role | superuser_joe
resource | data/test_keyspace
permissions | {'ALTER', 'AUTHORIZE', 'CREATE', 'DROP', 'MODIFY', 'SELECT'}
@ Row 2
-------------+--------------------------------------------------------------
role | superuser_joe
resource | functions/test_keyspace
permissions | {'ALTER', 'AUTHORIZE', 'CREATE', 'DROP', 'EXECUTE'}
(2 rows)
{code}
Now, let's list the permissions for the user "superuser_jane".
There are entries regarding neither the ALL ROLES resource (not as expected) nor the new keyspace (as expected, actually).
{code:java}
superuser_joe@cqlsh> SELECT * FROM system_auth.role_permissions WHERE role = 'superuser_jane';
role | resource | permissions
------+----------+-------------
(0 rows)
{code}
However, "superuser_jane" is able to manage the new keyspace.
An execution of one such command, for example CREATE, unexpectedly succeeds.
{code:java}
superuser_joe@cqlsh> LOGIN superuser_jane
Password:
superuser_jane@cqlsh> CREATE TABLE test_keyspace.test_table (a text, b int, primary key (b));
superuser_jane@cqlsh>
superuser_jane@cqlsh> SELECT * FROM system_auth.role_permissions WHERE role = 'superuser_jane';
@ Row 1
-------------+----------------------------------------------------
role | superuser_jane
resource | data/test_keyspace/test_table
permissions | {'ALTER', 'AUTHORIZE', 'DROP', 'MODIFY', 'SELECT'}
(1 rows)
{code}
In summary, it seems that there are 2 bugs here:
1. Table "system_auth.role_permissions" is not updated with an entry regarding permissions on the ALL ROLES resource for new roles with SUPERUSER = true.
The expected behavior stated in the official DataStax documentation is that new SUPERUSER roles are to have AUTHORIZE, CREATE and DROP permissions on ALL ROLES by default.
References:
- [https://docs.datastax.com/en/cql-oss/3.x/cql/cql_reference/cqlCreateRole.html] (CREATE ROLE -> SUPERUSER)
2. Newly created SUPERUSER roles are able to manage resources other than ALL ROLES - which is not the expected behavior.
Every permission for a resource that is not ALL ROLES should be granted explicitly.
References:
- [https://docs.datastax.com/en/cql-oss/3.x/cql/cql_reference/cqlCreateRole.html] (CREATE ROLE -> SUPERUSER)
An additional issue is that the official Cassandra documentation doesn't have a description for the creation of either a SUPERUSER role or user.
There is also no link which leads to such a description. I couldn't understand what the expected behavior of SUPERUSER upon its creation is from:
- [https://cassandra.apache.org/doc/4.1/cassandra/cql/security.html#create-role-statement]
- [https://cassandra.apache.org/doc/4.1/cassandra/cql/security.html#create-user-statement]
> List command output not correct for super user, after grant command
> -------------------------------------------------------------------
>
> Key: CASSANDRA-18018
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18018
> Project: Cassandra
> Issue Type: Bug
> Components: Feature/Authorization
> Reporter: Shailaja Koppu
> Priority: Normal
> Labels: lhf
>
> Running local Cassandra with below config:
> {noformat}
> authenticator: PasswordAuthenticator
> authorizer: CassandraAuthorizer
> role_manager: CassandraRoleManager
> network_authorizer: CassandraNetworkAuthorizer
> {noformat}
> Created a super user and then ran *Grant select* command on a keyspace.
> {noformat}
> shaadmin1@cqlsh> CREATE USER 'shaadmin1c1' WITH PASSWORD 'shaadmin1c1' SUPERUSER;
> shaadmin1@cqlsh:system_auth> grant select on testk1.t1 to shaadmin1c1;
> shaadmin1@cqlsh:system_auth> alter role shaadmin1c1 with access to all datacenters;
> {noformat}
>
> After this, the list permissions command shows only the select permission for that role on the resource.
> {noformat}
> shaadmin1c1@cqlsh> list all permissions of shaadmin1c1;
> role | username | resource | permission
> -------------+-------------+-------------------+-----------
> shaadmin1c1 | shaadmin1c1 | <table testk1.t1> | SELECT
> {noformat}
>
> Row in role_permissions table:
> {noformat}
> role | resource | permissions
> -------------+----------------+-------------
> shaadmin1c1 | data/testk1/t1 | {'SELECT'}
> {noformat}
> But an insert command by that role on the resource is successful because the role is a super user.
> {noformat}
> shaadmin1c1@cqlsh> insert into testk1.t1 (c1, c2) values ('a', 1);
> shaadmin1c1@cqlsh> select * from testk1.t1 ;
> c1 | c2
> ---+---
> a | 1
> (1 rows)
> {noformat}
>
> The problem is, the output of the list permissions command, which indicates only the select permission on the resource, is misleading. I think the list command needs to be fixed to show all permissions a super user has on the resource. Also, the grant command for a super user can be either a no-op or throw an error, because the role already has the requested permissions.
>
> The documentation is also misleading:
> {quote}True automatically grants AUTHORIZE, CREATE and DROP permission on ALL ROLES.
> Superusers can only manage roles by default. To manage other resources, {color:#ff0000}you must grant the permission set to that resource.{color} For example, to allow access management for all keyspaces: {{GRANT ALL PERMISSIONS ON ALL KEYSPACES TO *role_name*}}.
> {quote}
>
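The core of the report is that the rows in system_auth.role_permissions (what LIST ALL PERMISSIONS prints) are not the same thing as what the authorizer will actually allow: a superuser bypasses the table entirely, so a stored {'SELECT'} grant hides an effective MODIFY. The following audit helper, added here as an illustration and not code from the Cassandra project, models that gap so an operator can flag roles whose listed grants understate their access. The sample rows are constructed from the report; the modelled semantics (superuser bypass, union of grants along the data/keyspace/table resource chain, and the permission name set) are assumptions stated in the comments, not a reading of Cassandra's own source.

```python
"""Audit helper: reconcile stored grants with effective access for Cassandra roles.

Added example, not project code. Sample data is constructed to mirror the
rows shown in CASSANDRA-18018; the authorization semantics below are modelled
assumptions for illustration.
"""

# Assumed permission vocabulary (data/function permissions seen in the report
# plus DESCRIBE); adjust for the Cassandra version you run.
ALL_PERMISSIONS = frozenset(
    {"CREATE", "ALTER", "DROP", "SELECT", "MODIFY", "AUTHORIZE", "DESCRIBE", "EXECUTE"}
)

# Constructed rows shaped like system_auth.roles (role -> is_superuser) and
# system_auth.role_permissions ((role, resource) -> permissions).
ROLES = {"shaadmin1c1": True, "analyst": False}
ROLE_PERMISSIONS = {
    ("shaadmin1c1", "data/testk1/t1"): {"SELECT"},   # the grant from the report
    ("analyst", "data/testk1"): {"SELECT"},          # keyspace-level grant
}


def resource_chain(resource):
    """Most-specific to least-specific ancestors of a resource path.

    'data/testk1/t1' -> ['data/testk1/t1', 'data/testk1', 'data'].
    Assumption: grants on a parent apply to its children.
    """
    parts = resource.split("/")
    return ["/".join(parts[:i]) for i in range(len(parts), 0, -1)]


def stored_permissions(role, resource):
    """What LIST ALL PERMISSIONS reports: explicit rows for the resource and its parents."""
    perms = set()
    for ancestor in resource_chain(resource):
        perms |= ROLE_PERMISSIONS.get((role, ancestor), set())
    return perms


def effective_permissions(role, resource):
    """What the authorizer actually allows.

    Assumption modelled from the report: a superuser is never checked against
    role_permissions, so it effectively holds every permission on every resource.
    """
    if ROLES.get(role, False):
        return set(ALL_PERMISSIONS)
    return stored_permissions(role, resource)


def audit(role, resource):
    """Return (stored, effective, hidden).

    `hidden` is the set of permissions the role can exercise that LIST output
    would not show; non-empty only for superusers under the modelled semantics.
    """
    stored = stored_permissions(role, resource)
    effective = effective_permissions(role, resource)
    return stored, effective, effective - stored


def report():
    """One line per stored grant, flagging superusers whose listed grants understate access."""
    lines = []
    for role, resource in sorted(ROLE_PERMISSIONS):
        stored, _effective, hidden = audit(role, resource)
        kind = "SUPERUSER" if ROLES.get(role) else "normal"
        lines.append(
            f"{role:12} {resource:16} {kind:9} stored={sorted(stored)} hidden={sorted(hidden)}"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Running it prints one line per grant; the shaadmin1c1 line shows stored=['SELECT'] alongside every other permission as hidden, which is exactly the mismatch the reporter hit when the INSERT succeeded. Feeding it real rows exported from system_auth.roles and system_auth.role_permissions (with the semantics adjusted to the version in use) gives a quick check that no superuser is being reviewed on the basis of its LIST output alone.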
--
This message was sent by Atlassian Jira
(v8.20.10#820010)