You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@cassandra.apache.org by "Sam Tunnicliffe (JIRA)" <ji...@apache.org> on 2015/01/20 17:04:35 UTC

[jira] [Created] (CASSANDRA-8650) Creation and maintenance of roles should not require superuser status

Sam Tunnicliffe created CASSANDRA-8650:
------------------------------------------

             Summary: Creation and maintenance of roles should not require superuser status
                 Key: CASSANDRA-8650
                 URL: https://issues.apache.org/jira/browse/CASSANDRA-8650
             Project: Cassandra
          Issue Type: Improvement
          Components: Core
            Reporter: Sam Tunnicliffe
             Fix For: 3.0


Currently, only roles with superuser status are permitted to create/drop/grant/revoke roles, which violates the principal of least privilege. In addition, in order to run {{ALTER ROLE}} statements a user must log in directly as that role or else be a superuser. This requirement increases the (ab)use of superuser privileges, especially where roles are created without {{LOGIN}} privileges to model groups of permissions granted to individual db users. In this scenario, a superuser is always required if such roles are to be granted and modified.

We should add more granular permissions to allow administration of roles without requiring superuser status.




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)