You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@cassandra.apache.org by "Sam Tunnicliffe (JIRA)" <ji...@apache.org> on 2015/01/21 09:44:35 UTC

[jira] [Commented] (CASSANDRA-8650) Creation and maintenance of roles should not require superuser status

    [ https://issues.apache.org/jira/browse/CASSANDRA-8650?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14285363#comment-14285363 ] 

Sam Tunnicliffe commented on CASSANDRA-8650:
--------------------------------------------

Syntactically, this is similar to the way Oracle does things. There, creation/modification/deletion of roles are system privileges which are conferred using {{GRANT}} syntax. 

http://docs.oracle.com/cd/E11882_01/server.112/e41084/statements_9013.htm#i2062318
http://docs.oracle.com/cd/E11882_01/network.112/e36292/authorization.htm#DBSEG004

In Postgres {{CREATEROLE}} is top level role attribute like {{SUPERUSER}} and {{LOGIN}}, which covers all role management functions:

{code}
CREATE ROLE foo NOSUPERUSER LOGIN CREATEROLE;
ALTER ROLE foo NOCREATEROLE;
{code}

http://www.postgresql.org/docs/9.4/static/role-attributes.html

We could certainly implement this alternative in Cassandra, either by adding another role attribute (and a corresponding method to IRoleManager) or by just adopting the syntax and having it work with permissions under the hood.

> Creation and maintenance of roles should not require superuser status
> ---------------------------------------------------------------------
>
>                 Key: CASSANDRA-8650
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-8650
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Core
>            Reporter: Sam Tunnicliffe
>            Assignee: Sam Tunnicliffe
>              Labels: cql, security
>             Fix For: 3.0
>
>         Attachments: 8650.txt
>
>
> Currently, only roles with superuser status are permitted to create/drop/grant/revoke roles, which violates the principal of least privilege. In addition, in order to run {{ALTER ROLE}} statements a user must log in directly as that role or else be a superuser. This requirement increases the (ab)use of superuser privileges, especially where roles are created without {{LOGIN}} privileges to model groups of permissions granted to individual db users. In this scenario, a superuser is always required if such roles are to be granted and modified.
> We should add more granular permissions to allow administration of roles without requiring superuser status.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)