[ https://issues.apache.org/jira/browse/CASSANDRA-8650?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14304100#comment-14304100 ]
Aleksey Yeschenko commented on CASSANDRA-8650: ---------------------------------------------- Some nits and notes: - CA#resourceFromName() seems useful in a generic way. Should go into a shared helper class (o.a.c.auth.Resources?) - CA#convertLegacyData() shouldn’t just copy permissions verbatim now, but filter out CREATE on table resources, too - Permission#filterForResource() - would be cleaner to have boolean IResource#isValidPermission(Permission), or just Set<Permission> IResource#applicablePermissions() (not married to the names. instanceof/isinstance is a code smell tho) - with that in, and our new limitations on CREATE, we can get rid of Permission.{ALL_DATA|ALL_ROLE}, and just use IResource#applicablePermissions() instead in all places - I’d rather use DESCRIBE than SELECT for LIST ROLES, given that DESCRIBE is going to happen anyway (CASSANDRA-8163) - RoleResource#toString() needs an @Override annotation - does it make any sense to have IAuthorizer#revokeAll(String role) and IAuthorizer#revokeAll(IResource resource), now that roles are resources themselves? - the superuser check in GrantRoleStatement#checkAccess feels redundant to me. Just having AUTHORIZE there should be enough. Am I missing something? Same question w/ RevokeRoleStatement - for clarity, would be nice to rename GrantStatement to GrantPermissionStatement (to match GrantRoleStatement) - likewise with RevokeStatement. Neither of these two things have been introduced in the patch, but renaming them here kinda makes sense - similarly, either PermissionAlteringStatement should become PermissionManagementStatement, or RoleManagementStatement should become RoleAlteringStatement > Creation and maintenance of roles should not require superuser status > --------------------------------------------------------------------- > > Key: CASSANDRA-8650 > URL: https://issues.apache.org/jira/browse/CASSANDRA-8650 > Project: Cassandra > Issue Type: Sub-task > Components: Core > Reporter: Sam Tunnicliffe > Assignee: Sam Tunnicliffe > Labels: cql, security > Fix For: 3.0 > > Attachments: 8650-v2.txt, 8650-v3.txt, 8650.txt > > > Currently, only roles with superuser status are permitted to > create/drop/grant/revoke roles, which violates the principal of least > privilege. In addition, in order to run {{ALTER ROLE}} statements a user must > log in directly as that role or else be a superuser. This requirement > increases the (ab)use of superuser privileges, especially where roles are > created without {{LOGIN}} privileges to model groups of permissions granted > to individual db users. In this scenario, a superuser is always required if > such roles are to be granted and modified. > We should add more granular permissions to allow administration of roles > without requiring superuser status. -- This message was sent by Atlassian JIRA (v6.3.4#6332)