[
https://issues.apache.org/jira/browse/CASSANDRA-8650?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14304100#comment-14304100
]
Aleksey Yeschenko commented on CASSANDRA-8650:
----------------------------------------------
Some nits and notes:
- CA#resourceFromName() seems useful in a generic way. Should go into a shared
helper class (o.a.c.auth.Resources?)
- CA#convertLegacyData() shouldn’t just copy permissions verbatim now, but
filter out CREATE on table resources, too
- Permission#filterForResource() - would be cleaner to have boolean
IResource#isValidPermission(Permission), or just Set<Permission>
IResource#applicablePermissions() (not married to the names.
instanceof/isinstance is a code smell tho)
- with that in, and our new limitations on CREATE, we can get rid of
Permission.{ALL_DATA|ALL_ROLE}, and just use IResource#applicablePermissions()
instead in all places
- I’d rather use DESCRIBE than SELECT for LIST ROLES, given that DESCRIBE is
going to happen anyway (CASSANDRA-8163)
- RoleResource#toString() needs an @Override annotation
- does it make any sense to have IAuthorizer#revokeAll(String role) and
IAuthorizer#revokeAll(IResource resource), now that roles are resources
themselves?
- the superuser check in GrantRoleStatement#checkAccess feels redundant to me.
Just having AUTHORIZE there should be enough. Am I missing something? Same
question w/ RevokeRoleStatement
- for clarity, would be nice to rename GrantStatement to
GrantPermissionStatement (to match GrantRoleStatement)
- likewise with RevokeStatement. Neither of these two things have been
introduced in the patch, but renaming them here kinda makes sense
- similarly, either PermissionAlteringStatement should become
PermissionManagementStatement, or RoleManagementStatement should become
RoleAlteringStatement
> Creation and maintenance of roles should not require superuser status
> ---------------------------------------------------------------------
>
> Key: CASSANDRA-8650
> URL: https://issues.apache.org/jira/browse/CASSANDRA-8650
> Project: Cassandra
> Issue Type: Sub-task
> Components: Core
> Reporter: Sam Tunnicliffe
> Assignee: Sam Tunnicliffe
> Labels: cql, security
> Fix For: 3.0
>
> Attachments: 8650-v2.txt, 8650-v3.txt, 8650.txt
>
>
> Currently, only roles with superuser status are permitted to
> create/drop/grant/revoke roles, which violates the principal of least
> privilege. In addition, in order to run {{ALTER ROLE}} statements a user must
> log in directly as that role or else be a superuser. This requirement
> increases the (ab)use of superuser privileges, especially where roles are
> created without {{LOGIN}} privileges to model groups of permissions granted
> to individual db users. In this scenario, a superuser is always required if
> such roles are to be granted and modified.
> We should add more granular permissions to allow administration of roles
> without requiring superuser status.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
