[
https://issues.apache.org/jira/browse/CASSANDRA-17502?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Tibor Repasi updated CASSANDRA-17502:
-------------------------------------
Description:
Inspired by the
[discussion|https://lists.apache.org/thread/4p92o2obvztkl12hvnrrmlw0cgtl391k]
about improving security administration the idea came up to enforce "two-man
rule" grant of roles.
Explanation from [Wikipedia|https://en.wikipedia.org/wiki/Two-man_rule]:
{quote}The two-man rule is a control mechanism designed to achieve a high level
of security for especially critical material or operations. Under this rule
access and actions require the presence of two or more authorized people at all
times.
{quote}
The idea summarise as having an option - e.g. GRANTORS - on roles to define how
many grantors does it need for a user to have a specific role granted.
Think about a keyspace containing highly sensitive data (e.g. patientdata) and
a role - patientdata_access - allowing its grantees to access the data.
{code}
CREATE KEYSPACE patientdata …;
CREATE ROLE patientdata_access WITH GRANTORS=2;
GRANT SELECT, MODIFY ON patientdata TO patientdata_access;
CREATE ROLE security_admin;
GRANT AUTHORIZE patientdata_access TO security_admin;
GRANT security_admin TO admin_guy1;
GRANT security_admin TO admin_guy2;
GRANT security_admin TO admin_guy3;
{code}
Security admins are allowed to grant the role, but it would need at least two
of them (as defined by GRANTORS) to do so to allow the user to actually access
the data.
Thus,
{code}
GRANT patientdata_access TO doctor_house;
{code}
must be conducted by at least two different admin_guys of the available ones
above.
When GRANTORS defaults to 1, the default behaviour of roles doesn't change.
was:
Inspired by the
[discussion|https://lists.apache.org/thread/4p92o2obvztkl12hvnrrmlw0cgtl391k]
about improving security administration the idea came up to enforce "two-man
rule" grant of roles.
Explanation from [Wikipedia|https://en.wikipedia.org/wiki/Two-man_rule]:
{quote}The two-man rule is a control mechanism designed to achieve a high level
of security for especially critical material or operations. Under this rule
access and actions require the presence of two or more authorized people at all
times.
{quote}
The idea summarise as having an option - e.g. GRANTORS - on roles to define how
many grantors does it need for a user to have a specific role granted.
Think about a keyspace containing highly sensitive data (e.g. patientdata) and
a role - patientdata_access - allowing its grantees to access the data.
{code}
CREATE KEYSPACE patientdata …;
CREATE ROLE patientdata_access WITH GRANTORS=2;
GRANT SELECT, MODIFY ON patientdata TO patientdata_access;
CREATE ROLE security_admin;
GRANT AUTHORIZE patientdata_access TO security_admin;
GRANT security_admin TO admin_guy1;
GRANT security_admin TO admin_guy2;
GRANT security_admin TO admin_guy3;
{code}
Security admins are allowed to grant the role, but it would need at least two
of them (as defined by GRANTORS) to do so to allow the user to actually access
the data.
Thus,
{code}
GRANT patientdata_access TO doctor_house;
{code}
must be conducted by at least two of the three admin_guys above.
When GRANTORS defaults to 1, the default behaviour of roles doesn't change.
> Security enforcement by enabling "two-man rule" authorization
> -------------------------------------------------------------
>
> Key: CASSANDRA-17502
> URL: https://issues.apache.org/jira/browse/CASSANDRA-17502
> Project: Cassandra
> Issue Type: New Feature
> Reporter: Tibor Repasi
> Priority: Normal
>
> Inspired by the
> [discussion|https://lists.apache.org/thread/4p92o2obvztkl12hvnrrmlw0cgtl391k]
> about improving security administration the idea came up to enforce "two-man
> rule" grant of roles.
> Explanation from [Wikipedia|https://en.wikipedia.org/wiki/Two-man_rule]:
> {quote}The two-man rule is a control mechanism designed to achieve a high
> level of security for especially critical material or operations. Under this
> rule access and actions require the presence of two or more authorized people
> at all times.
> {quote}
> The idea summarise as having an option - e.g. GRANTORS - on roles to define
> how many grantors does it need for a user to have a specific role granted.
> Think about a keyspace containing highly sensitive data (e.g. patientdata)
> and a role - patientdata_access - allowing its grantees to access the data.
> {code}
> CREATE KEYSPACE patientdata …;
> CREATE ROLE patientdata_access WITH GRANTORS=2;
> GRANT SELECT, MODIFY ON patientdata TO patientdata_access;
> CREATE ROLE security_admin;
> GRANT AUTHORIZE patientdata_access TO security_admin;
> GRANT security_admin TO admin_guy1;
> GRANT security_admin TO admin_guy2;
> GRANT security_admin TO admin_guy3;
> {code}
> Security admins are allowed to grant the role, but it would need at least two
> of them (as defined by GRANTORS) to do so to allow the user to actually
> access the data.
> Thus,
> {code}
> GRANT patientdata_access TO doctor_house;
> {code}
> must be conducted by at least two different admin_guys of the available ones
> above.
> When GRANTORS defaults to 1, the default behaviour of roles doesn't change.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
