[ 
https://issues.apache.org/jira/browse/CASSANDRA-17502?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Tibor Repasi updated CASSANDRA-17502:
-------------------------------------
    Summary: Security enforcement by enabling "two-person concept" 
authorization  (was: Security enforcement by enabling "two-man rule" 
authorization)

> Security enforcement by enabling "two-person concept" authorization
> -------------------------------------------------------------------
>
>                 Key: CASSANDRA-17502
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-17502
>             Project: Cassandra
>          Issue Type: New Feature
>            Reporter: Tibor Repasi
>            Priority: Normal
>
> Inspired by the 
> [discussion|https://lists.apache.org/thread/4p92o2obvztkl12hvnrrmlw0cgtl391k] 
> about improving security administration the idea came up to enforce "two-man 
> rule" grant of roles.
> Explanation from [Wikipedia|https://en.wikipedia.org/wiki/Two-man_rule]:
> {quote}The two-man rule is a control mechanism designed to achieve a high 
> level of security for especially critical material or operations. Under this 
> rule access and actions require the presence of two or more authorized people 
> at all times.
> {quote}
> The idea can be summarised as having an option - e.g. GRANTORS - on roles to 
> define how many grantors are needed for a user to have a specific role granted.
> Think about a keyspace containing highly sensitive data (e.g. patientdata) 
> and a role - patientdata_access - allowing its grantees to access the data.
> {code}
> CREATE KEYSPACE patientdata …;
> CREATE ROLE patientdata_access WITH GRANTORS=2;
> GRANT SELECT, MODIFY ON patientdata TO patientdata_access;
> CREATE ROLE security_admin;
> GRANT AUTHORIZE patientdata_access TO security_admin;
> GRANT security_admin TO admin_guy1;
> GRANT security_admin TO admin_guy2;
> GRANT security_admin TO admin_guy3;
> {code}
> Security admins are allowed to grant the role, but it would need at least two 
> of them (as defined by GRANTORS) to do so to allow the user to actually 
> access the data.
> Thus,
> {code}
> GRANT patientdata_access TO doctor_house;
> {code}
> must be conducted by at least two different admin_guys of the available ones 
> above.
> When GRANTORS defaults to 1, the default behaviour of roles doesn't change.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
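
The grant semantics proposed in the issue above, as an added Python model; it is not Cassandra code and not part of the original message. The class and method names are hypothetical, `plain_role` is a constructed name, and AUTHORIZE is attached directly to each admin instead of being inherited through `security_admin`.

```python
class TwoPersonRoles:
    """Toy model of the proposed GRANTORS option; not Cassandra code."""

    def __init__(self):
        self.required = {}     # role -> GRANTORS value
        self.authorizers = {}  # role -> principals allowed to grant it
        self.approvals = {}    # (role, grantee) -> distinct grantors so far

    def create_role(self, role, grantors=1):
        if grantors < 1:
            raise ValueError("GRANTORS must be >= 1")
        self.required[role] = grantors
        self.authorizers[role] = set()

    def grant_authorize(self, role, principal):
        # Flattened: the issue grants AUTHORIZE to security_admin, which
        # the admins then inherit through role membership.
        self.authorizers[role].add(principal)

    def grant(self, role, grantee, grantor):
        """Record one GRANT; return True once the role is effective."""
        if grantor not in self.authorizers[role]:
            raise PermissionError(f"{grantor} may not grant {role}")
        # A set makes a repeated GRANT by the same admin count only once.
        self.approvals.setdefault((role, grantee), set()).add(grantor)
        return self.has_role(role, grantee)

    def has_role(self, role, grantee):
        seen = self.approvals.get((role, grantee), set())
        return len(seen) >= self.required[role]


def demo():
    m = TwoPersonRoles()
    m.create_role("patientdata_access", grantors=2)
    m.create_role("plain_role")  # constructed name; GRANTORS defaults to 1
    for admin in ("admin_guy1", "admin_guy2", "admin_guy3"):
        m.grant_authorize("patientdata_access", admin)
        m.grant_authorize("plain_role", admin)
    return [
        m.grant("patientdata_access", "doctor_house", "admin_guy1"),  # 1 of 2
        m.grant("patientdata_access", "doctor_house", "admin_guy1"),  # repeat
        m.grant("patientdata_access", "doctor_house", "admin_guy3"),  # 2 of 2
        m.grant("plain_role", "doctor_house", "admin_guy2"),          # 1 of 1
    ]
```

The second call shows why the count has to be over distinct grantors: one admin repeating the GRANT must not satisfy GRANTORS=2.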
