[ https://issues.apache.org/jira/browse/CASSANDRA-17502?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17515092#comment-17515092 ]
Tibor Repasi commented on CASSANDRA-17502:
------------------------------------------

Sure, and I agree with that as well. However, the concept is widely known as the "two-man rule," sometimes referred to as the "two-person concept", which sounds more appropriate. Along with the other suggestions, I have changed the wording, except for the quote.

> Security enforcement by enabling "two-person concept" authorization
> -------------------------------------------------------------------
>
>                 Key: CASSANDRA-17502
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-17502
>             Project: Cassandra
>          Issue Type: New Feature
>            Reporter: Tibor Repasi
>            Priority: Normal
>
> Inspired by the
> [discussion|https://lists.apache.org/thread/4p92o2obvztkl12hvnrrmlw0cgtl391k]
> about improving security administration, the idea came up to enforce
> "two-person concept" (a.k.a. two-man rule) grant of roles.
> Explanation from [Wikipedia|https://en.wikipedia.org/wiki/Two-man_rule]:
> {quote}The two-man rule is a control mechanism designed to achieve a high
> level of security for especially critical material or operations. Under this
> rule access and actions require the presence of two or more authorized people
> at all times.{quote}
> The idea can be summarised as having an option - e.g. GRANTORS - on roles to define
> how many grantors it needs for a user to have a specific role granted.
> Think about a keyspace containing highly sensitive data (e.g. patientdata)
> and a role - patientdata_access - allowing its grantees to access the data.
> {code}
> CREATE KEYSPACE patientdata …;
> CREATE ROLE r_patientdata_access WITH GRANTORS=2;
> GRANT SELECT, MODIFY ON patientdata TO r_patientdata_access;
> CREATE ROLE r_security_admin;
> GRANT AUTHORIZE r_patientdata_access TO r_security_admin;
> GRANT r_security_admin TO security_admin_1;
> GRANT r_security_admin TO security_admin_2;
> GRANT r_security_admin TO security_admin_3;
> {code}
> Security admins are allowed to grant the role, but it would need at least two
> of them (as defined by GRANTORS) to do so to allow the user to actually
> access the data.
> Thus,
> {code}
> GRANT r_patientdata_access TO doctor_house;
> {code}
> must be conducted by at least two different security admins of the available
> ones above.
> When GRANTORS defaults to 1, the default behaviour of roles doesn't change.
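
The grant flow proposed in the quoted issue, modelled as an added example (not part of the original message and not Cassandra code): a role becomes effective for a grantee only after the number of distinct authorized grantors reaches its GRANTORS value. The class and method names are hypothetical, and AUTHORIZE is attached directly to each admin instead of through r_security_admin to keep the model short.

```python
# Added illustration: toy model of the proposed GRANTORS semantics.
# Not Cassandra code; the class and method names are hypothetical.
from collections import defaultdict


class TwoPersonAuthorizer:
    def __init__(self):
        self.required = {}                   # role -> GRANTORS value
        self.authorizers = defaultdict(set)  # role -> principals allowed to grant it
        self.approvals = defaultdict(set)    # (role, grantee) -> distinct grantors so far

    def create_role(self, role, grantors=1):
        if grantors < 1:
            raise ValueError("GRANTORS must be at least 1")
        self.required[role] = grantors

    def allow_authorize(self, role, principal):
        self.authorizers[role].add(principal)

    def grant(self, role, grantee, grantor):
        """Record one GRANT statement; return True once the role is effective."""
        if role not in self.required:
            raise KeyError(f"unknown role: {role}")
        if grantor not in self.authorizers[role]:
            raise PermissionError(f"{grantor} lacks AUTHORIZE on {role}")
        # A set keeps grantors distinct: a repeat by the same admin adds nothing.
        self.approvals[(role, grantee)].add(grantor)
        return self.has_role(role, grantee)

    def has_role(self, role, grantee):
        return len(self.approvals.get((role, grantee), ())) >= self.required[role]


def demo():
    """Replay the issue's scenario with constructed principals."""
    auth = TwoPersonAuthorizer()
    role = "r_patientdata_access"
    auth.create_role(role, grantors=2)
    for admin in ("security_admin_1", "security_admin_2", "security_admin_3"):
        auth.allow_authorize(role, admin)
    first = auth.grant(role, "doctor_house", "security_admin_1")
    repeat = auth.grant(role, "doctor_house", "security_admin_1")
    second = auth.grant(role, "doctor_house", "security_admin_2")
    return first, repeat, second


if __name__ == "__main__":
    print(demo())  # (False, False, True)
```

With GRANTORS left at 1, a single authorized grant is effective immediately, which matches the unchanged default behaviour described in the issue.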