[ 
https://issues.apache.org/jira/browse/CASSANDRA-17502?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17515092#comment-17515092
 ] 

Tibor Repasi commented on CASSANDRA-17502:
------------------------------------------

Sure, and I agree with that as well. However, the concept is widely known as 
the "two-man rule," sometimes referred to as the "two-person concept", which 
sounds more appropriate. Along with the other suggestions, I have changed the 
wording, except for the quote.

> Security enforcement by enabling "two-person concept" authorization
> -------------------------------------------------------------------
>
>                 Key: CASSANDRA-17502
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-17502
>             Project: Cassandra
>          Issue Type: New Feature
>            Reporter: Tibor Repasi
>            Priority: Normal
>
> Inspired by the 
> [discussion|https://lists.apache.org/thread/4p92o2obvztkl12hvnrrmlw0cgtl391k] 
> about improving security administration, the idea came up to enforce a 
> "two-person concept" (a.k.a. two-man rule) grant of roles.
> Explanation from [Wikipedia|https://en.wikipedia.org/wiki/Two-man_rule]:
> {quote}The two-man rule is a control mechanism designed to achieve a high 
> level of security for especially critical material or operations. Under this 
> rule access and actions require the presence of two or more authorized people 
> at all times.{quote}
> The idea can be summarised as having an option - e.g. GRANTORS - on roles to 
> define how many grantors are needed for a user to have a specific role granted.
> Think about a keyspace containing highly sensitive data (e.g. patientdata) 
> and a role - patientdata_access - allowing its grantees to access the data.
> {code}
> CREATE KEYSPACE patientdata …;
> CREATE ROLE r_patientdata_access WITH GRANTORS=2;
> GRANT SELECT, MODIFY ON KEYSPACE patientdata TO r_patientdata_access;
> CREATE ROLE r_security_admin;
> GRANT AUTHORIZE ON ROLE r_patientdata_access TO r_security_admin;
> GRANT r_security_admin TO security_admin_1;
> GRANT r_security_admin TO security_admin_2;
> GRANT r_security_admin TO security_admin_3;
> {code}
> Security admins are allowed to grant the role, but it would need at least two 
> of them (as defined by GRANTORS) to do so to allow the user to actually 
> access the data.
> Thus,
> {code}
> GRANT r_patientdata_access TO doctor_house;
> {code}
> must be conducted by at least two different security admins of the available 
> ones above.
> When GRANTORS defaults to 1, the default behaviour of roles doesn't change.



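The GRANTORS semantics described in the quoted issue, as an added example that is not part of the original message and is not Cassandra code: a grant takes effect only after the required number of distinct authorized grantors have issued it. The `Role` class and the `grant`, `has_role` and `demo` functions are hypothetical, and authorizers are attached to the role directly instead of through `r_security_admin`.

```python
# Toy model of the proposed GRANTORS option (illustration only).
# All names here are hypothetical; nothing below is a Cassandra API.

class Role:
    def __init__(self, name, grantors=1):
        if grantors < 1:
            raise ValueError("GRANTORS must be at least 1")
        self.name = name
        self.grantors = grantors   # distinct grantors required
        self.authorizers = set()   # principals allowed to grant this role
        self.pending = {}          # grantee -> grantors seen so far
        self.members = set()       # grantees whose grant is effective


def grant(role, grantee, grantor):
    """Record one GRANT statement; return True once the grant is effective."""
    if grantor not in role.authorizers:
        raise PermissionError(f"{grantor} may not grant {role.name}")
    if grantee in role.members:
        return True
    approvals = role.pending.setdefault(grantee, set())
    approvals.add(grantor)         # a set, so a repeat by one admin counts once
    if len(approvals) >= role.grantors:
        role.members.add(grantee)
        del role.pending[grantee]
        return True
    return False


def has_role(role, principal):
    return principal in role.members


def demo():
    # Constructed sample data mirroring the names used in the issue.
    role = Role("r_patientdata_access", grantors=2)
    role.authorizers |= {"security_admin_1", "security_admin_2", "security_admin_3"}
    steps = [
        grant(role, "doctor_house", "security_admin_1"),  # first approval
        grant(role, "doctor_house", "security_admin_1"),  # same admin again
        grant(role, "doctor_house", "security_admin_3"),  # second distinct admin
    ]
    return steps, has_role(role, "doctor_house")


if __name__ == "__main__":
    print(demo())
```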