[ https://issues.apache.org/jira/browse/CASSANDRA-7216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13997366#comment-13997366 ]

Oded Peer commented on CASSANDRA-7216:
--------------------------------------

I can have just a single super user, however as tightly as I control this user 
it still poses a security threat.
This has implications in security audits, including external audits done by 
customers and partners.

I got to know the permissions better in Cassandra and it appears that in 
addition to creating keyspaces and users the restricted superuser account also 
needs to GRANT permissions to the newly-created user to access and modify the 
newly-created keyspace. If the restricted superuser account has GRANT 
permissions to any keyspace it still poses a security threat since it can create 
users with permissions to any arbitrary keyspace.

We are trying to find an analogy of the postgres security model in 
Cassandra. In postgres objects have a single 'owner'. For most kinds of 
objects, the initial state is that only the owner can do anything with the 
object. [http://www.postgresql.org/docs/9.0/static/privileges.html].
Thus, in postgres, we have a restricted admin user used in the tenant 
provisioning process that can only create users. These newly-created users 
create database objects as their 'owner' and only the user creating the objects 
can use them. 

> Restricted superuser account request
> ------------------------------------
>
>                 Key: CASSANDRA-7216
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-7216
>             Project: Cassandra
>          Issue Type: Improvement
>            Reporter: Oded Peer
>            Priority: Minor
>
> I am developing a multi-tenant service.
> Every tenant has its own user, keyspace and can access only his keyspace.
> As new tenants are provisioned there is a need to create new users and 
> keyspaces.
> Only a superuser can issue CREATE USER requests, so we must have a super user 
> account in the system. On the other hand super users have access to all the 
> keyspaces, which poses a security risk.
> For tenant provisioning I would like to have a restricted account which can 
> only create new users, without read access to keyspaces.



--
This message was sent by Atlassian JIRA
(v6.2#6252)