[ https://issues.apache.org/jira/browse/CASSANDRA-7216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13997366#comment-13997366 ]
Oded Peer commented on CASSANDRA-7216: -------------------------------------- I can have just a single super user, however as tightly as I control this user it still poses a security threat. This has implications in security audits, including external audits done by customers and partners. I got to know the permissions better in Cassandra and it appears that in addition to creating keyspaces and users the restricted superuser account also needs to GRANT permissions to the newly-created user to access and modify the newly-created keyspace. If the restricted superuser account has GRANT permissions to any keyspace it still poses security threat since it can create users with permissions to any arbitrary keyspace. What we are trying to find an analogy of the postgres security model in Cassandra. In postgres objects have a single 'owner'. For most kinds of objects, the initial state is that only the owner can do anything with the object. [http://www.postgresql.org/docs/9.0/static/privileges.html]. Thus, in postgres, we have a restricted admin user used in the tenant provisioning process that can only create users. These newly-created users create database objects as their 'owner' and only the user creating the objects can use them. > Restricted superuser account request > ------------------------------------ > > Key: CASSANDRA-7216 > URL: https://issues.apache.org/jira/browse/CASSANDRA-7216 > Project: Cassandra > Issue Type: Improvement > Reporter: Oded Peer > Priority: Minor > > I am developing a multi-tenant service. > Every tenant has its own user, keyspace and can access only his keyspace. > As new tenants are provisioned there is a need to create new users and > keyspaces. > Only a superuser can issue CREATE USER requests, so we must have a super user > account in the system. On the other hand super users have access to all the > keyspaces, which poses a security risk. > For tenant provisioning I would like to have a restricted account which can > only create new users, without read access to keyspaces. -- This message was sent by Atlassian JIRA (v6.2#6252)