Dropping table does not remove role-based whitelist on that table #136

Open
etedpet opened this issue Jan 30, 2020 · 0 comments
Labels
bug Something isn't working

Comments

@etedpet
Contributor

etedpet commented Jan 30, 2020

When using Role Based Whitelisting with the following setup:

Given user/role kalle_wl which is granted all permissions to table ks.test:
cassandra@cqlsh> grant all on TABLE ks.test TO kalle_wl;

And the user/role is whitelisted for the ks.test table:
cassandra@cqlsh> ALTER ROLE kalle_wl WITH OPTIONS = { 'GRANT AUDIT WHITELIST FOR ALL' : 'data/ks/test' };

Gives the following permissions:

cassandra@cqlsh> list all PERMISSIONS of kalle_wl;
 role     | username | resource        | permission
----------+----------+-----------------+------------
 kalle_wl | kalle_wl | <table ks.test> |      ALTER
 kalle_wl | kalle_wl | <table ks.test> |       DROP
 kalle_wl | kalle_wl | <table ks.test> |     SELECT
 kalle_wl | kalle_wl | <table ks.test> |     MODIFY
 kalle_wl | kalle_wl | <table ks.test> |  AUTHORIZE

Gives the role options:

cassandra@cqlsh> list roles;
 role      | super | login | options
-----------+-------+-------+--------------------------------------------------------------------------
 cassandra |  True |  True |                                                                        {}
  kalle_wl | False | False | {'AUDIT WHITELIST ON data/ks/test': 'ALTER,DROP,SELECT,MODIFY,AUTHORIZE'}

When the table is dropped:
cassandra@cqlsh> DROP TABLE ks.test ;

Then the permission for that table is removed:

cassandra@cqlsh> list all PERMISSIONS of kalle_wl ;
 role | resource | permissions
------+----------+-------------

BUT the whitelist-data for that user is not removed:

cassandra@cqlsh> list roles;
 role      | super | login | options
-----------+-------+-------+--------------------------------------------------------------------------
 cassandra |  True |  True |                                                                        {}
  kalle_wl | False | False | {'AUDIT WHITELIST ON data/ks/test': 'ALTER,DROP,SELECT,MODIFY,AUTHORIZE'}

-> This could lead to whitelist "issues" if another table is created with the same name... The new table will immediately be whitelisted, which might not be the intent.

@eperott eperott added the bug Something isn't working label Feb 1, 2020
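A check an operator could run to catch whitelist entries left behind by a dropped table, added here as an example and not part of the issue or of the ecaudit project. It takes role options in the form shown by `list roles` and the current schema, both constructed inline instead of being read from system_auth and system_schema, flags 'AUDIT WHITELIST ON data/...' entries whose keyspace or table no longer exists, and builds the corresponding revoke statements; the 'REVOKE AUDIT WHITELIST FOR ALL' option key is assumed from ecaudit's documented syntax and is not shown on this page.

```python
import re

# Constructed sample: role options as `list roles` shows them after ks.test was dropped
ROLE_OPTIONS = {
    "cassandra": {},
    "kalle_wl": {
        "AUDIT WHITELIST ON data/ks/test": "ALTER,DROP,SELECT,MODIFY,AUTHORIZE",
        "AUDIT WHITELIST ON data/ks": "SELECT",
    },
}

# Constructed sample of the live schema: keyspace -> set of tables (ks.test is gone)
SCHEMA = {"ks": {"other"}, "system": {"local"}}

WHITELIST_KEY = re.compile(r"^AUDIT WHITELIST ON (.+)$")


def is_stale(resource, schema):
    """True if a data/<ks>[/<table>] resource refers to a keyspace or table
    that no longer exists. Non-data resources are not tied to the schema."""
    parts = resource.split("/")
    if parts[0] != "data":
        return False
    if len(parts) == 2:                       # data/<keyspace>
        return parts[1] not in schema
    if len(parts) == 3:                       # data/<keyspace>/<table>
        return parts[2] not in schema.get(parts[1], set())
    return False


def find_stale_whitelists(role_options, schema):
    """Return (role, resource, [operations]) for every whitelist entry
    whose resource has been dropped; these are the entries the issue describes."""
    stale = []
    for role, options in role_options.items():
        for key, ops in options.items():
            match = WHITELIST_KEY.match(key)
            if match and is_stale(match.group(1), schema):
                stale.append((role, match.group(1), ops.split(",")))
    return stale


def revoke_statements(stale):
    """Build one ALTER ROLE per stale entry. The 'REVOKE AUDIT WHITELIST FOR ALL'
    key is assumed from ecaudit's documented syntax (hypothetical here)."""
    return [
        f"ALTER ROLE {role} WITH OPTIONS = {{ 'REVOKE AUDIT WHITELIST FOR ALL' : '{res}' }};"
        for role, res, _ops in stale
    ]


if __name__ == "__main__":
    for stmt in revoke_statements(find_stale_whitelists(ROLE_OPTIONS, SCHEMA)):
        print(stmt)
```

Review the generated statements before running them, since a whitelist on a keyspace that still exists (data/ks above) is intentionally left alone.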