Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use Non-superuser for Cassandra database plugin #5402

Closed
idanto opened this issue Sep 26, 2018 · 2 comments
Closed

Use Non-superuser for Cassandra database plugin #5402

idanto opened this issue Sep 26, 2018 · 2 comments

Comments

@idanto
Copy link

idanto commented Sep 26, 2018
edited
Loading

Is your feature request related to a problem? Please describe.
Before the change done here we could set up the Cassandra database plugin with non-superuser which by the documentation wasn't the design but I think is a good security practice.

Describe the solution you'd like
From the original issue related to this pull request and from my understanding of the code you use the LIST ALL query to validate the session, which means you can use any CQL query or if you would like to verify access to the users/roles tables you can query it directly. I know there is a difference between CQL 2.x and 3.x but you already have in the API field called protocol_version, my suggestion is to use it in order to choose the right query:

3.x - SELECT role,is_superuser FROM system_auth.roles
2.x - SELECT user,is_superuser FROM system_auth.users

Describe alternatives you've considered
An alternative could be to find any other query that will validate the session or just to remove the validation and run the statements, or even get the validation statement from the user.

Explain any additional use-cases
In our use case, we have multiple Vault instances that use the same Cassandra cluster for different reasons. In all of them, there is a configuration for Cassandra database plugin and we don't want to share the superuser or have more than one superuser in Cassandra. Till version 0.9.0 we were able to configure the Cassandra database plugin without superuser permissions.

Additional context
The documentation about superuser seems inconsistent. If superuser only grants user management permissions then there is no reason to not use the superuser flag for vault. If superuser allows full access to the DB then the benefit of not allowing vault to have it is that in order to extract data then first the privileged account has to be used to generate or modify a role. If you have a proper audit that then gives you a chance to alert on it.

Simply put: If Vault does not require access to the data then the concept of least privilege applies and it should not have permissions to the data.

I would be happy to hear your thoughts about this idea.
@briankassouf
Copy link
Contributor

@idanto Sure, we'd accept a PR with this change

@kohend kohend mentioned this issue Oct 10, 2018
Merged
@kohend
Copy link
Contributor

kohend commented Oct 12, 2018

I created a PR with this change.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@kohend @briankassouf @ncabatoff @idanto