Proxy Execution
DSE 5.1 introduced proxy execution. Proxy execution allows a client to connect to a node as one user but declare that some statements should actually run as a different user (without needing credentials of that second user).
Consult the DataStax Enterprise Documentation for more details.
Background
- Given
- a running DSE cluster with DSE plaintext authentication enabled
- And
- the following schema:
CREATE ROLE end_user WITH PASSWORD = 'end_user' and LOGIN = true; CREATE ROLE target_user WITH PASSWORD = 'target_user' and LOGIN = true; CREATE ROLE service_user WITH PASSWORD = 'service_user' and LOGIN = true; CREATE KEYSPACE simplex WITH REPLICATION = {'class': 'SimpleStrategy', 'replication_factor': 1}; USE simplex; CREATE TABLE proxy_execute (f1 int PRIMARY KEY, f2 int); INSERT INTO proxy_execute (f1, f2) VALUES (1, 2); GRANT ALL ON proxy_execute TO target_user; GRANT PROXY.EXECUTE ON ROLE 'target_user' to 'service_user';
Query the authorized table as a proxied user
- Given
- the following example:
$cluster = Dse::cluster() ->withPlaintextAuthenticator("service_user", "service_user") ->build(); $session = $cluster->connect("simplex"); $result = $session->execute("SELECT * from proxy_execute", array("execute_as" => "target_user")); foreach ($result as $row) { echo "f1: {$row['f1']} f2: {$row['f2']}" . PHP_EOL; } - When
- it is executed
- Then
- its output should contain:
f1: 1 f2: 2
Query the authorized table as the service user
- Given
- the following example:
try { $cluster = Dse::cluster() ->withPlaintextAuthenticator("service_user", "service_user") ->build(); $session = $cluster->connect("simplex"); $session->execute("SELECT * from proxy_execute"); echo "Request succeeded erroneously!" . PHP_EOL; } catch (Dse\Exception\UnauthorizedException $ex) { echo $ex->getMessage() . PHP_EOL; } - When
- it is executed
- Then
- its output should contain:
User service_user has no SELECT permission on <table simplex.proxy_execute> or any of its parents
Query the authorized table as a proxied user where the service user does not have the PROXY.EXECUTE privilege
- Given
- the following example:
try { $cluster = Dse::cluster() ->withPlaintextAuthenticator("service_user", "service_user") ->build(); $session = $cluster->connect("simplex"); $session->execute("SELECT * from proxy_execute", array("execute_as" => "end_user")); echo "Request succeeded erroneously!" . PHP_EOL; } catch (Dse\Exception\UnauthorizedException $ex) { echo $ex->getMessage() . PHP_EOL; } - When
- it is executed
- Then
- its output should contain:
Either 'service_user' does not have permission to execute queries as 'end_user' or that role does not exist. Run 'GRANT PROXY.EXECUTE ON ROLE 'end_user' TO 'service_user' as an administrator if you wish to allow this.