Implementing separation of duties
Use the separation of duties functionality to configure administrator roles for permission management without the ability to execute other CQL commands.
Assigning permission management privileges
- AUTHORIZE with granted true - The role can manage any permission that has been granted to it on the resource, and can also execute the CQL commands that correspond to those permissions. For example, the admin role has both AUTHORIZE and SELECT on the all keyspaces resource:

    GRANT AUTHORIZE, SELECT ON ALL KEYSPACES TO admin;

  Users with this role can GRANT and REVOKE both the AUTHORIZE and SELECT permissions to any other role, including their own:

    LIST ALL PERMISSIONS OF admin;

     role  | username | resource        | permission | granted | restricted | grantable
    -------+----------+-----------------+------------+---------+------------+-----------
     admin | dbadmin  | <all keyspaces> | SELECT     |    True |      False |     False
     admin | dbadmin  | <all keyspaces> | AUTHORIZE  |    True |      False |     False

- grantable true for a permission - The role can manage only the specified permission, and only for other roles; the permission itself is not assigned to the role. The related CQL commands are executable only if granted is also true. For example, to allow sec_admin to GRANT and REVOKE permissions for other roles without being able to access the data in any keyspace:

    GRANT AUTHORIZE FOR CREATE, ALTER, DROP, SELECT, MODIFY, DESCRIBE ON ALL KEYSPACES TO sec_admin;

  Verify the permissions:

    LIST ALL PERMISSIONS OF sec_admin;

  granted is false and grantable is true for every row:

     role      | username  | resource        | permission | granted | restricted | grantable
    -----------+-----------+-----------------+------------+---------+------------+-----------
     sec_admin | sec_admin | <all keyspaces> | CREATE     |   False |      False |      True
     sec_admin | sec_admin | <all keyspaces> | ALTER      |   False |      False |      True
     sec_admin | sec_admin | <all keyspaces> | DROP       |   False |      False |      True
     sec_admin | sec_admin | <all keyspaces> | SELECT     |   False |      False |      True
     sec_admin | sec_admin | <all keyspaces> | MODIFY     |   False |      False |      True
     sec_admin | sec_admin | <all keyspaces> | DESCRIBE   |   False |      False |      True

- Creating a new role requires CREATE granted on ALL ROLES.
- GRANT/REVOKE requires the permission to be grantable (AUTHORIZE FOR permission_name) on the resource.
- Users cannot modify the LOGIN and SUPERUSER properties of their own role. This prevents users with ALTER permission from making their own account a SUPERUSER or from creating a role with a higher level of permission.
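To check that a deployment actually keeps permission management and data access apart, the audit below parses LIST ALL PERMISSIONS output in the table layout shown above and flags roles that, on the same resource, can GRANT/REVOKE (AUTHORIZE granted, or any permission grantable) and also have SELECT or MODIFY granted. This is an added Python example, not part of the DSE documentation; the sample table is constructed from the admin and sec_admin rows above plus a constructed analyst role.

```python
from dataclasses import dataclass

# Permissions that give direct data access, as opposed to management rights.
DATA_ACCESS = {"SELECT", "MODIFY"}

# Constructed sample in the table layout cqlsh prints for LIST ALL PERMISSIONS.
SAMPLE_OUTPUT = """
 role      | username  | resource        | permission | granted | restricted | grantable
-----------+-----------+-----------------+------------+---------+------------+-----------
 admin     | dbadmin   | <all keyspaces> | SELECT     |    True |      False |     False
 admin     | dbadmin   | <all keyspaces> | AUTHORIZE  |    True |      False |     False
 sec_admin | sec_admin | <all keyspaces> | SELECT     |   False |      False |      True
 sec_admin | sec_admin | <all keyspaces> | MODIFY     |   False |      False |      True
 analyst   | analyst   | <all keyspaces> | SELECT     |    True |      False |     False
"""

@dataclass(frozen=True)
class PermRow:
    role: str
    resource: str
    permission: str
    granted: bool
    grantable: bool

def parse_permissions(text):
    """Parse cqlsh table rows into PermRow objects, skipping header and rule lines."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 7 or cells[0] == "role":
            continue
        role, _user, resource, perm, granted, _restricted, grantable = cells
        rows.append(PermRow(role, resource, perm, granted == "True", grantable == "True"))
    return rows

def sod_violations(rows):
    """Return sorted (role, resource) pairs where one role both manages permissions
    (AUTHORIZE granted, or any permission grantable) and has data access granted
    on the same resource: the combination separation of duties is meant to avoid."""
    by_key = {}
    for r in rows:
        by_key.setdefault((r.role, r.resource), []).append(r)
    bad = []
    for key, perms in by_key.items():
        manages = any(r.grantable or (r.permission == "AUTHORIZE" and r.granted) for r in perms)
        accesses = any(r.permission in DATA_ACCESS and r.granted for r in perms)
        if manages and accesses:
            bad.append(key)
    return sorted(bad)
```

Run against the sample, only admin is reported: sec_admin manages permissions without data access and analyst has data access without management rights.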
Authorize syntax
- AUTHORIZE - The role can delegate the AUTHORIZE permission and any other permission that has been granted to it on the resource:

    GRANT AUTHORIZE ON (ALL KEYSPACES | TABLE table_name | 'filter_string' ROWS IN table_name) TO role_name;

- AUTHORIZE FOR permission_list - The role can delegate only the listed permissions:

    GRANT AUTHORIZE FOR permission_list ON resource_name TO role_name;
Type | Permissions | Resources
---|---|---
Data | ALTER, AUTHORIZE, CREATE, DESCRIBE, DROP, MODIFY, SELECT | ALL KEYSPACES; KEYSPACE keyspace_name; TABLE table_name; 'filter_string' ROWS IN table_name
Functions | ALTER, AUTHORIZE, CREATE, DROP, EXECUTE | ALL FUNCTIONS; ALL FUNCTIONS IN KEYSPACE keyspace_name; FUNCTION function_name ( argument_types )
Search indexes | SEARCH.ALTER, SEARCH.COMMIT, SEARCH.CREATE, SEARCH.DROP, SEARCH.REBUILD, SEARCH.RELOAD | ALL SEARCH INDICES; SEARCH INDEX [keyspace_name.]table_name
Roles | ALTER, CREATE, DESCRIBE, DROP | ALL ROLES; ROLE role_name
Proxy role | PROXY.EXECUTE, PROXY.LOGIN | ROLE role_name
Authentication scheme | EXECUTE | ALL AUTHENTICATION SCHEMES; LDAP SCHEME; KERBEROS SCHEME; INTERNAL SCHEME
MBeans | DESCRIBE, EXECUTE, MODIFY, SELECT | ALL MBEANS > MBEANS pattern > MBEAN name
Spark applications (work pools) | CREATE, DESCRIBE | ANY WORKPOOL > WORKPOOL datacenter_name
Spark applications (submissions) | DESCRIBE, MODIFY | ANY SUBMISSION; ANY SUBMISSION IN WORKPOOL datacenter_name; SUBMISSION id IN WORKPOOL datacenter_name
Remote calls | EXECUTE | ALL REMOTE CALLS > REMOTE OBJECT object_name > REMOTE METHOD object_name.method_name
Delegating role management permissions
- ALL ROLES - When AUTHORIZE is granted on ALL ROLES, the target role can delegate any permission it has on the resource to other roles (including itself):

    GRANT AUTHORIZE ON ALL ROLES TO role_name;

  The permission shows as granted when the role's permissions are listed.
  Tip: When ALL PERMISSIONS are granted, the role has the ability to GRANT and REVOKE all permissions to all roles, including itself.
- ROLE - Grant permissions on a specific role:

    GRANT permission[, permission ...] ON ROLE role_name TO role_name;

  where permission is one of ALL PERMISSIONS, ALTER, AUTHORIZE, CREATE, DESCRIBE, and DROP.

Permission | Resource | Permissions the target role can GRANT and REVOKE
---|---|---
AUTHORIZE | ALL ROLES | AUTHORIZE and the permissions the issuing role has been granted on the role.
AUTHORIZE FOR permission_list | ALL ROLES | The listed permissions.
AUTHORIZE | ROLE name | AUTHORIZE and the permissions the issuing role has been granted on the role.
AUTHORIZE FOR permission_list | ROLE name | The listed permissions.
Delegating resource management permissions
- Authentication schemes - Delegate privileges to administrators that manage roles:

    GRANT AUTHORIZE [FOR EXECUTE] ON (ALL AUTHENTICATION SCHEMES | LDAP SCHEME | KERBEROS SCHEME | INTERNAL SCHEME) TO role_name;

  - AUTHORIZE - Allows the role to delegate the AUTHORIZE permission; if EXECUTE is also granted, the role can also delegate EXECUTE.
  - AUTHORIZE FOR EXECUTE - Allows the role to delegate which other roles can assign scheme permissions, without changing its own login scheme.
Manage access
Set up roles that can manage permissions on objects without having access permissions themselves.
Procedure
- Create a role, for example security_admin:

    CREATE ROLE security_admin;

- Allow the role to manage roles:

    GRANT ALTER, CREATE, DROP, DESCRIBE ON ALL ROLES TO security_admin;

- Allow authorization for all permissions with no access privileges:
  - Data resources, which allows the role to grant AUTHORIZE, CREATE, ALTER, DROP, SELECT, MODIFY, and DESCRIBE permission to other roles:

        GRANT AUTHORIZE FOR ALL PERMISSIONS ON ALL KEYSPACES TO security_admin;

  - Function and aggregate resources, which allows the role to grant AUTHORIZE, CREATE, ALTER, DROP, and EXECUTE permission to other roles:

        GRANT AUTHORIZE FOR ALL PERMISSIONS ON ALL FUNCTIONS TO security_admin;

  - Search indexes, which allows the role to grant AUTHORIZE, SEARCH.CREATE, SEARCH.ALTER, SEARCH.DROP, SEARCH.RELOAD, SEARCH.REBUILD, and SEARCH.COMMIT to other roles:

        GRANT AUTHORIZE FOR ALL PERMISSIONS ON ALL SEARCH INDICES TO security_admin;

  - Roles, which allows the role to grant AUTHORIZE, CREATE, ALTER, DROP, and DESCRIBE permission to other roles:

        GRANT AUTHORIZE FOR ALL PERMISSIONS ON ALL ROLES TO security_admin;

  - Authentication scheme resources, which allows the role to grant AUTHORIZE and EXECUTE permission to other roles:

        GRANT AUTHORIZE FOR ALL PERMISSIONS ON ALL AUTHENTICATION SCHEMES TO security_admin;

  - JMX resources (MBeans) for DSE utilities, which allows the role to grant SELECT, MODIFY, AUTHORIZE, DESCRIBE, and EXECUTE permission to other roles:

        GRANT AUTHORIZE FOR ALL PERMISSIONS ON ALL MBEANS TO security_admin;

  - Analytic applications:
    - WORKPOOLS, which allows the role to grant CREATE, DESCRIBE, and AUTHORIZE permission to other roles:

          GRANT AUTHORIZE FOR ALL PERMISSIONS ON ANY WORKPOOL TO security_admin;

    - SUBMISSIONS, which allows the role to grant MODIFY, DESCRIBE, and AUTHORIZE permission to other roles:

          GRANT AUTHORIZE FOR ALL PERMISSIONS ON ANY SUBMISSION TO security_admin;

  - Remote procedure calls:

        GRANT AUTHORIZE FOR ALL PERMISSIONS ON ALL REMOTE CALLS TO security_admin;

- Assign the role depending on the Role Management mode:
  - Internal - Use the GRANT command to assign the role to a login role or to another group role:

        GRANT security_admin TO login_role_name;

  - LDAP - Create a group object with a matching CN (security_admin) and assign users as members of the group.