Implementing separation of duties

Use the separation of duties functionality to configure administrator roles for permission management without the ability to execute other CQL commands.

Assigning permission management privileges

In order for administrators and others to use or to manage permissions on a resource, their role must have one of the following permissions on the object:
  • AUTHORIZE granted is true - Manage any permissions that have been granted on the resource; the role also allows the user to execute the CQL commands that correspond to the permissions.
    For example, the admin role has both AUTHORIZE and SELECT on the all keyspaces resource:
    GRANT AUTHORIZE, SELECT ON ALL KEYSPACES TO admin;
    Users with the role can GRANT and REVOKE both the AUTHORIZE and SELECT permissions to any other role, including their own:
    LIST ALL PERMISSIONS OF admin;
    role   | username | resource        | permission | granted | restricted | grantable
    -------+----------+-----------------+------------+---------+------------+-----------
     admin |  dbadmin | <all keyspaces> |     SELECT |    True |      False |     False
     admin |  dbadmin | <all keyspaces> |  AUTHORIZE |    True |      False |     False
  • grantable is true for a permission - Manage only the specified permissions for other roles; the permissions are not themselves assigned to the managing role. The related commands are executable only if granted is also true.
    For example, to allow sec_admin to GRANT and REVOKE permissions for other roles but not to access the data in any keyspace:
    GRANT AUTHORIZE FOR CREATE, ALTER, DROP, SELECT, MODIFY, DESCRIBE 
    ON ALL KEYSPACES
    TO sec_admin;
    Verify the permissions:
    LIST ALL PERMISSIONS OF sec_admin;
    For every permission, granted is False and grantable is True:
     role      | username   | resource        | permission | granted | restricted | grantable
    -----------+------------+-----------------+------------+---------+------------+-----------
     sec_admin |  sec_admin | <all keyspaces> |     CREATE |   False |      False |      True
     sec_admin |  sec_admin | <all keyspaces> |      ALTER |   False |      False |      True
     sec_admin |  sec_admin | <all keyspaces> |       DROP |   False |      False |      True
     sec_admin |  sec_admin | <all keyspaces> |     SELECT |   False |      False |      True
     sec_admin |  sec_admin | <all keyspaces> |     MODIFY |   False |      False |      True
     sec_admin |  sec_admin | <all keyspaces> |   DESCRIBE |   False |      False |      True
Tip: Roles that are granted ALL PERMISSIONS can delegate resource permissions to all roles. When a user creates an object, they are automatically granted ALL PERMISSIONS on it.
Restriction: The following rules apply when managing roles and access to database objects:
  • Creating a new role requires CREATE granted on ALL ROLES.
  • GRANT/REVOKE requires the permission to be grantable (AUTHORIZE FOR permission_name) on the resource.
  • Users cannot modify their own role properties LOGIN and SUPERUSER. This prevents users with ALTER permission from making their own account a SUPERUSER or from creating a role with a higher level of permission.

Authorize syntax

Use the following syntax to allow a role to GRANT and REVOKE:
  • AUTHORIZE and any other permission that has been granted to them on the resource.
    GRANT AUTHORIZE 
    ON (ALL KEYSPACES | TABLE table_name | 'filter_string' ROWS IN table_name)
    TO role_name;
  • Only the listed permissions.
    GRANT AUTHORIZE FOR permission_list
    ON resource_name 
    TO role_name;
Permission types, permissions, and resources:
  • Data
    Permissions: ALTER, CREATE, DESCRIBE, DROP, MODIFY, SELECT
    Resources: ALL KEYSPACES > KEYSPACE keyspace_name > TABLE table_name > 'filtering_data' ROWS IN table_name
  • Functions
    Permissions: ALTER, CREATE, DROP, EXECUTE
    Resources: ALL FUNCTIONS > ALL FUNCTIONS IN KEYSPACE keyspace_name > FUNCTION function_name ( argument_types )
  • Search indexes
    Permissions: SEARCH.ALTER, SEARCH.COMMIT, SEARCH.CREATE, SEARCH.DROP, SEARCH.REBUILD, SEARCH.RELOAD
    Resources: ALL SEARCH INDICES > SEARCH INDEX [keyspace_name.]table_name
  • Roles
    Permissions: ALTER, CREATE, DESCRIBE, DROP
    Resources: ALL ROLES > ROLE role_name
  • Proxy role
    Permissions: PROXY.EXECUTE, PROXY.LOGIN
    Resources: ROLE role_name
  • Authentication scheme
    Permissions: EXECUTE
    Resources: ALL AUTHENTICATION SCHEMES > LDAP SCHEME, KERBEROS SCHEME, INTERNAL SCHEME
  • MBeans
    Permissions: DESCRIBE, EXECUTE, MODIFY, SELECT
    Resources: ALL MBEANS > MBEANS pattern > MBEAN name
  • Spark applications (work pools)
    Permissions: CREATE, DESCRIBE
    Resources: ANY WORKPOOL > WORKPOOL datacenter_name
  • Spark applications (submissions)
    Permissions: MODIFY, DESCRIBE
    Resources: ANY SUBMISSION > ANY SUBMISSION IN WORKPOOL datacenter_name > SUBMISSION id IN WORKPOOL datacenter_name
  • Remote calls
    Permissions: EXECUTE
    Resources: ALL REMOTE CALLS > REMOTE OBJECT object_name > REMOTE METHOD object_name.method_name

Delegating role management permissions

  • When AUTHORIZE is granted to a role, the target role can delegate any permission it has on the resource to other roles (including itself).
    GRANT AUTHORIZE ON ALL ROLES 
    TO role_name;
    The permission shows as granted when the role's permissions are listed.
    Tip: When ALL PERMISSIONS are granted, the role has the ability to GRANT and REVOKE all permissions to all roles, including itself.
  • ROLE
    GRANT permission[, permission ...] 
    ON ROLE role_name 
    TO role_name;
    where permission is one of ALL PERMISSIONS, ALTER, AUTHORIZE, CREATE, DESCRIBE, and DROP.
Table 1. Authorization
 Permission                    | Resource  | Can delegate
-------------------------------+-----------+-----------------------------------------------------------------------------
 AUTHORIZE                     | ALL ROLES | AUTHORIZE and the permissions the issuing role has been granted on the role.
 AUTHORIZE FOR permission_list | ALL ROLES | The listed permissions.
 AUTHORIZE                     | ROLE name | AUTHORIZE and the permissions the issuing role has been granted on the role.
 AUTHORIZE FOR permission_list | ROLE name | The listed permissions.

Delegating resource management permissions

Authentication schemes
  • Delegate privileges to administrators that manage roles.
    GRANT AUTHORIZE [FOR EXECUTE] 
    ON (ALL AUTHENTICATION SCHEMES | LDAP SCHEME | KERBEROS SCHEME | INTERNAL SCHEME)
    TO role_name;
    • AUTHORIZE - Allows the role to delegate the AUTHORIZE permission; if EXECUTE is also granted, the role can also delegate EXECUTE.
    • AUTHORIZE FOR EXECUTE - Allows the role to delegate which other roles can assign scheme permissions, without changing its own login scheme.

Manage access

Set up roles that can manage permissions on objects without holding access permission on those objects.

Procedure

  1. Create a role. For example, security_admin.
    CREATE ROLE security_admin;
  2. Allow the role to manage roles:
    GRANT ALTER, CREATE, DROP, DESCRIBE
    ON ALL ROLES 
    TO security_admin;
  3. Allow the role to authorize all permissions on each resource type, with no access privileges of its own.
    • Data resources
      GRANT AUTHORIZE FOR ALL PERMISSIONS 
      ON ALL KEYSPACES 
      TO security_admin;
      which allows the role to grant AUTHORIZE, CREATE, ALTER, DROP, SELECT, MODIFY, and DESCRIBE permission to other roles.
    • Functions and aggregate resources
      GRANT AUTHORIZE FOR ALL PERMISSIONS
      ON ALL FUNCTIONS 
      TO security_admin;
      which allows the role to grant AUTHORIZE, CREATE, ALTER, DROP, and EXECUTE permission to other roles.
    • Search indexes
      GRANT AUTHORIZE FOR ALL PERMISSIONS 
      ON ALL SEARCH INDICES 
      TO security_admin;
      which allows the role to grant AUTHORIZE, SEARCH.CREATE, SEARCH.ALTER, SEARCH.DROP, SEARCH.RELOAD, SEARCH.REBUILD, and SEARCH.COMMIT to other roles.
    • Roles
      GRANT AUTHORIZE FOR ALL PERMISSIONS 
      ON ALL ROLES 
      TO security_admin;
      which allows the role to grant AUTHORIZE, CREATE, ALTER, DROP, and DESCRIBE permission to other roles.
    • Authentication scheme resources
      GRANT AUTHORIZE FOR ALL PERMISSIONS 
      ON ALL AUTHENTICATION SCHEMES 
      TO security_admin;
      which allows the role to grant AUTHORIZE and EXECUTE permission to other roles.
    • JMX resources (MBeans) for DSE utilities
      GRANT AUTHORIZE FOR ALL PERMISSIONS 
      ON ALL MBEANS 
      TO security_admin;
      which allows the role to grant SELECT, MODIFY, AUTHORIZE, DESCRIBE, and EXECUTE permission to other roles.
    • Analytic applications
      • WORKPOOLS
        GRANT AUTHORIZE FOR ALL PERMISSIONS 
        ON ANY WORKPOOL 
        TO security_admin;
        which allows the role to grant CREATE, DESCRIBE, and AUTHORIZE permission to other roles.
      • SUBMISSIONS
        GRANT AUTHORIZE FOR ALL PERMISSIONS 
        ON ANY SUBMISSION 
        TO security_admin;
        which allows the role to grant MODIFY, DESCRIBE, and AUTHORIZE permission to other roles.
    • Remote procedure calls
      GRANT AUTHORIZE FOR ALL PERMISSIONS
      ON ALL REMOTE CALLS
      TO security_admin;
  4. Assign the role depending on the role management mode:
    • Internal - Use the GRANT command to assign the role to a login role or to another group role.
      GRANT security_admin TO login_role_name;
    • LDAP - Create a group object with a matching CN (security_admin) and assign users as members of the group.
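As an added example that is not part of the DSE documentation, this Python script audits cqlsh LIST ALL PERMISSIONS output against the granted/grantable semantics described under Assigning permission management privileges and the security_admin end state this procedure produces: it flags roles that can both read or write data on a resource and delegate permissions on it, and lists roles that, like sec_admin, hold only grantable rights. The permission listing is constructed to match the cqlsh layout shown on this page; parse_permissions, sod_violations and grantable_only_roles are names chosen here.

```python
"""Audit cqlsh LIST ALL PERMISSIONS output for separation-of-duties violations (added example,
not from the DSE docs): a role that accesses data on a resource and can delegate on it is flagged."""

DATA_PERMISSIONS = {"SELECT", "MODIFY"}  # permissions that read or write table data


def parse_permissions(output):
    """Parse the pipe-delimited cqlsh table into dicts; header and '---+---' rows are skipped."""
    rows = []
    for line in output.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 7 or cells[0] == "role":
            continue
        role, _user, resource, perm, granted, restricted, grantable = cells
        rows.append({"role": role, "resource": resource, "permission": perm,
                     "granted": granted == "True", "restricted": restricted == "True",
                     "grantable": grantable == "True"})
    return rows


def sod_violations(rows):
    """Map role -> sorted resources on which the role both accesses data and can delegate."""
    access, delegate = set(), set()
    for r in rows:
        key = (r["role"], r["resource"])
        if r["granted"] and r["permission"] in DATA_PERMISSIONS:
            access.add(key)
        if r["grantable"] or (r["granted"] and r["permission"] == "AUTHORIZE"):
            delegate.add(key)
    out = {}
    for role, resource in access & delegate:
        out.setdefault(role, []).append(resource)
    return {role: sorted(res) for role, res in out.items()}


def grantable_only_roles(rows):
    """Roles whose every permission is grantable but not granted (the sec_admin pattern)."""
    by_role = {}
    for r in rows:
        by_role.setdefault(r["role"], []).append(r)
    return sorted(role for role, rs in by_role.items()
                  if all(r["grantable"] and not r["granted"] for r in rs))


# Constructed sample in the LIST ALL PERMISSIONS layout shown on this page.
SAMPLE_OUTPUT = """\
 role       | username   | resource        | permission | granted | restricted | grantable
------------+------------+-----------------+------------+---------+------------+-----------
      admin |    dbadmin | <all keyspaces> |     SELECT |    True |      False |     False
      admin |    dbadmin | <all keyspaces> |  AUTHORIZE |    True |      False |     False
  sec_admin |  sec_admin | <all keyspaces> |     SELECT |   False |      False |      True
 app_reader | app_reader | <keyspace app>  |     SELECT |    True |      False |     False
"""
```

Run it against the real listing by pasting the cqlsh output into SAMPLE_OUTPUT; admin is reported because it holds SELECT granted together with AUTHORIZE granted on the same resource, while sec_admin and app_reader are not.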