dshevchuk asked dshevchuk edited

How do I restrict access to keyspaces?

I have a DSE 6.8.3 cluster installed by Lifecycle Manager with 2 datacenters: dc1 - Transactional, dc2 - Analytics Solo.

I have configured the security keyspaces replication factors and have executed on all nodes:

nodetool repair --full system_auth
nodetool repair --full dse_security

I have configured 2 auth schemes: internal (default) and ldap.

Role Manager mode is set to "ldap".

system_keyspaces_filtering is set to true.

I have created a role that represents my ldap group "myldapgroup":

CREATE ROLE myldapgroup WITH LOGIN = true;
GRANT EXECUTE on LDAP SCHEME to myldapgroup;

"myldapuser" is a member of "myldapgroup". When I log in via "myldapuser" it has access to all keyspaces.

I mean the situation where I have additional keyspaces:

app1_keyspace1
app1_keyspace2

And myldapuser is able to successfully execute

DROP KEYSPACE app1_keyspace1;

How do I restrict a default user's access to only the keyspaces that I directly grant access to?


1 Answer

Erick Ramirez answered dshevchuk edited

In DSE Advanced Security, you need to configure Role Based Access Control to grant specific permissions to users. Note this feature requires both authentication and authorization to be enabled.

Control access to keyspaces with the GRANT and REVOKE commands. For example, to grant all permissions (including ALTER, MODIFY or DROP) on the keyspace app_ks to the role svc_account, run the following command as a superuser:

GRANT ALL PERMISSIONS ON KEYSPACE app_ks TO svc_account;

For details, see Controlling access to keyspaces and tables. For a list of resource permissions and examples, see the CQL pages for the GRANT and REVOKE commands. Cheers!


dshevchuk commented:

Do I need to directly restrict permissions for newly created roles?

I have 2 keyspaces: mykeyspace1 and mykeyspace2. I need the created role myldapgroup to have access only to mykeyspace1 and no access to mykeyspace2.

So, in this case I need to execute:

  1. CREATE ROLE myldapgroup WITH LOGIN = true;
  2. GRANT EXECUTE ON LDAP SCHEME TO myldapgroup;
  3. GRANT ALL PERMISSIONS ON KEYSPACE mykeyspace1 TO myldapgroup;
  4. REVOKE ALL PERMISSIONS ON KEYSPACE mykeyspace2 FROM myldapgroup;

Is this right? Or have I misconfigured DSE security?

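The following CQL script is an added example that is not part of the original question, the answer, or DataStax documentation. It walks through the grant-only approach discussed in the answer and in the comment above, using the role and keyspace names from this thread, and adds the check a practitioner wants at each step: LIST ALL PERMISSIONS shows what a role actually holds, which is the quickest way to see where an unexpected DROP permission comes from (a direct grant, a grant ON ALL KEYSPACES, or a role the LDAP role inherits). It assumes authentication and authorization are both enabled, as the answer notes, and that no other role grants myldapgroup anything; those assumptions are marked in the comments.

```cql
-- Added example, not from the original post or DataStax docs.
-- Role and keyspace names follow the thread; everything else is an assumption.

-- 1. Before changing anything, see what the LDAP-mapped role holds today.
--    If this already lists DROP on app1_keyspace1, or a grant ON ALL KEYSPACES,
--    that grant (or a role inherited by myldapgroup) is the source of the access.
LIST ALL PERMISSIONS OF myldapgroup;

-- 2. Role for the LDAP group: it may log in and authenticates via the LDAP scheme.
CREATE ROLE IF NOT EXISTS myldapgroup WITH LOGIN = true;
GRANT EXECUTE ON LDAP SCHEME TO myldapgroup;

-- 3. Grant only what the application needs on the keyspace it owns.
--    SELECT covers reads and MODIFY covers writes; ALTER, DROP and AUTHORIZE
--    are deliberately not granted, so the role cannot change or drop the schema.
GRANT SELECT ON KEYSPACE mykeyspace1 TO myldapgroup;
GRANT MODIFY ON KEYSPACE mykeyspace1 TO myldapgroup;

-- 4. Nothing is granted on mykeyspace2, so (assuming no grant ON ALL KEYSPACES,
--    no superuser flag and no inherited role) the role cannot read, write or
--    drop it. A REVOKE is only needed to undo an earlier, broader grant; note the
--    syntax is REVOKE ... FROM, not TO.
REVOKE ALL PERMISSIONS ON KEYSPACE mykeyspace2 FROM myldapgroup;

-- 5. Verify: the output should list SELECT and MODIFY on <keyspace mykeyspace1>
--    plus EXECUTE on the LDAP scheme, and nothing on mykeyspace2.
LIST ALL PERMISSIONS OF myldapgroup;

-- 6. Also check, from the resource side, which roles hold anything on the
--    keyspace that must stay off-limits.
LIST ALL PERMISSIONS ON KEYSPACE mykeyspace2;
```

Run the script in cqlsh as a superuser. The two LIST statements are the useful part: re-run them after any role or grant change, and treat any permission that appears without a matching GRANT in your own change history as something to explain before the role is put into use.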
Erick Ramirez commented (replying to dshevchuk):

Yes, you can go as far as revoking access for all roles and only grant it to one role if that's what you need. Cheers!

dshevchuk commented (replying to Erick Ramirez):

Is this the default behavior? To revoke permissions? I thought the right way is to grant permissions to the resources the role should have access to.

I think you don't understand my question.
