You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Is your feature request related to a problem? Please describe.
Before the change done here we could set up the Cassandra database plugin with non-superuser which by the documentation wasn't the design but I think is a good security practice.
Describe the solution you'd like
From the original issue related to this pull request and from my understanding of the code you use the LIST ALL query to validate the session, which means you can use any CQL query or if you would like to verify access to the users/roles tables you can query it directly. I know there is a difference between CQL 2.x and 3.x but you already have in the API field called protocol_version, my suggestion is to use it in order to choose the right query:
3.x - SELECT role,is_superuser FROM system_auth.roles
2.x - SELECT user,is_superuser FROM system_auth.users
Describe alternatives you've considered
An alternative could be to find any other query that will validate the session or just to remove the validation and run the statements, or even get the validation statement from the user.
Explain any additional use-cases
In our use case, we have multiple Vault instances that use the same Cassandra cluster for different reasons. In all of them, there is a configuration for Cassandra database plugin and we don't want to share the superuser or have more than one superuser in Cassandra. Till version 0.9.0 we were able to configure the Cassandra database plugin without superuser permissions.
Additional context
The documentation about superuser seems inconsistent. If superuser only grants user management permissions then there is no reason to not use the superuser flag for vault. If superuser allows full access to the DB then the benefit of not allowing vault to have it is that in order to extract data then first the privileged account has to be used to generate or modify a role. If you have a proper audit that then gives you a chance to alert on it.
Simply put: If Vault does not require access to the data then the concept of least privilege applies and it should not have permissions to the data.
I would be happy to hear your thoughts about this idea.
The text was updated successfully, but these errors were encountered:
Is your feature request related to a problem? Please describe.
Before the change done here we could set up the Cassandra database plugin with non-superuser which by the documentation wasn't the design but I think is a good security practice.
Describe the solution you'd like
From the original issue related to this pull request and from my understanding of the code you use the
LIST ALL
query to validate the session, which means you can use any CQL query or if you would like to verify access to the users/roles tables you can query it directly. I know there is a difference between CQL 2.x and 3.x but you already have in the API field calledprotocol_version
, my suggestion is to use it in order to choose the right query:Describe alternatives you've considered
An alternative could be to find any other query that will validate the session or just to remove the validation and run the statements, or even get the validation statement from the user.
Explain any additional use-cases
In our use case, we have multiple Vault instances that use the same Cassandra cluster for different reasons. In all of them, there is a configuration for Cassandra database plugin and we don't want to share the superuser or have more than one superuser in Cassandra. Till version 0.9.0 we were able to configure the Cassandra database plugin without superuser permissions.
Additional context
The documentation about
superuser
seems inconsistent. If superuser only grants user management permissions then there is no reason to not use the superuser flag for vault. If superuser allows full access to the DB then the benefit of not allowing vault to have it is that in order to extract data then first the privileged account has to be used to generate or modify a role. If you have a proper audit that then gives you a chance to alert on it.Simply put: If Vault does not require access to the data then the concept of least privilege applies and it should not have permissions to the data.
I would be happy to hear your thoughts about this idea.
The text was updated successfully, but these errors were encountered: