palantir / atlasdb

Transactional Distributed Database Layer
https://palantir.github.io/atlasdb/
Apache License 2.0

AtlasDB console should allow overriding connection credentials #2064

Open gmaretic opened 7 years ago

gmaretic commented 7 years ago

C/P from ticket: Right now, atlas console connects to the DB using the default creds stored on disk. For security and auditing reasons, it’s probably a better idea to have users log in before being able to run arbitrary queries on the database.

hsaraogi commented 7 years ago

Console should have two modes - permissive and strict, where the former picks up credentials and the latter requires the user to specify them on the command line.

jboreiko commented 7 years ago

Again, not sure what the value prop is here. If the user has access to the box they will have access to the perms used by the application to talk to the DB. Beyond that we don't have any concept of permissions at the DB level, as in there is only a single DB user governing a given AtlasDB instance - usually called palantir. I could see some world in which we have a separate read-only user that atlasdb can use to connect (this would also have problems because AtlasDB requires that certain read conditions write values to ensure correctness), though I'm not sure how we would ever enforce that an admin user with access to the command line of a service box would be prevented from using the service's write-capable creds.

GrahamDennis commented 7 years ago

For me, this is about auditing. It doesn't actually provide any additional security.

Today, our Atlas application users are unaudited. The assumption is that the applications themselves provide some level of audit, and trawling through the database audit logs would not be particularly insightful. However, in Gotham-land, before we did the Atlas migration, whenever we logged in to the Oracle database directly, we would use individual, audited accounts. Now that we have completed our Atlas migration, we can no longer sensibly do manual database diving directly in Oracle; we need to use AtlasConsole. Currently, when we launch AtlasConsole, we connect to Oracle using the unaudited application Oracle account, but we'd ideally use our individual audited Oracle accounts.

In an ideal world, we wouldn't need to use AtlasConsole at all, but sadly, it is needed from time to time. And on those occasions, our actions should be audited.
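The two-mode proposal above (permissive falls back to the on-disk application credentials, strict insists on credentials given on the command line) and the auditing point it serves can be sketched in a few lines. This is an added example, not AtlasDB code and not from any commenter; `ConsoleMode`, `resolve_credentials`, `audit_event` and the stored config dict are assumptions made for the illustration, and the credential values are constructed placeholders.

```python
"""Credential resolution for a console with a permissive and a strict mode.

Added illustration, not AtlasDB code. ConsoleMode, resolve_credentials and
audit_event are assumed names; STORED_APP_CONFIG is a constructed stand-in
for whatever default credentials the real console reads from disk.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class ConsoleMode(Enum):
    PERMISSIVE = "permissive"  # may fall back to the application's stored creds
    STRICT = "strict"          # operator must supply an individual account


@dataclass(frozen=True)
class DbCredentials:
    username: str
    password: str
    source: str  # "cli" or "disk"; recorded so the audit trail says which was used


class CredentialsRequired(Exception):
    """Raised in strict mode when no explicit credentials were supplied."""


# Constructed placeholder for the default credentials stored on disk.
STORED_APP_CONFIG = {"db_user": "palantir", "db_password": "app-secret-placeholder"}


def resolve_credentials(mode: ConsoleMode,
                        cli_user: Optional[str],
                        cli_password: Optional[str],
                        stored: dict = STORED_APP_CONFIG) -> DbCredentials:
    """Pick the DB account the console will connect with.

    Explicit command-line credentials always win. Half-supplied credentials are
    rejected in both modes rather than silently replaced by the stored account.
    Only permissive mode may fall back to the shared application account.
    """
    if bool(cli_user) != bool(cli_password):
        raise ValueError("supply both --user and --password, or neither")
    if cli_user and cli_password:
        return DbCredentials(cli_user, cli_password, source="cli")
    if mode is ConsoleMode.STRICT:
        raise CredentialsRequired("strict mode: pass --user and --password")
    return DbCredentials(stored["db_user"], stored["db_password"], source="disk")


def audit_event(operator: str, creds: DbCredentials, statement: str) -> dict:
    """Build the console-side audit record for one statement.

    The OS-level operator is always recorded here, but the database's own audit
    log can only attribute the statement to an individual when the DB account
    itself was individual (source == "cli"); with the shared on-disk account it
    sees only "palantir". The password is deliberately not included.
    """
    return {
        "operator": operator,
        "db_account": creds.username,
        "credential_source": creds.source,
        "individually_attributable": creds.source == "cli",
        "statement": statement,
    }
```

In permissive mode the record carries `individually_attributable: False`, which is exactly the gap described above: the console knows who typed the statement, but the Oracle audit log only ever sees the application account.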

jboreiko commented 7 years ago

That makes sense. Want to flag this concern over to the xray guys @gbonik who are particularly interested in the gotham db surgery workflows.