[ https://issues.apache.org/jira/browse/CASSANDRA-16669?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17360546#comment-17360546 ]
Ekaterina Dimitrova commented on CASSANDRA-16669: ------------------------------------------------- One more comment which probably we can address in a new ticket for improvement: {code:java} cqlsh> CREATE ROLE role1 WITH PASSWORD = 'me' AND LOGIN = true; InvalidRequest: Error from server: code=2200 [Invalid query] message="org.apache.cassandra.auth.CassandraRoleManager doesn't support PASSWORD" cqlsh> CREATE ROLE role1; Unauthorized: Error from server: code=2100 [Unauthorized] message="You have to be logged in and not anonymous to perform this request" {code} I believe the first error message might be confusing for a user. > Password obfuscation for DCL audit log statements > ------------------------------------------------- > > Key: CASSANDRA-16669 > URL: https://issues.apache.org/jira/browse/CASSANDRA-16669 > Project: Cassandra > Issue Type: Bug > Components: Tool/auditlogging > Reporter: Vinay Chella > Assignee: Sumanth Pasupuleti > Priority: Normal > Labels: audit, security > Fix For: 4.0-rc, 4.0.x, 4.x > > Time Spent: 1.5h > Remaining Estimate: 0h > > The goal of this JIRA is to obfuscate passwords or any sensitive information > from DCL audit log statements. > Currently, (Cassandra version 4.0-rc1) logs query statements for any DCL > ([ROLE|https://cassandra.apache.org/doc/latest/cql/security.html#database-roles] > and [USER|https://cassandra.apache.org/doc/latest/cql/security.html#users] ) > queries with passwords in plaintext format in audit log files. > The current workaround to avoid plain text passwords from being logged in > audit log files is either by > [excluding|https://cassandra.apache.org/doc/latest/operating/audit_logging.html#options] > DCL statements from auditing or by excluding the user who is creating these > roles from auditing. > It would be ideal for Cassandra to provide an option or default to obfuscate > passwords or any sensitive information from DCL audit log statements. > Sample audit logs with DCL queries > {code:sh} > Type: audit > LogMessage: > user:cassandra|host:localhost/127.0.0.1:7000|source:/127.0.0.1|port:51908|timestamp:1620190499676|type:CREATE_ROLE|category:DCL|operation:CREATE > ROLE new_role; > Type: audit > LogMessage: > user:cassandra|host:localhost/127.0.0.1:7000|source:/127.0.0.1|port:51908|timestamp:1620190505313|type:CREATE_ROLE|category:DCL|operation:CREATE > ROLE alice WITH PASSWORD = 'password_a' AND LOGIN = true; > Type: audit > LogMessage: > user:cassandra|host:localhost/127.0.0.1:7000|source:/127.0.0.1|port:51908|timestamp:1620190519521|type:REQUEST_FAILURE|category:ERROR|operation:ALTER > ROLE bob WITH PASSWORD = 'PASSWORD_B' AND SUPERUSER = false;; bob doesn't > exist > Type: audit > LogMessage: > user:cassandra|host:localhost/127.0.0.1:7000|source:/127.0.0.1|port:51908|timestamp:1620190525376|type:CREATE_ROLE|category:DCL|operation:CREATE > ROLE bob WITH PASSWORD = 'password_b' AND LOGIN = true AND SUPERUSER = true; > Type: audit > LogMessage: > user:cassandra|host:localhost/127.0.0.1:7000|source:/127.0.0.1|port:51908|timestamp:1620190532462|type:ALTER_ROLE|category:DCL|operation:ALTER > ROLE bob WITH PASSWORD = 'PASSWORD_B' AND SUPERUSER = false; > {code} > It is also ideal to document this workaround or assumption in Cassandra audit > log documentation until we close this JIRA -- This message was sent by Atlassian Jira (v8.3.4#803005) --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org