[ https://issues.apache.org/jira/browse/CASSANDRA-16669?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17362204#comment-17362204 ]
Ekaterina Dimitrova commented on CASSANDRA-16669:
-------------------------------------------------

Thank you [~sumanth.pasupuleti] for all your work. I spent some time on the patch today and I also did a lot of additional manual testing to be sure about my understanding of how things work.

Attached is a [PR|https://github.com/ekaterinadimitrova2/cassandra/pull/140] containing your [commit|https://github.com/ekaterinadimitrova2/cassandra/pull/140/commits/b2ed399c0818c0d3616fdb353a089829be469d3e] and [commit|https://github.com/ekaterinadimitrova2/cassandra/pull/140/commits/3b57f9ccfc6cec0a677463bc1f0cef722d61dbab] with my small review comments. The new tests are all passing locally for me. I added a few sentences to the docs to reflect the current limitations around password obfuscation.

I am currently running full CI - [Java 8|https://app.circleci.com/pipelines/github/ekaterinadimitrova2/cassandra/954/workflows/5e3fa9b6-0c5f-443a-880f-7635d04cea18] | [Java 11|https://app.circleci.com/pipelines/github/ekaterinadimitrova2/cassandra/954/workflows/edb2b149-f237-4302-8814-3c41b8fb9035]

I was thinking of more tests to add, but after running more FQL and the AuditLogging locally I think the current suite satisfies the needs, as we have a centralized solution within the _QueryEvents_. [~vinaykumarcse], please correct me if I am wrong, as you are the author and you might have some additional deep knowledge. Please let me know if you want me to add something more.

Currently we obfuscate with ******** everything after the word password in a DCL statement record, so I would expect more information than less to be obfuscated.

I am +1 to the patch on green CI completion. I will check back a bit later tonight if there are any new failures.
> Password obfuscation for DCL audit log statements
> -------------------------------------------------
>
>                 Key: CASSANDRA-16669
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-16669
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Tool/auditlogging
>            Reporter: Vinay Chella
>            Assignee: Sumanth Pasupuleti
>            Priority: Normal
>              Labels: audit, security
>             Fix For: 4.0-rc, 4.0.x, 4.x
>
>          Time Spent: 5h 10m
>  Remaining Estimate: 0h
>
> The goal of this JIRA is to obfuscate passwords or any sensitive information
> from DCL audit log statements.
> Currently, Cassandra (version 4.0-rc1) logs query statements for any DCL
> ([ROLE|https://cassandra.apache.org/doc/latest/cql/security.html#database-roles]
> and [USER|https://cassandra.apache.org/doc/latest/cql/security.html#users])
> queries with passwords in plaintext format in audit log files.
> The current workaround to avoid plain text passwords from being logged in
> audit log files is either by
> [excluding|https://cassandra.apache.org/doc/latest/operating/audit_logging.html#options]
> DCL statements from auditing or by excluding the user who is creating these
> roles from auditing.
> It would be ideal for Cassandra to provide an option or default to obfuscate
> passwords or any sensitive information from DCL audit log statements.
> Sample audit logs with DCL queries
> {code:sh}
> Type: audit
> LogMessage:
> user:cassandra|host:localhost/127.0.0.1:7000|source:/127.0.0.1|port:51908|timestamp:1620190499676|type:CREATE_ROLE|category:DCL|operation:CREATE ROLE new_role;
> Type: audit
> LogMessage:
> user:cassandra|host:localhost/127.0.0.1:7000|source:/127.0.0.1|port:51908|timestamp:1620190505313|type:CREATE_ROLE|category:DCL|operation:CREATE ROLE alice WITH PASSWORD = 'password_a' AND LOGIN = true;
> Type: audit
> LogMessage:
> user:cassandra|host:localhost/127.0.0.1:7000|source:/127.0.0.1|port:51908|timestamp:1620190519521|type:REQUEST_FAILURE|category:ERROR|operation:ALTER ROLE bob WITH PASSWORD = 'PASSWORD_B' AND SUPERUSER = false;; bob doesn't exist
> Type: audit
> LogMessage:
> user:cassandra|host:localhost/127.0.0.1:7000|source:/127.0.0.1|port:51908|timestamp:1620190525376|type:CREATE_ROLE|category:DCL|operation:CREATE ROLE bob WITH PASSWORD = 'password_b' AND LOGIN = true AND SUPERUSER = true;
> Type: audit
> LogMessage:
> user:cassandra|host:localhost/127.0.0.1:7000|source:/127.0.0.1|port:51908|timestamp:1620190532462|type:ALTER_ROLE|category:DCL|operation:ALTER ROLE bob WITH PASSWORD = 'PASSWORD_B' AND SUPERUSER = false;
> {code}
> It is also ideal to document this workaround or assumption in Cassandra audit
> log documentation until we close this JIRA

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
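Added example, not code from the patch or from Cassandra's Java QueryEvents: a Python rendering of the obfuscation rule described in the comment (everything after the word password replaced with ********), run over records constructed to match the audit log samples quoted in the issue. The choice to key the DCL check on the CQL text rather than on the category field is this example's assumption, made so that the REQUEST_FAILURE record (category:ERROR) carrying an ALTER ROLE statement is scrubbed as well.

```python
import re

# Obfuscation rule as described in the review comment: everything after the
# word "password" in a DCL statement record is replaced with the token below.
PASSWORD_TOKEN = "password"
OBFUSCATION_TOKEN = "********"

# Statements that may carry a PASSWORD clause (role and user DCL). Matching on
# the CQL text instead of the category field is an assumption of this example,
# so that a REQUEST_FAILURE record carrying the same statement is covered too.
DCL_WITH_PASSWORD = re.compile(r"^\s*(CREATE|ALTER)\s+(ROLE|USER)\b", re.IGNORECASE)

# Constructed sample records, shaped like the audit log lines quoted in the issue.
SAMPLE_RECORDS = [
    "user:cassandra|host:localhost/127.0.0.1:7000|source:/127.0.0.1|port:51908|timestamp:1620190499676"
    "|type:CREATE_ROLE|category:DCL|operation:CREATE ROLE new_role;",
    "user:cassandra|host:localhost/127.0.0.1:7000|source:/127.0.0.1|port:51908|timestamp:1620190505313"
    "|type:CREATE_ROLE|category:DCL|operation:CREATE ROLE alice WITH PASSWORD = 'password_a' AND LOGIN = true;",
    "user:cassandra|host:localhost/127.0.0.1:7000|source:/127.0.0.1|port:51908|timestamp:1620190519521"
    "|type:REQUEST_FAILURE|category:ERROR|operation:ALTER ROLE bob WITH PASSWORD = 'PASSWORD_B'"
    " AND SUPERUSER = false;; bob doesn't exist",
]


def obfuscate_after_password(statement: str) -> str:
    """Keep the statement up to and including the word 'password' (any case) and
    replace the rest with the token. Clauses after the password (LOGIN, SUPERUSER)
    and any appended error text are dropped too: coarse, but it never under-redacts."""
    idx = statement.lower().find(PASSWORD_TOKEN)
    if idx < 0:
        return statement
    return statement[: idx + len(PASSWORD_TOKEN)] + " " + OBFUSCATION_TOKEN


def scrub_record(record: str) -> str:
    """Scrub one pipe-delimited audit record. The CQL text is everything after the
    first '|operation:' marker, so the split is done there rather than on every '|'
    (a password literal could itself contain '|' or ':')."""
    head, marker, statement = record.partition("|operation:")
    if not marker or not DCL_WITH_PASSWORD.match(statement):
        return record
    return head + marker + obfuscate_after_password(statement)


def scrub_all(records):
    return [scrub_record(r) for r in records]


def leaked_secrets(records, secrets):
    """Post-check for a log pipeline: which known secrets still appear verbatim."""
    return sorted({s for s in secrets for r in records if s in r})


if __name__ == "__main__":
    for line in scrub_all(SAMPLE_RECORDS):
        print(line)
```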