[ https://issues.apache.org/jira/browse/CASSANDRA-17334?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17500661#comment-17500661 ]
Berenguer Blasi commented on CASSANDRA-17334: --------------------------------------------- Well, the PR is up. Some shadows and some lights though. I managed to pin down 2 unrelated nasty bugs which is good. I managed to make the thing work which is good also. The problem comes from the cqlsh command. I got onto that path and I am attaching a diff of the hash command currently just clearing the screen so I don't loose that bit of code. Server side hash is done with jBcrypt. It does have a py port which is just a wrapper to C code. The problem is that jBcrypt and pyBcrypt have difference licenses, the py one not being friendly to us after checking with some PMC members and ([link|https://www.apache.org/legal/resolved.html]) because of the advertising clause to start with. Hence we have no py lib and the alternative would be to call some java code. This takes us back to square 1 where we don't have a self-contained nice command solution. I need to explore more the hash py lib side of things and licenses. We could replace both server and client with a new lib that supports more languages. That would be a bit like future proofing for future hashing needs which seems like a good idea. The problem being upgrade scenarios where we'd have to support both hash versions, old and new, at some point. All this is well beyond what I wanted to do in this ticket and too much of a big-bang change for my taste if it can be avoided. The plain text passwords path remains untouched, this will all be opt-in, it's an improvement to the current state, we fix some bugs and doesn't block future development. So I would get this ticket done as a first step and open a new one for the other work . > Pre hashed passwords in CQL > --------------------------- > > Key: CASSANDRA-17334 > URL: https://issues.apache.org/jira/browse/CASSANDRA-17334 > Project: Cassandra > Issue Type: Improvement > Components: Feature/Authorization > Reporter: Berenguer Blasi > Assignee: Berenguer Blasi > Priority: Normal > Fix For: 4.1 > > Attachments: cqlsh.diff > > > As seen on CASSANDRA-16801 and friends we are working across the system with > plain text passwords. These can be unintentionally revealed by intermediate > systems. Allowing the use of hashed passwords should mitigate that. The idea > is to add a new option {{HASHED PASSWORD}} for {{CREATE/ALTER ROLE/USER}}. > Examples: > {noformat} > CREATE ROLE foo WITH login = true AND hashed password = > '$2a$10$JSJEMFm6GeaW9XxT5JIheuEtPvat6i7uKbnTcxX3c1wshIIsGyUtG'; > ALTER ROLE foo WITH hashed password = > '$2a$10$JSJEMFm6GeaW9XxT5JIheuEtPvat6i7uKbnTcxX3c1wshIIsGyUtG'; > {noformat} > To generate the password hash, there will be a new tool {{hash_password}} in > resources/cassandra/bin > Based on original works from [~snazy] -- This message was sent by Atlassian Jira (v8.20.1#820001) --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org