[jira] [Commented] (CASSANDRA-17334) Pre hashed passwords in CQL

Thu, 17 Mar 2022 09:56:04 -0700 


    [ 
https://issues.apache.org/jira/browse/CASSANDRA-17334?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17508292#comment-17508292
 ] 

Andres de la Peña commented on CASSANDRA-17334:
-----------------------------------------------

I guess that if we don't solve the licensing issues nor port jbcrypt ourselves 
to other languages, we would eventually need to change to another hashing 
library and also support the current one for a time. We could keep both new and 
old hashes in separate columns.

Even if we had the means to produce hashes in different clients, we would still 
need the new {{HASHED PASSWORD}} option for {{CREATE|ALTER USER|ROLE}}. Having 
the means to hash passwords on different clients seems like a separate problem, 
so I would dedicate this ticket to add the new {{HASHED PASSWORD}} option and 
would do the rest in a followup ticket, if that makes sense. The changes 
introduced here at least would be immediately useful for those with access to 
the new {{tools/bin/hash_password}} tool.

I have left a bunch of suggestions on the PR.

> Pre hashed passwords in CQL
> ---------------------------
>
>                 Key: CASSANDRA-17334
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-17334
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Feature/Authorization
>            Reporter: Berenguer Blasi
>            Assignee: Berenguer Blasi
>            Priority: Normal
>             Fix For: 4.1
>
>         Attachments: cqlsh.diff
>
>          Time Spent: 2h
>  Remaining Estimate: 0h
>
> As seen on CASSANDRA-16801 and friends we are working across the system with 
> plain text passwords. These can be unintentionally revealed by intermediate 
> systems. Allowing the use of hashed passwords should mitigate that. The idea 
> is to add a new option {{HASHED PASSWORD}} for {{CREATE/ALTER ROLE/USER}}. 
> Examples:
> {noformat}
> CREATE ROLE foo WITH login = true AND hashed password = 
> '$2a$10$JSJEMFm6GeaW9XxT5JIheuEtPvat6i7uKbnTcxX3c1wshIIsGyUtG';
> ALTER ROLE foo WITH hashed password = 
> '$2a$10$JSJEMFm6GeaW9XxT5JIheuEtPvat6i7uKbnTcxX3c1wshIIsGyUtG';
> {noformat}
> To generate the password hash, there will be a new tool {{hash_password}} in 
> resources/cassandra/bin
> Based on original works from [~snazy]



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

Reply via email to