[ https://issues.apache.org/jira/browse/CASSANDRA-17334?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17508292#comment-17508292 ]
Andres de la Peña edited comment on CASSANDRA-17334 at 3/17/22, 4:56 PM:
-------------------------------------------------------------------------

I guess that if we don't solve the licensing issues or port jbcrypt ourselves to other languages, we would eventually need to change to another hashing library and also support the current one for a time. We could keep both new and old hashes in separate columns.

Even if we had the means to produce hashes in different clients, we would still need the new {{HASHED PASSWORD}} option for {{CREATE|ALTER USER|ROLE}}. Having the means to hash passwords on different clients seems like a separate problem, so I would dedicate this ticket to adding the new {{HASHED PASSWORD}} option and would do the rest in a follow-up ticket, if that makes sense. The changes introduced here would at least be immediately useful for those with access to the new {{tools/bin/hash_password}} tool.

I have left a bunch of suggestions on the PR, which overall looks good to me.
> Pre hashed passwords in CQL
> ---------------------------
>
> Key: CASSANDRA-17334
> URL: https://issues.apache.org/jira/browse/CASSANDRA-17334
> Project: Cassandra
> Issue Type: Improvement
> Components: Feature/Authorization
> Reporter: Berenguer Blasi
> Assignee: Berenguer Blasi
> Priority: Normal
> Fix For: 4.1
>
> Attachments: cqlsh.diff
>
> Time Spent: 2h
> Remaining Estimate: 0h
>
> As seen on CASSANDRA-16801 and friends, we are working across the system with
> plain text passwords. These can be unintentionally revealed by intermediate
> systems. Allowing the use of hashed passwords should mitigate that. The idea
> is to add a new option {{HASHED PASSWORD}} for {{CREATE/ALTER ROLE/USER}}.
> Examples:
> {noformat}
> CREATE ROLE foo WITH login = true AND hashed password =
> '$2a$10$JSJEMFm6GeaW9XxT5JIheuEtPvat6i7uKbnTcxX3c1wshIIsGyUtG';
> ALTER ROLE foo WITH hashed password =
> '$2a$10$JSJEMFm6GeaW9XxT5JIheuEtPvat6i7uKbnTcxX3c1wshIIsGyUtG';
> {noformat}
> To generate the password hash, there will be a new tool {{hash_password}} in
> resources/cassandra/bin
> Based on original works from [~snazy]

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
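The new option only makes sense if the value handed to {{HASHED PASSWORD}} really is a bcrypt hash and not a plaintext password pasted by mistake. Below is an added example, not code from the ticket or from Cassandra, that validates the jbcrypt-style modular-crypt format ({{$2a$<cost>$<22-char salt><31-char digest>}}) and builds the {{CREATE ROLE}} statement from the description; the function names and the plain-identifier role name are assumptions.

```python
import re

# Bcrypt modular-crypt format as produced by jbcrypt:
#   $2a$<2-digit cost>$<22-char salt><31-char digest>
# Salt and digest use bcrypt's own base64 alphabet (./A-Za-z0-9).
_BCRYPT_RE = re.compile(
    r"^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)


def parse_bcrypt_hash(value: str) -> dict:
    """Split a bcrypt hash into its fields, or raise ValueError.

    A plaintext password, a truncated hash or an out-of-range cost
    factor all fail here instead of being stored as a credential.
    """
    m = _BCRYPT_RE.fullmatch(value)
    if m is None:
        raise ValueError("not a bcrypt hash (expected $2a$<cost>$ + 53 chars)")
    version, cost, salt, digest = m.groups()
    cost = int(cost)
    if not 4 <= cost <= 31:  # bcrypt's valid work-factor range
        raise ValueError(f"bcrypt cost {cost} outside 4..31")
    return {"version": version, "cost": cost, "salt": salt, "digest": digest}


def is_bcrypt_hash(value: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        parse_bcrypt_hash(value)
        return True
    except ValueError:
        return False


def create_role_statement(role: str, bcrypt_hash: str, login: bool = True) -> str:
    """Emit the CREATE ROLE ... WITH hashed password = '...' statement
    from the ticket, refusing unless the hash validates first.
    `role` is assumed to be a plain unquoted CQL identifier."""
    parse_bcrypt_hash(bcrypt_hash)
    # CQL doubles a single quote inside a string literal; bcrypt's
    # alphabet has no quotes, but escape anyway to keep the literal safe.
    literal = bcrypt_hash.replace("'", "''")
    return (f"CREATE ROLE {role} WITH login = {'true' if login else 'false'} "
            f"AND hashed password = '{literal}';")


# Constructed sample: the hash quoted in the ticket description.
SAMPLE_HASH = "$2a$10$JSJEMFm6GeaW9XxT5JIheuEtPvat6i7uKbnTcxX3c1wshIIsGyUtG"

if __name__ == "__main__":
    print(parse_bcrypt_hash(SAMPLE_HASH))
    print(create_role_statement("foo", SAMPLE_HASH))
```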