[ https://issues.apache.org/jira/browse/CASSANDRA-17457?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17860726#comment-17860726 ]
Dinesh Joshi commented on CASSANDRA-17457:
------------------------------------------

Thanks for this patch. There are a few things we should consider before proceeding.

1. Passay is a dual licensed library. Have you researched whether this can be included as a dependency? [Per ASF's policies GPL is a Category X license and cannot be used.|https://www.apache.org/legal/resolved.html#category-x] I understand Passay is dual licensed under Apache 2.0 and GPL. However, I do not know the nuances of including it under Apache 2.0. I would like to make sure we get guidance from Apache Legal or if there is precedent in Cassandra, please cite in this thread. My very superficial understanding is that Cassandra needs to explicitly document the license that the project is opting to use this library under.

2. I don't think Passay supports anything other than the English language. IIRC Cassandra does not specifically restrict passwords to English. Adding this would essentially lock our users into using passwords that are in English. I don't think we should place this restriction on our users.

3. The YAML configuration for password complexity restrictions could be configured in a more flexible manner as shown below -

{noformat}
validations:
  - lowercase:
      characters: "[a-z]"
      min: [2, 1]
  - uppercase:
      characters: "[A-Z]"
      min: [2, 1]
  - numbers:
      characters: "[0-9]"
      min: [2, 1]
  - specialchars:
      characters: "!@#$%^&*()[]"
      min: [2, 1]
{noformat}

This is just illustrative. You can tweak it. However, it will allow users to specify their own validation rules with character set/classes. This is much more flexible and does not limit the user to the English character set while allowing them to pick specific characters to include or exclude.

I personally feel Passay dependency should be avoided if the effort to write our own implementation of password validation is reasonably small. However, if it is a lot of work and my concerns are addressed we can proceed with its inclusion.

> CEP-24 - Password validation/generation
> ---------------------------------------
>
>                 Key: CASSANDRA-17457
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-17457
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Feature/Authorization
>            Reporter: Berenguer Blasi
>            Assignee: Stefan Miklosovic
>            Priority: Normal
>             Fix For: 5.x
>
>
> Implement CEP-24 as per
> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=228494146
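
One way the rule format proposed in point 3 of the comment could be evaluated, including a non-English character class (an added example, not code from the comment or from Cassandra). Assumptions: `min: [2, 1]` is read as [warn threshold, fail threshold], a bracketed `characters` value is a single regex character class while any other value is a literal list of characters, and the Cyrillic ranges and the function names are constructed for illustration.

```python
import re
import unicodedata

# Constructed rules mirroring the illustrative YAML, with Cyrillic ranges added
# to show a non-English class. Assumption: min is [warn_threshold, fail_threshold].
RULES = [
    {"name": "lowercase", "characters": "[a-zа-я]", "min": [2, 1]},
    {"name": "uppercase", "characters": "[A-ZА-Я]", "min": [2, 1]},
    {"name": "numbers", "characters": "[0-9]", "min": [2, 1]},
    {"name": "specialchars", "characters": "!@#$%^&*()[]", "min": [2, 1]},
]


def make_counter(spec):
    """Return a function counting the characters of a password that match spec."""
    # Assumption: "[...]" with no inner "]" is one regex character class;
    # any other value is a literal list of allowed characters.
    if len(spec) > 2 and spec[0] == "[" and spec[-1] == "]" and "]" not in spec[1:-1]:
        char_class = re.compile(spec)
        return lambda pw: len(char_class.findall(pw))
    allowed = set(spec)
    return lambda pw: sum(ch in allowed for ch in pw)


def validate(password, rules=RULES):
    """Return the names of rules that only warn and of rules that fail."""
    # NFC so a letter typed as base + combining mark is composed into one
    # code point where a composed form exists, and is counted once.
    pw = unicodedata.normalize("NFC", password)
    result = {"warn": [], "fail": []}
    for rule in rules:
        warn_min, fail_min = rule["min"]
        if fail_min > warn_min:
            raise ValueError(f"{rule['name']}: fail threshold exceeds warn threshold")
        count = make_counter(rule["characters"])(pw)
        if count < fail_min:
            result["fail"].append(rule["name"])
        elif count < warn_min:
            result["warn"].append(rule["name"])
    return result


if __name__ == "__main__":
    for candidate in ("abCD12!@", "парольПАРОЛЬ12[]", "aB1"):  # constructed samples
        print(repr(candidate), validate(candidate))
```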