[ 
https://issues.apache.org/jira/browse/CASSANDRA-17457?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17860726#comment-17860726
 ] 

Dinesh Joshi commented on CASSANDRA-17457:
------------------------------------------

Thanks for this patch. There are a few things we should consider before 
proceeding.

1. Passay is a dual licensed library. Have you researched whether this can be 
included as a dependency? [Per ASF's policies GPL is a Category X license and 
cannot be used.|https://www.apache.org/legal/resolved.html#category-x] I 
understand Passay is dual licensed under Apache 2.0 and GPL. However, I do not 
know the nuances of including it under Apache 2.0. I would like to make sure we 
get guidance from Apache Legal, or if there is precedent in Cassandra, please 
cite it in this thread. My very superficial understanding is that Cassandra needs 
to explicitly document the license that the project is opting to use this 
library under.

2. I don't think Passay supports anything other than the English language. IIRC 
Cassandra does not specifically restrict passwords to English. Adding this 
would essentially lock our users into using passwords that are in English. I 
don't think we should place this restriction on our users.

3. The YAML configuration for password complexity restrictions could be 
configured in a more flexible manner as shown below -
{noformat}
validations:
    - lowercase: 
        characters: "[a-z]"
        min: [2, 1]
    - uppercase: 
        characters: "[A-Z]"
        min: [2, 1]
    - numbers:
        characters: "[0-9]"
        min: [2, 1]
    - specialchars:
        characters: "!@#$%^&*()[]"
        min: [2, 1]
{noformat}
This is just illustrative. You can tweak it. However, it will allow users to 
specify their own validation rules with character set/classes. This is much 
more flexible and does not limit the user to the English character set while 
allowing them to pick specific characters to include or exclude.

I personally feel the Passay dependency should be avoided if the effort to write 
our own implementation of password validation is reasonably small. However, if 
it is a lot of work and my concerns are addressed, we can proceed with its 
inclusion.
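The rule scheme sketched in point 3, as an added example that is not code from the ticket or from Cassandra: each rule names a character set (a regex class or a literal list of characters) and a minimum count, and the validator reports which rules a password fails. It assumes a single integer `min` per rule (the `[2, 1]` form in the comment is only illustrative) and shows a second, script-agnostic rule set alongside the ASCII one.

```python
import re
from typing import Dict, List

# Constructed: the parsed form of the YAML sketched in the comment, with one
# integer `min` per rule. These classes are ASCII-only, so a non-Latin password
# cannot satisfy the letter rules.
ASCII_RULES: List[Dict[str, Dict]] = [
    {"lowercase":    {"characters": "[a-z]", "min": 2}},
    {"uppercase":    {"characters": "[A-Z]", "min": 2}},
    {"numbers":      {"characters": "[0-9]", "min": 2}},
    {"specialchars": {"characters": "!@#$%^&*()[]", "min": 1}},
]

# Constructed: the same shape with Unicode-aware classes (Python's `re` treats
# \w and \d as Unicode by default), so letters of any script count.
UNICODE_RULES: List[Dict[str, Dict]] = [
    {"letters":      {"characters": r"[^\W\d_]", "min": 4}},
    {"numbers":      {"characters": r"\d", "min": 2}},
    {"specialchars": {"characters": "!@#$%^&*()[]", "min": 1}},
]


def compile_rule(spec: str) -> "re.Pattern":
    """A value written as a regex class ("[...]") or a backslash escape is used
    as-is; any other value is a literal set of characters, escaped so that
    metacharacters such as "[" and "]" are matched literally."""
    if spec.startswith("[") or spec.startswith("\\"):
        return re.compile(spec)
    return re.compile("[" + re.escape(spec) + "]")


def validate(password: str, rules: List[Dict[str, Dict]]) -> List[str]:
    """Return the names of the rules the password fails; [] means accepted."""
    failures = []
    for rule in rules:
        (name, cfg), = rule.items()          # each list entry holds one rule
        count = len(compile_rule(cfg["characters"]).findall(password))
        if count < cfg["min"]:
            failures.append(name)
    return failures


if __name__ == "__main__":
    for pw in ("Ab12cd!!EF", "password", "Пароль42!"):
        print(pw, "ascii:", validate(pw, ASCII_RULES),
              "unicode:", validate(pw, UNICODE_RULES))
```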

> CEP-24 - Password validation/generation
> ---------------------------------------
>
>                 Key: CASSANDRA-17457
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-17457
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Feature/Authorization
>            Reporter: Berenguer Blasi
>            Assignee: Stefan Miklosovic
>            Priority: Normal
>             Fix For: 5.x
>
>
> Implement CEP-24 as per 
> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=228494146


