[ https://issues.apache.org/jira/browse/CASSANDRA-19765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17865565#comment-17865565 ]
Stefan Miklosovic edited comment on CASSANDRA-19765 at 7/12/24 7:01 PM: ------------------------------------------------------------------------ I don't know ... the fact that this is by default disabled unless the flag is turned on means that operator would need to manually intervene and restart the nodes etc. So while they are at it, why do not they just run "REVOKE SELECT ON system_auth.roles FROM somerole" in a repeated manner over all non-super-user roles and be done with it? This would happen together with a patch which would skip granting this on system_auth.roles or other tables in the future if we choose so. The effort seems to be same to me. I get that if we do that, we just prevented non-super-users from reading system_auth.roles as a whole, not only salted hash column, but is not this quite improbable to happen? What would you need a non-super-user role to read system_auth.roles at anyway? Is not that quite a contrived case? You mentioned that various tool happen to access to various tables, local, peers, peers_v2 etc. What non-super-user role just HAS TO read system_auth.roles? was (Author: smiklosovic): I don't know ... the fact that this is by default disabled unless the flag is turned on means that operator would need to manually intervene and restart the nodes etc. So while they are at it, why do not they just run "REVOKE SELECT ON system_auth.roles FROM somerole" in a repeated manner over all non-super-user roles and be done with it? This would happen together with a patch which would skip granting this on system_auth.roles or other tables in the future if we choose so. The effort seems to be same to me. > Remove accessibility to system_auth.roles salted_hash for non-superusers > ------------------------------------------------------------------------ > > Key: CASSANDRA-19765 > URL: https://issues.apache.org/jira/browse/CASSANDRA-19765 > Project: Cassandra > Issue Type: Improvement > Components: Legacy/Core > Reporter: Abe Ratnofsky > Assignee: Abe Ratnofsky > Priority: Normal > Fix For: 3.0.x, 3.11.x, 4.0.x, 4.1.x, 5.0.x > > > Cassandra permits all users with SELECT on system_auth.roles to access > contents of the salted_hash column. This column contains a bcrypt hash, which > shouldn't be visible. This isn't a significant security risk at the current > time, but is prone to [retrospective > decryption|https://en.wikipedia.org/wiki/Harvest_now,_decrypt_later]. We > should protect this column so passwords cannot be cracked in the future. > > > {code:java} > $ ./bin/cqlsh -u cassandra -p cassandra > [cqlsh 6.3.0 | Cassandra 5.1-SNAPSHOT | CQL spec 3.4.8 | Native protocol v5] > cassandra@cqlsh> CREATE ROLE nonsuperuser WITH LOGIN=true AND > PASSWORD='nonsuperuser'; > cassandra@cqlsh> GRANT SELECT ON system_auth.roles TO nonsuperuser; > cassandra@cqlsh> exit; > $ ./bin/cqlsh -u nonsuperuser -p nonsuperuser > [cqlsh 6.3.0 | Cassandra 5.1-SNAPSHOT | CQL spec 3.4.8 | Native protocol v5] > nonsuperuser@cqlsh> SELECT * FROM system_auth.roles; > role | can_login | is_superuser | member_of | salted_hash > --------------+-----------+--------------+-----------+-------------------------------------------------------------- > cassandra | True | True | null | > $2a$10$WMg9UlR7F8Ko7LZxEyg0Ue12BoHR/Dn/0/3YtV4nRYCPcY7/5OmA6 > nonsuperuser | True | False | null | > $2a$10$HmHwVZRk8F904UUNMiUYi.xkVglWyKNgHMo1xJsCCKirwyb9NO/im > (2 rows) > {code} > > Patches available: > 3.0: > https://github.com/apache/cassandra/compare/trunk...aratno:cassandra:CASSANDRA-19765-salted_hash-visibility-30 > 3.11: > https://github.com/apache/cassandra/compare/trunk...aratno:cassandra:CASSANDRA-19765-salted_hash-visibility-311 > 4.0: > https://github.com/apache/cassandra/compare/trunk...aratno:cassandra:CASSANDRA-19765-salted_hash-visibility-40 > 4.1: > https://github.com/apache/cassandra/compare/trunk...aratno:cassandra:CASSANDRA-19765-salted_hash-visibility-41 > 5.0: > https://github.com/apache/cassandra/compare/trunk...aratno:cassandra:CASSANDRA-19765-salted_hash-visibility-50 > trunk: > https://github.com/apache/cassandra/compare/trunk...aratno:cassandra:CASSANDRA-19765-salted_hash-visibility-trunk -- This message was sent by Atlassian Jira (v8.20.10#820010) --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org