[jira] [Comment Edited] (CASSANDRA-19765) Remove accessibility to system_auth.roles salted_hash for non-superusers

[Stefan Miklosovic (Jira)]

    [ 
https://issues.apache.org/jira/browse/CASSANDRA-19765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17865565#comment-17865565
 ] 

Stefan Miklosovic edited comment on CASSANDRA-19765 at 7/12/24 7:01 PM:
------------------------------------------------------------------------

I don't know ... the fact that this is by default disabled unless the flag is 
turned on means that operator would need to manually intervene and restart the 
nodes etc. So while they are at it, why do not they just run "REVOKE SELECT ON 
system_auth.roles FROM somerole" in a repeated manner over all non-super-user 
roles and be done with it? This would happen together with a patch which would 
skip granting this on system_auth.roles or other tables in the future if we 
choose so. The effort seems to be same to me.

I get that if we do that, we just prevented non-super-users from reading 
system_auth.roles as a whole, not only salted hash column, but is not this 
quite improbable to happen? What would you need a non-super-user role to read 
system_auth.roles at anyway? Is not that quite a contrived case?

You mentioned that various tool happen to access to various tables, local, 
peers, peers_v2 etc. What non-super-user role just HAS TO read 
system_auth.roles?


was (Author: smiklosovic):
I don't know ... the fact that this is by default disabled unless the flag is 
turned on means that operator would need to manually intervene and restart the 
nodes etc. So while they are at it, why do not they just run "REVOKE SELECT ON 
system_auth.roles FROM somerole" in a repeated manner over all non-super-user 
roles and be done with it? This would happen together with a patch which would 
skip granting this on system_auth.roles or other tables in the future if we 
choose so. The effort seems to be same to me.

> Remove accessibility to system_auth.roles salted_hash for non-superusers
> ------------------------------------------------------------------------
>
>                 Key: CASSANDRA-19765
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-19765
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Legacy/Core
>            Reporter: Abe Ratnofsky
>            Assignee: Abe Ratnofsky
>            Priority: Normal
>             Fix For: 3.0.x, 3.11.x, 4.0.x, 4.1.x, 5.0.x
>
>
> Cassandra permits all users with SELECT on system_auth.roles to access 
> contents of the salted_hash column. This column contains a bcrypt hash, which 
> shouldn't be visible. This isn't a significant security risk at the current 
> time, but is prone to [retrospective 
> decryption|https://en.wikipedia.org/wiki/Harvest_now,_decrypt_later]. We 
> should protect this column so passwords cannot be cracked in the future.
>  
>  
> {code:java}
> $ ./bin/cqlsh -u cassandra -p cassandra
> [cqlsh 6.3.0 | Cassandra 5.1-SNAPSHOT | CQL spec 3.4.8 | Native protocol v5] 
> cassandra@cqlsh> CREATE ROLE nonsuperuser WITH LOGIN=true AND 
> PASSWORD='nonsuperuser';
> cassandra@cqlsh> GRANT SELECT ON system_auth.roles TO nonsuperuser;
> cassandra@cqlsh> exit;
> $ ./bin/cqlsh -u nonsuperuser -p nonsuperuser
> [cqlsh 6.3.0 | Cassandra 5.1-SNAPSHOT | CQL spec 3.4.8 | Native protocol v5] 
> nonsuperuser@cqlsh> SELECT * FROM system_auth.roles;
>  role         | can_login | is_superuser | member_of | salted_hash
> --------------+-----------+--------------+-----------+--------------------------------------------------------------
>     cassandra |      True |         True |      null | 
> $2a$10$WMg9UlR7F8Ko7LZxEyg0Ue12BoHR/Dn/0/3YtV4nRYCPcY7/5OmA6
>  nonsuperuser |      True |        False |      null | 
> $2a$10$HmHwVZRk8F904UUNMiUYi.xkVglWyKNgHMo1xJsCCKirwyb9NO/im
> (2 rows)
> {code}
>  
> Patches available:
> 3.0: 
> https://github.com/apache/cassandra/compare/trunk...aratno:cassandra:CASSANDRA-19765-salted_hash-visibility-30
> 3.11: 
> https://github.com/apache/cassandra/compare/trunk...aratno:cassandra:CASSANDRA-19765-salted_hash-visibility-311
> 4.0: 
> https://github.com/apache/cassandra/compare/trunk...aratno:cassandra:CASSANDRA-19765-salted_hash-visibility-40
> 4.1: 
> https://github.com/apache/cassandra/compare/trunk...aratno:cassandra:CASSANDRA-19765-salted_hash-visibility-41
> 5.0: 
> https://github.com/apache/cassandra/compare/trunk...aratno:cassandra:CASSANDRA-19765-salted_hash-visibility-50
> trunk: 
> https://github.com/apache/cassandra/compare/trunk...aratno:cassandra:CASSANDRA-19765-salted_hash-visibility-trunk



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org