[ https://issues.apache.org/jira/browse/CASSANDRA-19765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17865570#comment-17865570 ]
Stefan Miklosovic commented on CASSANDRA-19765:
-----------------------------------------------

Plus to that, if there is some non-super-user role which HAS TO read all roles, you can do this:

{code}
cassandra@cqlsh> GRANT DESCRIBE ON ALL ROLES TO iamnosuper;

iamnosuper@cqlsh> list roles;

 role        | super | login | options | datacenters
-------------+-------+-------+---------+-------------
   cassandra |  True |  True |      {} |         ALL
  iamnosuper | False |  True |      {} |         ALL
 iamnosuper2 | False |  True |      {} |         ALL
      stefan | False | False |      {} |         ALL
{code}

without granting that, iamnosuper sees just itself.

> Remove accessibility to system_auth.roles salted_hash for non-superusers
> ------------------------------------------------------------------------
>
>                 Key: CASSANDRA-19765
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-19765
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Legacy/Core
>            Reporter: Abe Ratnofsky
>            Assignee: Abe Ratnofsky
>            Priority: Normal
>             Fix For: 3.0.x, 3.11.x, 4.0.x, 4.1.x, 5.0.x
>
>
> Cassandra permits all users with SELECT on system_auth.roles to access
> contents of the salted_hash column. This column contains a bcrypt hash, which
> shouldn't be visible. This isn't a significant security risk at the current
> time, but is prone to [retrospective
> decryption|https://en.wikipedia.org/wiki/Harvest_now,_decrypt_later]. We
> should protect this column so passwords cannot be cracked in the future.
>
> {code:java}
> $ ./bin/cqlsh -u cassandra -p cassandra
> [cqlsh 6.3.0 | Cassandra 5.1-SNAPSHOT | CQL spec 3.4.8 | Native protocol v5]
> cassandra@cqlsh> CREATE ROLE nonsuperuser WITH LOGIN=true AND PASSWORD='nonsuperuser';
> cassandra@cqlsh> GRANT SELECT ON system_auth.roles TO nonsuperuser;
> cassandra@cqlsh> exit;
> $ ./bin/cqlsh -u nonsuperuser -p nonsuperuser
> [cqlsh 6.3.0 | Cassandra 5.1-SNAPSHOT | CQL spec 3.4.8 | Native protocol v5]
> nonsuperuser@cqlsh> SELECT * FROM system_auth.roles;
>
>  role         | can_login | is_superuser | member_of | salted_hash
> --------------+-----------+--------------+-----------+--------------------------------------------------------------
>     cassandra |      True |         True |      null | $2a$10$WMg9UlR7F8Ko7LZxEyg0Ue12BoHR/Dn/0/3YtV4nRYCPcY7/5OmA6
>  nonsuperuser |      True |        False |      null | $2a$10$HmHwVZRk8F904UUNMiUYi.xkVglWyKNgHMo1xJsCCKirwyb9NO/im
>
> (2 rows)
> {code}
>
> Patches available:
> 3.0: https://github.com/apache/cassandra/compare/trunk...aratno:cassandra:CASSANDRA-19765-salted_hash-visibility-30
> 3.11: https://github.com/apache/cassandra/compare/trunk...aratno:cassandra:CASSANDRA-19765-salted_hash-visibility-311
> 4.0: https://github.com/apache/cassandra/compare/trunk...aratno:cassandra:CASSANDRA-19765-salted_hash-visibility-40
> 4.1: https://github.com/apache/cassandra/compare/trunk...aratno:cassandra:CASSANDRA-19765-salted_hash-visibility-41
> 5.0: https://github.com/apache/cassandra/compare/trunk...aratno:cassandra:CASSANDRA-19765-salted_hash-visibility-50
> trunk: https://github.com/apache/cassandra/compare/trunk...aratno:cassandra:CASSANDRA-19765-salted_hash-visibility-trunk

--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
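The check a practitioner would run alongside the comment above, written as an added CQL example that is not part of the ticket or the patches: audit which roles hold grants on system_auth.roles, then replace a direct SELECT (the exposure shown in the issue description) with the DESCRIBE ON ALL ROLES grant the comment describes. The role name iamnosuper is taken from the comment; that it previously held SELECT on the table is an assumption.

```sql
-- Added example (not from the ticket): audit and tighten who can read system_auth.roles.
-- Role name iamnosuper comes from the comment above; its prior SELECT grant is assumed.

-- 1. Enumerate every grant on the roles table. On unpatched versions any non-superuser
--    listed here with SELECT can read the salted_hash column.
LIST ALL PERMISSIONS ON TABLE system_auth.roles;

-- 2. Remove the table-wide grant from a role that only needs to enumerate roles ...
REVOKE SELECT ON TABLE system_auth.roles FROM iamnosuper;

-- 3. ... and grant the narrower role-resource permission instead, which is what
--    lets LIST ROLES return all roles without touching the table's columns.
GRANT DESCRIBE ON ALL ROLES TO iamnosuper;

-- 4. Confirm the role's effective permissions: DESCRIBE on <all roles>,
--    and no remaining SELECT on system_auth.roles.
LIST ALL PERMISSIONS OF iamnosuper;
```

Run the statements as a superuser; step 4 is the record to keep in an access review, since it shows the role's full effective grants rather than only the one just added.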