[ https://issues.apache.org/jira/browse/CASSANDRA-19765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17866758#comment-17866758 ]
Stefan Miklosovic edited comment on CASSANDRA-19765 at 7/17/24 1:36 PM: ------------------------------------------------------------------------ I do not know the details about your deployments at all, but what I find interesting is that at one side you want to limit the users to access this table because you are concerned that they might crack the passwords, but on the other hand you want to be nice enough to warn them that the access to that is going to be stopped and you do not want to do that abruptly. I can imagine that being someone who has access to this and I see the warning that it will not be possible to access anymore, a potential attacker would try to get the hashes, exactly just because it will not be possible to do anymore. It is as if you invited people to get all hashes before it will not be possible anymore. I think shutting it down suddenly is just better. Users should not access this anyway. Another issue I have with this is that this is something completely custom, we are plumbing it, that is what we do. We need to deal with this every single SELECT. We are not dealing with this "idiomatically". was (Author: smiklosovic): I do not know the details about your deployments at all, but what I find interesting is that at one side you want to limit the users to access this table because you are concerned that they might crack the passwords, but on the other hand you want to be nice enough to warn them that the access to that is going to be stopped and you do not want to do that abruptly. I can imagine that being someone who has access to this and I see the warning that it will not be possible to access anymore, a potential attacker would try to get the hashes, exactly just because it will not be possible to do anymore. It is as if you invited people to get all hashes before it will not be possible anymore. I think shutting it down suddenly is just better. Users should not access this anyway. > Remove accessibility to system_auth.roles salted_hash for non-superusers > ------------------------------------------------------------------------ > > Key: CASSANDRA-19765 > URL: https://issues.apache.org/jira/browse/CASSANDRA-19765 > Project: Cassandra > Issue Type: Improvement > Components: Legacy/Core > Reporter: Abe Ratnofsky > Assignee: Abe Ratnofsky > Priority: Normal > Fix For: 3.0.x, 3.11.x, 4.0.x, 4.1.x, 5.0.x > > > Cassandra permits all users with SELECT on system_auth.roles to access > contents of the salted_hash column. This column contains a bcrypt hash, which > shouldn't be visible. This isn't a significant security risk at the current > time, but is prone to [retrospective > decryption|https://en.wikipedia.org/wiki/Harvest_now,_decrypt_later]. We > should protect this column so passwords cannot be cracked in the future. > > > {code:java} > $ ./bin/cqlsh -u cassandra -p cassandra > [cqlsh 6.3.0 | Cassandra 5.1-SNAPSHOT | CQL spec 3.4.8 | Native protocol v5] > cassandra@cqlsh> CREATE ROLE nonsuperuser WITH LOGIN=true AND > PASSWORD='nonsuperuser'; > cassandra@cqlsh> GRANT SELECT ON system_auth.roles TO nonsuperuser; > cassandra@cqlsh> exit; > $ ./bin/cqlsh -u nonsuperuser -p nonsuperuser > [cqlsh 6.3.0 | Cassandra 5.1-SNAPSHOT | CQL spec 3.4.8 | Native protocol v5] > nonsuperuser@cqlsh> SELECT * FROM system_auth.roles; > role | can_login | is_superuser | member_of | salted_hash > --------------+-----------+--------------+-----------+-------------------------------------------------------------- > cassandra | True | True | null | > $2a$10$WMg9UlR7F8Ko7LZxEyg0Ue12BoHR/Dn/0/3YtV4nRYCPcY7/5OmA6 > nonsuperuser | True | False | null | > $2a$10$HmHwVZRk8F904UUNMiUYi.xkVglWyKNgHMo1xJsCCKirwyb9NO/im > (2 rows) > {code} > > Patches available: > 3.0: > https://github.com/apache/cassandra/compare/trunk...aratno:cassandra:CASSANDRA-19765-salted_hash-visibility-30 > 3.11: > https://github.com/apache/cassandra/compare/trunk...aratno:cassandra:CASSANDRA-19765-salted_hash-visibility-311 > 4.0: > https://github.com/apache/cassandra/compare/trunk...aratno:cassandra:CASSANDRA-19765-salted_hash-visibility-40 > 4.1: > https://github.com/apache/cassandra/compare/trunk...aratno:cassandra:CASSANDRA-19765-salted_hash-visibility-41 > 5.0: > https://github.com/apache/cassandra/compare/trunk...aratno:cassandra:CASSANDRA-19765-salted_hash-visibility-50 > trunk: > https://github.com/apache/cassandra/compare/trunk...aratno:cassandra:CASSANDRA-19765-salted_hash-visibility-trunk -- This message was sent by Atlassian Jira (v8.20.10#820010) --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org