[ https://issues.apache.org/jira/browse/CASSANDRA-19765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17866781#comment-17866781 ]
Abe Ratnofsky commented on CASSANDRA-19765:
-------------------------------------------

> but on the other hand you want to be nice enough to warn them that the access
> to that is going to be stopped and you do not want to do that abruptly

It's not our decision as authors whether to break workloads abruptly, it's the operator's decision. The flag exists so an upgrade to a new version of Cassandra does not break workloads by default; an operator can decide to start up in an incompatible mode if they prefer.

I understand that this doesn't feel idiomatic to you; I would have also preferred to implement behavior like this with per-column permissions, but that doesn't currently exist, and extending the permissions hierarchy would be a consequential change. I'm open to discussing other approaches.

Changing the set of permissions inferred by GRANT SELECT ON ALL KEYSPACES would also break user workloads. We could just have a NEWS.txt entry stating our recommendation to REVOKE SELECT on system_auth.roles for non-superusers, but a reasonable operator could ask how to know usage of that table. Maybe the answer for them is to use FQL?

> Remove accessibility to system_auth.roles salted_hash for non-superusers
> ------------------------------------------------------------------------
>
>                 Key: CASSANDRA-19765
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-19765
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Legacy/Core
>            Reporter: Abe Ratnofsky
>            Assignee: Abe Ratnofsky
>            Priority: Normal
>             Fix For: 3.0.x, 3.11.x, 4.0.x, 4.1.x, 5.0.x
>
>
> Cassandra permits all users with SELECT on system_auth.roles to access
> contents of the salted_hash column. This column contains a bcrypt hash, which
> shouldn't be visible. This isn't a significant security risk at the current
> time, but is prone to [retrospective
> decryption|https://en.wikipedia.org/wiki/Harvest_now,_decrypt_later]. We
> should protect this column so passwords cannot be cracked in the future.
>
>
> {code:java}
> $ ./bin/cqlsh -u cassandra -p cassandra
> [cqlsh 6.3.0 | Cassandra 5.1-SNAPSHOT | CQL spec 3.4.8 | Native protocol v5]
> cassandra@cqlsh> CREATE ROLE nonsuperuser WITH LOGIN=true AND PASSWORD='nonsuperuser';
> cassandra@cqlsh> GRANT SELECT ON system_auth.roles TO nonsuperuser;
> cassandra@cqlsh> exit;
> $ ./bin/cqlsh -u nonsuperuser -p nonsuperuser
> [cqlsh 6.3.0 | Cassandra 5.1-SNAPSHOT | CQL spec 3.4.8 | Native protocol v5]
> nonsuperuser@cqlsh> SELECT * FROM system_auth.roles;
>  role         | can_login | is_superuser | member_of | salted_hash
> --------------+-----------+--------------+-----------+--------------------------------------------------------------
>     cassandra |      True |         True |      null | $2a$10$WMg9UlR7F8Ko7LZxEyg0Ue12BoHR/Dn/0/3YtV4nRYCPcY7/5OmA6
>  nonsuperuser |      True |        False |      null | $2a$10$HmHwVZRk8F904UUNMiUYi.xkVglWyKNgHMo1xJsCCKirwyb9NO/im
> (2 rows)
> {code}
>
> Patches available:
> 3.0: https://github.com/apache/cassandra/compare/trunk...aratno:cassandra:CASSANDRA-19765-salted_hash-visibility-30
> 3.11: https://github.com/apache/cassandra/compare/trunk...aratno:cassandra:CASSANDRA-19765-salted_hash-visibility-311
> 4.0: https://github.com/apache/cassandra/compare/trunk...aratno:cassandra:CASSANDRA-19765-salted_hash-visibility-40
> 4.1: https://github.com/apache/cassandra/compare/trunk...aratno:cassandra:CASSANDRA-19765-salted_hash-visibility-41
> 5.0: https://github.com/apache/cassandra/compare/trunk...aratno:cassandra:CASSANDRA-19765-salted_hash-visibility-50
> trunk: https://github.com/apache/cassandra/compare/trunk...aratno:cassandra:CASSANDRA-19765-salted_hash-visibility-trunk
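
An added example, not part of the original message or of the Cassandra patches: an operator-side audit that finds which non-superuser roles can currently read `system_auth.roles`, whether through a table grant, a `system_auth` keyspace grant, `GRANT SELECT ON ALL KEYSPACES`, or a role they are a member of. The role and permission rows are constructed sample data; the resource strings are assumed to match what `LIST ALL PERMISSIONS` prints, and superuser status is assumed to be inherited through role membership.

```python
# Constructed sample data, not from a real cluster.
# role -> (is_superuser, member_of), mirroring columns of system_auth.roles
ROLES = {
    "cassandra": (True, set()),
    "nonsuperuser": (False, set()),
    "readers": (False, set()),
    "analyst": (False, {"readers"}),
    "app": (False, set()),
    "dba": (False, {"cassandra"}),
}
# (role, resource, permission); resource strings are assumed to match what
# LIST ALL PERMISSIONS prints for data resources.
PERMISSIONS = [
    ("nonsuperuser", "<table system_auth.roles>", "SELECT"),
    ("readers", "<all keyspaces>", "SELECT"),
    ("app", "<keyspace app_data>", "SELECT"),
    ("app", "<table system_auth.roles>", "MODIFY"),
]
# A SELECT grant on any of these resources covers system_auth.roles.
COVERING = {"<all keyspaces>", "<keyspace system_auth>", "<table system_auth.roles>"}


def granted_roles(role, roles):
    """Return the role plus every role it is transitively a member of."""
    seen, stack = set(), [role]
    while stack:
        current = stack.pop()
        if current not in seen:
            seen.add(current)
            stack.extend(roles.get(current, (False, set()))[1])
    return seen


def roles_that_can_read_hashes(roles, permissions):
    """Map each non-superuser role to the (grantee, resource) grants exposing salted_hash."""
    findings = {}
    for role in roles:
        chain = granted_roles(role, roles)
        # Assumption: superuser status is inherited through role membership.
        if any(roles.get(r, (False, set()))[0] for r in chain):
            continue
        hits = sorted((g, res) for g, res, perm in permissions
                      if g in chain and perm == "SELECT" and res in COVERING)
        if hits:
            findings[role] = hits
    return findings


if __name__ == "__main__":
    for role, hits in sorted(roles_that_can_read_hashes(ROLES, PERMISSIONS).items()):
        print(role, "->", hits)
```

Each finding names the grantee that actually holds the grant, which is the role to target with `REVOKE SELECT`.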