[ https://issues.apache.org/jira/browse/CASSANDRA-19765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17866781#comment-17866781 ]
Abe Ratnofsky commented on CASSANDRA-19765: ------------------------------------------- > but on the other hand you want to be nice enough to warn them that the access > to that is going to be stopped and you do not want to do that abruptly It's not our decision as authors whether to break workloads abruptly, it's the operator's decision. The flag exists so an upgrade to a new version of Cassandra does not break workloads by default; an operator can decide to start up in an incompatible mode if they prefer. I understand that this doesn't feel idiomatic to you; I would have also preferred to implement behavior like this with per-column permissions, but that doesn't currently exist, and extending the permissions hierarchy would be a consequential change. I'm open to discussing other approaches. Changing the set of permissions inferred by GRANT SELECT ON ALL KEYSPACES would also break user workloads. We could just have a NEWS.txt entry stating our recommendation to REVOKE SELECT on system_auth.roles for non-superusers, but a reasonable operator could ask how to know usage of that table. Maybe the answer for them is to use FQL? > Remove accessibility to system_auth.roles salted_hash for non-superusers > ------------------------------------------------------------------------ > > Key: CASSANDRA-19765 > URL: https://issues.apache.org/jira/browse/CASSANDRA-19765 > Project: Cassandra > Issue Type: Improvement > Components: Legacy/Core > Reporter: Abe Ratnofsky > Assignee: Abe Ratnofsky > Priority: Normal > Fix For: 3.0.x, 3.11.x, 4.0.x, 4.1.x, 5.0.x > > > Cassandra permits all users with SELECT on system_auth.roles to access > contents of the salted_hash column. This column contains a bcrypt hash, which > shouldn't be visible. This isn't a significant security risk at the current > time, but is prone to [retrospective > decryption|https://en.wikipedia.org/wiki/Harvest_now,_decrypt_later]. We > should protect this column so passwords cannot be cracked in the future. > > > {code:java} > $ ./bin/cqlsh -u cassandra -p cassandra > [cqlsh 6.3.0 | Cassandra 5.1-SNAPSHOT | CQL spec 3.4.8 | Native protocol v5] > cassandra@cqlsh> CREATE ROLE nonsuperuser WITH LOGIN=true AND > PASSWORD='nonsuperuser'; > cassandra@cqlsh> GRANT SELECT ON system_auth.roles TO nonsuperuser; > cassandra@cqlsh> exit; > $ ./bin/cqlsh -u nonsuperuser -p nonsuperuser > [cqlsh 6.3.0 | Cassandra 5.1-SNAPSHOT | CQL spec 3.4.8 | Native protocol v5] > nonsuperuser@cqlsh> SELECT * FROM system_auth.roles; > role | can_login | is_superuser | member_of | salted_hash > --------------+-----------+--------------+-----------+-------------------------------------------------------------- > cassandra | True | True | null | > $2a$10$WMg9UlR7F8Ko7LZxEyg0Ue12BoHR/Dn/0/3YtV4nRYCPcY7/5OmA6 > nonsuperuser | True | False | null | > $2a$10$HmHwVZRk8F904UUNMiUYi.xkVglWyKNgHMo1xJsCCKirwyb9NO/im > (2 rows) > {code} > > Patches available: > 3.0: > https://github.com/apache/cassandra/compare/trunk...aratno:cassandra:CASSANDRA-19765-salted_hash-visibility-30 > 3.11: > https://github.com/apache/cassandra/compare/trunk...aratno:cassandra:CASSANDRA-19765-salted_hash-visibility-311 > 4.0: > https://github.com/apache/cassandra/compare/trunk...aratno:cassandra:CASSANDRA-19765-salted_hash-visibility-40 > 4.1: > https://github.com/apache/cassandra/compare/trunk...aratno:cassandra:CASSANDRA-19765-salted_hash-visibility-41 > 5.0: > https://github.com/apache/cassandra/compare/trunk...aratno:cassandra:CASSANDRA-19765-salted_hash-visibility-50 > trunk: > https://github.com/apache/cassandra/compare/trunk...aratno:cassandra:CASSANDRA-19765-salted_hash-visibility-trunk -- This message was sent by Atlassian Jira (v8.20.10#820010) --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org