[ https://issues.apache.org/jira/browse/CASSANDRA-2274?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13144834#comment-13144834 ]

David Allsopp edited comment on CASSANDRA-2274 at 11/6/11 9:58 AM:
-------------------------------------------------------------------

Using a custom PROTOCOL_MAGIC would be a very easy way to improve matters 
substantially. Would be better if it was at least a {{long}}, not an {{int}} 
though, otherwise you could brute force it, given a few weeks.

However, the weakness of this is that the shared secret (PROTOCOL_MAGIC) is 
constant, and is exposed in every message, so an attacker only needs to see one 
message to defeat the system.

A hash of the source IP and a shared secret would be better, as then the secret 
isn't transmitted in the clear, and the IP can be validated as part of the 
authentication.

In either case, another weakness is that the secret can't be easily changed 
without cluster-wide reconfiguration and restart.

With a bit more work, we could combine the above with a list of allowed IPs, 
plus a per-node secret, so that we only need reconfiguration when adding or 
removing nodes, and can hopefully reconfigure on-the-fly. So each message would 
contain a hash of the source node's IP and secret. This would only need to be 
computed once by the source node and once by each other node, then cached.
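The scheme proposed in the comment above (an allowed-IP list, a per-node secret, and a cached hash of source IP and secret in place of a fixed PROTOCOL_MAGIC), as an added illustration that is not code from the Cassandra project or from the commenter. The registry contents and secrets are constructed placeholders; HMAC-SHA256 is assumed as the hash.

```python
import hashlib
import hmac
import ipaddress

# Constructed example: allowed node IP -> that node's secret (hypothetical values).
# Only nodes listed here may join or send inter-node messages.
ALLOWED_NODES = {
    "10.0.0.11": b"node-11-secret-CONSTRUCTED",
    "10.0.0.12": b"node-12-secret-CONSTRUCTED",
}

# Cache of expected tokens, so each peer's tag is computed once per node.
_token_cache: dict = {}


def node_token(ip: str, secret: bytes) -> bytes:
    """Tag a node puts in each message: HMAC(secret, canonical source IP).
    The secret itself never goes on the wire, unlike a shared PROTOCOL_MAGIC."""
    canonical_ip = ipaddress.ip_address(ip).packed
    return hmac.new(secret, canonical_ip, hashlib.sha256).digest()


def expected_token(ip: str):
    """Receiver side: look up the sender in the allowed list and cache its tag."""
    if ip not in _token_cache:
        secret = ALLOWED_NODES.get(ip)
        if secret is None:
            return None  # unknown host: not in the configured list
        _token_cache[ip] = node_token(ip, secret)
    return _token_cache[ip]


def accept_message(source_ip: str, presented_token: bytes) -> bool:
    """Accept only if the source IP is allowed and its tag matches.
    A tag captured from node A and replayed from another IP fails, because the
    IP is bound into the hash; note the tag is still constant per node, so this
    authenticates membership, not each individual message."""
    expected = expected_token(source_ip)
    if expected is None:
        return False
    return hmac.compare_digest(expected, presented_token)


def add_node(ip: str, secret: bytes) -> None:
    """On-the-fly membership change: no cluster-wide secret rotation needed."""
    ALLOWED_NODES[ip] = secret
    _token_cache.pop(ip, None)


def remove_node(ip: str) -> None:
    ALLOWED_NODES.pop(ip, None)
    _token_cache.pop(ip, None)
```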
> Restrict Cassandra cluster node joins to a list of named hosts
> --------------------------------------------------------------
>
>                 Key: CASSANDRA-2274
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-2274
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Core
>    Affects Versions: 0.7.2
>         Environment: All
>            Reporter: Andrew Schiefelbein
>
> Because firewalls and employees are not infallible it would be nice to 
> restrict the ability of any node to join a cluster to a list of named hosts 
> in the configuration so that someone would be unable to start a node and 
> replicate all the data locally.  I understand that in order to do this the 
> person must know the seed servers and the cluster name and to extract the 
> data they will need a userid and password but another level of security would 
> be to force them to execute any brute force attack from a locked down server 
> instead of replicating all the data locally.  

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira