[
https://issues.apache.org/jira/browse/CASSANDRA-2274?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13145900#comment-13145900
]
Andrew Schiefelbein edited comment on CASSANDRA-2274 at 11/7/11 10:42 PM:
--------------------------------------------------------------------------
{quote}Good point about storing the settings in the Cassandra storage itself,
though it looks from https://issues.apache.org/jira/browse/CASSANDRA-3319 as
though it needs to be a non-system keyspace . It feels wrong for it to be a
'normal' keyspace though, as it would need to have a predetermined name and
schema in order for various parts of the server code to use if when
authenticating, and it would have the same visibility and access as normal data
keyspaces (surely it should require greater privileges, as for schema
modifications and other 'dangerous' operations?).{quote}
If you go according to the OpenLDAP model there is a separate LDAP database
that contains the settings that is used by the underlying system, it has a
separate login than the normal database that it's serving and never the two
shall meet. To translate that to Cassandra there would have to be a separate
keyspace or maybe in this case possibly a "database" that is serving the
cluster wide options. I haven't really thought through the different
permutations on this, but I would hope it is achievable.
{quote}
It seems to me, if you really want to do this properly, you should enable the
existing encryption options.
{quote}
I agree that encryption is part of the solution, not the solution for this I'm
sorry to say, unless you choose to become your own CA or have something that
checks an embedded thing in, oh say, the OU level of the certificate (encrypted
has of course, otherwise it's clear text), it is fairly easy to get a signed
certificate that will pass through the normal SSL handshake without question,
it also doesn't solve the problem of we only want a select group of nodes in.
If there is something like Apache HTTPD's SSLRequire
(http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslrequire) that allows for
some form of regular expression that checks a number of things that may
actually be pretty close to what I was suggesting, but you would still need to
maintain the list of stuff you want checked cluster wide. Only those nodes you
want to talk to should be allowed in, all others should be told to go away or
you will taunt them a second time.
was (Author: as3525):
{quote}Good point about storing the settings in the Cassandra storage
itself, though it looks from
https://issues.apache.org/jira/browse/CASSANDRA-3319 as though it needs to be a
non-system keyspace . It feels wrong for it to be a 'normal' keyspace though,
as it would need to have a predetermined name and schema in order for various
parts of the server code to use if when authenticating, and it would have the
same visibility and access as normal data keyspaces (surely it should require
greater privileges, as for schema modifications and other 'dangerous'
operations?).{quote}
If you go according to the OpenLDAP model there is a separate LDAP database
that contains the settings that is used by the underlying system, it has a
separate login than the normal database that it's serving and the two shall
meet. To translate that to Cassandra there would have to be a separate
keyspace or maybe in this case possibly a "database" that is serving the
cluster wide options. I haven't really thought through the different
permutations on this, but I would hope it is achievable.
{quote}
It seems to me, if you really want to do this properly, you should enable the
existing encryption options.
{quote}
I agree that encryption is part of the solution, not the solution for this I'm
sorry to say, unless you choose to become your own CA or have something that
checks an embedded thing in, oh say, the OU level of the certificate (encrypted
has of course, otherwise it's clear text), it is fairly easy to get a signed
certificate that will pass through the normal SSL handshake without question,
it also doesn't solve the problem of we only want a select group of nodes in.
If there is something like Apache HTTPD's SSLRequire
(http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslrequire) that allows for
some form of regular expression that checks a number of things that may
actually be pretty close to what I was suggesting, but you would still need to
maintain the list of stuff you want checked cluster wide. Only those nodes you
want to talk to should be allowed in, all others should be told to go away or
you will taunt them a second time.
> Restrict Cassandra cluster node joins to a list of named hosts
> --------------------------------------------------------------
>
> Key: CASSANDRA-2274
> URL: https://issues.apache.org/jira/browse/CASSANDRA-2274
> Project: Cassandra
> Issue Type: Improvement
> Components: Core
> Affects Versions: 0.7.2
> Environment: All
> Reporter: Andrew Schiefelbein
>
> Because firewalls and employees are not infallible it would be nice to
> restrict the ability of any node to join a cluster to a list of named hosts
> in the configuration so that someone would be unable to start a node and
> replicate all the data locally. I understand that in order to do this the
> person must know the seed servers and the cluster name and to extract the
> data they will need a userid and password but another level of security would
> be to force them to execute any brute force attack from a locked down server
> instead of replicating all the data locally.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
