[ 
https://issues.apache.org/jira/browse/CASSANDRA-21153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18061702#comment-18061702
 ] 

BHARATH KUMAR commented on CASSANDRA-21153:
-------------------------------------------

Hi all,

Please find attached a patch for *CASSANDRA-21153*.

Before *CASSANDRA-13428*, keystore and truststore passwords were stored 
directly in {{cassandra.yaml}}. The password file option improved this, but 
secrets still must exist on the local disk and be managed at the OS level. Many 
enterprise environments require that sensitive credentials not be stored on 
disk at all.

This patch implements {{org.apache.cassandra.security.VaultSslContextFactory}}, 
extending the pluggable SSL context framework introduced in 
*CASSANDRA-16666 (commit 24dcc280)*.
It allows Cassandra to retrieve keystore and truststore passwords dynamically 
from HashiCorp Vault using AppRole authentication instead of configuration 
values or local files.

Additionally, Vault {{secret_id_bound_cidrs}} and {{token_bound_cidrs}} can be 
configured so that authentication is only valid from the Cassandra node network 
ranges, preventing access from outside approved networks.

The change does not affect existing SSL configurations and only applies when 
the new SSL context factory is explicitly configured.

Could reviewers please take a look and share feedback?

Thank you!
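As an added example, not code from the attached patch or from Cassandra itself, the Vault exchange that such a factory performs at startup, written in Python against Vault's HTTP API: an AppRole login, then a KV v2 read of the two passwords, with a preflight check that the node address falls inside the configured bound CIDRs. The Vault address, the KV mount and path, and the secret key names are assumptions.

```python
# Added example, not the patch's Java code: the Vault AppRole flow a
# VaultSslContextFactory would run at startup, plus a preflight CIDR check.
import io, ipaddress, json, urllib.request

VAULT_ADDR = "https://vault.example.internal:8200"  # assumed placeholder

def login_request(vault_addr, role_id, secret_id):
    """AppRole login: POST /v1/auth/approle/login with role_id and secret_id."""
    body = json.dumps({"role_id": role_id, "secret_id": secret_id}).encode()
    return urllib.request.Request(f"{vault_addr}/v1/auth/approle/login", data=body,
                                  headers={"Content-Type": "application/json"}, method="POST")

def token_from_login(response_body):
    """The client_token in the login response authorises the later secret read."""
    return json.loads(response_body)["auth"]["client_token"]

def secret_request(vault_addr, token, mount, path):
    """KV v2 read: GET /v1/<mount>/data/<path> with the token in X-Vault-Token."""
    return urllib.request.Request(f"{vault_addr}/v1/{mount}/data/{path}",
                                  headers={"X-Vault-Token": token}, method="GET")

def passwords_from_secret(response_body):
    """KV v2 nests user data under data.data; the two key names are assumed."""
    data = json.loads(response_body)["data"]["data"]
    return data["keystore_password"], data["truststore_password"]

def node_allowed_by_cidrs(node_ip, bound_cidrs):
    """Preflight mirror of secret_id_bound_cidrs / token_bound_cidrs: fail early if excluded."""
    ip = ipaddress.ip_address(node_ip)
    return any(ip in ipaddress.ip_network(c) for c in bound_cidrs)

def fetch_ssl_passwords(vault_addr, role_id, secret_id, mount, path,
                        opener=urllib.request.urlopen):
    """Full exchange: log in, then read both passwords; nothing is written to disk."""
    with opener(login_request(vault_addr, role_id, secret_id)) as resp:
        token = token_from_login(resp.read())
    with opener(secret_request(vault_addr, token, mount, path)) as resp:
        return passwords_from_secret(resp.read())
# Constructed Vault responses so the flow can be exercised offline.
SAMPLE_LOGIN = json.dumps({"auth": {"client_token": "hvs.CONSTRUCTED-TOKEN"}})
SAMPLE_SECRET = json.dumps({"data": {"data": {"keystore_password": "ks-pw-constructed",
                                              "truststore_password": "ts-pw-constructed"}}})

def demo_opener(req):
    """Stand-in for urlopen that answers the two endpoints with the samples above."""
    if req.full_url.endswith("/auth/approle/login") and req.get_method() == "POST":
        return io.BytesIO(SAMPLE_LOGIN.encode())
    if req.get_header("X-vault-token") == "hvs.CONSTRUCTED-TOKEN":
        return io.BytesIO(SAMPLE_SECRET.encode())
    raise PermissionError("unauthenticated read rejected")
```

Replace `demo_opener` with the default `urllib.request.urlopen` to run against a real Vault; the CIDR preflight only reflects the role configuration you pass it, Vault still enforces the real bound.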

> Security Enhancement: Support External Secret Manager Integration for SSL 
> Keystore/Truststore Passwords in Cassandra.yaml
> -------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CASSANDRA-21153
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-21153
>             Project: Apache Cassandra
>          Issue Type: Improvement
>          Components: Feature/Encryption, Local/Config
>            Reporter: BHARATH KUMAR
>            Assignee: BHARATH KUMAR
>            Priority: Normal
>         Attachments: CASSANDRA-21153-vault-sslcontextfactory.patch
>
>
> h4. Background
> Cassandra previously stored keystore and truststore passwords directly in 
> {{cassandra.yaml}}, which posed operational security risks because 
> sensitive data was present in config files.
> CASSANDRA-13428 addressed part of this risk by adding 
> {{keystore_password_file}} and {{truststore_password_file}} options, allowing 
> passwords to be read from secure files rather than embedded directly in the 
> configuration.
> While this reduces exposure from plaintext passwords in config files, it 
> still requires secret material to exist on disk and be managed at the 
> operating system level.
> h4. Enhancement Request
> Extend Cassandra’s existing secure configuration capabilities (including the 
> improvements from CASSANDRA-13428) to support external secret manager 
> integration, enabling keystore and truststore passwords to be resolved at 
> runtime from centralized secret stores rather than from local files.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
