This is an automated email from the ASF dual-hosted git repository. erickramirezau pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/cassandra-website.git
The following commit(s) were added to refs/heads/trunk by this push: new 17718e18 BLOG - Cassandra 4.1 Features: Client-side Password Hashing 17718e18 is described below commit 17718e188b997f29467b09d1eeb6d4c497fb0326 Author: Diogenese Topper <diotop...@gmail.com> AuthorDate: Tue May 24 21:39:43 2022 -0700 BLOG - Cassandra 4.1 Features: Client-side Password Hashing patch by Berenguer Blasi, Diogenese Topper; reviewed by Berenguer Blasi, Erick Ramirez for CASSANDRA-17657 Co-authored by: Berenguer Blasi <berenguerbl...@gmail.com> Co-authored by: Diogenese Topper <diogen...@constantia.io> Co-authored-by: bereng <6973517+ber...@users.noreply.github.com> --- ...-side-password-hashing-unsplash-jan-baborak.jpg | Bin 0 -> 159700 bytes site-content/source/modules/ROOT/pages/blog.adoc | 25 +++++++ ...-4.1-Features-Client-side-Password-Hashing.adoc | 75 +++++++++++++++++++++ 3 files changed, 100 insertions(+) diff --git a/site-content/source/modules/ROOT/images/blog/apache-cassandra-4.1-features-client-side-password-hashing-unsplash-jan-baborak.jpg b/site-content/source/modules/ROOT/images/blog/apache-cassandra-4.1-features-client-side-password-hashing-unsplash-jan-baborak.jpg new file mode 100644 index 00000000..97a4f446 Binary files /dev/null and b/site-content/source/modules/ROOT/images/blog/apache-cassandra-4.1-features-client-side-password-hashing-unsplash-jan-baborak.jpg differ diff --git a/site-content/source/modules/ROOT/pages/blog.adoc b/site-content/source/modules/ROOT/pages/blog.adoc index 34141efd..09b02c2b 100644 --- a/site-content/source/modules/ROOT/pages/blog.adoc +++ b/site-content/source/modules/ROOT/pages/blog.adoc 
@@ -8,6 +8,31 @@ NOTES FOR CONTENT CREATORS - Replace post tile, date, description and link to you post. //// +//start card +[openblock,card shadow relative test] +---- +[openblock,card-header] +------ +[discrete] +=== Apache Cassandra 4.1 Features: Client-side Password Hashing +[discrete] +==== May 26, 2022 +------ +[openblock,card-content] +------ +To strengthen security and avoid the use of plain-text credentials altogether, Apache Cassandra has added the option to use client-side password hashes in 4.1. + +[openblock,card-btn card-btn--blog] +-------- + +[.btn.btn--alt] +xref:blog/Apache-Cassandra-4.1-Features-Client-side-Password-Hashing.adoc[Read More] +-------- + +------ +---- +//end card + //start card [openblock,card shadow relative test] ---- diff --git a/site-content/source/modules/ROOT/pages/blog/Apache-Cassandra-4.1-Features-Client-side-Password-Hashing.adoc b/site-content/source/modules/ROOT/pages/blog/Apache-Cassandra-4.1-Features-Client-side-Password-Hashing.adoc new file mode 100644 index 00000000..9886faa3 --- /dev/null +++ b/site-content/source/modules/ROOT/pages/blog/Apache-Cassandra-4.1-Features-Client-side-Password-Hashing.adoc 
@@ -0,0 +1,75 @@ += Apache Cassandra 4.1 Features: Client-side Password Hashing +:page-layout: single-post +:page-role: blog-post +:page-post-date: May 26, 2022 +:page-post-author: Berenguer Blasi +:description: Client-side password hashing in Apache Cassandra 4.1 +:keywords: + +:!figure-caption: + +.Image credit: https://unsplash.com/@janbaborak[Jan Baborák on Unsplash^] +image::blog/apache-cassandra-4.1-features-client-side-password-hashing-unsplash-jan-baborak.jpg[Client-side password hashing] + +Apache Cassandra, just like any other database, needs users to connect. This means using a login and a password which up until recently would be provided as plain text. + +This has the potential to create security concerns as, for instance, audit logging could store the credentials in plain text. This problem also applied to any other system in Cassandra that might log data, bearing in mind that Apache Cassandra is an open source project and, therefore, it does not control all possible forks and implementations and what and how data is logged. + +The solution was to sanitize any logging for sensitive information, and this has been addressed recently. But that still left the door open to some corner cases where the detection or removal of such sensitive information could fail. There are also specific use cases, services and applications that might need to store a user’s credentials and up until 4.1, they would be storing that in plain text as well. + +To strengthen security, we wanted to avoid the use of plain-text credentials altogether, so https://issues.apache.org/jira/browse/CASSANDRA-17334[CASSANDRA-17334^] and the release of Apache Cassandra 4.1 will add the option to use client-side password hashes. + +=== New Hash Password Tool + +This feature introduces a new tool called `tools/bin/hash_password`. 
Here is an example: + +``` +$ tools/bin/hash_password -p mySecret +$2a$10$F5pRau9mKg5abP.DsuPQl.8rQpEoNm3OV91mKjb9vdKPUPejIPq/u +``` + +The tool is quite self-explanatory. It takes your plain-text secret and provides a https://www.mindrot.org/projects/jBCrypt/[jBCrypt^] hash that can be used in the DDL commands, e.g., to create or alter users/roles. For the moment only a Java version is available. + +=== Example Usage of Hash_Password + +Let’s look at some examples of how we’d use the tool. + +Plain option: + +``` +CREATE ROLE role1 + WITH LOGIN = true + AND PASSWORD = 'mySecret'; +``` + +New hashed option: + +``` +CREATE ROLE role1 + WITH LOGIN = true + AND HASHED PASSWORD ‘$2a$10$F5pRau9mKg5abP.DsuPQl.8rQpEoNm3OV91mKjb9vdKPUPejIPq/u’; +``` + +As you can see we’re building the CQL with the hashed value of the password directly, i.e., this enables our applications to store the hash instead of the plain-text password. Also, any intermediate or third-party systems, additional logging or storing will deal with the hashes so the risk of accidental plain-text passwords leak is removed. + +The same applies to ALTER statements. + +Plain option: + +``` +ALTER ROLE role1 + WITH PASSWORD = '%s' +``` + +New hashed option: + +``` +ALTER ROLE role1 + WITH HASHED PASSWORD = '%s' +``` + +=== Backward Compatibility + +This feature is backward compatible so it will also work for CREATE/ALTER USER statements. On occasions where the built-in password obfuscation fails when logging data, this feature will only reveal the hash instead of the plain-text password. + +Stay tuned for upcoming further security enhancements, such as https://issues.apache.org/jira/browse/CASSANDRA-17501[CASSANDRA-17501^]. \ No newline at end of file --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
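Review bot: the card summary in the `blog.adoc` hunk says the feature lets Cassandra "avoid the use of plain-text credentials altogether", which overstates what the post it links to actually documents: the plain-text secret is still typed into `tools/bin/hash_password -p mySecret` and still sent by the client at login; what changes is that the CREATE/ALTER ROLE statement, and anything that logs or stores that statement, carries a bcrypt hash instead of the password. Suggest wording the teaser to the post's own narrower claim, e.g. "avoid plain-text passwords in CQL statements and in anything that logs or stores them". The rest of the card (date May 26, 2022, the xref target, the `card shadow relative test` classes) matches the existing cards and the new page's `:page-post-date:`.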
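Review bot: the hashed CREATE ROLE example in the new post will not parse as written: it wraps the hash in typographic quotes (‘…’) and omits the `=` that the post's own ALTER example (`WITH HASHED PASSWORD = '%s'`) and the plain CREATE example (`AND PASSWORD = 'mySecret'`) both use. Change it to `AND HASHED PASSWORD = '$2a$10$F5pRau9mKg5abP.DsuPQl.8rQpEoNm3OV91mKjb9vdKPUPejIPq/u';` with straight single quotes. Three smaller points in the same file: the two ALTER snippets keep `'%s'` format-string placeholders (and drop the trailing semicolon) where the CREATE snippets show literal values, so either substitute a literal hash or say that `%s` stands for the value; the `hash_password -p mySecret` invocation puts the secret on the command line, where it lands in shell history and `ps` output, so the post should warn about that and, if the tool can read the secret from stdin or an environment variable, show that form instead; and "the risk of accidental plain-text passwords leak is removed" is too strong, since a leaked bcrypt hash still permits offline guessing, so "reduced to a leaked hash, as the Backward Compatibility section already says" is the honest claim. The `:keywords:` attribute is also left empty.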