This is an automated email from the ASF dual-hosted git repository.

erickramirezau pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/cassandra-website.git


The following commit(s) were added to refs/heads/trunk by this push:
     new 17718e18 BLOG - Cassandra 4.1 Features: Client-side Password Hashing
17718e18 is described below

commit 17718e188b997f29467b09d1eeb6d4c497fb0326
Author: Diogenese Topper <diotop...@gmail.com>
AuthorDate: Tue May 24 21:39:43 2022 -0700

    BLOG - Cassandra 4.1 Features: Client-side Password Hashing
    
    patch by Berenguer Blasi, Diogenese Topper; reviewed by Berenguer Blasi, Erick Ramirez for CASSANDRA-17657
    
    Co-authored by: Berenguer Blasi <berenguerbl...@gmail.com>
    Co-authored by: Diogenese Topper <diogen...@constantia.io>
    
    Co-authored-by: bereng <6973517+ber...@users.noreply.github.com>
---
 ...-side-password-hashing-unsplash-jan-baborak.jpg | Bin 0 -> 159700 bytes
 site-content/source/modules/ROOT/pages/blog.adoc   |  25 +++++++
 ...-4.1-Features-Client-side-Password-Hashing.adoc |  75 +++++++++++++++++++++
 3 files changed, 100 insertions(+)

diff --git 
a/site-content/source/modules/ROOT/images/blog/apache-cassandra-4.1-features-client-side-password-hashing-unsplash-jan-baborak.jpg
 
b/site-content/source/modules/ROOT/images/blog/apache-cassandra-4.1-features-client-side-password-hashing-unsplash-jan-baborak.jpg
new file mode 100644
index 00000000..97a4f446
Binary files /dev/null and 
b/site-content/source/modules/ROOT/images/blog/apache-cassandra-4.1-features-client-side-password-hashing-unsplash-jan-baborak.jpg
 differ
diff --git a/site-content/source/modules/ROOT/pages/blog.adoc 
b/site-content/source/modules/ROOT/pages/blog.adoc
index 34141efd..09b02c2b 100644
--- a/site-content/source/modules/ROOT/pages/blog.adoc
+++ b/site-content/source/modules/ROOT/pages/blog.adoc
@@ -8,6 +8,31 @@ NOTES FOR CONTENT CREATORS
 - Replace post tile, date, description and link to you post.
 ////
 
+//start card
+[openblock,card shadow relative test]
+----
+[openblock,card-header]
+------
+[discrete]
+=== Apache Cassandra 4.1 Features: Client-side Password Hashing
+[discrete]
+==== May 26, 2022
+------
+[openblock,card-content]
+------
+To strengthen security and avoid the use of plain-text credentials altogether, 
Apache Cassandra has added the option to use client-side password hashes in 4.1.
+
+[openblock,card-btn card-btn--blog]
+--------
+
+[.btn.btn--alt]
+xref:blog/Apache-Cassandra-4.1-Features-Client-side-Password-Hashing.adoc[Read 
More]
+--------
+
+------
+----
+//end card
+
 //start card
 [openblock,card shadow relative test]
 ----
diff --git 
a/site-content/source/modules/ROOT/pages/blog/Apache-Cassandra-4.1-Features-Client-side-Password-Hashing.adoc
 
b/site-content/source/modules/ROOT/pages/blog/Apache-Cassandra-4.1-Features-Client-side-Password-Hashing.adoc
new file mode 100644
index 00000000..9886faa3
--- /dev/null
+++ 
b/site-content/source/modules/ROOT/pages/blog/Apache-Cassandra-4.1-Features-Client-side-Password-Hashing.adoc
@@ -0,0 +1,75 @@
+= Apache Cassandra 4.1 Features: Client-side Password Hashing
+:page-layout: single-post
+:page-role: blog-post
+:page-post-date: May 26, 2022
+:page-post-author: Berenguer Blasi
+:description: Client-side password hashing in Apache Cassandra 4.1
+:keywords:
+
+:!figure-caption:
+
+.Image credit: https://unsplash.com/@janbaborak[Jan Baborák on Unsplash^]
+image::blog/apache-cassandra-4.1-features-client-side-password-hashing-unsplash-jan-baborak.jpg[Client-side
 password hashing]
+
+Apache Cassandra, just like any other database, needs users to connect. This 
means using a login and a password which up until recently would be provided as 
plain text.
+
+This has the potential to create security concerns as, for instance, audit 
logging could store the credentials in plain text. This problem also applied to 
any other system in Cassandra that might log data, bearing in mind that Apache 
Cassandra is an open source project and, therefore, it does not control all 
possible forks and implementations and what and how data is logged.
+
+The solution was to sanitize any logging for sensitive information, and this 
has been addressed recently. But that still left the door open to some corner 
cases where the detection or removal of such sensitive information could fail. 
There are also specific use cases, services and applications that might need to 
store a user’s credentials and up until 4.1, they would be storing that in 
plain text as well.
+
+To strengthen security, we wanted to avoid the use of plain-text credentials 
altogether, so 
https://issues.apache.org/jira/browse/CASSANDRA-17334[CASSANDRA-17334^] and the 
release of Apache Cassandra 4.1 will add the option to use client-side password 
hashes.
+
+=== New Hash Password Tool
+
+This feature introduces a new tool called `tools/bin/hash_password`. Here is 
an example:
+
+```
+$ tools/bin/hash_password -p mySecret
+$2a$10$F5pRau9mKg5abP.DsuPQl.8rQpEoNm3OV91mKjb9vdKPUPejIPq/u
+```
+
+The tool is quite self-explanatory. It takes your plain-text secret and 
provides a https://www.mindrot.org/projects/jBCrypt/[jBCrypt^] hash that can be 
used in the DDL commands, e.g., to create or alter users/roles. For the moment 
only a Java version is available.
+
+=== Example Usage of Hash_Password
+
+Let’s look at some examples of how we’d use the tool.
+
+Plain option:
+
+```
+CREATE ROLE role1
+    WITH LOGIN = true
+    AND PASSWORD = 'mySecret';
+```
+
+New hashed option:
+
+```
+CREATE ROLE role1
+    WITH LOGIN = true
+    AND HASHED PASSWORD 
‘$2a$10$F5pRau9mKg5abP.DsuPQl.8rQpEoNm3OV91mKjb9vdKPUPejIPq/u’;
+```
+
+As you can see we’re building the CQL with the hashed value of the password 
directly, i.e., this enables our applications to store the hash instead of the 
plain-text password. Also, any intermediate or third-party systems, additional 
logging or storing will deal with the hashes so the risk of accidental 
plain-text passwords leak is removed.
+
+The same applies to ALTER statements.
+
+Plain option:
+
+```
+ALTER ROLE role1
+    WITH PASSWORD = '%s'
+```
+
+New hashed option:
+
+```
+ALTER ROLE role1
+    WITH HASHED PASSWORD = '%s'
+```
+
+=== Backward Compatibility
+
+This feature is backward compatible so it will also work for CREATE/ALTER USER 
statements. On occasions where the built-in password obfuscation fails when 
logging data, this feature will only reveal the hash instead of the plain-text 
password. 
+
+Stay tuned for upcoming further security enhancements, such as 
https://issues.apache.org/jira/browse/CASSANDRA-17501[CASSANDRA-17501^].
\ No newline at end of file
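Review bot: the hashed CREATE ROLE example (`AND HASHED PASSWORD ‘$2a$10$...’`) uses typographic quotes around the hash and drops the `=` that the ALTER example below it uses (`WITH HASHED PASSWORD = '%s'`); CQL will not parse the curly quotes, so a reader copying it gets a syntax error. Suggest `AND HASHED PASSWORD = '$2a$10$F5pRau9mKg5abP.DsuPQl.8rQpEoNm3OV91mKjb9vdKPUPejIPq/u';` with straight quotes, and a terminating semicolon on the two ALTER examples for consistency with the CREATE ones. In the tool section, `tools/bin/hash_password -p mySecret` puts the secret on the command line, where it ends up in shell history and is visible in the process list; since the post's point is keeping plain text out of logs, one sentence flagging that and pointing to whatever non-argv input the tool supports would help. The example hash carries bcrypt cost 10 (`$2a$10$`); stating whether the cost is chosen by the tool or the operator would answer the obvious follow-up question. Minor: the heading "Example Usage of Hash_Password" should use the tool's actual name `hash_password`, "plain-text passwords leak" should read "plain-text password leaks", and the `'%s'` placeholders in the ALTER examples deserve a note that they stand for an application-supplied value.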


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
