[
https://issues.apache.org/jira/browse/CASSANDRA-16983?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17420410#comment-17420410
]
Bowen Song edited comment on CASSANDRA-16983 at 9/26/21, 11:40 PM:
-------------------------------------------------------------------
Hi [~stefan.miklosovic], I can read and understand Java code, and can write bad
(possibly very bad) Java code too. Also, I don't have a Java development
environment, so I'll have no way to compile and run the Java tests. If I wrote
some Java tests, I'd need to commit them as they are and hope for the best. I'm
not sure that's acceptable?
I can write much better Python tests, but I'm having trouble understanding how
the Python tests are run. I tried to run "nosetests" directly, but tests are
failing with all sorts of errors. I can see the unit tests are more like
integration tests; many of them depend on a running Cassandra cluster. Can
anyone please point me to a document about it, a script that invokes the tests,
or the correct (list of?) commands to run the tests?
And, one more thing: are the tests run as root on the CI system? Because in order
to test the change, the test will need to have root access. Specifically, it
will need access to the "chown", "useradd" and "userdel" commands, which are not
available to non-root users. I'm afraid the `fakeroot` command won't cut it,
because I will need to be able to switch between users (su/sudo/etc.) in order
to test some of the code.
> Separating CQLSH credentials from the cqlshrc file
> --------------------------------------------------
>
> Key: CASSANDRA-16983
> URL: https://issues.apache.org/jira/browse/CASSANDRA-16983
> Project: Cassandra
> Issue Type: Improvement
> Components: Tool/cqlsh
> Reporter: Bowen Song
> Assignee: Bowen Song
> Priority: Normal
> Labels: lhf
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Currently, the CQLSH tool accepts credentials (username & password) from the
> following 3 places:
> 1. the command line parameter "-p"
> 2. the cqlshrc file
> 3. prompting the user
> This is not ideal.
> Credentials on the command line are a security risk, because they could be seen
> by other users on a shared system.
> The cqlshrc file is better, but still not good enough. Because the cqlshrc
> file is a config file, it's often acceptable to have it as a world-readable
> file and share it with other users. It also prevents users from having
> multiple sets of credentials, either for the same Cassandra cluster or for
> different clusters.
> To improve the security of CQLSH and make it secure by design, I propose the
> following changes:
> * Warn the user if a password is given on the command line, and recommend
> that they use a credentials file instead
> * Warn the user if credentials are present in the cqlshrc file and the
> cqlshrc file is not secure (e.g.: world readable or owned by a different user)
> * Deprecate credentials in the cqlshrc, and recommend that the user move them
> to a separate credentials file. The aim is to not break anything at the
> moment, but eventually stop accepting credentials from the cqlshrc file.
> * Reject the credentials file if it's not secure, and tell the user how to
> secure it. Optionally, prompt the user for the password if it's an interactive
> session. (Think about how OpenSSH handles insecure credential files)
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
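The last two bullets of the ticket description (warn or reject when the credentials file is world readable or owned by another user, tell the user how to fix it, and fall back to prompting in an interactive session) can be illustrated with a small Python check in the OpenSSH style. The code below is an added example written for this page; it is not code from the ticket, from the cqlsh tool or from the Cassandra project. The section name `plain_text_auth`, the INI layout of the credentials file, the function names and the constructed sample credentials (`alice` / `s3cret`) are all assumptions made for the example.

```python
"""OpenSSH-style hygiene checks for a cqlsh-like credentials file (constructed example)."""
import configparser
import os
import stat
import tempfile
from typing import Callable, List, Optional, Tuple

# Any of these bits set means group or "other" users can read, write or execute the file.
INSECURE_BITS = stat.S_IRWXG | stat.S_IRWXO
# Hypothetical section name for the credentials file; not the real cqlsh format.
CRED_SECTION = "plain_text_auth"


def problems_for(st_mode: int, st_uid: int, caller_uid: int) -> List[str]:
    """Pure check on lstat() results: returns the reasons the file is insecure (empty if fine)."""
    problems: List[str] = []
    if stat.S_ISLNK(st_mode):
        problems.append("is a symbolic link")
    elif not stat.S_ISREG(st_mode):
        problems.append("is not a regular file")
    if st_uid != caller_uid:
        problems.append(f"owned by uid {st_uid}, not by the current user (uid {caller_uid})")
    if stat.S_IMODE(st_mode) & INSECURE_BITS:
        problems.append(f"mode {stat.S_IMODE(st_mode):04o} grants access to group or others")
    return problems


def check_credentials_file(path: str) -> Tuple[bool, List[str], str]:
    """Returns (ok, problems, fix_hint). lstat() is used so a symlink is reported, not followed."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False, ["file does not exist"], ""
    problems = problems_for(st.st_mode, st.st_uid, os.getuid())
    hint = f"chown {os.getuid()} '{path}' && chmod 600 '{path}'" if problems else ""
    return not problems, problems, hint


def load_credentials(path: str, interactive: bool,
                     prompt: Optional[Callable[[str], Tuple[str, str]]] = None) -> Tuple[str, str]:
    """Load (username, password), rejecting an insecure file; prompt instead when interactive."""
    ok, problems, hint = check_credentials_file(path)
    if not ok:
        msg = f"refusing credentials file {path}: " + "; ".join(problems)
        if hint:
            msg += f". Fix with: {hint}"
        if interactive and prompt is not None:
            # Same behaviour as OpenSSH with a badly permissioned key: ignore the file, ask the user.
            return prompt(msg)
        raise PermissionError(msg)
    cp = configparser.ConfigParser()
    cp.read(path)
    return cp[CRED_SECTION]["username"], cp[CRED_SECTION]["password"]


def demo() -> dict:
    """Write a 0600 and a 0644 credentials file into a temp dir and try to load each."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        body = f"[{CRED_SECTION}]\nusername = alice\npassword = s3cret\n"  # constructed sample
        for name, mode in (("good", 0o600), ("bad", 0o644)):
            p = os.path.join(d, name)
            with open(p, "w") as fh:
                fh.write(body)
            os.chmod(p, mode)  # set explicitly so the process umask does not matter
            ok, problems, _ = check_credentials_file(p)
            try:
                creds = load_credentials(p, interactive=False)
            except PermissionError:
                creds = None
            fallback = load_credentials(p, interactive=True, prompt=lambda _msg: ("prompted", "x"))
            results[name] = {"ok": ok, "problems": problems, "creds": creds, "fallback": fallback}
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r)
```

The ownership and mode logic lives in `problems_for` so it can be exercised without touching the filesystem; `check_credentials_file` only supplies the `lstat()` values. Ownership is compared against the caller's own uid, which is what the ticket's "owned by a different user" bullet asks for; a file owned by root but otherwise private would still be reported, which is the conservative choice for a credentials file that the tool is about to read on the user's behalf.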