[ 
https://issues.apache.org/jira/browse/CASSANDRA-17334?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17494410#comment-17494410
 ] 

Berenguer Blasi commented on CASSANDRA-17334:
---------------------------------------------

Hi [~Bowen Song],

I think bash and similar other scenarios are outside of our control. But fixing 
this in C*, which is the surface area we can influence, is a real concern for 
the project (16801, 16669) and a win in my eyes we should try to address.

The idea of a pseudo cqlsh command to hash the password I like a lot! That would 
keep things all in one place. I'd have to look into it as I've never done it 
before, but it should be doable.

The current plain text password option will always be available to those that 
prefer it. So I think we're good here; we're not touching that. I do also agree 
on automation and other measures as the ideal solution. But I also see hashes as 
safer than plain text, and accidental leaks as an unfortunate reality to deal with.

If I didn't miss anything I think I tried to answer all your concerns. Let me 
know otherwise and thanks again for looking into this.

> Pre hashed passwords in CQL
> ---------------------------
>
>                 Key: CASSANDRA-17334
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-17334
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Feature/Authorization
>            Reporter: Berenguer Blasi
>            Assignee: Berenguer Blasi
>            Priority: Normal
>             Fix For: 4.1
>
>
> As seen on CASSANDRA-16801 and friends we are working across the system with 
> plain text passwords. These can be unintentionally revealed by intermediate 
> systems. Allowing the use of hashed passwords should mitigate that. The idea 
> is to add a new option {{HASHED PASSWORD}} for {{CREATE/ALTER ROLE/USER}}. 
> Examples:
> {noformat}
> CREATE ROLE foo WITH login = true AND hashed password = 
> '$2a$10$JSJEMFm6GeaW9XxT5JIheuEtPvat6i7uKbnTcxX3c1wshIIsGyUtG';
> ALTER ROLE foo WITH hashed password = 
> '$2a$10$JSJEMFm6GeaW9XxT5JIheuEtPvat6i7uKbnTcxX3c1wshIIsGyUtG';
> {noformat}
> To generate the password hash, there will be a new tool {{hash_password}} in 
> resources/cassandra/bin
> Based on original works from [~snazy]
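An added example, not part of this ticket or of the Cassandra code base, of the checks a cqlsh-side hash command would want before emitting the statement quoted above: it validates the bcrypt modular-crypt format (assumed here to be what the proposed HASHED PASSWORD option accepts) and builds the CREATE ROLE statement with the hash as a properly quoted CQL literal.

```python
import re

# bcrypt modular-crypt format: "$2<v>$<cost>$" + 22-char salt + 31-char hash,
# both in bcrypt's own base64 alphabet (./A-Za-z0-9). Assumed format; this is
# not the project's own validation code.
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")
CQL_BARE_IDENT = re.compile(r"^[a-z_][a-z0-9_]*$")


def bcrypt_cost(hashed: str) -> int:
    """Return the cost factor of a well-formed bcrypt hash, else raise ValueError.

    A plain-text password (or a hash mangled by copy/paste) fails here, which is
    the mistake a HASHED PASSWORD option must catch before storing the value.
    """
    m = BCRYPT_RE.match(hashed)
    if not m:
        raise ValueError("not a bcrypt hash in $2a$/$2b$ modular-crypt format")
    cost = int(m.group(1))
    if not 4 <= cost <= 31:  # bcrypt only defines work factors 4..31
        raise ValueError(f"bcrypt cost {cost} is outside 4..31")
    return cost


def is_valid_hashed_password(hashed: str) -> bool:
    try:
        bcrypt_cost(hashed)
        return True
    except ValueError:
        return False


def cql_create_role(role: str, hashed: str, login: bool = True) -> str:
    """Build the CREATE ROLE ... WITH hashed password statement from the ticket.

    Role names that are not plain lower-case identifiers are double-quoted, and
    the hash is emitted as a single-quoted CQL string literal, so the statement
    can be pasted into cqlsh without the plain-text password ever appearing.
    """
    bcrypt_cost(hashed)  # refuse to emit a statement carrying an unusable credential
    ident = role if CQL_BARE_IDENT.match(role) else '"' + role.replace('"', '""') + '"'
    literal = "'" + hashed.replace("'", "''") + "'"
    return (f"CREATE ROLE {ident} WITH login = {'true' if login else 'false'} "
            f"AND hashed password = {literal};")


if __name__ == "__main__":
    # The example hash quoted in the ticket description.
    example = "$2a$10$JSJEMFm6GeaW9XxT5JIheuEtPvat6i7uKbnTcxX3c1wshIIsGyUtG"
    print("cost:", bcrypt_cost(example))
    print(cql_create_role("foo", example))
```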



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
