[
https://issues.apache.org/jira/browse/CASSANDRA-17334?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17500661#comment-17500661
]
Berenguer Blasi commented on CASSANDRA-17334:
---------------------------------------------
Well,
the PR is up. Some shadows and some lights though. I managed to pin down 2
unrelated nasty bugs which is good. I managed to make the thing work which is
good also.
The problem comes from the cqlsh command. I got onto that path and I am
attaching a diff of the hash command currently just clearing the screen so I
don't loose that bit of code. Server side hash is done with jBcrypt. It does
have a py port which is just a wrapper to C code. The problem is that jBcrypt
and pyBcrypt have difference licenses, the py one not being friendly to us
after checking with some PMC members and
([link|https://www.apache.org/legal/resolved.html]) because of the advertising
clause to start with. Hence we have no py lib and the alternative would be to
call some java code. This takes us back to square 1 where we don't have a
self-contained nice command solution.
I need to explore more the hash py lib side of things and licenses. We could
replace both server and client with a new lib that supports more languages.
That would be a bit like future proofing for future hashing needs which seems
like a good idea. The problem being upgrade scenarios where we'd have to
support both hash versions, old and new, at some point. All this is well beyond
what I wanted to do in this ticket and too much of a big-bang change for my
taste if it can be avoided.
The plain text passwords path remains untouched, this will all be opt-in, it's
an improvement to the current state, we fix some bugs and doesn't block future
development. So I would get this ticket done as a first step and open a new one
for the other work .
> Pre hashed passwords in CQL
> ---------------------------
>
> Key: CASSANDRA-17334
> URL: https://issues.apache.org/jira/browse/CASSANDRA-17334
> Project: Cassandra
> Issue Type: Improvement
> Components: Feature/Authorization
> Reporter: Berenguer Blasi
> Assignee: Berenguer Blasi
> Priority: Normal
> Fix For: 4.1
>
> Attachments: cqlsh.diff
>
>
> As seen on CASSANDRA-16801 and friends we are working across the system with
> plain text passwords. These can be unintentionally revealed by intermediate
> systems. Allowing the use of hashed passwords should mitigate that. The idea
> is to add a new option {{HASHED PASSWORD}} for {{CREATE/ALTER ROLE/USER}}.
> Examples:
> {noformat}
> CREATE ROLE foo WITH login = true AND hashed password =
> '$2a$10$JSJEMFm6GeaW9XxT5JIheuEtPvat6i7uKbnTcxX3c1wshIIsGyUtG';
> ALTER ROLE foo WITH hashed password =
> '$2a$10$JSJEMFm6GeaW9XxT5JIheuEtPvat6i7uKbnTcxX3c1wshIIsGyUtG';
> {noformat}
> To generate the password hash, there will be a new tool {{hash_password}} in
> resources/cassandra/bin
> Based on original works from [~snazy]
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
