bereng pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/cassandra.git
The following commit(s) were added to refs/heads/trunk by this push:
new bdde665032 Adding docs for pre hashed passwords
bdde665032 is described below
commit bdde665032679bd197566cfeea34b52538da4f1a
Author: Bereng <[email protected]>
AuthorDate: Tue Mar 29 08:13:04 2022 +0200
Adding docs for pre hashed passwords
patch by Berenguer Blasi; reviewed by Andres de la Peña for CASSANDRA-17494
---
.../examples/BNF/alter_user_statement.bnf | 2 +-
.../examples/BNF/create_role_statement.bnf | 1 +
.../examples/BNF/create_user_statement.bnf | 2 +-
doc/modules/cassandra/examples/CQL/alter_role.cql | 1 +
doc/modules/cassandra/examples/CQL/alter_user.cql | 1 +
doc/modules/cassandra/examples/CQL/create_role.cql | 1 +
doc/modules/cassandra/examples/CQL/create_user.cql | 1 +
doc/modules/cassandra/pages/cql/security.adoc | 4 +++
.../cassandra/pages/tools/hash_password.adoc | 31 ++++++++++++++++++++++
doc/modules/cassandra/pages/tools/index.adoc | 1 +
10 files changed, 43 insertions(+), 2 deletions(-)
diff --git a/doc/modules/cassandra/examples/BNF/alter_user_statement.bnf
b/doc/modules/cassandra/examples/BNF/alter_user_statement.bnf
index 129607c1bc..ab0d8d648d 100644
--- a/doc/modules/cassandra/examples/BNF/alter_user_statement.bnf
+++ b/doc/modules/cassandra/examples/BNF/alter_user_statement.bnf
@@ -1 +1 @@
-alter_user_statement ::= ALTER USER role_name [ WITH PASSWORD string] [
user_option]
+alter_user_statement ::= ALTER USER role_name [ WITH [ HASHED ] PASSWORD
string] [ user_option]
diff --git a/doc/modules/cassandra/examples/BNF/create_role_statement.bnf
b/doc/modules/cassandra/examples/BNF/create_role_statement.bnf
index bc93fbca3b..4236cc6ee2 100644
--- a/doc/modules/cassandra/examples/BNF/create_role_statement.bnf
+++ b/doc/modules/cassandra/examples/BNF/create_role_statement.bnf
@@ -2,6 +2,7 @@ create_role_statement ::= CREATE ROLE [ IF NOT EXISTS ]
role_name
[ WITH role_options# ]
role_options ::= role_option ( AND role_option)*
role_option ::= PASSWORD '=' string
+ | HASHED PASSWORD '=' string
| LOGIN '=' boolean
| SUPERUSER '=' boolean
| OPTIONS '=' map_literal
diff --git a/doc/modules/cassandra/examples/BNF/create_user_statement.bnf
b/doc/modules/cassandra/examples/BNF/create_user_statement.bnf
index 19f9903921..e090e38413 100644
--- a/doc/modules/cassandra/examples/BNF/create_user_statement.bnf
+++ b/doc/modules/cassandra/examples/BNF/create_user_statement.bnf
@@ -1,4 +1,4 @@
create_user_statement ::= CREATE USER [ IF NOT EXISTS ] role_name
- [ WITH PASSWORD string ]
+ [ WITH [ HASHED ] PASSWORD string ]
[ user_option ]
user_option: SUPERUSER | NOSUPERUSER
diff --git a/doc/modules/cassandra/examples/CQL/alter_role.cql
b/doc/modules/cassandra/examples/CQL/alter_role.cql
index c5f7d3d399..1e858aea23 100644
--- a/doc/modules/cassandra/examples/CQL/alter_role.cql
+++ b/doc/modules/cassandra/examples/CQL/alter_role.cql
@@ -1 +1,2 @@
ALTER ROLE bob WITH PASSWORD = 'PASSWORD_B' AND SUPERUSER = false;
+ALTER ROLE bob WITH HASHED PASSWORD =
'$2a$10$JSJEMFm6GeaW9XxT5JIheuEtPvat6i7uKbnTcxX3c1wshIIsGyUtG' AND SUPERUSER =
false;
diff --git a/doc/modules/cassandra/examples/CQL/alter_user.cql
b/doc/modules/cassandra/examples/CQL/alter_user.cql
index 97de7ba1dd..a0bf30ef8a 100644
--- a/doc/modules/cassandra/examples/CQL/alter_user.cql
+++ b/doc/modules/cassandra/examples/CQL/alter_user.cql
@@ -1,2 +1,3 @@
ALTER USER alice WITH PASSWORD 'PASSWORD_A';
+ALTER USER alice WITH HASHED PASSWORD
'$2a$10$JSJEMFm6GeaW9XxT5JIheuEtPvat6i7uKbnTcxX3c1wshIIsGyUtG';
ALTER USER bob SUPERUSER;
diff --git a/doc/modules/cassandra/examples/CQL/create_role.cql
b/doc/modules/cassandra/examples/CQL/create_role.cql
index c8d0d640de..2ceee54d62 100644
--- a/doc/modules/cassandra/examples/CQL/create_role.cql
+++ b/doc/modules/cassandra/examples/CQL/create_role.cql
@@ -1,5 +1,6 @@
CREATE ROLE new_role;
CREATE ROLE alice WITH PASSWORD = 'password_a' AND LOGIN = true;
+CREATE ROLE alice WITH HASHED PASSWORD =
'$2a$10$JSJEMFm6GeaW9XxT5JIheuEtPvat6i7uKbnTcxX3c1wshIIsGyUtG' AND LOGIN = true;
CREATE ROLE bob WITH PASSWORD = 'password_b' AND LOGIN = true AND SUPERUSER =
true;
CREATE ROLE carlos WITH OPTIONS = { 'custom_option1' : 'option1_value',
'custom_option2' : 99 };
CREATE ROLE alice WITH PASSWORD = 'password_a' AND LOGIN = true AND ACCESS TO
DATACENTERS {'DC1', 'DC3'};
diff --git a/doc/modules/cassandra/examples/CQL/create_user.cql
b/doc/modules/cassandra/examples/CQL/create_user.cql
index b6531ebbc4..d7542271bd 100644
--- a/doc/modules/cassandra/examples/CQL/create_user.cql
+++ b/doc/modules/cassandra/examples/CQL/create_user.cql
@@ -1,2 +1,3 @@
CREATE USER alice WITH PASSWORD 'password_a' SUPERUSER;
CREATE USER bob WITH PASSWORD 'password_b' NOSUPERUSER;
+CREATE USER bob WITH HASHED PASSWORD
'$2a$10$JSJEMFm6GeaW9XxT5JIheuEtPvat6i7uKbnTcxX3c1wshIIsGyUtG' NOSUPERUSER;
diff --git a/doc/modules/cassandra/pages/cql/security.adoc
b/doc/modules/cassandra/pages/cql/security.adoc
index 7ea0620ac8..7d97bad76b 100644
--- a/doc/modules/cassandra/pages/cql/security.adoc
+++ b/doc/modules/cassandra/pages/cql/security.adoc
@@ -58,6 +58,8 @@ authentication, enclosing the password in single quotation
marks.
If internal authentication has not been set up or the role does not have
`LOGIN` privileges, the `WITH PASSWORD` clause is not necessary.
+USE `WITH HASHED PASSWORD` to provide the jBcrypt hashed password directly.
See the `hash_password` tool.
+
==== Restricting connections to specific datacenters
If a `network_authorizer` has been configured, you can restrict login
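Review bot: The added sentence opens with `USE` in capitals, which on a CQL reference page reads like the CQL `USE` keyword rather than the verb; `Use` would avoid that, here and in the identical sentence added by the second hunk of this file. The tool is referenced only as backticked text, while `tools/index.adoc` in this same commit links the new page with `xref:tools/hash_password.adoc[hash password tool]`, so an xref here would take readers straight to the option list. It would also help to say that the string must be in the format the tool prints (the examples show `$2a$10$...`), since the sentence gives no hint of what a valid value looks like.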
@@ -95,6 +97,8 @@ For example:
include::example$CQL/alter_role.cql[]
----
+USE `WITH HASHED PASSWORD` to provide the jBcrypt hashed password directly.
See the `hash_password` tool.
+
==== Restricting connections to specific datacenters
If a `network_authorizer` has been configured, you can restrict login
diff --git a/doc/modules/cassandra/pages/tools/hash_password.adoc
b/doc/modules/cassandra/pages/tools/hash_password.adoc
new file mode 100644
index 0000000000..b2e8e0f78e
--- /dev/null
+++ b/doc/modules/cassandra/pages/tools/hash_password.adoc
@@ -0,0 +1,31 @@
+= Hash password
+
+The `hash_password` tool is used to get the jBcrypt hash of a password. This
hash
+can be used in CREATE/ALTER ROLE/USER statements for improved security.
+
+This feature can be useful if we want to make sure no intermediate system,
logging or
+any other possible plain text password leak can happen.
+
+== Usage
+
+hash_password <options>
+
+[cols=",",]
+|===
+
+|-h,--help |Displays help message
+
+|-e,--environment-var <arg> |Use value of the specified environment
+variable as the password
+
+|-i,--input <arg> |Input is a file (or - for stdin) to read the
+password from. Make sure that the whole input including newlines is
+considered. For example, the shell command `echo -n foobar \| hash_password
+-i -` will work as intended and just hash 'foobar'.
+
+|-p,--plain <arg> |Argument is the plain text password
+
+|-r,--logrounds <arg> |Number of hash rounds (default: 10).
+|===
+
+One of the options --environment-var, --plain or --input must be used.
\ No newline at end of file
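Review bot: The `-p,--plain` row documents passing the plain text password as a command-line argument with no caveat, which works against the goal stated in the introduction of avoiding "any other possible plain text password leak": command-line arguments commonly end up in shell history and are visible in process listings. The `echo -n foobar | hash_password -i -` example has the same shell-history exposure. I would add a sentence after the options table along the lines of `Prefer --input with a file or stdin; a password passed with --plain may be recorded in shell history and shown in process listings.` A short remark that the resulting hash should still be handled as sensitive, since it can be used for offline guessing, would round this out. The file also ends without a trailing newline.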
diff --git a/doc/modules/cassandra/pages/tools/index.adoc
b/doc/modules/cassandra/pages/tools/index.adoc
index a25af555cb..ca8b791844 100644
--- a/doc/modules/cassandra/pages/tools/index.adoc
+++ b/doc/modules/cassandra/pages/tools/index.adoc
@@ -7,3 +7,4 @@ Cassandra.
* xref:tools/nodetool/nodetool.adoc[nodetool]
* xref:tools/sstable/index.adoc[SSTable tools]
* xref:tools/cassandra_stress.adoc[cassandra-stress tool]
+* xref:tools/hash_password.adoc[hash password tool]