This is an automated email from the ASF dual-hosted git repository.
erickramirezau pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/cassandra-website.git
The following commit(s) were added to refs/heads/trunk by this push:
new 17718e18 BLOG - Cassandra 4.1 Features: Client-side Password Hashing
17718e18 is described below
commit 17718e188b997f29467b09d1eeb6d4c497fb0326
Author: Diogenese Topper <[email protected]>
AuthorDate: Tue May 24 21:39:43 2022 -0700
BLOG - Cassandra 4.1 Features: Client-side Password Hashing
patch by Berenguer Blasi, Diogenese Topper; reviewed by Berenguer Blasi,
Erick Ramirez for CASSANDRA-17657
Co-authored by: Berenguer Blasi <[email protected]>
Co-authored by: Diogenese Topper <[email protected]>
Co-authored-by: bereng <[email protected]>
---
...-side-password-hashing-unsplash-jan-baborak.jpg | Bin 0 -> 159700 bytes
site-content/source/modules/ROOT/pages/blog.adoc | 25 +++++++
...-4.1-Features-Client-side-Password-Hashing.adoc | 75 +++++++++++++++++++++
3 files changed, 100 insertions(+)
diff --git
a/site-content/source/modules/ROOT/images/blog/apache-cassandra-4.1-features-client-side-password-hashing-unsplash-jan-baborak.jpg
b/site-content/source/modules/ROOT/images/blog/apache-cassandra-4.1-features-client-side-password-hashing-unsplash-jan-baborak.jpg
new file mode 100644
index 00000000..97a4f446
Binary files /dev/null and
b/site-content/source/modules/ROOT/images/blog/apache-cassandra-4.1-features-client-side-password-hashing-unsplash-jan-baborak.jpg
differ
diff --git a/site-content/source/modules/ROOT/pages/blog.adoc
b/site-content/source/modules/ROOT/pages/blog.adoc
index 34141efd..09b02c2b 100644
--- a/site-content/source/modules/ROOT/pages/blog.adoc
+++ b/site-content/source/modules/ROOT/pages/blog.adoc
@@ -8,6 +8,31 @@ NOTES FOR CONTENT CREATORS
- Replace post tile, date, description and link to you post.
////
+//start card
+[openblock,card shadow relative test]
+----
+[openblock,card-header]
+------
+[discrete]
+=== Apache Cassandra 4.1 Features: Client-side Password Hashing
+[discrete]
+==== May 26, 2022
+------
+[openblock,card-content]
+------
+To strengthen security and avoid the use of plain-text credentials altogether,
Apache Cassandra has added the option to use client-side password hashes in 4.1.
+
+[openblock,card-btn card-btn--blog]
+--------
+
+[.btn.btn--alt]
+xref:blog/Apache-Cassandra-4.1-Features-Client-side-Password-Hashing.adoc[Read
More]
+--------
+
+------
+----
+//end card
+
//start card
[openblock,card shadow relative test]
----
diff --git
a/site-content/source/modules/ROOT/pages/blog/Apache-Cassandra-4.1-Features-Client-side-Password-Hashing.adoc
b/site-content/source/modules/ROOT/pages/blog/Apache-Cassandra-4.1-Features-Client-side-Password-Hashing.adoc
new file mode 100644
index 00000000..9886faa3
--- /dev/null
+++
b/site-content/source/modules/ROOT/pages/blog/Apache-Cassandra-4.1-Features-Client-side-Password-Hashing.adoc
@@ -0,0 +1,75 @@
+= Apache Cassandra 4.1 Features: Client-side Password Hashing
+:page-layout: single-post
+:page-role: blog-post
+:page-post-date: May 26, 2022
+:page-post-author: Berenguer Blasi
+:description: Client-side password hashing in Apache Cassandra 4.1
+:keywords:
+
+:!figure-caption:
+
+.Image credit: https://unsplash.com/@janbaborak[Jan Baborák on Unsplash^]
+image::blog/apache-cassandra-4.1-features-client-side-password-hashing-unsplash-jan-baborak.jpg[Client-side
password hashing]
+
+Apache Cassandra, just like any other database, needs users to connect. This
means using a login and a password which up until recently would be provided as
plain text.
+
+This has the potential to create security concerns as, for instance, audit
logging could store the credentials in plain text. This problem also applied to
any other system in Cassandra that might log data, bearing in mind that Apache
Cassandra is an open source project and, therefore, it does not control all
possible forks and implementations and what and how data is logged.
+
+The solution was to sanitize any logging for sensitive information, and this
has been addressed recently. But that still left the door open to some corner
cases where the detection or removal of such sensitive information could fail.
There are also specific use cases, services and applications that might need to
store a user’s credentials and up until 4.1, they would be storing that in
plain text as well.
+
+To strengthen security, we wanted to avoid the use of plain-text credentials
altogether, so
https://issues.apache.org/jira/browse/CASSANDRA-17334[CASSANDRA-17334^] and the
release of Apache Cassandra 4.1 will add the option to use client-side password
hashes.
+
+=== New Hash Password Tool
+
+This feature introduces a new tool called `tools/bin/hash_password`. Here is
an example:
+
+```
+$ tools/bin/hash_password -p mySecret
+$2a$10$F5pRau9mKg5abP.DsuPQl.8rQpEoNm3OV91mKjb9vdKPUPejIPq/u
+```
+
+The tool is quite self-explanatory. It takes your plain-text secret and
provides a https://www.mindrot.org/projects/jBCrypt/[jBCrypt^] hash that can be
used in the DDL commands, e.g., to create or alter users/roles. For the moment
only a Java version is available.
+
+=== Example Usage of Hash_Password
+
+Let’s look at some examples of how we’d use the tool.
+
+Plain option:
+
+```
+CREATE ROLE role1
+ WITH LOGIN = true
+ AND PASSWORD = 'mySecret';
+```
+
+New hashed option:
+
+```
+CREATE ROLE role1
+ WITH LOGIN = true
+ AND HASHED PASSWORD
‘$2a$10$F5pRau9mKg5abP.DsuPQl.8rQpEoNm3OV91mKjb9vdKPUPejIPq/u’;
+```
+
+As you can see we’re building the CQL with the hashed value of the password
directly, i.e., this enables our applications to store the hash instead of the
plain-text password. Also, any intermediate or third-party systems, additional
logging or storing will deal with the hashes so the risk of accidental
plain-text passwords leak is removed.
+
+The same applies to ALTER statements.
+
+Plain option:
+
+```
+ALTER ROLE role1
+ WITH PASSWORD = '%s'
+```
+
+New hashed option:
+
+```
+ALTER ROLE role1
+ WITH HASHED PASSWORD = '%s'
+```
+
+=== Backward Compatibility
+
+This feature is backward compatible so it will also work for CREATE/ALTER USER
statements. On occasions where the built-in password obfuscation fails when
logging data, this feature will only reveal the hash instead of the plain-text
password.
+
+Stay tuned for upcoming further security enhancements, such as
https://issues.apache.org/jira/browse/CASSANDRA-17501[CASSANDRA-17501^].
\ No newline at end of file
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
