Source: https://issues.apache.org/jira/browse/CASSANDRA-17457?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17582739#comment-17582739
Berenguer Blasi commented on CASSANDRA-17457:
---------------------------------------------
Hi [~Jfleming], thanks for looking into this. Please feel free to ping me with any
questions.
I would personally do some research on the state of things. We can do a first
discussion here to avoid too much noise in the ML. Then, when we have an opinion,
bounce it to the ML to finalize it and start implementing.
WDYT, does that make sense?
> User password strength
> ----------------------
>
> Key: CASSANDRA-17457
> URL: https://issues.apache.org/jira/browse/CASSANDRA-17457
> Project: Cassandra
> Issue Type: Improvement
> Components: Feature/Authorization
> Reporter: Berenguer Blasi
> Priority: Normal
> Labels: low-hanging-fruit
>
> Currently we can create a user with a very insecure password such as 'A'.
> _CREATE ROLE coach WITH PASSWORD = 'A' AND LOGIN = true;_
>
> As we can see there are no restrictions on length, characters, etc. We should
> discuss and adopt some best practices in this area. A warning would be the
> preference instead of erroring out. Historically this has been left to be
> dealt with by LDAP or other auth systems, so we can't error out.
> Newcomers:
> - We should add warnings when a weak password is provided on DCL CQL. The
> {{validate}} method looks like a good place at face value. Feel free to
> analyze and suggest otherwise. See {{ClientWarn}} usages for examples.
> - We should add JUnit methods for the newly created warnings
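The ticket asks for weak-password warnings (rather than errors) on DCL CQL such as CREATE ROLE. The following is an added, stand-alone illustration of that idea, not code from Cassandra or from the ticket's participants: a checker that returns a list of warnings for a candidate password, plus a stand-in "warning channel" where the real implementation would call Cassandra's {{ClientWarn}}. The class name, the MIN_LENGTH value, the deny-list contents and the sample role/password pairs are all assumptions constructed for the example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Hypothetical password-strength checker (example code, not Cassandra's own).
public final class PasswordStrengthCheck
{
    static final int MIN_LENGTH = 8;  // assumed policy value, not a Cassandra setting

    // Constructed, deliberately tiny deny-list; a real one would be far larger.
    static final Set<String> COMMON = Set.of("password", "cassandra", "123456", "qwerty", "admin");

    /** Returns human-readable warnings describing why a password is weak; an empty list means no concerns. */
    public static List<String> weaknesses(String password)
    {
        List<String> warnings = new ArrayList<>();
        if (password == null || password.isEmpty())
        {
            warnings.add("Password is empty");
            return warnings;
        }

        if (password.length() < MIN_LENGTH)
            warnings.add("Password is shorter than " + MIN_LENGTH + " characters");

        // Count character classes present: lower, upper, digit, symbol.
        int classes = 0;
        if (password.chars().anyMatch(Character::isLowerCase)) classes++;
        if (password.chars().anyMatch(Character::isUpperCase)) classes++;
        if (password.chars().anyMatch(Character::isDigit)) classes++;
        if (password.chars().anyMatch(c -> !Character.isLetterOrDigit(c))) classes++;
        if (classes < 3)
            warnings.add("Password uses only " + classes + " of 4 character classes (lower, upper, digit, symbol)");

        if (COMMON.contains(password.toLowerCase()))
            warnings.add("Password is on the common-password deny-list");

        // Catches inputs like "aaaa" or "abab" that pass a bare length check.
        if (password.length() > 1 && password.chars().distinct().count() <= 2)
            warnings.add("Password is made of only one or two distinct characters");

        return warnings;
    }

    /**
     * Stand-in for the warning channel. In Cassandra the ticket points at ClientWarn for this;
     * here it just prints, so the example runs without the Cassandra code base. The statement
     * is never rejected, matching the ticket's preference to warn rather than error out.
     */
    static void emitWarnings(String role, List<String> warnings)
    {
        for (String w : warnings)
            System.out.println("WARNING: role '" + role + "': " + w);
    }

    public static void main(String[] args)
    {
        // Constructed sample inputs; the first mirrors the ticket's "PASSWORD = 'A'" example.
        String[][] samples = {
            { "coach", "A" },
            { "ops",   "Password1" },
            { "svc",   "correct horse battery staple" },
            { "dba",   "xK7#qL9!mR2v" }
        };
        for (String[] s : samples)
        {
            List<String> w = weaknesses(s[1]);
            System.out.println(s[0] + ": " + (w.isEmpty() ? "no warnings" : w.size() + " warning(s)"));
            emitWarnings(s[0], w);
        }
    }
}
```

Keeping the policy in a function that returns a list (instead of throwing) keeps the two concerns the ticket separates apart: {{validate}} can call the checker and forward each string to the warning channel, and the JUnit tests the ticket asks for can assert directly on the returned list without needing a client connection.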