[
https://issues.apache.org/jira/browse/CASSANDRA-17457?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17582818#comment-17582818
]
Stefan Miklosovic commented on CASSANDRA-17457:
-----------------------------------------------
It does not seem like that, but this is quite a complex issue to get right and
have robust, which would nicely fit into Cassandra and upcoming ideas we were
discussing with Berenguer offline. I think that the very first step would be to
write down the requirements and design the solution as such. We are thinking
about having this as a guardrail, which seems to make sense. We also need to
investigate all the rules and how it would be configurable. Maybe pluggable
password policies by implementing some interface and putting it on the class
path would be the ultimate way to achieve this (with a sane default
implementation provided out of the box).
We will work on this with Jackson (he is my colleague at work).
> User password strength
> ----------------------
>
> Key: CASSANDRA-17457
> URL: https://issues.apache.org/jira/browse/CASSANDRA-17457
> Project: Cassandra
> Issue Type: Improvement
> Components: Feature/Authorization
> Reporter: Berenguer Blasi
> Assignee: Stefan Miklosovic
> Priority: Normal
> Labels: low-hanging-fruit
>
> Currently we can create a user with a very insecure password such as 'A'.
> _CREATE ROLE coach WITH PASSWORD = 'A' AND LOGIN = true;_
>
> As we can see there are no restrictions on length, characters, etc. We should
> discuss and adopt some best practices in this area. A warning would be the
> preference instead of erroring out. Historically this has been left to be
> dealt with by LDAP or other auth systems, so we can't error out.
> Newcomers:
> - We should add warnings when a weak password is provided on DCL CQL. The
> {{validate}} method looks like a good place at face value. Feel free to
> analyze and suggest otherwise. See {{ClientWarn}} usages for examples.
> - We should add junit methods for the newly created warnings
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
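As an added illustration of the warn-only, pluggable policy idea sketched in the comment above (example code written for this page, not Cassandra's own; the PasswordPolicy interface, DefaultPasswordPolicy, its thresholds and checkCreateRole are all assumptions):

```java
import java.util.ArrayList;
import java.util.List;

// Hypothetical pluggable policy: an implementation is picked up from the class path
// and only produces warnings for the client; it never rejects the DCL statement.
interface PasswordPolicy {
    List<String> validate(String roleName, String password);
}

// Hypothetical "sane default" implementation with a configurable minimum length.
final class DefaultPasswordPolicy implements PasswordPolicy {
    private final int minLength;
    DefaultPasswordPolicy(int minLength) { this.minLength = minLength; }

    @Override
    public List<String> validate(String roleName, String password) {
        List<String> warnings = new ArrayList<>();
        if (password.length() < minLength)
            warnings.add("Password for role '" + roleName + "' is shorter than " + minLength + " characters");
        int classes = 0; // count of lower/upper/digit/symbol classes present
        if (password.chars().anyMatch(Character::isLowerCase)) classes++;
        if (password.chars().anyMatch(Character::isUpperCase)) classes++;
        if (password.chars().anyMatch(Character::isDigit)) classes++;
        if (password.chars().anyMatch(c -> !Character.isLetterOrDigit(c))) classes++;
        if (classes < 3)
            warnings.add("Password for role '" + roleName + "' uses fewer than 3 character classes (lower, upper, digit, symbol)");
        if (password.equalsIgnoreCase(roleName))
            warnings.add("Password for role '" + roleName + "' matches the role name");
        return warnings;
    }
}

public class PasswordPolicyDemo {
    // Stand-in for the statement's validate() step: gather the policy's warnings and
    // hand them to the client warning channel (ClientWarn in Cassandra; printed here).
    static List<String> checkCreateRole(PasswordPolicy policy, String roleName, String password) {
        List<String> warnings = policy.validate(roleName, password);
        for (String w : warnings) System.out.println("WARNING: " + w);
        return warnings; // the CREATE ROLE itself still proceeds
    }

    public static void main(String[] args) {
        PasswordPolicy policy = new DefaultPasswordPolicy(12);
        // The ticket's example: CREATE ROLE coach WITH PASSWORD = 'A' AND LOGIN = true;
        checkCreateRole(policy, "coach", "A");                   // two warnings, statement still succeeds
        checkCreateRole(policy, "coach", "c0ach-Tr41ns-well!");  // no warnings
    }
}
```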