[
https://issues.apache.org/jira/browse/CASSANDRA-17457?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17583113#comment-17583113
]
Stefan Miklosovic commented on CASSANDRA-17457:
-----------------------------------------------
Too bad there can be only one! [~Jfleming] could you please provide a PR with
what you have and we take it from there? We will then contemplate about who is
actually going to do this. I think the most proper way would be to create a CEP
with comprehensive design of this feature where CQL stuff Berenguer wants to
introduce would be also incorporated. Then we would create all the respective
implementation tickets as I do not think that one ticket covers it all.
> User password strength
> ----------------------
>
> Key: CASSANDRA-17457
> URL: https://issues.apache.org/jira/browse/CASSANDRA-17457
> Project: Cassandra
> Issue Type: Improvement
> Components: Feature/Authorization
> Reporter: Berenguer Blasi
> Assignee: Jackson Fleming
> Priority: Normal
> Labels: low-hanging-fruit
> Fix For: 4.x
>
>
> Currently we can create a user with a very insecure password such as 'A'.
> _CREATE ROLE coach WITH PASSWORD = 'A' AND LOGIN = true;_
>
> As we can see there are no restrictions on length, characters, etc We should
> discuss and adopt some best practices in this area. A warning would be the
> preference instead of erroring out. Historically this has been left to be
> dealt by LDAP or other auth systems so we can't error out.
> Newcomers:
> - We should add warnings when a weak password is provided on DCL CQL. The
> {{validate}} method looks like a good place at face value. Fell free to
> analyze and suggest otherwise. See {{ClientWarn}} usages for examples.
> - We should add junit methods for the newly created warnings
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
