[ https://issues.apache.org/jira/browse/CASSANDRA-18420?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17717292#comment-17717292 ]

Ningzi Zhan edited comment on CASSANDRA-18420 at 4/27/23 4:36 PM:
------------------------------------------------------------------

In the [cqlsh protocol: Initial handshake|https://github.com/apache/cassandra/blob/trunk/doc/native_protocol_v5.spec#:~:text=2.3%20Protocol%20Negotiation-,2.3.1%20Initial%20Handshake,-In%20order%20to], it suggests that the client needs to send the STARTUP message and then wait for the AUTHENTICATE message from the Cassandra server. If there is no username in the STARTUP message, there is no way that the Cassandra server can send the AUTHENTICATE message. Therefore, the client just deals with this no-username scenario itself. If there is no username, the client will end the connection itself, so the server won't receive the message and write it into the audit log. And the connection without a username is doomed to fail, so it might be OK to let the client handle it.
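A small model of the exchange described in the comment, added here as an illustration and not code from Cassandra or the python driver: the server only writes an audit record when it processes an AUTH_RESPONSE, and a client with no credentials stops right after AUTHENTICATE, so that attempt never appears in the log. Message names follow native_protocol_v5.spec; the classes, the credential and the audit record layout are assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


class AuthenticationFailed(Exception):
    """Client-side error, mirroring the text cqlsh shows in the issue description."""


@dataclass
class Server:
    """Simulated node with PasswordAuthenticator; only AUTH_RESPONSE reaches the audit log."""
    password: str = "s3cret"                    # constructed credential for user 'cassandra'
    audit_log: List[Tuple[str, str]] = field(default_factory=list)

    def handle(self, msg: dict) -> dict:
        if msg["op"] == "STARTUP":
            # Authentication is required, so answer STARTUP with AUTHENTICATE.
            return {"op": "AUTHENTICATE", "class": "PasswordAuthenticator"}
        if msg["op"] == "AUTH_RESPONSE":
            ok = msg["user"] == "cassandra" and msg["password"] == self.password
            # This is the only point where the server learns who tried to log in.
            self.audit_log.append(("LOGIN_SUCCESS" if ok else "LOGIN_ERROR", msg["user"]))
            return {"op": "AUTH_SUCCESS"} if ok else {"op": "ERROR", "reason": "bad credentials"}
        return {"op": "ERROR", "reason": "unexpected message"}


def connect(server: Server, user: Optional[str], password: Optional[str]) -> str:
    """Client side: send STARTUP, then answer AUTHENTICATE only if credentials exist."""
    reply = server.handle({"op": "STARTUP"})
    if reply["op"] != "AUTHENTICATE":
        return "READY"
    if user is None:
        # No username: the client gives up locally and never sends AUTH_RESPONSE.
        raise AuthenticationFailed("Remote end requires authentication")
    reply = server.handle({"op": "AUTH_RESPONSE", "user": user, "password": password})
    if reply["op"] != "AUTH_SUCCESS":
        raise AuthenticationFailed(reply["reason"])
    return "AUTH_SUCCESS"


def run_attempts(attempts):
    """Run (user, password) attempts against one server; return outcomes and its audit log."""
    server = Server()
    outcomes = []
    for user, pw in attempts:
        try:
            outcomes.append(connect(server, user, pw))
        except AuthenticationFailed as err:
            outcomes.append(f"client error: {err}")
    return outcomes, list(server.audit_log)
```

Running three attempts (no username, wrong password, correct password) yields only two audit records, which is exactly the gap the issue reports.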



> Connection without username not logged in auditlog 
> ---------------------------------------------------
>
>                 Key: CASSANDRA-18420
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-18420
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Tool/auditlogging
>            Reporter: Yakir Gibraltar
>            Assignee: Ningzi Zhan
>            Priority: Normal
>             Fix For: 4.0.x, 4.1.x, 5.x
>
>
> Hi,
> If making a connection *without username* to a Cassandra cluster with 
> PasswordAuthenticator enabled, 
> the connection will fail but is not logged in the audit log.
> How to reproduce:
>  # Enable "authenticator: PasswordAuthenticator" on cluster
>  # Enable audit : "nodetool enableauditlog"
>  # Open a new screen and run "auditlogviewer -f <log_location>/audit/"
>  # Try to connect, and connection will fail:
> {code:java}
> [root@c1 ~]# cqlsh
> Connection error: ('Unable to connect to any servers', {'127.0.0.1:9042': 
> AuthenticationFailed('Remote end requires authentication',)}){code}
>  # *But nothing in auditlogviewer*.
> Connections with incorrect usernames or passwords are logged correctly in the audit log; 
> the problem is only with connections without a username. 
> How it's affecting:
>  # Security reason: hard to find unauthorized connection attempts.
>  # When migrating a cluster to PasswordAuthenticator, hard to find 
> applications that didn't add a username/password. 
> Thank you. 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
