[
https://issues.apache.org/jira/browse/CASSANDRA-17457?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17860886#comment-17860886
]
Dinesh Joshi commented on CASSANDRA-17457:
------------------------------------------
1. Thanks for clarifying with legal. This is resolved.
2. I appeared to have overlooked the character sets that Passay and therefore
this validator supports. In addition to English, Passay appears to support
Cyrillic, Cyrillic Modern, Czech, German and Polish. However, Cassandra today
supports any valid Unicode characters. With the validator enabled, the user
cannot use Asian languages like Chinese (or any valid Unicode characters) which
we support today for passwords. Here's what the user gets as an error when
using traditional Chinese (I am not familiar with Chinese language so these are
just some characters I found via Google Translate. Hopefully they're not
offensive.) -
{noformat}
cassandra@cqlsh> CREATE ROLE foo WITH LOGIN = true and PASSWORD =
'卡桑德拉-卡桑德拉山山羊棚';
InvalidRequest: Error from server: code=2200 [Invalid query] message="Password
was not set as it violated configured password strength policy. To fix this
error, the following has to be resolved: Password must contain 1 or more
uppercase characters. Password must contain 1 or more lowercase characters.
Password must contain 1 or more digit characters. Password matches 1 of 4
character rules, but 3 are required. You may also use 'GENERATED PASSWORD' upon
role creation or alteration."
{noformat}
I hope we can agree that this is not a great user experience. Moreover, in Asian
languages that I am familiar with, there are no uppercase or lowercase
characters, which is an assumption both Passay and now Cassandra are making. This
is what led to my suggestion to make the configuration more flexible so the
operator can configure the character set they wish to use which could be any
valid Unicode characters we support.
This feature restricts existing functionality for our users and that is partly
the point of password complexity and validation. However, losing the ability to
use any Unicode characters is definitely an issue that is worth addressing.
I propose the following to unblock this feature for now -
1. The validator should check if the password is in one of the supported
languages. If it is, it proceeds with the validation of the rules. If it is
not, it generates an error which says something along the lines of 'Unsupported
language or character set'.
2. Document clearly in Cassandra's documentation, NEWS.txt and Cassandra docs
warning the operator and user that enabling this plugin would limit the
language choices for passwords.
In the intermediate / long term, we should find a way to support other Unicode
character sets so we are inclusive.
I appreciate your patience with my feedback and I would like to be very clear
that while the CEP is voted on, we as a community need to be flexible and need
to listen to constructive feedback as and when it comes in. My objective here
is to offer constructive feedback and not to derail your feature.
> CEP-24 - Password validation/generation
> ---------------------------------------
>
> Key: CASSANDRA-17457
> URL: https://issues.apache.org/jira/browse/CASSANDRA-17457
> Project: Cassandra
> Issue Type: Improvement
> Components: Feature/Authorization
> Reporter: Berenguer Blasi
> Assignee: Stefan Miklosovic
> Priority: Normal
> Fix For: 5.x
>
>
> Implement CEP-24 as per
> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=228494146
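
The pre-check proposed in point 1 of the comment, sketched as an added example that is not part of the original comment or of the Cassandra patch. It uses only the JDK; the class name, the `SUPPORTED` set and the mapping of Passay's listed languages onto the Latin and Cyrillic Unicode scripts are assumptions, and the second and third sample passwords are constructed.

```java
import java.lang.Character.UnicodeScript;
import java.util.EnumSet;
import java.util.Set;
import java.util.function.IntPredicate;

// Hypothetical helper, not Cassandra or Passay code.
public class PasswordScriptPrecheck {

    // Assumption: English, Czech, German and Polish are written in LATIN,
    // both Cyrillic character sets in CYRILLIC.
    static final Set<UnicodeScript> SUPPORTED =
            EnumSet.of(UnicodeScript.LATIN, UnicodeScript.CYRILLIC);

    /** Returns null when every letter is in a supported script, else an error message. */
    static String precheck(String password) {
        Set<UnicodeScript> unsupported = EnumSet.noneOf(UnicodeScript.class);
        password.codePoints()                      // code points, so non-BMP letters count once
                .filter(Character::isLetter)       // digits and punctuation are script-neutral
                .mapToObj(UnicodeScript::of)
                .filter(script -> !SUPPORTED.contains(script))
                .forEach(unsupported::add);
        return unsupported.isEmpty()
                ? null
                : "Unsupported language or character set: " + unsupported;
    }

    /** Counts code points matching a character class, as a character rule would. */
    static long count(String password, IntPredicate characterClass) {
        return password.codePoints().filter(characterClass).count();
    }

    public static void main(String[] args) {
        String[] samples = {
            "卡桑德拉-卡桑德拉山山羊棚",   // password from the comment above
            "Пароль-Кассандра1",          // constructed sample, Cyrillic
            "Heslo-Kasandra1"             // constructed sample, Latin
        };
        for (String pw : samples) {
            String error = precheck(pw);
            // Han letters have no case, so the upper/lowercase counts are zero
            // and the case rules can never be satisfied for such a password.
            System.out.printf("%s upper=%d lower=%d digit=%d -> %s%n", pw,
                    count(pw, Character::isUpperCase),
                    count(pw, Character::isLowerCase),
                    count(pw, Character::isDigit),
                    error == null ? "proceed to character rules" : error);
        }
    }
}
```

Running the pre-check before the character rules means a password in an unsupported script is rejected with a single message about the character set rather than a list of uppercase, lowercase and digit failures.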