[ 
https://issues.apache.org/jira/browse/CASSANDRA-19765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17865565#comment-17865565
 ] 

Stefan Miklosovic commented on CASSANDRA-19765:
-----------------------------------------------

I don't know ... the fact that this is by default disabled unless the flag is 
turned on means that the operator would need to manually intervene and restart the 
nodes etc. So while they are at it, why don't they just run "REVOKE SELECT ON 
system_auth.roles FROM somerole" in a repeated manner over all non-super-user 
roles and be done with it? This would happen together with a patch which would 
skip granting this on system_auth.roles or other tables in the future if we 
choose so. The effort seems to be the same to me.

> Remove accessibility to system_auth.roles salted_hash for non-superusers
> ------------------------------------------------------------------------
>
>                 Key: CASSANDRA-19765
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-19765
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Legacy/Core
>            Reporter: Abe Ratnofsky
>            Assignee: Abe Ratnofsky
>            Priority: Normal
>             Fix For: 3.0.x, 3.11.x, 4.0.x, 4.1.x, 5.0.x
>
>
> Cassandra permits all users with SELECT on system_auth.roles to access 
> contents of the salted_hash column. This column contains a bcrypt hash, which 
> shouldn't be visible. This isn't a significant security risk at the current 
> time, but is prone to [retrospective 
> decryption|https://en.wikipedia.org/wiki/Harvest_now,_decrypt_later]. We 
> should protect this column so passwords cannot be cracked in the future.
>  
>  
> {code:java}
> $ ./bin/cqlsh -u cassandra -p cassandra
> [cqlsh 6.3.0 | Cassandra 5.1-SNAPSHOT | CQL spec 3.4.8 | Native protocol v5]
> cassandra@cqlsh> CREATE ROLE nonsuperuser WITH LOGIN=true AND PASSWORD='nonsuperuser';
> cassandra@cqlsh> GRANT SELECT ON system_auth.roles TO nonsuperuser;
> cassandra@cqlsh> exit;
> $ ./bin/cqlsh -u nonsuperuser -p nonsuperuser
> [cqlsh 6.3.0 | Cassandra 5.1-SNAPSHOT | CQL spec 3.4.8 | Native protocol v5]
> nonsuperuser@cqlsh> SELECT * FROM system_auth.roles;
>  role         | can_login | is_superuser | member_of | salted_hash
> --------------+-----------+--------------+-----------+--------------------------------------------------------------
>     cassandra |      True |         True |      null | $2a$10$WMg9UlR7F8Ko7LZxEyg0Ue12BoHR/Dn/0/3YtV4nRYCPcY7/5OmA6
>  nonsuperuser |      True |        False |      null | $2a$10$HmHwVZRk8F904UUNMiUYi.xkVglWyKNgHMo1xJsCCKirwyb9NO/im
> (2 rows)
> {code}
>  
> Patches available:
> 3.0: https://github.com/apache/cassandra/compare/trunk...aratno:cassandra:CASSANDRA-19765-salted_hash-visibility-30
> 3.11: https://github.com/apache/cassandra/compare/trunk...aratno:cassandra:CASSANDRA-19765-salted_hash-visibility-311
> 4.0: https://github.com/apache/cassandra/compare/trunk...aratno:cassandra:CASSANDRA-19765-salted_hash-visibility-40
> 4.1: https://github.com/apache/cassandra/compare/trunk...aratno:cassandra:CASSANDRA-19765-salted_hash-visibility-41
> 5.0: https://github.com/apache/cassandra/compare/trunk...aratno:cassandra:CASSANDRA-19765-salted_hash-visibility-50
> trunk: https://github.com/apache/cassandra/compare/trunk...aratno:cassandra:CASSANDRA-19765-salted_hash-visibility-trunk
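The comment above proposes revoking SELECT on system_auth.roles from every non-superuser role as the operational alternative to the patch. The practical difficulty is working out which roles can actually read that table: a grant on KEYSPACE system_auth or on ALL KEYSPACES covers the table too, and a role inherits grants from the roles it is a member of. The following is an added example, written for this page and not code from the ticket or from the Cassandra project. It models that resource hierarchy and role inheritance over constructed rows shaped like system_auth.roles and system_auth.role_permissions, lists the non-superuser roles that can read system_auth.roles, and generates the REVOKE statements at the level where each grant actually exists. It assumes, as Cassandra does, that superuser status is also inherited through membership; the role names and grants are invented sample data.

```python
"""Audit which non-superuser roles can SELECT system_auth.roles (and thus see
salted_hash), and generate the REVOKE statements that close each grant.

Input shapes mirror Cassandra's auth tables: system_auth.roles rows
(role, is_superuser, member_of) and system_auth.role_permissions rows
(role, resource, permissions), where a table resource is 'data/<ks>/<table>',
a keyspace is 'data/<ks>' and ALL KEYSPACES is 'data'."""
from collections import deque

TARGET_RESOURCE = "data/system_auth/roles"

# Constructed sample data (not from any real cluster).
ROLES = {
    "cassandra":    {"is_superuser": True,  "member_of": set()},
    "dba":          {"is_superuser": True,  "member_of": set()},
    "nonsuperuser": {"is_superuser": False, "member_of": set()},
    "reporting":    {"is_superuser": False, "member_of": set()},
    "analyst":      {"is_superuser": False, "member_of": {"reporting"}},
    "app":          {"is_superuser": False, "member_of": set()},
}
ROLE_PERMISSIONS = {
    ("dba", "data"): {"SELECT", "MODIFY"},                      # superuser: irrelevant
    ("nonsuperuser", "data/system_auth/roles"): {"SELECT"},     # direct table grant
    ("reporting", "data/system_auth"): {"SELECT"},              # keyspace-level grant
    ("app", "data/app_ks/orders"): {"SELECT", "MODIFY"},        # unrelated table
}


def covering_resources(resource):
    """Resources whose permissions apply to `resource`, broadest first:
    'data' -> 'data/system_auth' -> 'data/system_auth/roles'."""
    parts = resource.split("/")
    return ["/".join(parts[:i]) for i in range(1, len(parts) + 1)]


def resource_to_cql(resource):
    """Render an internal resource name as the CQL GRANT/REVOKE target."""
    parts = resource.split("/")
    if parts == ["data"]:
        return "ALL KEYSPACES"
    if len(parts) == 2:
        return f"KEYSPACE {parts[1]}"
    return f"TABLE {parts[1]}.{parts[2]}"


def transitive_roles(role, roles):
    """The role itself plus everything it is (transitively) a member of."""
    seen, queue = {role}, deque([role])
    while queue:
        for parent in roles[queue.popleft()]["member_of"]:
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


def is_effective_superuser(role, roles):
    # Superuser status is inherited through membership (modelling assumption).
    return any(roles[r]["is_superuser"] for r in transitive_roles(role, roles))


def select_grants(role, roles, perms, resource=TARGET_RESOURCE):
    """Every (granting_role, resource) pair that gives `role` SELECT on `resource`."""
    grants = []
    for granted_role in sorted(transitive_roles(role, roles)):
        for res in covering_resources(resource):
            if "SELECT" in perms.get((granted_role, res), set()):
                grants.append((granted_role, res))
    return grants


def audit_readers(roles, perms, resource=TARGET_RESOURCE):
    """Non-superuser roles that can read `resource`, with the grants responsible."""
    readers = {}
    for role in sorted(roles):
        if is_effective_superuser(role, roles):
            continue
        grants = select_grants(role, roles, perms, resource)
        if grants:
            readers[role] = grants
    return readers


def revoke_statements(roles, perms, resource=TARGET_RESOURCE):
    """REVOKE statements, one per distinct grant, targeting the level it was made at.
    Revoking on the table alone would leave a keyspace-level grant in force."""
    statements = set()
    for grants in audit_readers(roles, perms, resource).values():
        for granted_role, res in grants:
            statements.add(f"REVOKE SELECT ON {resource_to_cql(res)} FROM {granted_role};")
    return sorted(statements)


if __name__ == "__main__":
    for role, grants in audit_readers(ROLES, ROLE_PERMISSIONS).items():
        print(f"{role}: can read {TARGET_RESOURCE} via {grants}")
    print("\n".join(revoke_statements(ROLES, ROLE_PERMISSIONS)))
```

On a live cluster the equivalent data comes from `SELECT role, is_superuser, member_of FROM system_auth.roles` and `SELECT role, resource, permissions FROM system_auth.role_permissions` (or `LIST ALL PERMISSIONS ON system_auth.roles`), run as a superuser. Re-running the audit after the revocations, and again after deploying the patch, confirms that nothing but superusers can still reach the column.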



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
