[ https://issues.apache.org/jira/browse/CASSANDRA-13428?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17932283#comment-17932283 ]

Stefan Miklosovic commented on CASSANDRA-13428:
-----------------------------------------------

[CASSANDRA-13428|https://github.com/instaclustr/cassandra/tree/CASSANDRA-13428]
{noformat}
java17_pre-commit_tests                         
  ✓ j17_build                                        4m 29s
  ✓ j17_cqlsh_dtests_py311                           6m 56s
  ✓ j17_cqlsh_dtests_py311_vnode                     7m 29s
  ✓ j17_cqlsh_dtests_py38                            8m 11s
  ✓ j17_cqlsh_dtests_py38_vnode                      7m 34s
  ✓ j17_cqlshlib_cython_tests                       11m 23s
  ✓ j17_cqlshlib_tests                               7m 24s
  ✓ j17_dtests_vnode                                43m 53s
  ✓ j17_unit_tests                                  16m 25s
  ✓ j17_unit_tests_repeat                            6m 50s
  ✓ j17_utests_latest_repeat                         6m 15s
  ✓ j17_utests_oa                                   16m 14s
  ✓ j17_utests_oa_repeat                             6m 36s
  ✕ j17_dtests                                      37m 55s
      refresh_test.TestRefresh test_refresh_deadlock_startup
      pushed_notifications_test.TestPushedNotifications test_move_single_node_localhost
  ✕ j17_dtests_latest                               41m 49s
      topology_test.TestTopology test_resumable_decommission
  ✕ j17_jvm_dtests                                  28m 18s
      org.apache.cassandra.fuzz.sai.MultiNodeSAITest indexOnlySaiTest TIMEOUTED
  ✕ j17_jvm_dtests_latest_vnode                     25m 37s
      org.apache.cassandra.fuzz.sai.MultiNodeSAITest indexOnlySaiTest TIMEOUTED
  ✕ j17_utests_latest                               15m 52s
      org.apache.cassandra.net.ConnectionTest testTimeout
{noformat}

[java17_pre-commit_tests|https://app.circleci.com/pipelines/github/instaclustr/cassandra/5532/workflows/c61a1e32-a2cc-4e75-b6d5-bdc9505372a1]


> Security: provide keystore_password_file and truststore_password_file options
> -----------------------------------------------------------------------------
>
>                 Key: CASSANDRA-13428
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-13428
>             Project: Apache Cassandra
>          Issue Type: Improvement
>          Components: Feature/Encryption, Local/Config
>            Reporter: Bas van Dijk
>            Assignee: Maulin Vasavada
>            Priority: Normal
>   Original Estimate: 3h
>          Time Spent: 3h 50m
>  Remaining Estimate: 0h
>
> Currently passwords are stored in plaintext in the configuration file as in:
> {code}
>     server_encryption_options:
>       keystore_password: secret
>       truststore_password: secret
>     client_encryption_options:
>       keystore_password: secret
> {code}
> This has the disadvantage that, in order to protect the secrets, the whole 
> configuration file needs to have restricted ownership and permissions. This 
> is problematic in operating systems like NixOS where configuration files are 
> usually stored in world-readable locations.
> A secure option would be to store secrets in files (with restricted ownership 
> and permissions) and reference those files from the unrestricted 
> configuration file as in for example:
> {code}
>     server_encryption_options:
>       keystore_password_file: /run/keys/keystore-password
>       truststore_password_file: /run/keys/truststore-password
>     client_encryption_options:
>       keystore_password_file: /run/keys/keystore-password
> {code}
> This is trivial to implement and provides a big gain in security.
> So in summary I'm proposing to add the {{keystore_password_file}} and 
> {{truststore_password_file}} options besides the existing 
> {{keystore_password}} and {{truststore_password}} options. The former will 
> take precedence over the latter.
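
Added example, not part of the ticket or of Cassandra's own configuration loader: a stand-alone Python model of the semantics the issue proposes, where a `*_password_file` key takes precedence over the inline `*_password` key. It also shows the check that makes the indirection worthwhile, refusing a password file that is group- or world-accessible or owned by another user, and trims the single trailing newline that editors and `echo` leave in such files. The function names, the exact mode/ownership policy and the constructed sample files are assumptions for illustration.

```python
"""Resolve keystore/truststore passwords as CASSANDRA-13428 proposes:
`<name>_password_file` wins over `<name>_password`, and the file must be
private to the service account. Stand-alone model, not Cassandra's loader."""
import os
import stat
import tempfile
from pathlib import Path
from typing import Optional


def read_password_file(path: str) -> str:
    """Read a secret from `path`, enforcing the restrictions the ticket relies on."""
    p = Path(path)
    st = p.stat()
    if not stat.S_ISREG(st.st_mode):
        raise ValueError(f"{path}: not a regular file")
    # The file indirection only helps if the file itself is private (assumed
    # policy): reject group/world-accessible files and files owned by another user.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(
            f"{path}: mode {stat.filemode(st.st_mode)} is group/world accessible")
    if st.st_uid != os.geteuid():
        raise PermissionError(f"{path}: not owned by the running user")
    data = p.read_text(encoding="utf-8")
    # Strip one trailing newline (added by most editors and `echo`) but nothing
    # else, since other whitespace may legitimately be part of the password.
    if data.endswith("\n"):
        data = data[:-1]
    if not data:
        raise ValueError(f"{path}: empty password file")
    return data


def resolve_password(options: dict, name: str) -> Optional[str]:
    """Return the password for `name` ('keystore' or 'truststore') from an
    encryption-options mapping. The *_password_file key takes precedence over
    the inline *_password key; None means neither is configured."""
    path = options.get(f"{name}_password_file")
    if path:
        return read_password_file(path)
    return options.get(f"{name}_password")


def write_secret(path: str, secret: str, mode: int) -> None:
    """Create a password file with an explicit mode (independent of umask)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(secret)
    os.chmod(path, mode)


def demo() -> dict:
    """Exercise the resolver on constructed files; returns the observed results."""
    with tempfile.TemporaryDirectory() as d:
        private = os.path.join(d, "keystore-password")
        write_secret(private, "s3cret\n", 0o600)   # what /run/keys/... should look like
        leaky = os.path.join(d, "truststore-password")
        write_secret(leaky, "s3cret\n", 0o644)     # world-readable: must be rejected
        results = {
            "file_wins": resolve_password(
                {"keystore_password": "inline", "keystore_password_file": private},
                "keystore"),
            "inline_fallback": resolve_password({"keystore_password": "inline"}, "keystore"),
            "unset": resolve_password({}, "keystore"),
        }
        try:
            resolve_password({"truststore_password_file": leaky}, "truststore")
            results["leaky_rejected"] = False
        except PermissionError:
            results["leaky_rejected"] = True
        return results


if __name__ == "__main__":
    print(demo())
```

The refusal of a permissive file is deliberate: a silent fallback to the inline key, or reading the file anyway, would hide exactly the misconfiguration the ticket is trying to make impossible on systems like NixOS where the main configuration file is world-readable.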



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
