vinaykumarchella commented on a change in pull request #1028:
URL: https://github.com/apache/cassandra/pull/1028#discussion_r645629256
##########
File path: doc/source/new/auditlogging.rst
##########
@@ -89,6 +89,7 @@ Audit logging does not log:
1. Configuration changes made in ``cassandra.yaml``
2. Nodetool Commands
+3. Passwords mentioned as part of DCL statements. Passwords are instead
obfuscated as ******
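Review bot: The new item is listed under "Audit logging does not log:", but its second sentence says the statement is logged with the password replaced, which is a different claim; reword so the item says what is dropped and what is kept, e.g. "3. Password values in DCL statements (``CREATE ROLE``, ``ALTER ROLE``, ``CREATE USER``, ``ALTER USER``); the statement itself is still logged, with the password replaced by ``******``". Also wrap the bare `******` in a literal (double backticks) so reStructuredText does not try to parse the run of asterisks as emphasis markup.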
Review comment:
@sumanth-pasupuleti Can you also update the documentation at
`doc/source/operating/audit_logging.rst`? While you are at it, can you add a
few example log statements with DCL and password obfuscation to the `Sample output`
section?
##########
File path: test/unit/org/apache/cassandra/audit/PasswordObfuscatorTest.java
##########
@@ -0,0 +1,80 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cassandra.audit;
+
+import org.junit.Test;
+
+import static org.junit.Assert.assertEquals;
+
+public class PasswordObfuscatorTest
+{
+ @Test
+ public void testCreatRoleWithLoginPriorToPassword()
+ {
+ assertEquals(String.format("CREATE ROLE role1 WITH LOGIN = true AND
PASSWORD = '%s'", PasswordObfuscator.OBFUSCATED_TOKEN),
PasswordObfuscator.instance.obfuscate("CREATE ROLE role1 WITH LOGIN = true AND
PASSWORD = '123'"));
+ }
+
+ @Test
+ public void testCreatRoleWithLoginAfterPassword()
+ {
+ assertEquals(String.format("CREATE ROLE role1 WITH password = '%s' AND
LOGIN = true", PasswordObfuscator.OBFUSCATED_TOKEN),
PasswordObfuscator.instance.obfuscate("CREATE ROLE role1 WITH password = '123'
AND LOGIN = true"));
+ }
+
+ @Test
+ public void testCreateRoleWithoutPassword()
+ {
+ assertEquals("CREATE ROLE role1",
PasswordObfuscator.instance.obfuscate("CREATE ROLE role1"));
+ }
+
+ @Test
+ public void testAlterRoleWithPassword()
+ {
+ assertEquals(String.format("ALTER ROLE role1 with PASSWORD = '%s'",
PasswordObfuscator.OBFUSCATED_TOKEN),
PasswordObfuscator.instance.obfuscate("ALTER ROLE role1 with PASSWORD =
'123'"));
+ }
+
+ @Test
+ public void testAlterRoleWithoutPassord()
+ {
+ assertEquals("ALTER ROLE role1",
PasswordObfuscator.instance.obfuscate("ALTER ROLE role1"));
+ }
+
+ @Test
+ public void testCreateUserWithPassword()
+ {
+ assertEquals(String.format("CREATE USER user1 with PASSWORD = '%s'",
PasswordObfuscator.OBFUSCATED_TOKEN),
PasswordObfuscator.instance.obfuscate("CREATE USER user1 with PASSWORD =
'123'"));
+ }
+
+ @Test
+ public void testCreateUserWithoutPassword()
+ {
+ assertEquals("CREATE USER user1",
PasswordObfuscator.instance.obfuscate("CREATE USER user1"));
+ }
+
+ @Test
+ public void testAlterUserWithPassword()
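Review bot: The test names `testCreatRoleWithLoginPriorToPassword`, `testCreatRoleWithLoginAfterPassword` and `testAlterRoleWithoutPassord` are misspelled (`Creat`, `Passord`); rename them to `testCreateRole...` and `...WithoutPassword` so they read correctly in test reports. Every positive case here also uses the same plain literal `'123'`, so nothing exercises a password containing an escaped single quote (`'it''s'` in CQL), a keyword such as `AND LOGIN = true` inside the quotes, or `PASSWORD` with no surrounding spaces; an obfuscation regex that stops at the first `'` would pass every assertion in this file while leaking the tail of such a value. Add at least one case per shape, and in each assert that the original password substring is absent from the output rather than only comparing against an expected string.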
Review comment:
Can you add a few more tests with different query formats (spaces,
newlines, mixed casing of the PASSWORD token, etc.)? Some of these could fail in
query validation themselves, but it is good to have these test cases to validate the
regex.
A few examples that I can think of:
- `ALTER USER user1 with PASSWORD='123'` - no spaces, validation error
- `ALTER USER user1 with PASSWORD ='123'` - valid
- `ALTER USER user1 with PASSWORD= '123'` - valid
- `ALTER USER user1 with PassWoRD = '123'` - valid, mixed case
- `ALTER USER user1 with password = '123'` - valid, small case
- `ALTER USER user1 with PassWoRD = '123` - validation error
- `ALTER USER user1 with password = \n '123'` - valid, new line? Not sure how
the CQL parser treats these newlines though.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.