Re: Obfuscation of passwords in audit logging, in or not in 4.0?

2021-06-07 Thread Benjamin Lerer
> > I don't think it ever makes sense to log a password in plaintext, so > my feeling is we should obfuscate there as well. +1 On Fri, 4 Jun 2021 at 22:06, Brandon Williams wrote: > On Fri, Jun 4, 2021 at 10:32 AM Stefan Miklosovic > wrote: > > I would re-iterate on FQL logging though.

Re: Obfuscation of passwords in audit logging, in or not in 4.0?

2021-06-04 Thread Brandon Williams
On Fri, Jun 4, 2021 at 10:32 AM Stefan Miklosovic wrote: > I would re-iterate on FQL logging though. What is our decision? Should > these passwords be clearly visible or we should obfuscate them too? I don't think it ever makes sense to log a password in plaintext, so my feeling is we should

Re: Obfuscation of passwords in audit logging, in or not in 4.0?

2021-06-04 Thread Stefan Miklosovic
Hi, ok, so this will make it to 4.0 then. I would re-iterate on FQL logging though. What is our decision? Should these passwords be clearly visible or we should obfuscate them too? I am trying to close all remaining questions, while I do get that passwords in audit are for sure problematic, I

Re: Obfuscation of passwords in audit logging, in or not in 4.0?

2021-06-04 Thread Ekaterina Dimitrova
+1, please, reclassify it as a bug. Thank you Stefan On Fri, 4 Jun 2021 at 9:13, Brandon Williams wrote: > On Fri, Jun 4, 2021 at 4:32 AM Sam Tunnicliffe wrote: > > Shipping a brand new, non-experimental feature with a security hole like > this feels > > counter to our goal of releases being

Re: Obfuscation of passwords in audit logging, in or not in 4.0?

2021-06-04 Thread Brandon Williams
On Fri, Jun 4, 2021 at 4:32 AM Sam Tunnicliffe wrote: > Shipping a brand new, non-experimental feature with a security hole like this > feels > counter to our goal of releases being prod ready in .0, so I'm +1 on > including it in > an rc/ga I think I have to agree here. We can ship a

Re: Obfuscation of passwords in audit logging, in or not in 4.0?

2021-06-04 Thread Sam Tunnicliffe
> On 4 Jun 2021, at 03:44, Jonathan Koppenhofer wrote: > > +1 to this being a serious bug. As a large user, if we used internal > passwords, this would completely prevent me from using Cassandra native > audit log capabilities. Disabling DCL is not a great option, as DCL is > probably the most

Re: Obfuscation of passwords in audit logging, in or not in 4.0?

2021-06-03 Thread Jonathan Koppenhofer
+1 to this being a serious bug. As a large user, if we used internal passwords, this would completely prevent me from using Cassandra native audit log capabilities. Disabling DCL is not a great option, as DCL is probably the most needed auditable event. If this is on by default (not sure of

Re: Obfuscation of passwords in audit logging, in or not in 4.0?

2021-06-03 Thread Sumanth Pasupuleti
> I am on the side of "this sounds like a really bad bug" for the audit pieces, maybe less so than FQL. Anyone using audit for real probably has meaningful audit requirements, which means they're in an industry where they get audited for security, which means logging passwords is a big deal. +1.

Re: Obfuscation of passwords in audit logging, in or not in 4.0?

2021-06-03 Thread Jeff Jirsa
I am on the side of "this sounds like a really bad bug" for the audit pieces, maybe less so than FQL. Anyone using audit for real probably has meaningful audit requirements, which means they're in an industry where they get audited for security, which means logging passwords is a big deal. On

Re: Obfuscation of passwords in audit logging, in or not in 4.0?

2021-06-03 Thread bened...@apache.org
I think it can be argued that this is a pretty serious bug for a newly introduced feature, and qualifies for inclusion in an RC, but I don’t personally have a strong opinion on if this should happen. I can’t imagine how this would be an _exception_ for inclusion in 4.0.1 though. From: Mick

Re: Obfuscation of passwords in audit logging, in or not in 4.0?

2021-06-03 Thread Nate McCall
On Fri, Jun 4, 2021 at 8:53 AM Ekaterina Dimitrova wrote: > One more point - if we keep the workaround, that should be documented with > big red letters for the users. > > Agree with addressing this with some docs. Good catch, Stefan. Per your question on obfuscation - IMO, IME passwords should

Re: Obfuscation of passwords in audit logging, in or not in 4.0?

2021-06-03 Thread Mick Semb Wever
Thanks for raising this Stefan. > While I humbly think this is 4.0-worthy, the process we have, as far > as I know, is that there should be only critical fixes in 4.0 so I > guess this will go to 4.0.1, right? Or does this qualify to go to 4.0 > still? > I believe the question here is whether

Re: Obfuscation of passwords in audit logging, in or not in 4.0?

2021-06-03 Thread Ekaterina Dimitrova
One more point - if we keep the workaround, that should be documented with big red letters for the users. On Thu, 3 Jun 2021 at 16:38, Ekaterina Dimitrova wrote: > Hi Stefan, > Thank you for bringing this to the list. Truly appreciate it! > Honestly, I have mixed feelings. While I am sure it is

Re: Obfuscation of passwords in audit logging, in or not in 4.0?

2021-06-03 Thread Ekaterina Dimitrova
Hi Stefan, Thank you for bringing this to the list. Truly appreciate it! Honestly, I have mixed feelings. While I am sure it is a great work, I think that anything classified as improvement and not a bug which has a current workaround(that is what I understood from your email without looking at

Obfuscation of passwords in audit logging, in or not in 4.0?

2021-06-03 Thread Stefan Miklosovic
Hi list, During our evaluation of 4.0 internally, we noticed that there are passwords in the plaintext in audit logging (and in fql). While I was going through CASSANDRA-12151, I noticed that the password obfuscation in these components was planned but it was never implemented and it was merged
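The thread above is about the decision to obfuscate, not about how. As an added example that is not part of the mailing-list discussion and is not Cassandra's own obfuscation code, the Python below shows the two things an operator of an already-running 4.0 cluster would want after reading Stefan's report: a redaction filter for the `WITH PASSWORD` clause of CREATE/ALTER ROLE and CREATE/ALTER USER statements as they appear in audit or FQL output, and a scanner that reports which logged statements exposed a credential (so the affected roles can be rotated). The pipe-separated `key:value` audit-line layout used in the sample data is an approximation of the file audit logger's format, and all sample lines and passwords are constructed for this example.

```python
import re
from typing import Iterable, List, Tuple

# A CQL string literal is single-quoted and escapes an embedded quote by
# doubling it ('').  The clause appears as "WITH PASSWORD = '...'" in
# CREATE/ALTER ROLE and as "WITH PASSWORD '...'" in CREATE/ALTER USER.
_PASSWORD_CLAUSE = re.compile(
    r"(?P<prefix>\bPASSWORD\b\s*=?\s*)'(?P<literal>(?:[^']|'')*)'",
    re.IGNORECASE,
)

# Fixed-width mask so the redacted log does not leak the password length.
REDACTED_LITERAL = "'*******'"


def redact_cql(statement: str) -> str:
    """Mask every quoted password literal in a CQL statement (or a whole log line)."""
    return _PASSWORD_CLAUSE.sub(
        lambda m: m.group("prefix") + REDACTED_LITERAL, statement)


def leaked_password_literals(statement: str) -> List[str]:
    """Return the plaintext passwords a statement exposes, with CQL quote-escaping undone.

    This is the list you need when deciding which roles to rotate after finding
    an audit or FQL log that was written without obfuscation.
    """
    return [m.group("literal").replace("''", "'")
            for m in _PASSWORD_CLAUSE.finditer(statement)]


def scan_audit_log(lines: Iterable[str]) -> Tuple[int, List[str]]:
    """Redact a sequence of audit log lines.

    Returns (number_of_lines_that_carried_a_password, redacted_lines).
    """
    leaked = 0
    redacted: List[str] = []
    for line in lines:
        if leaked_password_literals(line):
            leaked += 1
        redacted.append(redact_cql(line))
    return leaked, redacted


# Constructed sample lines (assumption: pipe-separated key:value layout
# approximating Cassandra's file audit logger; the exact field set in a real
# log may differ).  Hosts, users and passwords are invented for this example.
SAMPLE_AUDIT_LINES = [
    "user:cassandra|host:10.0.0.5:7000|source:/10.0.0.9|port:50212|timestamp:1622733012000"
    "|type:CREATE_ROLE|category:DCL|operation:CREATE ROLE alice WITH PASSWORD = 'Tr0ub4dor&3' AND LOGIN = true;",
    "user:alice|host:10.0.0.5:7000|source:/10.0.0.9|port:50213|timestamp:1622733040000"
    "|type:SELECT|category:QUERY|operation:SELECT * FROM ks.accounts WHERE id = 42;",
    "user:cassandra|host:10.0.0.5:7000|source:/10.0.0.9|port:50214|timestamp:1622733055000"
    "|type:ALTER_ROLE|category:DCL|operation:alter role alice with password = 'it''s a secret';",
]

if __name__ == "__main__":
    count, redacted = scan_audit_log(SAMPLE_AUDIT_LINES)
    print(f"{count} line(s) carried a plaintext password")
    for line in redacted:
        print(line)
```

The filter is deliberately broad: any `password = '...'` literal is masked, so a SELECT against a user-defined column named `password` would also be redacted. For an audit log that is the safe direction to err in. Running the filter over an existing log does not undo the exposure; the credentials returned by `leaked_password_literals` have already been written to disk and should be rotated.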