[CASSANDRA-16669] Password obfuscation for DCL audit log statements - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Normal
Resolution: Fixed
Fix Version/s: 4.0.0, 4.1-alpha1, 4.1
Component/s: Tool/auditlogging
Labels:
- audit
- security

Complexity:
Normal
Platform:

All
Impacts:

Security
Since Version:

4.0-alpha1
Source Control Link:

https://github.com/apache/cassandra/commit/f978bea272409109e312a27a121f849879650bdb
Test and Documentation Plan:

Hide

https://github.com/ekaterinadimitrova2/cassandra/pull/140

Additional tests and docs added as part of the patch

Show
https://github.com/ekaterinadimitrova2/cassandra/pull/140 Additional tests and docs added as part of the patch

Description

The goal of this JIRA is to obfuscate passwords or any sensitive information from DCL audit log statements.

Currently, (Cassandra version 4.0-rc1) logs query statements for any DCL (ROLE and USER ) queries with passwords in plaintext format in audit log files.

The current workaround to avoid plain text passwords from being logged in audit log files is either by excluding DCL statements from auditing or by excluding the user who is creating these roles from auditing.

It would be ideal for Cassandra to provide an option or default to obfuscate passwords or any sensitive information from DCL audit log statements.

Sample audit logs with DCL queries

Type: audit
LogMessage: user:cassandra|host:localhost/127.0.0.1:7000|source:/127.0.0.1|port:51908|timestamp:1620190499676|type:CREATE_ROLE|category:DCL|operation:CREATE ROLE new_role;
Type: audit
LogMessage: user:cassandra|host:localhost/127.0.0.1:7000|source:/127.0.0.1|port:51908|timestamp:1620190505313|type:CREATE_ROLE|category:DCL|operation:CREATE ROLE alice WITH PASSWORD = 'password_a' AND LOGIN = true;
Type: audit
LogMessage: user:cassandra|host:localhost/127.0.0.1:7000|source:/127.0.0.1|port:51908|timestamp:1620190519521|type:REQUEST_FAILURE|category:ERROR|operation:ALTER ROLE bob WITH PASSWORD = 'PASSWORD_B' AND SUPERUSER = false;; bob doesn't exist
Type: audit
LogMessage: user:cassandra|host:localhost/127.0.0.1:7000|source:/127.0.0.1|port:51908|timestamp:1620190525376|type:CREATE_ROLE|category:DCL|operation:CREATE ROLE bob WITH PASSWORD = 'password_b' AND LOGIN = true AND SUPERUSER = true;
Type: audit
LogMessage: user:cassandra|host:localhost/127.0.0.1:7000|source:/127.0.0.1|port:51908|timestamp:1620190532462|type:ALTER_ROLE|category:DCL|operation:ALTER ROLE bob WITH PASSWORD = 'PASSWORD_B' AND SUPERUSER = false;

It is also ideal to document this workaround or assumption in Cassandra audit log documentation until we close this JIRA

Attachments

Issue Links

relates to

CASSANDRA-16801 PasswordObfuscator should not assume PASSWORD is the last item in the WITH clause

Resolved

Activity

People

Assignee:: Sumanth Pasupuleti

Reporter:: Vinay Chella

Authors:: Sumanth Pasupuleti

Reviewers:: Berenguer Blasi, Ekaterina Dimitrova, Stefan Miklosovic, Vinay Chella

Votes:: 0 Vote for this issue

Watchers:: 11 Start watching this issue

Dates

Created:: 15/May/21 01:44

Updated:: 27/May/22 19:24

Resolved:: 15/Jun/21 12:46

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

6h 40m