You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cassandra.apache.org by "Ekaterina Dimitrova (Jira)" <ji...@apache.org> on 2021/11/02 18:02:00 UTC
[jira] [Comment Edited] (CASSANDRA-16801) PasswordObfuscator should
not assume PASSWORD is the last item in the WITH clause
[ https://issues.apache.org/jira/browse/CASSANDRA-16801?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17437504#comment-17437504 ]
Ekaterina Dimitrova edited comment on CASSANDRA-16801 at 11/2/21, 6:01 PM:
---------------------------------------------------------------------------
{quote}I must be missing sthg here. Antlr already parses the password into a DTO. And the attached PR does not delete everything after the password. It only obfuscates the password itself leaving the rest of the CQL intact.
{quote}
Seems to me you actually fall back to the old way in case of errors.
Look [here|https://github.com/apache/cassandra/pull/1293/files#diff-df97ca69d481fde559e155c724ca60967a1e57222ea845d8ee8299d7b014df46R251]
Syntax errors are indeed fully obfuscated, but other errors fall to the old way. This worries me a bit. My understanding was that we need to get rid in full of the old way.
was (Author: e.dimitrova):
{quote}I must be missing sthg here. Antlr already parses the password into a DTO. And the attached PR does not delete everything after the password. It only obfuscates the password itself leaving the rest of the CQL intact.
{quote}
Seems to me you actually fall back to the old way in case of errors.
Look [here|https://github.com/apache/cassandra/pull/1293/files#diff-df97ca69d481fde559e155c724ca60967a1e57222ea845d8ee8299d7b014df46R251]
Syntax errors are fully obfuscated, other errors fall to the old way. This worries me a bit. My understanding was that we need to get rid in full of the old way.
> PasswordObfuscator should not assume PASSWORD is the last item in the WITH clause
> ---------------------------------------------------------------------------------
>
> Key: CASSANDRA-16801
> URL: https://issues.apache.org/jira/browse/CASSANDRA-16801
> Project: Cassandra
> Issue Type: Bug
> Components: Tool/auditlogging
> Reporter: Caleb Rackliffe
> Assignee: Berenguer Blasi
> Priority: Normal
> Fix For: 4.0.x, 4.x
>
>
> CASSANDRA-16669 introduced support for obfuscating passwords for audit log statements, but there are a few cases where the obfuscation logic can destroy some of the contents of the original/provided string.
> ex. This is perfectly valid...
> {noformat}
> WITH LOGIN = false AND PASSWORD = 'bar' AND SUPERUSER = false
> {noformat}
> ...but calling obfuscate() on it will produce...
> {noformat}
> WITH LOGIN = false AND PASSWORD *******
> {noformat}
> -We should be able to create a reasonable RegEx and use String#replaceAll() to both simplify and correct PasswordObfuscator#obfuscate().-
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@cassandra.apache.org
For additional commands, e-mail: commits-help@cassandra.apache.org