You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@cassandra.apache.org by "Berenguer Blasi (Jira)" <ji...@apache.org> on 2021/10/29 12:47:00 UTC

[jira] [Issue Comment Deleted] (CASSANDRA-16801) PasswordObfuscator should not assume PASSWORD is the last item in the WITH clause

     [ https://issues.apache.org/jira/browse/CASSANDRA-16801?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Berenguer Blasi updated CASSANDRA-16801:
----------------------------------------
    Comment: was deleted

(was: Info for the reviewer:

Luckily antlr was already moving the password around in a DTO {{RoleOptions}}. So the new logic is applied whenever possible and uses the previous logic as a fallback.

Interesting corner case I found where {{testp}} is being revealed #justfyi
{noformat}
Type: audit
LogMessage: user:cassandra|host:localhost/127.0.0.1:7000|source:/127.0.0.1|port:41278|timestamp:1635328638577|type:REQUEST_FAILURE|category:ERROR|operation:create user 'test' with password *******; line 1:33 mismatched input 'testp' expecting STRING_LITERAL (create user 'test' with password *******
{noformat}
)

> PasswordObfuscator should not assume PASSWORD is the last item in the WITH clause
> ---------------------------------------------------------------------------------
>
>                 Key: CASSANDRA-16801
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-16801
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Tool/auditlogging
>            Reporter: Caleb Rackliffe
>            Assignee: Berenguer Blasi
>            Priority: Normal
>             Fix For: 4.0.x, 4.x
>
>
> CASSANDRA-16669 introduced support for obfuscating passwords for audit log statements, but there are a few cases where the obfuscation logic can destroy some of the contents of the original/provided string.
> ex. This is perfectly valid...
> {noformat}
> WITH LOGIN = false AND PASSWORD = 'bar' AND SUPERUSER = false
> {noformat}
> ...but calling obfuscate() on it will produce...
> {noformat}
> WITH LOGIN = false AND PASSWORD *******
> {noformat}
> -We should be able to create a reasonable RegEx and use String#replaceAll() to both simplify and correct PasswordObfuscator#obfuscate().-



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@cassandra.apache.org
For additional commands, e-mail: commits-help@cassandra.apache.org