Posted to commits@cassandra.apache.org by "Robert Stupp (JIRA)" <ji...@apache.org> on 2014/06/23 10:55:24 UTC

[jira] [Commented] (CASSANDRA-7422) Logging for Authentication and Authorization

    [ https://issues.apache.org/jira/browse/CASSANDRA-7422?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14040532#comment-14040532 ] 

Robert Stupp commented on CASSANDRA-7422:
-----------------------------------------

I think you are looking for full auditing.
Your patch relies on local log files. Although your solution might work for a few nodes, it will be a pain on some dozen nodes to collect the information you are looking for (imagine grepping for something on 100 servers and interpreting the output manually ;) ).
A working audit solution would:
# collect authentication and authorization events
# collect DDL statements (filtered on some/all keyspaces, tables, user, group, etc.)
# collect DML statements (filtered on some/all keyspaces, tables, user, group, etc.)
# store these events in "some protected area"
# use strong cryptography on the protocol level with a working CA to prevent protocol-level attacks against audit
It's an interesting idea but needs more conceptual work to build a solution that works for all users with demand for audit.

> Logging for Authentication and Authorization
> --------------------------------------------
>
>                 Key: CASSANDRA-7422
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-7422
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Adam Holmberg
>            Priority: Trivial
>             Fix For: 1.2.17
>
>         Attachments: auth_logging_remote_host.patch.201406666201020
>
>
> We would like to enable Cassandra to log authentication and authorization change events. 
> This facilitates audits on access to certain data. As a side effect it would also make it easier to notice ill-behaved clients connecting repeatedly.


