Posted to commits@cassandra.apache.org by zz...@apache.org on 2017/12/13 01:50:55 UTC

cassandra git commit: Added additional details to security documentation discussing attack surface.

Repository: cassandra
Updated Branches:
  refs/heads/trunk dc9bb8df0 -> 0d8199bab


Added additional details to security documentation discussing attack surface.


Project: http://git-wip-us.apache.org/repos/asf/cassandra/repo
Commit: http://git-wip-us.apache.org/repos/asf/cassandra/commit/0d8199ba
Tree: http://git-wip-us.apache.org/repos/asf/cassandra/tree/0d8199ba
Diff: http://git-wip-us.apache.org/repos/asf/cassandra/diff/0d8199ba

Branch: refs/heads/trunk
Commit: 0d8199bab25d08c8b08adb3803dd7825894c5306
Parents: dc9bb8d
Author: Nate McCall <zz...@gmail.com>
Authored: Wed Dec 13 14:48:17 2017 +1300
Committer: Nate McCall <zz...@gmail.com>
Committed: Wed Dec 13 14:48:17 2017 +1300

----------------------------------------------------------------------
 doc/source/operating/security.rst | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cassandra/blob/0d8199ba/doc/source/operating/security.rst
----------------------------------------------------------------------
diff --git a/doc/source/operating/security.rst b/doc/source/operating/security.rst
index dfcd9e6..212a25e 100644
--- a/doc/source/operating/security.rst
+++ b/doc/source/operating/security.rst
@@ -18,13 +18,25 @@
 
 Security
 --------
-
 There are three main components to the security features provided by Cassandra:
 
 - TLS/SSL encryption for client and inter-node communication
 - Client authentication
 - Authorization
 
+By default, these features are disabled as Cassandra is configured to easily find and be found by other members of a
+cluster. In other words, an out-of-the-box Cassandra installation presents a large attack surface for a bad actor.
+Possible attack vectors include:
+
+- Crafted internode messages to insert users into authentication schema
+- Crafted internode messages to truncate or drop schema
+- Use of tools such as ``sstableloader`` to overwrite ``system_auth`` tables 
+- Attaching to the cluster directly to capture write traffic
+
+Correct configuration of all three security components should negate theses vectors. Therefore, understanding Cassandra's
+security features is crucial to configuring your cluster to meet your security needs.
+
+
 TLS/SSL Encryption
 ^^^^^^^^^^^^^^^^^^
 Cassandra provides secure communication between a client machine and a database cluster and between nodes within a
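Review bot: typo in the closing paragraph of the new block: `+Correct configuration of all three security components should negate theses vectors.` should read "these vectors". The same sentence also overstates what the three features deliver; "should mitigate these vectors" is more defensible than "negate", since the section itself only lists the vectors and does not show that encryption, authentication and authorization close each of them completely. Two smaller points: `+- Use of tools such as ``sstableloader`` to overwrite ``system_auth`` tables ` has trailing whitespace after "tables", and the hunk removes the blank line between the `--------` heading underline and the first paragraph (`-` at the top of the hunk), which is legal RST but inconsistent with the blank line kept before "TLS/SSL Encryption" below; restoring it keeps the file's spacing uniform.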


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@cassandra.apache.org
For additional commands, e-mail: commits-help@cassandra.apache.org