[
https://issues.apache.org/jira/browse/CASSANDRA-18420?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17717292#comment-17717292
]
Ningzi Zhan commented on CASSANDRA-18420:
-----------------------------------------
In the [cqlsh protocol: Initial
handshake|https://github.com/apache/cassandra/blob/trunk/doc/native_protocol_v5.spec#:~:text=2.3%20Protocol%20Negotiation-,2.3.1%20Initial%20Handshake,-In%20order%20to],
it suggests that the client needs to send the STARTUP message and then wait
for the AUTHENTICATE message from the Cassandra server. If there is no username
in the STARTUP message, there is no way that the Cassandra server can send the
AUTHENTICATE message. Therefore, the client just deals with this non-username
scenario itself. If there is no username, the client will end the connection
itself, so the server won't receive the message and write it into the audit log.
And the non-username case is doomed to fail, so it might be OK to let the client
handle it.
> Connection without username not logged in auditlog
> ---------------------------------------------------
>
> Key: CASSANDRA-18420
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18420
> Project: Cassandra
> Issue Type: Bug
> Components: Tool/auditlogging
> Reporter: Yakir Gibraltar
> Assignee: Ningzi Zhan
> Priority: Normal
> Fix For: 4.0.x, 4.1.x, 5.x
>
>
> Hi,
> If making a connection *without a username* to a Cassandra cluster with
> PasswordAuthenticator enabled,
> the connection will fail but is not logged in the audit log.
> How to reproduce:
> # Enable "authenticator: PasswordAuthenticator" on cluster
> # Enable audit : "nodetool enableauditlog"
> # Open a new screen and run "auditlogviewer -f <log_location>/audit/"
> # Try to connect, and connection will fail:
> {code:java}
> [root@c1 ~]# cqlsh
> Connection error: ('Unable to connect to any servers', {'127.0.0.1:9042':
> AuthenticationFailed('Remote end requires authentication',)}){code}
> # *But nothing in auditlogviewer*.
> Connections with incorrect usernames or passwords are logged correctly in the audit log;
> the problem is only with connections without a username.
> How it's affecting:
> # Security reason: it is hard to find unauthorized connection attempts.
> # When migrating a cluster to PasswordAuthenticator, it is hard to find
> applications that didn't add a username/password.
> Thank you.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
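The handshake discussed in the comment above, as an added in-process simulation (this is example code, not Cassandra's or any driver's own code). It encodes STARTUP, AUTHENTICATE, AUTH_RESPONSE, AUTH_SUCCESS and ERROR messages with the opcodes and body encodings from the native protocol spec, using the v4 frame header for simplicity (v5 wraps frames in an outer segment layer with checksums, omitted here). The `FakeServer`, its credential store, the `audit_log` list and the `LOGIN_SUCCESS`/`LOGIN_ERROR` entry names are all constructed stand-ins; the point they illustrate is that the only message carrying a username is AUTH_RESPONSE, so a client that gives up locally after AUTHENTICATE never hands the server anything it could audit.

```python
"""Added example: the STARTUP -> AUTHENTICATE -> AUTH_RESPONSE handshake, simulated in-process.
Not Cassandra or driver code. Frames use the v4 header layout (v5 adds an outer segment
layer with checksums, omitted here); opcodes and body encodings follow the spec.
The server, its users and its 'audit log' are constructed stand-ins."""
import struct

# Opcodes from the native protocol spec.
OP_ERROR, OP_STARTUP, OP_READY, OP_AUTHENTICATE = 0x00, 0x01, 0x02, 0x03
OP_AUTH_RESPONSE, OP_AUTH_SUCCESS = 0x0F, 0x10
ERR_BAD_CREDENTIALS = 0x0100          # spec error code "Bad credentials"
PROTOCOL_VERSION = 4
PASSWORD_AUTHENTICATOR = "org.apache.cassandra.auth.PasswordAuthenticator"


class AuthenticationFailed(Exception):
    pass


def _string(s: str) -> bytes:
    """[string]: 2-byte big-endian length followed by UTF-8 bytes."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def _string_map(d: dict) -> bytes:
    """[string map]: 2-byte pair count followed by key/value [string] pairs."""
    return struct.pack(">H", len(d)) + b"".join(_string(k) + _string(v) for k, v in d.items())


def _bytes(b: bytes) -> bytes:
    """[bytes]: 4-byte signed length followed by the payload."""
    return struct.pack(">i", len(b)) + b


def encode_frame(opcode: int, body: bytes, stream: int = 0, response: bool = False) -> bytes:
    """9-byte v4 header: version (high bit set on responses), flags, stream id, opcode, body length."""
    version = PROTOCOL_VERSION | (0x80 if response else 0)
    return struct.pack(">BBhBI", version, 0, stream, opcode, len(body)) + body


def decode_frame(data: bytes):
    """Returns (opcode, body, is_response); rejects a frame whose body is shorter than declared."""
    version, _flags, _stream, opcode, length = struct.unpack(">BBhBI", data[:9])
    body = data[9:9 + length]
    if len(body) != length:
        raise ValueError("truncated frame")
    return opcode, body, bool(version & 0x80)


class FakeServer:
    """Constructed server with PasswordAuthenticator enabled. Only AUTH_RESPONSE carries a
    username, so only that message produces an entry in the constructed audit log."""

    def __init__(self, users: dict):
        self.users = users        # constructed credential store: username -> password
        self.audit_log = []       # constructed stand-in for the audit log

    def handle(self, frame: bytes) -> bytes:
        opcode, body, _ = decode_frame(frame)
        if opcode == OP_STARTUP:
            # STARTUP carries no identity, so there is nothing to audit yet.
            return encode_frame(OP_AUTHENTICATE, _string(PASSWORD_AUTHENTICATOR), response=True)
        if opcode == OP_AUTH_RESPONSE:
            (n,) = struct.unpack(">i", body[:4])
            _, user, password = body[4:4 + n].split(b"\x00", 2)   # SASL PLAIN token
            ok = self.users.get(user.decode()) == password.decode()
            self.audit_log.append(("LOGIN_SUCCESS" if ok else "LOGIN_ERROR", user.decode()))
            if ok:
                return encode_frame(OP_AUTH_SUCCESS, struct.pack(">i", -1), response=True)  # null [bytes]
            err = struct.pack(">i", ERR_BAD_CREDENTIALS) + _string("Bad credentials")
            return encode_frame(OP_ERROR, err, response=True)
        raise ValueError(f"unexpected opcode {opcode:#x}")


def connect(server: FakeServer, username: str = None, password: str = None) -> str:
    """Client side: send STARTUP, then act on the reply. With no username the client fails
    locally after AUTHENTICATE, so the server never receives a second message."""
    startup = encode_frame(OP_STARTUP, _string_map({"CQL_VERSION": "3.0.0"}))
    opcode, body, _ = decode_frame(server.handle(startup))
    if opcode == OP_READY:
        return "ready"
    if opcode != OP_AUTHENTICATE:
        raise ValueError(f"unexpected opcode {opcode:#x}")
    if username is None:
        raise AuthenticationFailed("Remote end requires authentication")
    token = b"\x00" + username.encode() + b"\x00" + (password or "").encode()
    opcode, body, _ = decode_frame(server.handle(encode_frame(OP_AUTH_RESPONSE, _bytes(token), stream=1)))
    if opcode == OP_AUTH_SUCCESS:
        return "authenticated"
    (code,) = struct.unpack(">i", body[:4])
    raise AuthenticationFailed(f"error {code:#06x}")


def run_demo():
    """Three attempts against one server; returns (client outcomes, server audit entries)."""
    server = FakeServer({"cassandra": "cassandra"})
    outcomes = []
    for creds in [(), ("cassandra", "wrong"), ("cassandra", "cassandra")]:
        try:
            outcomes.append(connect(server, *creds))
        except AuthenticationFailed as e:
            outcomes.append(f"failed: {e}")
    return outcomes, server.audit_log


if __name__ == "__main__":
    print(run_demo())
```

Running `run_demo()` makes three attempts: no username, wrong password, correct password. All three begin with the same STARTUP and receive the same AUTHENTICATE, but the server's audit log ends with only two entries, because the first client raised its error without ever sending AUTH_RESPONSE. Anything the server could log about that attempt would have to come from the connection itself (the STARTUP and the subsequent close), which is exactly what the ticket asks for.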