[
https://issues.apache.org/jira/browse/CASSANDRA-20856?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18016529#comment-18016529
]
Stefan Miklosovic edited comment on CASSANDRA-20856 at 8/27/25 12:58 PM:
-------------------------------------------------------------------------
What is problematic about redacting whole sections is that while testing it,
there are existing tests in (1) (like I just linked), which are testing that we
can set some configuration property. When I redact whole section, that test
fails, because it will start to return "REDACTED".
(1)
https://github.com/apache/cassandra/blob/trunk/test/unit/org/apache/cassandra/db/virtual/SettingsTableTest.java#L170
There is also this counter-argument for not redacting everything
https://issues.apache.org/jira/browse/CASSANDRA-14573?focusedCommentId=16748128&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-16748128
was (Author: smiklosovic):
In 4.1 patch, (1), I have redacted whole sections of
client_encryption_options
server_encryption_options
transparent_data_encryption_options
so nothing is visible there, not just individual properties.
(1) https://github.com/apache/cassandra/pull/4340/files
> system_views.settings exposes encryption and TDE passwords in plaintext over
> CQL
> --------------------------------------------------------------------------------
>
> Key: CASSANDRA-20856
> URL: https://issues.apache.org/jira/browse/CASSANDRA-20856
> Project: Apache Cassandra
> Issue Type: Bug
> Components: Feature/Virtual Tables
> Reporter: Hayato Shimizu
> Assignee: Stefan Miklosovic
> Priority: Normal
> Fix For: 4.1.x, 5.0.x, 5.x
>
> Time Spent: 2.5h
> Remaining Estimate: 0h
>
> Selecting from the virtual table {{system_views.settings}} shows the
> property values cassandra.yaml faithfully, including the ones that contain
> passwords.
>
> Any user with {{SELECT}} on {{system_views.settings}} can read these secrets.
>
> {code:java}
> cqlsh:system_views> select * from settings where name =
> 'client_encryption_options.truststore_password';
> name | value
> -----------------------------------------------+----------
> client_encryption_options.truststore_password | changeit
> (1 rows)
> cqlsh:system_views> select * from settings where name =
> 'client_encryption_options.keystore_password';
> name | value
> ---------------------------------------------+----------
> client_encryption_options.keystore_password | changeit
> (1 rows)
> cqlsh:system_views> select * from settings where name =
> 'server_encryption_options.truststore_password';
> name | value
> -----------------------------------------------+----------
> server_encryption_options.truststore_password | changeit
> (1 rows)
> cqlsh:system_views> select * from settings where name =
> 'server_encryption_options.keystore_password';
> name | value
> ---------------------------------------------+----------
> server_encryption_options.keystore_password | changeit
> (1 rows)
> cqlsh:system_views> select * from system_views.settings where name =
> 'transparent_data_encryption_options.key_provider.parameters';
> name | value
> -------------------------------------------------------------+--------------------------------------------------------------------------------------------------
> transparent_data_encryption_options.key_provider.parameters |
> {keystore_password=cassandra, keystore=conf/.keystore, store_type=JCEKS,
> key_password=cassandra} {code}
> Passwords and secrets should be handled as a special case and not exposed in
> plain text in any of the virtual tables.
> Observed in 4.1.x and 5.0.x
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
