cassandra-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Brandon Williams (Commented) (JIRA)" <>
Subject [jira] [Commented] (CASSANDRA-2274) Restrict Cassandra cluster node joins to a list of named hosts
Date Mon, 07 Nov 2011 22:00:53 GMT


Brandon Williams commented on CASSANDRA-2274:

bq. I can't see how it prevents attacks from trusted nodes

If the node is in fact *trusted* then you're screwed.  Add as many layers as you like, but
the definition of *trusted* won't change and you'll have the same core problem: something
*trusted* is doing something *malicious*.

bq. how would the use of encryption work in a multi-tenant environment?

I don't understand, a cluster is a cluster regardless of the amount of tenants.  It sounds
like you're describing something where multiple tenants would each contribute nodes to the
cluster, that is not supported.

bq. The standard practice of rolling encryption keys might be difficult as well

If the machine is trusted and compromised and wants to be malicious, it's game over, rolling
keys or not.  I don't see any value in adding such complexity given this.

bq. If a key becomes compromised then a receiving node will still honor a sender's request
because it doesn't attempt to do any verification that the sender has the authority to performing
the action it is requesting be executed.

Then the CA should issue a revocation for that key.  SSL/TLS has these problems solved.

> Restrict Cassandra cluster node joins to a list of named hosts
> --------------------------------------------------------------
>                 Key: CASSANDRA-2274
>                 URL:
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Core
>    Affects Versions: 0.7.2
>         Environment: All
>            Reporter: Andrew Schiefelbein
> Because firewalls and employees are not infallible it would be nice to restrict the ability
of any node to join a cluster to a list of named hosts in the configuration so that someone
would be unable to start a node and replicate all the data locally.  I understand that in
order to do this the person must know the seed servers and the cluster name and to extract
the data they will need a userid and password but another level of security would be to force
them to execute any brute force attack from a locked down server instead of replicating all
the data locally.  

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:!default.jspa
For more information on JIRA, see:


View raw message