cassandra-commits mailing list archives

From "Branimir Lambov (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CASSANDRA-6018) Add option to encrypt commitlog
Date Fri, 21 Aug 2015 09:24:46 GMT

    [ https://issues.apache.org/jira/browse/CASSANDRA-6018?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14706453#comment-14706453 ]

Branimir Lambov commented on CASSANDRA-6018:
--------------------------------------------

Patch looks good overall. The only issue I have is with the way the header parameters are
used by the descriptor: they are on one hand part of it, on the other not written with it.
I don't think that's actually needed, as the use of this is to store the initialization vector,
which in part is determined at segment creation time, i.e. at the right moment for the descriptor
to be initialized with that data. Is there something I'm missing?

[EncryptedSegment.createBuffer|https://github.com/apache/cassandra/compare/trunk...jasobrown:feature/jasobrown/tde-commit-log-2#diff-a3015c78b233e027651f8b0be8ae22c8R112]:
This will create an OFF_HEAP buffer (LZ4's preferred type). Since you are compressing to ON_HEAP,
I think it will help to use the same buffer type for the input as well. Perhaps {{FileDirectSegment.createBuffer}}
should take the preferred type as argument?

[The documentation of the encryption API|http://docs.oracle.com/javase/7/docs/api/javax/crypto/Cipher.html#doFinal(java.nio.ByteBuffer,%20java.nio.ByteBuffer)]
specifies that {{doFinal}} is copy-safe, which should mean that we can do encryption in-place
and make do with just one buffer (improving cache efficiency). Have you tried that?

[ByteBufferUtils.ensureCapacity|https://github.com/apache/cassandra/compare/trunk...jasobrown:feature/jasobrown/tde-commit-log-2#diff-353f6807394bf3c22f882d65aa2b45f7R638]:
silent switch to ON_HEAP is not a very nice default action. I'd use {{BufferType.typeOf(buf)}}
instead.

[RebufferingDataInput.bytesPastMark|https://github.com/apache/cassandra/compare/trunk...jasobrown:feature/jasobrown/tde-commit-log-2#diff-a57383490d3cfec5358bfe6090fb5cd7R99]
should throw. If there's reason not to, could that be put in comment?

Style issue [here|https://github.com/apache/cassandra/compare/trunk...jasobrown:feature/jasobrown/tde-commit-log-2#diff-a31d0d12862a6db3395f2b204c9ff775R276].

The tests will need some rebasing.

> Add option to encrypt commitlog 
> --------------------------------
>
>                 Key: CASSANDRA-6018
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-6018
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Jason Brown
>            Assignee: Jason Brown
>              Labels: commit_log, encryption, security
>             Fix For: 3.x
>
>
> We are going to start using cassandra for a billing system, and while I can encrypt sstables
at rest (via Datastax Enterprise), commit logs are more or less plain text. Thus, an attacker
would be able to easily read, for example, credit card numbers in the clear text commit log
(if the calling app does not encrypt the data itself before sending it to cassandra).
> I want to allow the option of encrypting the commit logs, most likely controlled by a
property in the yaml.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
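The two review points above, the IV being fixed at segment creation time so the descriptor can be built and written with it, and encrypting in place with a single buffer through the copy-safe doFinal(ByteBuffer, ByteBuffer), as an added example in Java. This is not code from the patch or from Cassandra: the class name, the header layout (magic, segment id, IV length, IV), the AES/CBC/PKCS5Padding transform and the 256-byte segment size are assumptions, and the key and the billing payload are constructed for the demo.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical segment layout: [magic][segment id][iv length][iv][payload]. Names are assumptions. */
public final class InPlaceSegmentDemo {
    static final int MAGIC = 0x43454E43;                    // assumed header marker
    static final int IV_LEN = 16;                           // AES block size, CBC IV length
    static final String TRANSFORM = "AES/CBC/PKCS5Padding"; // assumed cipher, not taken from the patch
    static final int HEADER_LEN = 4 + 8 + 4 + IV_LEN;

    /** Descriptor state that is fixed when the segment is created: segment id and IV. */
    static final class Descriptor {
        final long id;
        final byte[] iv;
        Descriptor(long id, byte[] iv) { this.id = id; this.iv = iv; }
    }

    /** Creates the segment: draws the IV, writes the header, returns the descriptor holding both. */
    static Descriptor createSegment(ByteBuffer buf, long id, SecureRandom rng) {
        byte[] iv = new byte[IV_LEN];
        rng.nextBytes(iv);
        buf.clear();
        buf.putInt(MAGIC).putLong(id).putInt(IV_LEN).put(iv);
        return new Descriptor(id, iv);
    }

    /** Reads the descriptor back from the header; on replay this is the only copy of the IV. */
    static Descriptor readHeader(ByteBuffer buf) {
        buf.position(0);
        if (buf.getInt() != MAGIC) throw new IllegalStateException("bad segment header");
        long id = buf.getLong();
        int ivLen = buf.getInt();
        if (ivLen != IV_LEN) throw new IllegalStateException("unexpected IV length " + ivLen);
        byte[] iv = new byte[ivLen];
        buf.get(iv);
        return new Descriptor(id, iv);
    }

    /**
     * Encrypts or decrypts buf[HEADER_LEN, end) in place and returns the new payload end.
     * Input and output are two views of the same memory: Cipher rejects the same object for
     * both, so a duplicate carries the input window. doFinal(ByteBuffer, ByteBuffer) is
     * documented as copy-safe, so no unprocessed input is overwritten, for heap or direct buffers.
     */
    static int cryptInPlace(ByteBuffer buf, int end, int mode, SecretKey key, byte[] iv)
            throws Exception {
        Cipher cipher = Cipher.getInstance(TRANSFORM);
        cipher.init(mode, key, new IvParameterSpec(iv));
        int len = end - HEADER_LEN;
        // PKCS5 padding grows the ciphertext by up to one block: the segment must have that slack.
        if (buf.capacity() - HEADER_LEN < cipher.getOutputSize(len))
            throw new IllegalArgumentException("segment too small for padded output");
        ByteBuffer in = buf.duplicate();
        in.position(HEADER_LEN).limit(end);
        ByteBuffer out = buf.duplicate();
        out.position(HEADER_LEN).limit(buf.capacity());
        return HEADER_LEN + cipher.doFinal(in, out);
    }

    /** Appends one constructed mutation, seals the segment, then replays it from its own header. */
    static boolean roundTrip(boolean direct) throws Exception {
        SecureRandom rng = new SecureRandom();
        byte[] keyBytes = new byte[16];
        rng.nextBytes(keyBytes);                            // demo key; a real one comes from a key provider
        SecretKey key = new SecretKeySpec(keyBytes, "AES");
        ByteBuffer seg = direct ? ByteBuffer.allocateDirect(256) : ByteBuffer.allocate(256);
        Descriptor created = createSegment(seg, 42L, rng);
        byte[] mutation = "billing: card=4111111111111111 amount=19.99"   // constructed payload
                .getBytes(StandardCharsets.UTF_8);
        seg.put(mutation);
        int sealedEnd = cryptInPlace(seg, seg.position(), Cipher.ENCRYPT_MODE, key, created.iv);
        Descriptor replayed = readHeader(seg);
        int plainEnd = cryptInPlace(seg, sealedEnd, Cipher.DECRYPT_MODE, key, replayed.iv);
        byte[] recovered = new byte[plainEnd - HEADER_LEN];
        seg.position(HEADER_LEN);
        seg.get(recovered);
        return replayed.id == created.id && Arrays.equals(recovered, mutation);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("heap buffer round trip ok:   " + roundTrip(false));
        System.out.println("direct buffer round trip ok: " + roundTrip(true));
    }
}
```

The same cryptInPlace serves heap and direct buffers, so whichever buffer type the segment is allocated with, one allocation is enough. The getOutputSize check matters in this arrangement: with a padded transform the sealed payload can be one block longer than the plaintext, and a segment sized exactly to its plaintext would make doFinal fail with ShortBufferException rather than silently truncate.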
