cassandra-commits mailing list archives

From "Bas van Dijk (JIRA)" <>
Subject [jira] [Created] (CASSANDRA-13428) Security: provide keystore_password_file and truststore_password_file options
Date Sat, 08 Apr 2017 13:07:41 GMT
Bas van Dijk created CASSANDRA-13428:

             Summary: Security: provide keystore_password_file and truststore_password_file
                 Key: CASSANDRA-13428
             Project: Cassandra
          Issue Type: Improvement
          Components: Configuration
            Reporter: Bas van Dijk

Currently passwords are stored in plaintext in the configuration file as in:

      keystore_password: secret
      truststore_password: secret
      keystore_password: secret

This has the disadvantage that, in order to protect the secrets, the whole configuration file
needs to have restricted ownership and permissions. This is problematic in operating systems
like NixOS where configuration files are usually stored in world-readable locations.

A secure option would be to store secrets in files (with restricted ownership and permissions)
and reference those files from the unrestricted configuration file as in for example:

      keystore_password_file: /run/keys/keystore-password
      truststore_password_file: /run/keys/truststore-password
      keystore_password_file: /run/keys/keystore-password

This is trivial to implement and provides a big gain in security.

So in summary I'm proposing to add the keystore_password_file and truststore_password_file
options besides the existing keystore_password and truststore_password options. The former
will take precedence over the latter.

This message was sent by Atlassian JIRA
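
The lookup the issue proposes, sketched as an added Java example (not code from the issue or from Cassandra). The class and method names are hypothetical, a POSIX filesystem is assumed, and refusing a secret file that "others" can read or write is this example's own choice.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Hypothetical helper, not Cassandra code: resolves a secret from "<name>_file"
// when that option is set, otherwise from the existing inline "<name>" option.
public final class PasswordOptionResolver {

    static String resolve(Map<String, String> options, String name) throws IOException {
        String file = options.get(name + "_file");
        if (file == null) {
            return options.get(name); // only the inline option is configured
        }
        Path path = Paths.get(file);
        // Assumption of this example: a secret file open to "others" defeats the
        // purpose of moving the secret out of the world-readable configuration.
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(path);
        if (perms.contains(PosixFilePermission.OTHERS_READ)
                || perms.contains(PosixFilePermission.OTHERS_WRITE)) {
            throw new IOException(file + " is accessible to other users");
        }
        String secret = new String(Files.readAllBytes(path), StandardCharsets.UTF_8);
        // Drop a single trailing line ending so files written with echo work.
        return secret.replaceAll("\\r?\\n\\z", "");
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a temporary secret file standing in for /run/keys/...
        Path tmp = Files.createTempFile("keystore-password", "");
        try {
            Files.setPosixFilePermissions(tmp, PosixFilePermissions.fromString("rw-------"));
            Files.write(tmp, "from-file\n".getBytes(StandardCharsets.UTF_8));
            Map<String, String> options = new HashMap<>();
            options.put("keystore_password", "inline-secret");
            options.put("keystore_password_file", tmp.toString());
            options.put("truststore_password", "inline-secret");
            // The *_file option takes precedence; the inline value is the fallback.
            System.out.println(resolve(options, "keystore_password"));
            System.out.println(resolve(options, "truststore_password"));
        } finally {
            Files.delete(tmp);
        }
    }
}
```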