cassandra-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ted Zlatanov <...@lifelogs.com>
Subject Re: bandwidth limiting Cassandra's replication and access control
Date Thu, 12 Nov 2009 14:58:44 GMT
On Thu, 12 Nov 2009 12:40:05 +1100 Ian Holsman <ian@holsman.net> wrote: 

IH> most places i've seen don't use DB auth anywhere. there is a common
IH> login, stored in a property file, sometimes stored in a internally- 
IH> world-readable SVN repo.

In my current industry (financials) this is not acceptable.  It puts
money and jobs at risk to open access this way.

IH> they usually use network ACLs to restrict access to good hosts. (jump
IH> hosts). network ACLs have been tested for decades and they work.
IH> implementing your own auth is just asking for problems. It's too hard
IH> to do properly, and will probably never work well with the enterprises
IH> existing auth systems.

Layers of security are always a good idea (any firewall is just a part
of good security design, and by itself only increases complacency).  I
should mention I've been a sysadmin and network admin for many years
besides doing programming.

No one is suggesting to implement our own authentication.  We're going
to use existing mechanisms, namely what JAAS supports (LDAP, NIS,
etc.).  We're creating a specific authorization mechanism because it
makes sense for Cassandra, but we're again using JAAS to do that.

IH> If you have sensitive data being stored, ENCRYPT it, or use a 1-way
IH> hash instead of storing it.  Ideally with a user-supplied key which
IH> is not stored anywhere on disk.

This is not feasible in many cases.  Encryption is slow and very hard to
implement properly.  One-way hashes lose the original content,
obviously.  User-supplied keys require interactivity at least at some
point, which is annoying and makes reliable operation harder to
achieve.  Fast access to the data is very important and my proposal
(initial login followed by an auth token passed around) is a decent
solution to these concerns.

IH> sadly DBA's are people too, and it is pathetically easy for them to
IH> get all the data from a DB-dump.

Securing backups is, fortunately, much easier to address on the server
side because it deals with static data.

Ted


Mime
View raw message