Return-Path: X-Original-To: apmail-cassandra-user-archive@www.apache.org Delivered-To: apmail-cassandra-user-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 42E51189A5 for ; Thu, 11 Feb 2016 20:44:11 +0000 (UTC) Received: (qmail 18004 invoked by uid 500); 11 Feb 2016 20:44:09 -0000 Delivered-To: apmail-cassandra-user-archive@cassandra.apache.org Received: (qmail 17964 invoked by uid 500); 11 Feb 2016 20:44:09 -0000 Mailing-List: contact user-help@cassandra.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: user@cassandra.apache.org Delivered-To: mailing list user@cassandra.apache.org Received: (qmail 17954 invoked by uid 99); 11 Feb 2016 20:44:09 -0000 Received: from Unknown (HELO spamd1-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 11 Feb 2016 20:44:09 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd1-us-west.apache.org (ASF Mail Server at spamd1-us-west.apache.org) with ESMTP id 90E7DC1994 for ; Thu, 11 Feb 2016 20:44:08 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd1-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: 1.418 X-Spam-Level: * X-Spam-Status: No, score=1.418 tagged_above=-999 required=6.31 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=2, KAM_HUGEIMGSRC=0.2, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_REMOTE_IMAGE=0.01] autolearn=disabled Authentication-Results: spamd1-us-west.apache.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mx1-us-east.apache.org ([10.40.0.8]) by localhost (spamd1-us-west.apache.org [10.40.0.7]) (amavisd-new, port 10024) with ESMTP id K7nqPyTNEvif for ; Thu, 11 Feb 2016 20:44:04 +0000 (UTC) Received: from mail-io0-f169.google.com (mail-io0-f169.google.com [209.85.223.169]) by mx1-us-east.apache.org (ASF Mail Server at mx1-us-east.apache.org) with ESMTPS id C68FE429C4 for ; Thu, 11 Feb 2016 20:44:04 +0000 (UTC) Received: by mail-io0-f169.google.com with SMTP id g203so42204282iof.2 for ; Thu, 11 Feb 2016 12:44:04 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=moOWie7CWB2U2eyJhP8sUBapzWM13idCOiJuLMJKJoA=; b=sv8VXj32pu3Ogau1E1YxBhIuLuu+fuOJpIUtzbgREaetCPb+z7vLutzoZ2P7Gr6eXd qMXt5c5arHTK69+eCvNKJAH2JxMoW3M0kG+gOfEawxNHxlgFoi/MYOqmUrSE5uQsgJec E6DMxlYgWaPLiHstONOrP5L80i5qM6VUGTelIpKFTKB7tS/H6YpWA4p1ImRFdQuJL4zi B2pzOQfaaD4v2xUTdlfixUNWxm3ZUTCCCrPLC9w/QBwW+6UYxSVrv/JW/v1ovzg1j8Kh o6cLN85JL4LnXESPclZPZ728Ml9Z21O9JoiNLNcKzEAEsGJx+DtMD1yRYG2HyIdt2OqJ uSQg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:content-type; bh=moOWie7CWB2U2eyJhP8sUBapzWM13idCOiJuLMJKJoA=; b=hvYCorLk5itggx8MInpweWtmIB6ihCsz4mkSX3SU6Pivl1SY0cK+PGQimxaDg6o4MZ nnbi6oFVQZPdyW4JbWZsL7Qc71wZvf0kR20ykAt1iFEet3D//fMr9RLb6f8bYrsqugrK V+nxgQq/TGzp8L2Oyq4DyzzgmzgZ509tqN6BGCa49DsAvrJaDFd6OCvv3iM+OXBBT+j0 pkhQY0HUq2xDW4CZV4Fgzu1LBxaal91nmOZpu5sk6SoAqzzAxyV62ri4dDGJPgu9Uu24 dpOni/4Ir2ZWp9LQ6twW9KeaCXfchDUyllat5JQL3nrYwN6ZW2+K+1qu4vsTXcs6tGkk 3Ryw== X-Gm-Message-State: AG10YORWTjtYtBzJbXKhxfxbQRj7zg7164qHQ+lsWjQlZ1Lmb/tZmXVzWJqILpNczjY7KlqMudyH4sykxHKnVA== MIME-Version: 1.0 X-Received: by 10.107.148.75 with SMTP id w72mr55098681iod.115.1455223438048; Thu, 11 Feb 2016 12:43:58 -0800 (PST) Received: by 10.107.168.19 with HTTP; Thu, 11 Feb 2016 12:43:57 -0800 (PST) In-Reply-To: References: Date: Thu, 11 Feb 2016 14:43:57 -0600 Message-ID: Subject: Re: Security labels From: oleg yusim To: user@cassandra.apache.org Content-Type: multipart/alternative; boundary=001a113faa5a18105f052b849c99 --001a113faa5a18105f052b849c99 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Thanks Dani. Oleg On Thu, Feb 11, 2016 at 2:27 PM, Dani Traphagen wrote: > Hi Oleg, > > I'm happy to take a look. Will update after review. > > Thanks, > Dani > > On Thu, Feb 11, 2016 at 12:23 PM, oleg yusim wrote: > >> Hi Dani, >> >> As promised, I sort of put all my questions under the "one roof". I woul= d >> really appreciate you opinion on them. >> >> https://drive.google.com/open?id=3D0B2L9nW4Cyj41YWd1UkI4ZXVPYmM >> >> Thanks, >> >> Oleg >> >> On Fri, Jan 29, 2016 at 3:28 PM, Dani Traphagen < >> dani.traphagen@datastax.com> wrote: >> >>> =E2=80=8BHi Oleg, >>> >>> Thanks that helped clear things up! This sounds like a daunting task. I >>> wish you all the best with it. >>> >>> Cheers, >>> Dani=E2=80=8B >>> >>> On Fri, Jan 29, 2016 at 10:03 AM, oleg yusim >>> wrote: >>> >>>> Dani, >>>> >>>> I really appreciate you response. Actually, session timeouts and >>>> security labels are two different topics (first is about attack when >>>> somebody opened, say, ssh window to DB, left his machine unattended an= d >>>> somebody else stole his session, second - to enable DB to support what >>>> called MAC access model - stays for mandatory access control. It is wi= dely >>>> used in the government and military, but not outside of it, we all are= used >>>> to DAC access control model). However, I think you are right and I sho= uld >>>> move all my queries under the one big roof and call this thread "Secur= ity". >>>> I will do this today. >>>> >>>> Now, about what you have said, I just answered the same to Jon, in >>>> Session Timeout thread, but would quickly re-cap here. I understand th= at >>>> Cassandra's architecture was aimed and tailored for completely differe= nt >>>> type of scenario. However, unfortunately, that doesn't mean that Cassa= ndra >>>> is not vulnerable to the same very set of attacks relational database = would >>>> be vulnerable to. It just means Cassandra is not protected against tho= se >>>> attacks, because protection against them was not thought of, when data= base >>>> was created. I already gave the AAA and session's timeout example in J= on's >>>> thread, and those are just one of many. >>>> >>>> Now what I'm trying to do, I'm trying to create a STIG - security >>>> federal compliance document, which will assess Cassandra against SRG >>>> concepts (security federal compliance recommendations for databases >>>> overall) and will highlight what is not met, and can't be in current d= esign >>>> (i.e. what system architects should keep in mind and what they need to >>>> compensate for with other controls on different layers of system model= ) and >>>> what can be met either with configuration or with little enhancement = (and >>>> how). >>>> >>>> That document would be of great help for Cassandra as a product becaus= e >>>> it would allow it to be marketed as a product with existing security >>>> assessment and guidelines, performed according to DoD standards. It wo= uld >>>> also allow to move product in the general direction of improving its >>>> security posture. Finally, the document would be posted on DISA site ( >>>> http://iase.disa.mil/stigs/Pages/a-z.aspx) available for every >>>> security architect to utilize, which would greatly reduce the risk for >>>> Cassandra product to be hacked in a field. >>>> >>>> To clear things out - what I ask about are not my expectations. I >>>> really do not expect developers of Cassandra to run and start implemen= ting >>>> security labels, just because I asked about it. :) My questions are to >>>> build my internal knowledge of DB current design, so that I can build = my >>>> security assessment based of it, not more, not less. >>>> >>>> I guess, summarizing what I said on top, from what I'm doing Cassandra >>>> as a product would end up benefiting quite a bit. That is why I think = it >>>> would make sense for Cassandra community to help me with my questions = even >>>> if they sound completely of the traditional "grid". >>>> >>>> Thanks again, I really appreciate your response and conversation >>>> overall. >>>> >>>> Oleg >>>> >>>> On Fri, Jan 29, 2016 at 11:20 AM, Dani Traphagen < >>>> dani.traphagen@datastax.com> wrote: >>>> >>>>> Also -- it looks like you're really asking questions about session >>>>> timeouts and security labels as they associate, would be more helpful= to >>>>> keep in one thread. :) >>>>> >>>>> >>>>> On Friday, January 29, 2016, Dani Traphagen < >>>>> dani.traphagen@datastax.com> wrote: >>>>> >>>>>> Hi Oleg, >>>>>> >>>>>> I understand your frustration but unfortunately, in the terms of you= r >>>>>> security assessment, you have fallen into a mismatch for Cassandra's >>>>>> utility. >>>>>> >>>>>> The eventuality of having multiple sockets open without the query >>>>>> input for long durations of time isn't something that was >>>>>> architected...because...Cassnadra was built to take massive quantiti= es >>>>>> of queries both in volume and velocity. >>>>>> >>>>>> Your expectation of the database isn't in line with how our why it >>>>>> was designed. Generally, security solutions are architected >>>>>> around Cassandra, baked into the data model, many solutions >>>>>> are home-brewed, written into the application or provided by using a= nother >>>>>> security client. >>>>>> >>>>>> DSE has different security aspects rolling out in the next release >>>>>> as addressed earlier by Jack, like commit log and hint encryptions, = as well >>>>>> as, unified authentication...but secuirty labels aren't on anyone's = radar >>>>>> as a pressing "need." It's not something I've heard about as a >>>>>> priority before anyway. >>>>>> >>>>>> Hope this helps! >>>>>> >>>>>> Cheers, >>>>>> Dani >>>>>> >>>>>> On Friday, January 29, 2016, oleg yusim wrote: >>>>>> >>>>>>> Jack, >>>>>>> >>>>>>> Thanks for your suggestion. I'm familiar with Cassandra >>>>>>> documentation, and I'm aware of differences between DSE and Cassand= ra. >>>>>>> >>>>>>> Questions I ask here are those, I found no mention about in >>>>>>> documentation. Let's take security labels for instance. Cassandra >>>>>>> documentation is completely silent on this regard and so is Google.= I >>>>>>> assume, based on it, Cassandra doesn't support it. But I can't crea= te >>>>>>> federal compliance security document for Cassandra basing it of my >>>>>>> assumptions and lack of information solely. That is where my questi= ons stem >>>>>>> from. >>>>>>> >>>>>>> Thanks, >>>>>>> >>>>>>> Oleg >>>>>>> >>>>>>> On Fri, Jan 29, 2016 at 10:17 AM, Jack Krupansky < >>>>>>> jack.krupansky@gmail.com> wrote: >>>>>>> >>>>>>>> To answer any future questions along these same lines, I suggest >>>>>>>> that you start by simply searching the doc and search the github r= epo for >>>>>>>> the source code for the relevant keywords. That will give you the >>>>>>>> definitive answers quickly. If something is missing, feel free to = propose >>>>>>>> that it be added (if you really need it). And feel free to confirm= here if >>>>>>>> a quick search doesn't give you a solid answer. >>>>>>>> >>>>>>>> Here's the root page for security in the Cassandra doc: >>>>>>>> >>>>>>>> https://docs.datastax.com/en/cassandra/3.x/cassandra/configuration= /secureTOC.html >>>>>>>> >>>>>>>> Also note that on questions of security, DataStax Enterprise may >>>>>>>> have different answers than pure open source Cassandra. >>>>>>>> >>>>>>>> -- Jack Krupansky >>>>>>>> >>>>>>>> On Thu, Jan 28, 2016 at 8:37 PM, oleg yusim >>>>>>>> wrote: >>>>>>>> >>>>>>>>> Patrick, >>>>>>>>> >>>>>>>>> Absolutely. Security label is mechanism of access control, >>>>>>>>> utilized by MAC (mandatory access control) model, and not utilize= d by DAC >>>>>>>>> (discretionary access control) model, we all are used to. In data= base >>>>>>>>> content it is illustrated for instance here: >>>>>>>>> http://www.postgresql.org/docs/current/static/sql-security-label.= html >>>>>>>>> >>>>>>>>> Now, as per my goals, I'm making a security assessment for >>>>>>>>> Cassandra DB with a goal to produce STIG on this product. That is= one of >>>>>>>>> the parameters in database SRG I have to assess against. >>>>>>>>> >>>>>>>>> Thanks, >>>>>>>>> >>>>>>>>> Oleg >>>>>>>>> >>>>>>>>> >>>>>>>>> On Thu, Jan 28, 2016 at 6:32 PM, Patrick McFadin < >>>>>>>>> pmcfadin@gmail.com> wrote: >>>>>>>>> >>>>>>>>>> Cassandra has support for authentication security, but I'm not >>>>>>>>>> familiar with a security label. Can you describe what you want t= o do? >>>>>>>>>> >>>>>>>>>> Patrick >>>>>>>>>> >>>>>>>>>> On Thu, Jan 28, 2016 at 2:26 PM, oleg yusim >>>>>>>>>> wrote: >>>>>>>>>> >>>>>>>>>>> Greetings, >>>>>>>>>>> >>>>>>>>>>> Does Cassandra support security label concept? If so, where can >>>>>>>>>>> I read on how it should be applied? >>>>>>>>>>> >>>>>>>>>>> Thanks, >>>>>>>>>>> >>>>>>>>>>> Oleg >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>> >>>>>> >>>>>> -- >>>>>> Sent from mobile -- apologizes for brevity or errors. >>>>>> >>>>> >>>>> >>>>> -- >>>>> Sent from mobile -- apologizes for brevity or errors. >>>>> >>>> >>>> >>> >>> >>> -- >>> [image: datastax_logo.png] >>> >>> DANI TRAPHAGEN >>> >>> Technical Enablement Lead | dani.traphagen@datastax.com >>> >>> [image: twitter.png] [image: >>> linkedin.png] >>> >>> >> >> > > > -- > [image: datastax_logo.png] > > DANI TRAPHAGEN > > Technical Enablement Lead | dani.traphagen@datastax.com > > [image: twitter.png] [image: > linkedin.png] > > --001a113faa5a18105f052b849c99 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
Thanks Dani.

Oleg

On Thu, Feb 11, 2016 at 2:2= 7 PM, Dani Traphagen <dani.traphagen@datastax.com>= wrote:
Hi Oleg,

I'm= happy to take a look. Will update after review.

Thanks,
Dani

<= div class=3D"gmail_quote">On Thu, Feb 11, 2016 at 12:23 PM, oleg yusim <= olegyusim@gmail.com> wrote:
Hi Dani,

As promised, I sort of put al= l my questions under the "one roof". I would really appreciate yo= u opinion on them.


<= /div>
Thanks,

Oleg

On Fri, Jan 29, 2016 at= 3:28 PM, Dani Traphagen <dani.traphagen@datastax.com> wrote:
=E2=80=8BHi Ole= g,

Thanks that helped clear things up! This sounds like a daunting tas= k. I wish you all the best with it.=C2=A0

Cheers,
Dani=E2=80=8B
<= /div>

On= Fri, Jan 29, 2016 at 10:03 AM, oleg yusim <olegyusim@gmail.com><= /span> wrote:
Dani,=C2= =A0

I really appreciate you response. Actually, session = timeouts and security labels are two different topics (first is about attac= k when somebody opened, say, ssh window to DB, left his machine unattended = and somebody else stole his session, second - to enable DB to support what = called MAC access model - stays for mandatory access control. It is widely = used in the government and military, but not outside of it, we all are used= to DAC access control model). However, I think you are right and I should = move all my queries under the one big roof and call this thread "Secur= ity". I will do this today.

Now, about what y= ou have said, I just answered the same to Jon, in Session Timeout thread, b= ut would quickly re-cap here. I understand that Cassandra's architectur= e was aimed and tailored for completely different type of scenario. However= , unfortunately, that doesn't mean that Cassandra is not vulnerable to = the same very set of attacks relational database would be vulnerable to. It= just means Cassandra is not protected against those attacks, because prote= ction against them was not thought of, when database was created. I already= gave the AAA and session's timeout example in Jon's thread, and th= ose are just one of many.

Now what I'm trying = to do, I'm trying to create a STIG - security federal compliance docume= nt, which will assess Cassandra against SRG concepts (security federal comp= liance recommendations for databases overall) and will highlight what is no= t met, and can't be in current design (i.e. what system architects shou= ld keep in mind and what they need to compensate for with other controls on= different layers of system model) and =C2=A0what can be met either with co= nfiguration or with little enhancement (and how).=C2=A0

That document would be of great help for Cassandra as a product becau= se it would allow it to be marketed as a product with existing security ass= essment and guidelines, performed according to DoD standards. It would also= allow to move product in the general direction of improving its security p= osture. Finally, the document would be posted on DISA site (http://iase.disa.m= il/stigs/Pages/a-z.aspx) available for every security architect to util= ize, which would greatly reduce the risk for Cassandra product to be hacked= in a field.

To clear things out - what I ask abou= t are not my expectations. I really do not expect developers of Cassandra t= o run and start implementing security labels, just because I asked about it= . :) My questions are to build my internal knowledge of DB current design, = so that I can build my security assessment based of it, not more, not less.= =C2=A0

I guess, summarizing what I said on top, fr= om what I'm doing Cassandra as a product would end up benefiting quite = a bit. That is why I think it would make sense for Cassandra community to h= elp me with my questions even if they sound completely of the traditional &= quot;grid".

Thanks again, I really appreciate= your response and conversation overall.

Oleg

On Fri, Jan 29, 2016 at 11:20 A= M, Dani Traphagen <dani.traphagen@datastax.com> wr= ote:
Also -- it looks like you're rea= lly asking questions about session timeouts and security labels as they ass= ociate, would be more helpful to keep in one thread. :)=C2=A0


On Friday, January 29, 2016, Dani Traphagen <dani.traphagen@datas= tax.com> wrote:
Hi Oleg,=C2=A0
I understand your frustration but unfortunately, in the ter= ms of your security assessment,=C2=A0you have fallen into a mismatch for=C2= =A0Cassandra's utility.=C2=A0

The eventuality of= having multiple sockets open without the query input for long durations of= time isn't something that was architected...because...Cassnadra was bu= ilt to take massive quantities of=C2=A0queries both=C2=A0in volume and velo= city.=C2=A0

Your expectation of the database isn&#= 39;t in line with how our why it was designed. Generally, security solution= s are architected around=C2=A0Cassandra,=C2=A0baked into the data model, ma= ny solutions are=C2=A0home-brewed, written=C2=A0into the application=C2=A0o= r provided by using another security=C2=A0client.=C2=A0
<= div>
DSE has different security=C2=A0aspects rolling out in t= he next release as=C2=A0addressed earlier by Jack,=C2=A0like=C2=A0commit lo= g and hint=C2=A0encryptions, as well as, unified authentication...but secui= rty labels aren't on anyone's=C2=A0radar as a pressing "need.&= quot; It's not something I've heard about as a priority=C2=A0before= anyway.=C2=A0

Hope this helps!
=

Cheers,
Dani

On Friday, January 29, 20= 16, oleg yusim <olegyusim@gmail.com> wrote:
Jack,

Thanks for your s= uggestion. I'm familiar with Cassandra documentation, and I'm aware= of differences between DSE and Cassandra.=C2=A0

Q= uestions I ask here are those, I found no mention about in documentation. L= et's take security labels for instance. Cassandra documentation is comp= letely silent on this regard and so is Google. I assume, based on it, Cassa= ndra doesn't support it. But I can't create federal compliance secu= rity document for Cassandra basing it of my assumptions and lack of informa= tion solely. That is where my questions stem from.

Thanks,

Oleg=C2=A0

On Fri, Jan 29, 2016 at 10:17 AM, Ja= ck Krupansky <jack.krupansky@gmail.com> wrote:
To answer any = future questions along these same lines, I suggest that you start by simply= searching the doc and search the github repo for the source code for the r= elevant keywords. That will give you the definitive answers quickly. If som= ething is missing, feel free to propose that it be added (if you really nee= d it). And feel free to confirm here if a quick search doesn't give you= a solid answer.

Here's the root page for security i= n the Cassandra doc:

-- Jack Krupansky

On Thu, Jan 28, 2016 at 8:37 PM, oleg yusim = <olegyusim@gmail.com> wrote:
Patrick,

Abso= lutely. Security label is mechanism of access control, utilized by MAC (man= datory access control) model, and not utilized by DAC (discretionary access= control) model, we all are used to. In database content it is illustrated = for instance here:=C2=A0http://www.postgresql.org/= docs/current/static/sql-security-label.html

No= w, as per my goals, I'm making a security assessment for Cassandra DB w= ith a goal to produce STIG on this product. That is one of the parameters i= n database SRG I have to assess against.

Thanks,

Oleg


On Thu, Jan 28, 2016 at 6:3= 2 PM, Patrick McFadin <pmcfadin@gmail.com> wrote:
Cassandra h= as support for authentication security, but I'm not familiar with a sec= urity label. Can you describe what you want to do?

Patrick

On Thu, Jan 28, 2016 at = 2:26 PM, oleg yusim <olegyusim@gmail.com> wrote:
Greetings,
Does Cassandra support security label concept? If so, whe= re can I read on how it should be applied?

Thanks,=

Oleg






--
Sent from mobile -- apologizes for brevity or errors.


--
Sent from mobile -- apologizes for brevity or e= rrors.




<= /div>--
3D"datastax_logo.png"

DANI TRAPHAGEN

Technical Ena= blement Lead | dani.traphagen@datastax.com


3D"twi= 3D"linkedin.png"= 3D""<= /span>



--
=
3D"datasta=

DANI TRAPHAGEN

Technical Enablement Lead <= font color=3D"#000000">| dani.traphagen@datastax.com


3D"twitter.png" 3D"linkedin.png" 3D""

--001a113faa5a18105f052b849c99--