community.cassandra
Handle changing passwords in cassandra.role
SUMMARY
It would be nice to be able to change a role's password with cassandra.role. Currently we simply ignore the password if it differs from the password in the database. The problem is that the password is salted and hashed, so to be able to compare it we need to use bcrypt and know how many hashing rounds the server uses.
ISSUE TYPE
- Feature Idea
COMPONENT NAME
cassandra.role
ADDITIONAL INFORMATION
Rerunning the same role twice with different passwords would change the password of the role.
- name: update some existing role
  community.cassandra.cassandra_role:
    name: "SomeExistingRole"
    state: present
    login: yes
    password: "ANewPassword"
    super_user: no
    login_user: <login user>
    login_password: <login password>
  run_once: true
Hello @itskarlsson,
Is this something you plan to work on yourself?
I know that some people have looked into the same thing for the mongodb_user module. Not possible...
https://jira.mongodb.org/browse/SERVER-22848
I don't know the situation with Cassandra but I'd be surprised if it's any different.
Cheers,
Rhys
It's certainly possible to check if the pw has changed from a purely technical standpoint, since we have the salted_hash, the hashing mechanism and the password. However, much like the post you put forth, there is the aspect of security as you mentioned. It would allow someone with access to Ansible to test passwords. (Although that is true even if they didn't have Ansible but had access to the salted hash/nr of rounds.)
Alternatively, one could just change the password whether it's the same or different. It's also not very clean, but at least this would align the behavior with what an Ansible user expects would happen.
I'd be able to put up a patch if we can agree on a proper solution, but if someone else wants to take a swing at it then I am fine with that as well.
On a side note, we should probably add which parameters are ignored in the documentation.
The mongodb_user module uses a parameter called update_password to control this behaviour. Best not to change the default. Feel free to submit a PR. Tests should be included.
Cheers,
Rhys
Resolved in #269. Closing
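The two options discussed in this thread (compare against the stored bcrypt hash, or gate the change behind an `update_password` option), sketched as an added example that is not code from the collection or from #269. A bcrypt string carries its own cost factor and salt, so the round count can be read from `salted_hash` itself. Assumptions: the `always` / `on_create` values are borrowed from mongodb_user, the function names and the `compare` flag are hypothetical, and the third-party `bcrypt` package is optional.

```python
import re

# bcrypt modular-crypt string: $<version>$<cost>$<22-char salt><31-char digest>
_BCRYPT = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")


def bcrypt_cost(salted_hash):
    """Return the log2 round count stored in the hash, or None if not bcrypt."""
    m = _BCRYPT.match(salted_hash or "")
    if not m:
        return None
    cost = int(m.group(2))
    return cost if 4 <= cost <= 31 else None


def password_matches(password, salted_hash):
    """True/False when the hash can be checked, None when it cannot."""
    if bcrypt_cost(salted_hash) is None:
        return None
    try:
        import bcrypt  # third-party package; optional in this sketch
    except ImportError:
        return None
    return bcrypt.checkpw(password.encode(), salted_hash.encode())


def should_set_password(role_exists, password, update_password="on_create",
                        salted_hash=None, compare=False):
    """Decide whether the module should issue a password change."""
    if password is None:
        return False
    if not role_exists:
        return True               # new role: the password is always set
    if update_password == "on_create":
        return False              # existing role: password is ignored
    if update_password != "always":
        raise ValueError("update_password must be 'always' or 'on_create'")
    if compare and password_matches(password, salted_hash) is True:
        return False              # unchanged, so the task stays idempotent
    return True                   # changed, or not verifiable: rewrite it


# Constructed value with valid bcrypt syntax; not the hash of any password.
SAMPLE_HASH = "$2a$10$" + "s" * 22 + "h" * 31
```

With `compare=False` the `always` branch rewrites the password on every run and reports a change each time, which is the "not very clean" trade-off mentioned above.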