ansible-collections / community.cassandra

Cassandra Ansible Collection
http://galaxy.ansible.com/community/cassandra
GNU General Public License v3.0

Handle changing passwords in cassandra.role #265

Closed itskarlsson closed 4 months ago

itskarlsson commented 8 months ago
SUMMARY

It would be nice to be able to change a role's password with cassandra.role. Currently we simply ignore the password if it differs from the password in the database. The problem is that the password is salted and hashed, so to be able to compare it we need to use bcrypt and know how many hashing rounds the server uses.

ISSUE TYPE
COMPONENT NAME

cassandra.role

ADDITIONAL INFORMATION

Rerunning the same role twice with different passwords would change the password of the role.

- name: update some existing role
  community.cassandra.cassandra_role:
    name: "SomeExistingRole"
    state: present
    login: yes
    password: "ANewPassword"
    super_user: no
    login_user: <login user>
    login_password: <login password>
  run_once: true

rhysmeister commented 8 months ago

Hello @itskarlsson,

Is this something you plan to work on yourself?

I know that some people have looked into the same thing for the mongodb_user module. Not possible...

https://jira.mongodb.org/browse/SERVER-22848

I don't know the situation with Cassandra but I'd be surprised if it's any different.

Cheers,

Rhys

itskarlsson commented 7 months ago

It's certainly possible to check if the pw has changed from a purely technical standpoint, since we have the salted_hash, the hashing mechanism and the password. However, much like the post you put forth, there is the aspect of security as you mentioned. It would allow someone with access to ansible to test passwords. (Although that is true even if they didn't have ansible but had access to the salted hash/nr of rounds)

Alternatively, one could just change the password whether it's the same or different. It's also not very clean, but at least this would align the behavior with what an ansible user expects would happen.

I'd be able to put up a patch if we can agree on a proper solution, but if someone else wants to take a swing at it then I am fine with that as well.

On a side note, we should probably add which parameters are ignored in the documentation.
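
The two approaches weighed in the comment above (compare against the stored hash, or set the password regardless), as an added example that is not code from the collection or from #269. It assumes the stored salted_hash is a standard bcrypt string; the mode names `on_create` and `always` are borrowed from the mongodb_user `update_password` parameter mentioned in this thread, `on_mismatch` is a hypothetical name, and `checkpw` is any callable with the signature of `bcrypt.checkpw`.

```python
import re
from typing import Callable, NamedTuple, Optional

# bcrypt string layout: $<variant>$<cost>$<22-char salt><31-char digest>
_BCRYPT = re.compile(r"\$(2[abxy]?)\$(\d\d)\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})")


class BcryptFields(NamedTuple):
    variant: str
    cost: int  # log2 of the number of rounds
    salt: str
    digest: str


def parse_bcrypt(stored: str) -> BcryptFields:
    """Split a stored bcrypt string; cost and salt travel with the hash."""
    m = _BCRYPT.fullmatch(stored)
    if m is None:
        raise ValueError("not a bcrypt hash string")
    variant, cost, salt, digest = m.groups()
    if not 4 <= int(cost) <= 31:
        raise ValueError("bcrypt cost out of range")
    return BcryptFields(variant, int(cost), salt, digest)


def plan_password(stored: Optional[str], password: str, mode: str,
                  checkpw: Optional[Callable[[bytes, bytes], bool]] = None) -> str:
    """Return 'create', 'alter' or 'skip' for one module run."""
    if stored is None:
        return "create"          # role does not exist yet
    if mode == "on_create":
        return "skip"            # existing password is left untouched
    if mode == "always":
        return "alter"           # reported as changed on every run
    if mode == "on_mismatch":    # hypothetical mode: compare, then decide
        parse_bcrypt(stored)     # refuse to compare against a malformed value
        if checkpw is None:
            raise ValueError("on_mismatch needs a bcrypt verifier")
        same = checkpw(password.encode(), stored.encode())
        return "skip" if same else "alter"
    raise ValueError("unknown mode: " + mode)


# Constructed sample value, not a real credential hash.
SAMPLE_HASH = "$2a$10$" + "A" * 22 + "B" * 31
```

Because the cost factor and salt are fields of the stored string, a comparison does not need the server's rounds setting; the trade-off raised in the thread is that `on_mismatch` requires read access to the hash while `always` does not.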

rhysmeister commented 7 months ago

The mongodb_user module uses a parameter called update_password to control this behaviour. Best not to change the default. Feel free to submit a PR. Tests should be included.

Cheers,

Rhys

rhysmeister commented 4 months ago

Resolved in #269. Closing