Open alexrikelm opened 3 months ago
Yes, this behavior was intentional, and is documented in https://github.com/scylladb/scylladb/blob/master/docs/alternator/compatibility.md#authorization
To try to explain in a few words why the salted hash was chosen as the DynamoDB API key: Scylla needs to know this key to run the AWS Signature V4 algorithm on it to check signatures on incoming requests. But Scylla does not know your password so it cannot use that key - it only knows the "salted hash" of your password - so that's what used as the key.
You might wonder if we didn't lose some (aspects of) security in this way - after all, Scylla deliberately doesn't store the password itself and only stores the hash - so now we do store the actual Alternator key verbatim in the database! If you wondered that, you would be right - this is https://github.com/scylladb/scylladb/issues/5206. As that issue explains, there's a way to avoid storing the actual secret key on the regular Scylla node, but it's not trivial, and in any case the actual secret key needs to be stored somewhere - this is how the AWS protocol works.
What happened?
Listing the roles/Users created in cqlsh:
Able to connect using csql db_user and password:
When trying to access the alternator using awscli or boto3 I get this error:
Working:
Seems by using the "salted_hash" as the actual password, the connection works. This seems very counter intuitive, is this by design or a flaw?
What did you expect to happen?
Expecting the password for db_user in scylla and alternator to be the same. Instead alternator uses the value of the salted_hash as the actual password. ie:
How can we reproduce it (as minimally and precisely as possible)?
Scylla Operator version
Scylla-Operator 1.11.3 & 1.12.0
Kubernetes platform name and version
Please attach the must-gather archive.
...
Anything else we need to know?
No response