Cyl created CASSANDRA-21226:
-------------------------------
Summary: Rate Limiting and execution isolation needed for
ALTER/CREATE ROLE password hashing to prevent CPU starvation
Key: CASSANDRA-21226
URL: https://issues.apache.org/jira/browse/CASSANDRA-21226
Project: Apache Cassandra
Issue Type: Bug
Reporter: Cyl
Hi team,
Following up on the discussion regarding CASSANDRA-17812 (which rate-limited
AUTH_RESPONSE to avoid overwhelming the request executor with bcrypt
computations), there is a similar resource exhaustion gap in the role
modification path.
Currently, operations like ALTER ROLE ... WITH PASSWORD and <CREATE/ALTER> ROLE
... WITH HASHED PASSWORD compute the BCrypt hashes synchronously on
Dispatcher.requestExecutor.
If an authenticated user triggers multiple role modifications concurrently, or
supplies an artificially high cost factor in HASHED PASSWORD (e.g.,
$2a$30$...), the requestExecutor threads will be blocked for seconds to
minutes, leading to severe latency spikes and OperationTimedOut errors for all
legitimate queries. This leads to an Authenticated DoS without rate
restrictions.
Suggestions for improvement:
1. Rate Limiting: Apply connection/global rate limiters to ALTER/CREATE ROLE
statements, similar to the login safeguards.
2. Max Cost Factor: Set a hardcoded upper bound for the BCrypt cost factor
accepted in HASHED PASSWORD arguments to prevent single-request thread locking.
3. Execution Offloading: Optionally offload these operations to the
authExecutor rather than blocking the main query execution thread pool.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
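The two cheap safeguards proposed above (a cap on the accepted BCrypt cost factor and a rate limit on role-modification statements) sketched in Python as an added, stand-alone example; this is not Cassandra's code and not part of the ticket. The cap of 14, the assumed 100 ms per hash at cost 10 on one core, and the sample hash strings are all constructed for illustration; the cost parser only reads the `$2a$NN$` prefix of the modular-crypt format, it does not compute bcrypt.

```python
import re
from typing import Dict, Optional, Tuple

# bcrypt modular-crypt format: $2a$NN$ + 22-char salt + 31-char hash (53 base64 chars).
# NN is the log2 cost: the work doubles for every +1.
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")

# Hypothetical upper bound a server could enforce on HASHED PASSWORD input.
# bcrypt itself allows 4..31; nothing in the ticket fixes this number.
MAX_ACCEPTED_COST = 14

# Constructed calibration point: assume cost 10 takes ~100 ms on one core.
BASELINE_COST = 10
BASELINE_SECONDS = 0.1

# Constructed sample hashes (valid format, not hashes of any real password).
_SALT = "abcdefghijklmnopqrstuv"             # 22 chars
_HASH = "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"    # 31 chars
SAMPLE_COST_10 = "$2a$10$" + _SALT + _HASH
SAMPLE_COST_30 = "$2a$30$" + _SALT + _HASH


def parse_bcrypt_cost(hashed: str) -> int:
    """Return the log2 cost encoded in a bcrypt hash string, or raise ValueError."""
    m = BCRYPT_RE.match(hashed)
    if not m:
        raise ValueError("not a bcrypt hash in modular-crypt format")
    cost = int(m.group(1))
    if not 4 <= cost <= 31:
        raise ValueError(f"bcrypt cost {cost} outside the valid range 4..31")
    return cost


def estimated_hash_seconds(cost: int) -> float:
    """Rough CPU time for one hash at `cost`, extrapolated from the baseline by 2**(delta)."""
    return BASELINE_SECONDS * 2 ** (cost - BASELINE_COST)


def validate_hashed_password(hashed: str, max_cost: int = MAX_ACCEPTED_COST) -> Optional[str]:
    """Return None if the supplied hash is acceptable, else a reason to reject it."""
    try:
        cost = parse_bcrypt_cost(hashed)
    except ValueError as e:
        return str(e)
    if cost > max_cost:
        return (f"bcrypt cost {cost} exceeds the maximum {max_cost} "
                f"(~{estimated_hash_seconds(cost):.0f}s of CPU per verification)")
    return None


class RoleChangeLimiter:
    """Per-connection token bucket: up to `burst` role changes at once, refilled at `per_second`.

    `now` is passed in explicitly so the behaviour is deterministic and testable.
    """

    def __init__(self, per_second: float, burst: int) -> None:
        self.per_second = per_second
        self.burst = burst
        self._buckets: Dict[str, Tuple[float, float]] = {}  # conn_id -> (tokens, last_ts)

    def allow(self, conn_id: str, now: float) -> bool:
        tokens, last = self._buckets.get(conn_id, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.per_second)
        if tokens < 1.0:
            self._buckets[conn_id] = (tokens, now)
            return False
        self._buckets[conn_id] = (tokens - 1.0, now)
        return True


def admit_role_change(limiter: RoleChangeLimiter, conn_id: str, hashed: str, now: float) -> Optional[str]:
    """Gate an ALTER/CREATE ROLE ... WITH HASHED PASSWORD before any bcrypt work is scheduled.

    The cost check is a pure string parse and runs first; only well-formed, bounded
    requests consume a rate-limit token. Returns None to admit, else the rejection reason.
    """
    reason = validate_hashed_password(hashed)
    if reason is not None:
        return reason
    if not limiter.allow(conn_id, now):
        return "role modification rate limit exceeded for this connection"
    return None


if __name__ == "__main__":
    lim = RoleChangeLimiter(per_second=1.0, burst=2)
    for label, h in (("cost 10", SAMPLE_COST_10), ("cost 30", SAMPLE_COST_30)):
        print(label, "->", admit_role_change(lim, "conn-1", h, now=0.0) or "admitted",
              f"(est. {estimated_hash_seconds(parse_bcrypt_cost(h)):.1f}s per hash)")
```

At cost 30 the extrapolation gives roughly 2**20 times the cost-10 baseline, on the order of a day of CPU for a single statement, which is why a format-level bound is worth applying before the request ever reaches a hashing thread; the rate limiter then covers the case of many statements at an allowed cost.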