[ https://issues.apache.org/jira/browse/CASSANDRA-21226?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Stefan Miklosovic updated CASSANDRA-21226:
------------------------------------------
Resolution: Duplicate
Status: Resolved (was: Triage Needed)
> Rate Limiting and execution isolation needed for ALTER/CREATE ROLE password hashing to prevent CPU starvation
> -------------------------------------------------------------------------------------------------------------
>
> Key: CASSANDRA-21226
> URL: https://issues.apache.org/jira/browse/CASSANDRA-21226
> Project: Apache Cassandra
> Issue Type: Bug
> Reporter: Cyl
> Priority: Normal
>
> Hi team,
> Following up on the discussion regarding CASSANDRA-17812 (which rate-limited
> AUTH_RESPONSE to avoid overwhelming the request executor with bcrypt
> computations), there is a similar resource exhaustion gap in the role
> modification path.
> Currently, operations like ALTER ROLE ... WITH PASSWORD and <CREATE/ALTER>
> ROLE ... WITH HASHED PASSWORD compute the BCrypt hashes synchronously on
> Dispatcher.requestExecutor.
> If an authenticated user triggers multiple role modifications concurrently,
> or supplies an artificially high cost factor in HASHED PASSWORD (e.g.,
> $2a$30$...), the requestExecutor threads will be blocked for seconds to
> minutes, leading to severe latency spikes and OperationTimedOut errors for
> all legitimate queries. This leads to an Authenticated DoS without rate
> restrictions.
> Suggestions for improvement:
> 1. Rate Limiting: Apply connection/global rate limiters to ALTER/CREATE ROLE
> statements, similar to the login safeguards.
> 2. Max Cost Factor: Set a hardcoded upper bound for the BCrypt cost factor
> accepted in HASHED PASSWORD arguments to prevent single-request thread
> locking.
> 3. Execution Offloading: Optionally offload these operations to the
> authExecutor rather than blocking the main query execution thread pool.
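The first two suggestions in the report (a cost-factor ceiling on HASHED PASSWORD arguments and a per-principal rate limit on role-modification statements) are both cheap checks that can run before any bcrypt work starts. The following is an added illustration written for this message, not code from Apache Cassandra or from the reporter: it parses the cost from a bcrypt modular-crypt string, rejects costs outside a configured range, and gates admissions with a token-bucket limiter. The names (`MAX_BCRYPT_COST`, `RoleChangeRateLimiter`, `admit_role_change`), the cost bound of 12 and the bucket sizes are assumptions chosen for the example; the sample hash is a constructed bcrypt-shaped string used only to exercise the parser.

```python
import re
import time

# Assumed policy bounds for this example (not Cassandra constants).
# bcrypt itself accepts costs 4..31; hashing time doubles with each step,
# so a cost of 30 keeps a thread busy for minutes rather than milliseconds.
MIN_BCRYPT_COST = 4
MAX_BCRYPT_COST = 12

# bcrypt modular-crypt format: $2<variant>$<2-digit cost>$<22-char salt><31-char digest>
_BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")


def parse_bcrypt_cost(hashed: str) -> int:
    """Return the cost factor embedded in a bcrypt hash string.

    Raises ValueError for anything that is not a well-formed bcrypt hash,
    so malformed input is rejected before it reaches a hashing routine.
    """
    match = _BCRYPT_RE.match(hashed)
    if not match:
        raise ValueError("not a well-formed bcrypt hash")
    return int(match.group(1))


def validate_hashed_password(hashed: str, max_cost: int = MAX_BCRYPT_COST) -> int:
    """Check a HASHED PASSWORD argument against the allowed cost range; return its cost."""
    cost = parse_bcrypt_cost(hashed)
    if cost < MIN_BCRYPT_COST or cost > max_cost:
        raise ValueError(
            f"bcrypt cost {cost} outside allowed range {MIN_BCRYPT_COST}..{max_cost}"
        )
    return cost


class RoleChangeRateLimiter:
    """Per-principal token bucket for ALTER/CREATE ROLE statements (hypothetical)."""

    def __init__(self, capacity: int, refill_per_sec: float, clock=time.monotonic):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.clock = clock  # injectable so tests can advance time deterministically
        self._buckets = {}  # principal -> (tokens, last_refill_timestamp)

    def try_acquire(self, principal: str) -> bool:
        """Consume one token for the principal; False means the statement is throttled."""
        now = self.clock()
        tokens, last = self._buckets.get(principal, (float(self.capacity), now))
        tokens = min(float(self.capacity), tokens + (now - last) * self.refill_per_sec)
        if tokens < 1.0:
            self._buckets[principal] = (tokens, now)
            return False
        self._buckets[principal] = (tokens - 1.0, now)
        return True


def admit_role_change(principal: str, hashed: str, limiter: RoleChangeRateLimiter,
                      max_cost: int = MAX_BCRYPT_COST):
    """Decide whether a role modification may proceed to the (expensive) hashing step.

    Returns (admitted, reason). The purely syntactic cost check runs first so a
    rejected statement does not consume a rate-limit token.
    """
    try:
        cost = validate_hashed_password(hashed, max_cost)
    except ValueError as err:
        return False, str(err)
    if not limiter.try_acquire(principal):
        return False, "rate limit exceeded for role modifications"
    return True, f"ok cost={cost}"


if __name__ == "__main__":
    # Constructed sample hash (cost 10) and the same string with cost rewritten to 30.
    sample = "$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"
    oversized = "$2a$30$" + sample[7:]
    limiter = RoleChangeRateLimiter(capacity=3, refill_per_sec=0.5)
    for candidate in (sample, oversized, sample, sample, sample):
        print(admit_role_change("alice", candidate, limiter))
```

The regex rejects anything that is not bcrypt-shaped, so the cost is only ever read from a well-formed string; the bucket is keyed by principal, which matches the report's point that the attacker is authenticated and the limit therefore has to be per user (or per connection) rather than global only.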
--
This message was sent by Atlassian Jira
(v8.20.10#820010)