cassandra-commits mailing list archives

From "Samuel Klock (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CASSANDRA-10956) Enable authentication of native protocol users via client certificates
Date Wed, 30 Dec 2015 20:57:49 GMT
Samuel Klock created CASSANDRA-10956:
----------------------------------------

             Summary: Enable authentication of native protocol users via client certificates
                 Key: CASSANDRA-10956
                 URL: https://issues.apache.org/jira/browse/CASSANDRA-10956
             Project: Cassandra
          Issue Type: New Feature
            Reporter: Samuel Klock
            Assignee: Samuel Klock


Currently, the native protocol only supports user authentication via SASL.  While this is
adequate for many use cases, it may be superfluous in scenarios where clients are required
to present an SSL certificate to connect to the server.  If the certificate presented by a
client is sufficient by itself to specify a user, then an additional (series of) authentication
step(s) via SASL merely add overhead.  Worse, for uses wherein it's desirable to obtain the
identity from the client's certificate, it's necessary to implement a custom SASL mechanism
to do so, which increases the effort required to maintain both client and server and which
also duplicates functionality already provided via SSL/TLS.

Cassandra should provide a means of using certificates for user authentication in the native
protocol without any effort above configuring SSL on the client and server.  Here's a possible
strategy:

* Add a new authenticator interface that returns {{AuthenticatedUser}} objects based on the
certificate chain presented by the client.
* If this interface is in use, the user is authenticated immediately after the server receives
the {{STARTUP}} message.  It then responds with a {{READY}} message.
* Otherwise, the existing flow of control is used (i.e., if the authenticator requires authentication,
then an {{AUTHENTICATE}} message is sent to the client).

One advantage of this strategy is that it is backwards-compatible with existing schemes; current
users of SASL/{{IAuthenticator}} are not impacted.  Moreover, it can function as a drop-in
replacement for SASL schemes without requiring code changes (or even config changes) on the
client side.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
