cassandra-commits mailing list archives

From "Stefan Podkowinski (JIRA)" <>
Subject [jira] [Commented] (CASSANDRA-10956) Enable authentication of native protocol users via client certificates
Date Tue, 15 Mar 2016 09:26:33 GMT


Stefan Podkowinski commented on CASSANDRA-10956:

I’d assume that authentication should be handled by providing an IAuthenticator implementation,
but I can see how this is not a good fit here as we can’t provide any SASL support.
I also like about your approach that it can be used on top of regular authentication,
e.g. by falling back to password based authentication if no certificate has been provided.

Two small remarks regarding {{cassandra.yaml}}:

bq. Client supplied certificates must be present in the configured truststore when using this

I first read this as saying that each client certificate must be present in the truststore. Maybe explicitly
mention that importing a common CA into the truststore works as well.

bq. NOT_REQUIRED : no attempt is made to obtain user identity from the cert chain.

The reason for presenting this option in the yaml config is not really clear to me. It’s
contrary to the idea of using the certificate authenticator.

> Enable authentication of native protocol users via client certificates
> ----------------------------------------------------------------------
>                 Key: CASSANDRA-10956
>                 URL:
>             Project: Cassandra
>          Issue Type: New Feature
>            Reporter: Samuel Klock
>            Assignee: Samuel Klock
>         Attachments: 10956.patch
> Currently, the native protocol only supports user authentication via SASL.  While this
> is adequate for many use cases, it may be superfluous in scenarios where clients are required
> to present an SSL certificate to connect to the server.  If the certificate presented by a
> client is sufficient by itself to specify a user, then an additional (series of) authentication
> step(s) via SASL merely add overhead.  Worse, for uses wherein it's desirable to obtain the
> identity from the client's certificate, it's necessary to implement a custom SASL mechanism
> to do so, which increases the effort required to maintain both client and server and which
> also duplicates functionality already provided via SSL/TLS.
> Cassandra should provide a means of using certificates for user authentication in the
> native protocol without any effort above configuring SSL on the client and server.  Here's
> a possible strategy:
> * Add a new authenticator interface that returns {{AuthenticatedUser}} objects based
> on the certificate chain presented by the client.
> * If this interface is in use, the user is authenticated immediately after the server
> receives the {{STARTUP}} message.  It then responds with a {{READY}} message.
> * Otherwise, the existing flow of control is used (i.e., if the authenticator requires
> authentication, then an {{AUTHENTICATE}} message is sent to the client).
> One advantage of this strategy is that it is backwards-compatible with existing schemes;
> current users of SASL/{{IAuthenticator}} are not impacted.  Moreover, it can function as a
> drop-in replacement for SASL schemes without requiring code changes (or even config changes)
> on the client side.

This message was sent by Atlassian JIRA

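The two points raised in the thread, that a single CA imported into the truststore is enough to trust every client certificate it issued, and that a deployment may want to fall back to password authentication when no certificate is presented, are illustrated below by an added, stand-alone example. It is not code from the ticket, the attached patch, or Cassandra itself, and it is written in Go rather than Java so that it runs without any Cassandra dependencies. The names `CertMode`, `identityFromChain`, `authenticate`, and `passwordStore` are assumptions made for the example; the CA and client certificates are generated in memory and the password store is a constructed placeholder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CertMode (assumed name) captures the two behaviours discussed on the ticket:
// a client certificate is either mandatory, or optional with a password fallback.
type CertMode int

const (
	CertRequired CertMode = iota // no certificate, or an untrusted one, is a hard failure
	CertOptional                 // no certificate at all falls back to password authentication
)

// passwordStore is a constructed stand-in for a password backend.
// A real deployment stores password hashes, never plaintext.
var passwordStore = map[string]string{"bob": "bob-pw"}

// identityFromChain verifies the chain the client presented against the
// truststore (roots) and, if it chains to a trusted CA, returns the leaf's
// subject CN as the user name. Only the CA needs to be in the truststore.
func identityFromChain(chain []*x509.Certificate, roots *x509.CertPool, now time.Time) (string, error) {
	if len(chain) == 0 {
		return "", errors.New("no client certificate presented")
	}
	intermediates := x509.NewCertPool() // any extra certs the client sent
	for _, c := range chain[1:] {
		intermediates.AddCert(c)
	}
	opts := x509.VerifyOptions{
		Roots:         roots,
		Intermediates: intermediates,
		CurrentTime:   now,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := chain[0].Verify(opts); err != nil {
		return "", fmt.Errorf("client certificate not trusted: %w", err)
	}
	if cn := chain[0].Subject.CommonName; cn != "" {
		return cn, nil
	}
	return "", errors.New("client certificate carries no subject CN to use as identity")
}

// authenticate decides the identity for a new connection. A certificate that
// was presented but fails verification is never downgraded to a password
// attempt; only the absence of a certificate triggers the fallback.
func authenticate(chain []*x509.Certificate, roots *x509.CertPool, mode CertMode,
	user, password string, now time.Time) (string, error) {
	if len(chain) > 0 || mode == CertRequired {
		return identityFromChain(chain, roots, now)
	}
	stored, ok := passwordStore[user]
	if !ok || subtle.ConstantTimeCompare([]byte(stored), []byte(password)) != 1 {
		return "", errors.New("bad user name or password")
	}
	return user, nil
}

var serial int64 // constructed serial counter for the in-memory PKI

func mustCert(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl.SerialNumber = big.NewInt(serial)
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil { // self-signed
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// newCA creates a self-signed CA; importing this one cert into the truststore
// is enough to accept every client certificate it issues.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	return mustCert(&x509.Certificate{Subject: pkix.Name{CommonName: "Example Client CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
}

// issueClientCert issues a client-auth certificate whose CN is the user name.
func issueClientCert(cn string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	cert, _ := mustCert(&x509.Certificate{Subject: pkix.Name{CommonName: cn},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, ca, caKey)
	return cert
}

func main() {
	ca, caKey := newCA()
	roots := x509.NewCertPool()
	roots.AddCert(ca) // the truststore holds only the CA, not each client cert
	now := time.Now()
	fmt.Println(authenticate([]*x509.Certificate{issueClientCert("alice", ca, caKey)}, roots, CertRequired, "", "", now))
	rogueCA, rogueKey := newCA() // same CN, but signed by a CA that is not in the truststore
	fmt.Println(authenticate([]*x509.Certificate{issueClientCert("alice", rogueCA, rogueKey)}, roots, CertOptional, "", "", now))
	fmt.Println(authenticate(nil, roots, CertOptional, "bob", "bob-pw", now))
}
```

Two design choices in the example are worth noting: the chain is verified with `ExtKeyUsageClientAuth` so a server or CA certificate issued by the same CA cannot be replayed as a client identity, and the fallback in `CertOptional` mode fires only when the client sent no certificate, so a certificate that fails verification is rejected outright rather than giving the client a second try with a password.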