Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id AD00D200C41 for ; Fri, 24 Mar 2017 21:07:54 +0100 (CET) Received: by cust-asf.ponee.io (Postfix) id AB8CE160B93; Fri, 24 Mar 2017 20:07:54 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id CB23F160B75 for ; Fri, 24 Mar 2017 21:07:53 +0100 (CET) Received: (qmail 67816 invoked by uid 500); 24 Mar 2017 20:07:53 -0000 Mailing-List: contact commits-help@cassandra.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cassandra.apache.org Delivered-To: mailing list commits@cassandra.apache.org Received: (qmail 67805 invoked by uid 99); 24 Mar 2017 20:07:52 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd4-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 24 Mar 2017 20:07:52 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd4-us-west.apache.org (ASF Mail Server at spamd4-us-west.apache.org) with ESMTP id 8C7F9C147E for ; Fri, 24 Mar 2017 20:07:52 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd4-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: -99.201 X-Spam-Level: X-Spam-Status: No, score=-99.201 tagged_above=-999 required=6.31 tests=[KAM_ASCII_DIVIDERS=0.8, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_WHITELIST=-100] autolearn=disabled Received: from mx1-lw-us.apache.org ([10.40.0.8]) by localhost (spamd4-us-west.apache.org [10.40.0.11]) (amavisd-new, port 10024) with ESMTP id gkfMYoZPhJ7c for ; Fri, 24 Mar 2017 20:07:51 +0000 (UTC) Received: from mailrelay1-us-west.apache.org (mailrelay1-us-west.apache.org [209.188.14.139]) by mx1-lw-us.apache.org (ASF Mail Server at mx1-lw-us.apache.org) with ESMTP id CB7F75FBB7 for ; Fri, 24 Mar 2017 20:07:45 +0000 (UTC) Received: from jira-lw-us.apache.org (unknown [207.244.88.139]) by mailrelay1-us-west.apache.org (ASF Mail Server at mailrelay1-us-west.apache.org) with ESMTP id 94C11E0BDD for ; Fri, 24 Mar 2017 20:07:42 +0000 (UTC) Received: from jira-lw-us.apache.org (localhost [127.0.0.1]) by jira-lw-us.apache.org (ASF Mail Server at jira-lw-us.apache.org) with ESMTP id CF12C2406E for ; Fri, 24 Mar 2017 20:07:41 +0000 (UTC) Date: Fri, 24 Mar 2017 20:07:41 +0000 (UTC) From: "Ben Bromhead (JIRA)" To: commits@cassandra.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Comment Edited] (CASSANDRA-11471) Add SASL mechanism negotiation to the native protocol MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 archived-at: Fri, 24 Mar 2017 20:07:54 -0000 [ https://issues.apache.org/jira/browse/CASSANDRA-11471?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15941051#comment-15941051 ] Ben Bromhead edited comment on CASSANDRA-11471 at 3/24/17 8:06 PM: ------------------------------------------------------------------- Sorry for the delay, the joy of a new baby :) Addressed all the comments except one. bq. Only if encryption is optional? Basically because the authenticator can only work if the certificates are there? It seems like this can NPE? Currently getSaslNegotiator will try to get the certificate chain from the channel if client encryption is enabled and connecting on an encrypted session is not optional. This means null instead of a certificate chain will be passed in when getting the new SASL authenticator. I couldn't think of a nice way to pass the certificate chain to the authenticator but still respect the fact there are authenticators that just don't care about them. Originally my thinking was that Optional does not appear to be used in the project and I didn't want to add even more more methods to IAuthenticator. Thinking about it again, it probably just makes sense to overload newV5SaslNegotiator and not have to pass in certificates, which would reduce the chance of someone implementing a new Authenticator getting an NPE. ||4.0|| |[Branch|https://github.com/apache/cassandra/compare/trunk...benbromhead:11471]| was (Author: benbromhead): Sorry for the delay, the joy of a new baby :) Addressed all the comments except one. bq. Only if encryption is optional? Basically because the authenticator can only work if the certificates are there? It seems like this can NPE? Currently getSaslNegotiator will try to get the certificate chain from the channel if client encryption is enabled and connecting on an encrypted session is not optional. This means null instead of a certificate chain will be passed in when getting the new SASL authenticator. I couldn't think of a nice way to pass the certificate chain to the authenticator but still respect the fact there are authenticators that just don't care about them. Given that Optional does not appear to be used in the project and I didn't want to add even more more methods to IAuthenticator. Thinking about it again, it probably just makes sense to overload newV5SaslNegotiator and not have to pass in certificates, which would reduce the chance of someone implementing a new Authenticator getting an NPE. ||4.0|| |[Branch|https://github.com/apache/cassandra/compare/trunk...benbromhead:11471]| > Add SASL mechanism negotiation to the native protocol > ----------------------------------------------------- > > Key: CASSANDRA-11471 > URL: https://issues.apache.org/jira/browse/CASSANDRA-11471 > Project: Cassandra > Issue Type: Sub-task > Components: CQL > Reporter: Sam Tunnicliffe > Assignee: Ben Bromhead > Labels: client-impacting > Attachments: CASSANDRA-11471 > > > Introducing an additional message exchange into the authentication sequence would allow us to support multiple authentication schemes and [negotiation of SASL mechanisms|https://tools.ietf.org/html/rfc4422#section-3.2]. > The current {{AUTHENTICATE}} message sent from Client to Server includes the java classname of the configured {{IAuthenticator}}. This could be superceded by a new message which lists the SASL mechanisms supported by the server. The client would then respond with a new message which indicates it's choice of mechanism. This would allow the server to support multiple mechanisms, for example enabling both {{PLAIN}} for username/password authentication and {{EXTERNAL}} for a mechanism for extracting credentials from SSL certificates\* (see the example in [RFC-4422|https://tools.ietf.org/html/rfc4422#appendix-A]). Furthermore, the server could tailor the list of supported mechanisms on a per-connection basis, e.g. only offering certificate based auth to encrypted clients. > The client's response should include the selected mechanism and any initial response data. This is mechanism-specific; the {{PLAIN}} mechanism consists of a single round in which the client sends encoded credentials as the initial response data and the server response indicates either success or failure with no futher challenges required. > From a protocol perspective, after the mechanism negotiation the exchange would continue as in protocol v4, with one or more rounds of {{AUTH_CHALLENGE}} and {{AUTH_RESPONSE}} messages, terminated by an {{AUTH_SUCCESS}} sent from Server to Client upon successful authentication or an {{ERROR}} on auth failure. > XMPP performs mechanism negotiation in this way, [RFC-3920|http://tools.ietf.org/html/rfc3920#section-6] includes a good overview. > \* Note: this would require some a priori agreement between client and server over the implementation of the {{EXTERNAL}} mechanism. -- This message was sent by Atlassian JIRA (v6.3.15#6346)