[ https://issues.apache.org/jira/browse/CASSANDRA-10956?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15218031#comment-15218031 ]
Samuel Klock commented on CASSANDRA-10956:
------------------------------------------

Revisiting the native protocol's SASL implementation definitely sounds like the right solution, at least in the abstract. If that can be done in 4.0 in a way that supports this authentication strategy, then I think we're comfortable closing this ticket. (We could also have the ticket wait until the new SASL implementation is available, at which point we could consider contributing a new solution that works with it.)

It's worth noting that the EXTERNAL mechanism is potentially very open-ended, though; it's not clear to me what system state is potentially relevant or how Cassandra would expose it. If it turns out that it's impractical to implement SASL in such a way that this strategy is supported, it may be wise to revisit the decision to close this ticket.

> Enable authentication of native protocol users via client certificates
> ----------------------------------------------------------------------
>
> Key: CASSANDRA-10956
> URL: https://issues.apache.org/jira/browse/CASSANDRA-10956
> Project: Cassandra
> Issue Type: New Feature
> Reporter: Samuel Klock
> Assignee: Samuel Klock
> Attachments: 10956.patch
>
>
> Currently, the native protocol only supports user authentication via SASL.
> While this is adequate for many use cases, it may be superfluous in scenarios
> where clients are required to present an SSL certificate to connect to the
> server. If the certificate presented by a client is sufficient by itself to
> specify a user, then an additional (series of) authentication step(s) via
> SASL merely add overhead. Worse, for uses wherein it's desirable to obtain
> the identity from the client's certificate, it's necessary to implement a
> custom SASL mechanism to do so, which increases the effort required to
> maintain both client and server and which also duplicates functionality
> already provided via SSL/TLS.
>
> Cassandra should provide a means of using certificates for user
> authentication in the native protocol without any effort above configuring
> SSL on the client and server. Here's a possible strategy:
>
> * Add a new authenticator interface that returns {{AuthenticatedUser}}
>   objects based on the certificate chain presented by the client.
> * If this interface is in use, the user is authenticated immediately after
>   the server receives the {{STARTUP}} message. It then responds with a
>   {{READY}} message.
> * Otherwise, the existing flow of control is used (i.e., if the authenticator
>   requires authentication, then an {{AUTHENTICATE}} message is sent to the
>   client).
>
> One advantage of this strategy is that it is backwards-compatible with
> existing schemes; current users of SASL/{{IAuthenticator}} are not impacted.
> Moreover, it can function as a drop-in replacement for SASL schemes without
> requiring code changes (or even config changes) on the client side.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
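The server-side decision the quoted proposal describes, as an added illustration that is not Cassandra's code or the attached patch: the class names, the `READY`/`AUTHENTICATE` strings and the `require_authentication` flag are placeholders for the real classes and opcodes, and the peer certificate is assumed to be in the dict layout Python's `ssl.SSLSocket.getpeercert()` returns only after the TLS layer has verified the chain against the trust store.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AuthenticatedUser:
    name: str


class AuthenticationError(Exception):
    pass


def common_name(peer_cert: dict) -> str:
    """Subject CN from a getpeercert()-style dict: the subject is a tuple
    of RDNs, each a tuple of (attribute_type, value) pairs."""
    for rdn in peer_cert.get("subject", ()):
        for attr_type, value in rdn:
            if attr_type == "commonName":
                return value
    raise AuthenticationError("client certificate has no commonName")


class CertificateAuthenticator:
    """Hypothetical authenticator: maps a TLS-verified client certificate
    to a user, so no SASL round trip is needed."""
    require_authentication = True

    def authenticate(self, peer_cert: Optional[dict]) -> AuthenticatedUser:
        # Fail closed: if the listener did not demand a client certificate
        # (or the client sent none), there is no identity to trust.
        if not peer_cert:
            raise AuthenticationError("no client certificate presented")
        return AuthenticatedUser(common_name(peer_cert))


class SaslAuthenticator:
    """Stand-in for the existing IAuthenticator flow (AUTHENTICATE/AUTH_RESPONSE)."""
    require_authentication = True


def handle_startup(authenticator, peer_cert: Optional[dict]):
    """Return (response, user): READY immediately for certificate auth,
    otherwise the unchanged flow (AUTHENTICATE if auth is required, else READY)."""
    if isinstance(authenticator, CertificateAuthenticator):
        return "READY", authenticator.authenticate(peer_cert)
    if authenticator.require_authentication:
        return "AUTHENTICATE", None
    return "READY", None


# Constructed sample peer certificate in the getpeercert() layout.
SAMPLE_CERT = {"subject": ((("organizationName", "Example Corp"),),
                           (("commonName", "alice"),))}
```

Whether the CN, a SAN or some other attribute is the right identity field is a deployment decision; the point of the fail-closed branch is that a certificate authenticator must never silently admit a connection that presented no verified certificate.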