[ https://issues.apache.org/jira/browse/CASSANDRA-18420?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17718862#comment-17718862 ]
Sam Tunnicliffe commented on CASSANDRA-18420:
---------------------------------------------

This description is not quite accurate.

{quote}the client needs to send the STARTUP message and then wait for the AUTHENTICATE message from the Cassandra server{quote}

This is correct, but not this:

{quote}If there is no username in the STARTUP message, there is no way that the Cassandra server can send the AUTHENTICATE message.{quote}

STARTUP never contains a username. If authentication is configured on the server, it always responds to the STARTUP with an AUTHENTICATE message. The actual authentication is then performed via the [SASL|https://datatracker.ietf.org/doc/html/rfc4422] protocol, with [PLAIN|https://datatracker.ietf.org/doc/html/rfc4616] being the only mechanism supported out of the box by the OSS distro.

{quote}The mechanism consists of a single message, a string of [UTF-8] encoded [Unicode] characters, from the client to the server. The client presents the authorization identity (identity to act as), followed by a NUL (U+0000) character, followed by the authentication identity (identity whose password will be used), followed by a NUL (U+0000) character, followed by the clear-text password.{quote}

So the situation I think you're describing is that the client receives the AUTHENTICATE then simply doesn't respond, and this is what is happening in the cqlsh example posted here. If no credentials are supplied to cqlsh at the outset, it doesn't configure an {{AuthProvider}} then throws when it receives the AUTHENTICATE response from the server ([here|https://github.com/datastax/python-driver/blob/master/cassandra/connection.py#L1387-L1395C3]).
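The exchange described in the comment above, as an added worked example that is not part of the Jira thread, of Cassandra, or of the python-driver: a client builds a native protocol v4 STARTUP frame (a string map of options, with no username field), a simulated server answers it with AUTHENTICATE naming PasswordAuthenticator, and the client either sends an AUTH_RESPONSE carrying an RFC 4616 PLAIN token (authzid NUL authcid NUL password) or, when it has no credentials, sends nothing further, mirroring the cqlsh behaviour described. The `SimulatedServer` class, its `audit` list, the `connect` function and the error text are constructed for this example and are not Cassandra's own code or log format; the opcodes, frame header layout and PLAIN encoding follow the public protocol specs.

```python
"""CQL native protocol v4 STARTUP / AUTHENTICATE / AUTH_RESPONSE exchange with
SASL PLAIN. Illustrative client plus a simulated server; no network I/O, and
none of this is Cassandra or python-driver code."""
import struct

# Native protocol v4 opcodes and version bytes (from the protocol spec).
OP_ERROR, OP_STARTUP, OP_READY, OP_AUTHENTICATE = 0x00, 0x01, 0x02, 0x03
OP_AUTH_RESPONSE, OP_AUTH_SUCCESS = 0x0F, 0x10
REQ_VERSION, RESP_VERSION = 0x04, 0x84
ERR_BAD_CREDENTIALS = 0x0100
PASSWORD_AUTHENTICATOR = "org.apache.cassandra.auth.PasswordAuthenticator"


def _string(s):              # [string]: int16 length + UTF-8 bytes
    data = s.encode("utf-8")
    return struct.pack(">H", len(data)) + data


def _bytes(b):               # [bytes]: int32 length (-1 for null) + bytes
    return struct.pack(">i", -1) if b is None else struct.pack(">i", len(b)) + b


def frame(version, opcode, body, stream=0):
    # 9-byte header: version, flags, stream (int16), opcode, body length (int32)
    return struct.pack(">BBhBi", version, 0, stream, opcode, len(body)) + body


def parse_frame(buf):
    _, _, _, opcode, length = struct.unpack(">BBhBi", buf[:9])
    body = buf[9:9 + length]
    if len(body) != length:
        raise ValueError("truncated frame")
    return opcode, body


def read_string(body, off=0):
    (n,) = struct.unpack(">H", body[off:off + 2])
    return body[off + 2:off + 2 + n].decode("utf-8"), off + 2 + n


def read_bytes(body, off=0):
    (n,) = struct.unpack(">i", body[off:off + 4])
    return (None, off + 4) if n < 0 else (body[off + 4:off + 4 + n], off + 4 + n)


def startup_frame():
    # STARTUP carries only a string map of options; there is no username field.
    body = struct.pack(">H", 1) + _string("CQL_VERSION") + _string("3.0.0")
    return frame(REQ_VERSION, OP_STARTUP, body)


def sasl_plain(username, password, authzid=""):
    # RFC 4616: authzid NUL authcid NUL password, all UTF-8, no trailing NUL.
    return b"\x00".join(s.encode("utf-8") for s in (authzid, username, password))


def parse_sasl_plain(token):
    parts = token.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN token")
    return tuple(p.decode("utf-8") for p in parts)


class SimulatedServer:
    """Stand-in for a node with PasswordAuthenticator enabled (constructed for
    this example; the audit list is a toy, not Cassandra's audit log)."""

    def __init__(self, users):
        self.users = users
        self.audit = []

    def handle(self, raw):
        opcode, body = parse_frame(raw)
        if opcode == OP_STARTUP:
            # With authentication configured the reply is always AUTHENTICATE.
            return frame(RESP_VERSION, OP_AUTHENTICATE, _string(PASSWORD_AUTHENTICATOR))
        if opcode == OP_AUTH_RESPONSE:
            token, _ = read_bytes(body)
            _, user, pw = parse_sasl_plain(token)
            if self.users.get(user) == pw:
                self.audit.append(("LOGIN_SUCCESS", user))
                return frame(RESP_VERSION, OP_AUTH_SUCCESS, _bytes(None))
            self.audit.append(("LOGIN_ERROR", user))
            err = struct.pack(">i", ERR_BAD_CREDENTIALS) + _string("bad credentials for " + user)
            return frame(RESP_VERSION, OP_ERROR, err)
        raise ValueError("unexpected opcode 0x%02x" % opcode)


def connect(server, username=None, password=None):
    """Run the handshake; return (outcome, list of messages seen)."""
    trace = ["STARTUP"]
    opcode, body = parse_frame(server.handle(startup_frame()))
    if opcode == OP_READY:
        return "READY", trace + ["READY"]
    authenticator, _ = read_string(body)
    trace.append("AUTHENTICATE(%s)" % authenticator)
    if username is None:
        # Like a driver with no AuthProvider configured: nothing more is sent,
        # so the server never receives an AUTH_RESPONSE to authenticate.
        return "AuthenticationFailed: Remote end requires authentication", trace
    trace.append("AUTH_RESPONSE")
    token = _bytes(sasl_plain(username, password or ""))
    opcode, body = parse_frame(server.handle(frame(REQ_VERSION, OP_AUTH_RESPONSE, token)))
    if opcode == OP_AUTH_SUCCESS:
        return "AUTH_SUCCESS", trace + ["AUTH_SUCCESS"]
    (code,) = struct.unpack(">i", body[:4])
    msg, _ = read_string(body, 4)
    return "ERROR 0x%04x: %s" % (code, msg), trace + ["ERROR"]
```

Running `connect(SimulatedServer({"cassandra": "cassandra"}))` with no username stops after the AUTHENTICATE reply, so the simulated server's `audit` list stays empty: the only message it ever saw was STARTUP, which carries no identity to record. Passing a username and password produces a full STARTUP, AUTHENTICATE, AUTH_RESPONSE, AUTH_SUCCESS (or ERROR) round trip.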
> Connection without username not logged in auditlog
> ---------------------------------------------------
>
>                 Key: CASSANDRA-18420
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-18420
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Tool/auditlogging
>            Reporter: Yakir Gibraltar
>            Assignee: Ningzi Zhan
>            Priority: Normal
>             Fix For: 4.0.x, 4.1.x, 5.x
>
>
> Hi,
> If making connection *without username* to cassandra cluster with PasswordAuthenticator enabled,
> Connection will fail but not logged on auditlog.
> How to reproduce:
> # Enable "authenticator: PasswordAuthenticator" on cluster
> # Enable audit : "nodetool enableauditlog"
> # Open a new screen and run "auditlogviewer -f <log_location>/audit/"
> # Try to connect, and connection will fail:
> {code:java}
> [root@c1 ~]# cqlsh
> Connection error: ('Unable to connect to any servers', {'127.0.0.1:9042': AuthenticationFailed('Remote end requires authentication',)}){code}
> # *But nothing in auditlogviewer*.
> Connection with incorrect usernames or password is logged correctly on auditlog,
> the problem is only on connection without username.
> How it's affecting:
> # Security reason, hard to find unauthorized connection attempts.
> # When migrating cluster into PasswordAuthenticator, hard to find applications that didn't add username/password.
> Thank you.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org