[
https://issues.apache.org/jira/browse/CASSANDRA-18554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17747658#comment-17747658
]
Yifan Cai commented on CASSANDRA-18554:
---------------------------------------
I reviewed the changes since last time did. Left some minor comments, and they
were addressed.
+1 on the patch.
> mTLS based client and internode authenticators
> ----------------------------------------------
>
> Key: CASSANDRA-18554
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18554
> Project: Cassandra
> Issue Type: New Feature
> Components: Feature/Authorization
> Reporter: Jyothsna Konisa
> Assignee: Jyothsna Konisa
> Priority: Normal
> Time Spent: 2.5h
> Remaining Estimate: 0h
>
> Cassandra currently doesn't have any certificate based authenticator for both
> client connections and internode connections. If one wants to use certificate
> based authentication protocol like TLS, in which clients send their
> certificates for the TLS handshake, we can leverage the information from the
> client certificate to identify a client. Using this authentication mechanism
> one can avoid the pain of password generations, sharing and rotation.
> Introducing following certificate based mTLS authenticators for internode and
> client connections
> MutualTlsAuthenticator (client authentication)
> MutualTlsInternodeAuthenticator (internode authentication)
> MutualTlsWithPasswordFallbackAuthenticator (for optional mode operation for
> client authentication)
> An implementation of MutualTlsCertificateValidator called
> SpiffeCertificateValidator whose identity is SPIFFE that is embedded in SAN
> of the client certificate. One can implement their own CertificateValidator
> to match their needs and configure it in Cassandra.yaml
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
