[
https://issues.apache.org/jira/browse/CASSANDRA-18857?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Andy Tolbert updated CASSANDRA-18857:
-------------------------------------
Impacts: Security (was: None)
Test and Documentation Plan:
Test included in PR:
* {{AuthenticationTest}} tests existing code path that ensures {{AUTHENTICATE}}
request is sent in response to {{STARTUP}} with {{PasswordAuthenticator}}
* {{EarlyCertificateAuthenticationTest}} which validates authentication path
where certificate is provided (or not) with MutualTlsAuthenticator.
* {{MutualTlsWithPasswordFallbackAuthenticatorEarlyCertificateAuthenticationTest}}
additionally validates authentication path where certificate is optionally
provided with credentials.
Status: Patch Available (was: Open)
Patch available at: https://github.com/apache/cassandra/pull/2969
> Allow CQL client certificate authentication to work without sending an
> AUTHENTICATE request
> -------------------------------------------------------------------------------------------
>
> Key: CASSANDRA-18857
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18857
> Project: Cassandra
> Issue Type: Improvement
> Components: Feature/Encryption
> Reporter: Andy Tolbert
> Assignee: Andy Tolbert
> Priority: Normal
> Time Spent: 50m
> Remaining Estimate: 0h
>
> Currently when using {{MutualTlsAuthenticator}} or
> {{MutualTlsWithPasswordFallbackAuthenticator}} a client is prompted with an
> {{AUTHENTICATE}} message to which they must respond with an {{AUTH_RESPONSE}}
> (e.g. a user name and password). This shouldn't be needed as the role can be
> identified using only the certificate.
> To address this, we could add the capability to authenticate early in
> processing of a {{STARTUP}} message if we can determine that both the
> configured authenticator supports certificate authentication and a client
> certificate was provided. If the certificate can be authenticated, a
> {{READY}} response is returned, otherwise an {{ERROR}} is returned.
> This change can be done in a fully backwards compatible way and requires
> no protocol or driver changes; I will supply a patch shortly!
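
The STARTUP handling described in the ticket, sketched as a small model. This is an added example, not code from the Cassandra patch. The class and function names, the identity-to-role lookup standing in for "the certificate can be authenticated", and the sample identities are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical model of the handshake in this ticket; these are not Cassandra classes.
@dataclass(frozen=True)
class Authenticator:
    name: str
    supports_cert_auth: bool  # assumed True only for the mutual-TLS authenticators

@dataclass(frozen=True)
class Connection:
    cert_identity: Optional[str]  # identity from the TLS client certificate, None if none was sent

PASSWORD = Authenticator("PasswordAuthenticator", False)
MTLS = Authenticator("MutualTlsAuthenticator", True)
MTLS_FALLBACK = Authenticator("MutualTlsWithPasswordFallbackAuthenticator", True)

# Constructed sample data: certificate identity -> role (assumed stand-in for validation).
IDENTITY_TO_ROLE: Dict[str, str] = {"spiffe://example.test/app/reporting": "reporting_role"}

def on_startup(auth: Authenticator, conn: Connection) -> Tuple[str, Optional[str]]:
    """Server reply to STARTUP as (message, authenticated role or None)."""
    if auth.supports_cert_auth and conn.cert_identity is not None:
        # Early path: the certificate alone decides, so the outcome is READY or ERROR.
        role = IDENTITY_TO_ROLE.get(conn.cert_identity)
        return ("READY", role) if role is not None else ("ERROR", None)
    # Existing path: prompt the client, which answers with AUTH_RESPONSE.
    return ("AUTHENTICATE", None)

def handshake(auth: Authenticator, conn: Connection) -> List[str]:
    """Messages exchanged, client and server interleaved, up to the client's last send."""
    reply, _ = on_startup(auth, conn)
    trace = ["STARTUP", reply]
    if reply == "AUTHENTICATE":
        trace.append("AUTH_RESPONSE")
    return trace

if __name__ == "__main__":
    known = Connection("spiffe://example.test/app/reporting")
    cases = [(PASSWORD, known), (MTLS, known),
             (MTLS, Connection("spiffe://example.test/app/unknown")),
             (MTLS_FALLBACK, Connection(None))]
    for auth, conn in cases:
        print(f"{auth.name:45} cert={conn.cert_identity} -> {' > '.join(handshake(auth, conn))}")
```

A client already has to accept either READY or AUTHENTICATE after STARTUP, which is why the early path needs no protocol or driver change.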