[jira] [Commented] (CASSANDRA-18857) Allow CQL client certificate authentication to work without sending an AUTHENTICATE request

[Andy Tolbert (Jira)]

    [ 
https://issues.apache.org/jira/browse/CASSANDRA-18857?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17808807#comment-17808807
 ] 

Andy Tolbert commented on CASSANDRA-18857:
------------------------------------------

Thanks everyone! Test results attached, things came back mostly clean:

[^ci_summary.html] 
[^result_details.tar.gz]

The failing tests appear to be unrelated/flakes:
 * largecolumn_test.TestLargeColumn#test_cleanup - looks like a common flake 
that has come up a number of times; I'll look into seeing if something i can 
help with if not already handled, but high confidence it's not related to my 
change.
 * 
upgrade_tests.upgrade_through_versions_test.TestUpgrade_indev_4_1_x_To_indev_trunk
test_bootstrap_multidc ([CASSANDRA-17893])
 * 
upgrade_tests.upgrade_through_versions_test.TestUpgrade_indev_4_1_x_To_indev_trunk
test_parallel_upgrade_with_internode_ssl ([CASSANDRA-17893])

 

> Allow CQL client certificate authentication to work without sending an 
> AUTHENTICATE request
> -------------------------------------------------------------------------------------------
>
>                 Key: CASSANDRA-18857
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-18857
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Feature/Encryption
>            Reporter: Andy Tolbert
>            Assignee: Andy Tolbert
>            Priority: Normal
>         Attachments: ci_summary.html, result_details.tar.gz
>
>          Time Spent: 4h 40m
>  Remaining Estimate: 0h
>
> Currently when using {{MutualTlsAuthenticator}} or 
> {{MutualTlsWithPasswordFallbackAuthenticator}} a client is prompted with an 
> {{AUTHENTICATE}} message to which they must respond with an {{AUTH_RESPONSE}} 
> (e.g. a user name and password).  This shouldn't be needed as the role can be 
> identified using only the certificate.
> To address this, we could add the capability to authenticate early in 
> processing of a {{STARTUP}} message if we can determine that both the 
> configured authenticator supports certificate authentication and a client 
> certificate was provided.  If the certificate can be authenticated, a 
> {{READY}} response is returned, otherwise an {{ERROR}} is returned.
> This change can be done done in a fully backwards compatible way and requires 
> no protocol or driver changes;  I will supply a patch shortly!



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org