[
https://issues.apache.org/jira/browse/CASSANDRA-18857?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Francisco Guerrero updated CASSANDRA-18857:
-------------------------------------------
Fix Version/s: 5.1
Source Control Link:
https://github.com/apache/cassandra/commit/c09d0d929baeaa02f3438313c7979ccf6b4b3c5a
Resolution: Fixed
Status: Resolved (was: Ready to Commit)
> Allow CQL client certificate authentication to work without sending an
> AUTHENTICATE request
> -------------------------------------------------------------------------------------------
>
> Key: CASSANDRA-18857
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18857
> Project: Cassandra
> Issue Type: Improvement
> Components: Feature/Encryption
> Reporter: Andy Tolbert
> Assignee: Andy Tolbert
> Priority: Normal
> Fix For: 5.1
>
> Attachments: ci_summary.html, result_details.tar.gz
>
> Time Spent: 4h 40m
> Remaining Estimate: 0h
>
> Currently when using {{MutualTlsAuthenticator}} or
> {{MutualTlsWithPasswordFallbackAuthenticator}} a client is prompted with an
> {{AUTHENTICATE}} message to which they must respond with an {{AUTH_RESPONSE}}
> (e.g. a user name and password). This shouldn't be needed as the role can be
> identified using only the certificate.
> To address this, we could add the capability to authenticate early in
> processing of a {{STARTUP}} message if we can determine that both the
> configured authenticator supports certificate authentication and a client
> certificate was provided. If the certificate can be authenticated, a
> {{READY}} response is returned, otherwise an {{ERROR}} is returned.
> This change can be done done in a fully backwards compatible way and requires
> no protocol or driver changes; I will supply a patch shortly!
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
