[ https://issues.apache.org/jira/browse/CASSANDRA-19366?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17816883#comment-17816883 ]
Stefan Miklosovic edited comment on CASSANDRA-19366 at 2/13/24 7:52 AM:
------------------------------------------------------------------------
[j17 pre commit|https://app.circleci.com/pipelines/github/instaclustr/cassandra/3844/workflows/f38ff0af-96f0-4d67-905a-357c346ece92]
[j11 pre commit|https://app.circleci.com/pipelines/github/instaclustr/cassandra/3844/workflows/f6c6ad66-f4a0-4396-b629-32078255fc9d]
all looks fine, I do not see anything suspicious among the failures
[~frankgh] approved on the PR already.
was (Author: smiklosovic):
[j17 pre commit|https://app.circleci.com/pipelines/github/instaclustr/cassandra/3844/workflows/f38ff0af-96f0-4d67-905a-357c346ece92]
[j11 pre commit|https://app.circleci.com/pipelines/github/instaclustr/cassandra/3844/workflows/f6c6ad66-f4a0-4396-b629-32078255fc9d]
all looks fine, I do not see anything suspicious among the failures
[~frankgh] I am waiting for the final +1 from you.
> Expose mode of authentication in system_views.clients, nodetool clientstats,
> and ClientMetrics
> ----------------------------------------------------------------------------------------------
>
> Key: CASSANDRA-19366
> URL: https://issues.apache.org/jira/browse/CASSANDRA-19366
> Project: Cassandra
> Issue Type: Improvement
> Components: Feature/Encryption, Messaging/Client, Observability/JMX,
> Observability/Metrics, Tool/nodetool
> Reporter: Andy Tolbert
> Assignee: Andy Tolbert
> Priority: Normal
> Fix For: 5.x
>
> Attachments: CASSANDRA-19366-trunk-1_test_results-1.tgz,
> CASSANDRA-19366-trunk-1_test_results.tgz,
> CASSANDRA-19366-trunk-1_test_results_summary.html,
> CASSANDRA-19366-trunk-6_ci_summary.html
>
> Time Spent: 3h 50m
> Remaining Estimate: 0h
>
> CASSANDRA-18554 added support for mTLS-authenticated clients. Part of this
> contribution introduced {{MutualTlsWithPasswordFallbackAuthenticator}},
> which enables Cassandra to support either password or mTLS-authenticated
> connections.
> As an operator, it would be useful to know which connections are mTLS
> authenticated, and which are password authenticated, as a possible mode of
> operation is migrating users from one form of authentication to another. It
> would also be useful to know, if authentication attempts are failing,
> which mode of authentication is unsuccessful.
> Proposing to add the following:
> * Add a {{mode: string}} and {{metadata: map<string, string>}} to
> {{AuthenticatedUser}}. Update existing {{IAuthenticator}} implementations
> to pass {{mode}} (e.g. {{password}}, {{mtls}}), and optionally pass a
> {{metadata}} map (e.g. this can include the extracted {{identity}} from a
> client certificate for {{mtls}} authentication).
> * Update nodetool clientstats to add a new option flag {{--metadata}},
> which when passed exposes these new fields on {{AuthenticatedUser}}. (Not
> added to existing output to maintain compatibility, much like
> {{-client-options}} did.)
> * Update {{system_views.clients}} to include columns for these new fields.
> * Add new metrics to {{ClientMetrics}}:
> ** Track authentication success and failures by mode. (Note: The metrics
> present by authentication mode scope are contextual based on the
> Authenticator used (e.g. only {{scope=Password}} will be present for
> {{PasswordAuthenticator}}).)
> {noformat}
> Existing:
> org.apache.cassandra.metrics:name=AuthSuccess,type=Client
> org.apache.cassandra.metrics:name=AuthFailure,type=Client
> New:
> org.apache.cassandra.metrics:name=AuthSuccess,scope=MutualTls,type=Client
> org.apache.cassandra.metrics:name=AuthSuccess,scope=Password,type=Client
> org.apache.cassandra.metrics:name=AuthFailure,scope=MutualTls,type=Client
> org.apache.cassandra.metrics:name=AuthFailure,scope=Password,type=Client
> {noformat}
> ** Track connection counts by mode:
> {noformat}
> Existing:
> org.apache.cassandra.metrics:name=ConnectedNativeClients,type=Client
> org.apache.cassandra.metrics:name=connectedNativeClients,type=Client (previously deprecated but still maintained)
> New:
> org.apache.cassandra.metrics:name=ConnectedNativeClients,scope=MutualTls,type=Client
> org.apache.cassandra.metrics:name=ConnectedNativeClients,scope=Password,type=Client
> {noformat}
> ** A metric to track encrypted vs. non-encrypted connections:
> {noformat}
> org.apache.cassandra.metrics:name=ConnectedNativeClients,scope=Encrypted,type=Client
> org.apache.cassandra.metrics:name=ConnectedNativeClients,scope=Unencrypted,type=Client
> {noformat}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
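
An added example, not part of the original message or of the Cassandra code base: one way an operator could consume the scoped {{ClientMetrics}} proposed in the issue while migrating users from password to mTLS authentication. The metric names are those listed in the issue; the sample values, the helper names and the 10% failure threshold are assumptions, and the values are assumed to be counts already read over JMX.

```python
from collections import defaultdict

DOMAIN = "org.apache.cassandra.metrics"

def client_metric(name, scope=None):
    """Build an ObjectName in the form listed in the issue."""
    scope_part = f",scope={scope}" if scope else ""
    return f"{DOMAIN}:name={name}{scope_part},type=Client"

# Constructed snapshot (values are made up), as if already read over JMX.
SAMPLE = {
    client_metric("ConnectedNativeClients"): 50,
    client_metric("ConnectedNativeClients", "MutualTls"): 42,
    client_metric("ConnectedNativeClients", "Password"): 8,
    client_metric("ConnectedNativeClients", "Encrypted"): 45,
    client_metric("ConnectedNativeClients", "Unencrypted"): 5,
    client_metric("AuthSuccess", "MutualTls"): 900,
    client_metric("AuthSuccess", "Password"): 100,
    client_metric("AuthFailure", "MutualTls"): 3,
    client_metric("AuthFailure", "Password"): 60,
}

def by_scope(snapshot):
    """Group scoped Client metrics as {name: {scope: value}}; unscoped totals are skipped."""
    grouped = defaultdict(dict)
    for object_name, value in snapshot.items():
        domain, _, props = object_name.partition(":")
        keys = dict(p.split("=", 1) for p in props.split(","))
        if domain == DOMAIN and keys.get("type") == "Client" and "scope" in keys:
            grouped[keys["name"]][keys["scope"]] = value
    return grouped

def auth_mode_report(snapshot, max_failure_ratio=0.10):
    """Summarise migration progress and flag modes whose failure ratio is too high."""
    m = by_scope(snapshot)
    conns = m.get("ConnectedNativeClients", {})
    ok, bad = m.get("AuthSuccess", {}), m.get("AuthFailure", {})
    failing = []
    # A scope is absent when the configured authenticator does not offer that mode.
    for mode in ("MutualTls", "Password"):
        attempts = ok.get(mode, 0) + bad.get(mode, 0)
        if attempts and bad.get(mode, 0) / attempts > max_failure_ratio:
            failing.append(mode)
    return {
        "mtls_connections": conns.get("MutualTls", 0),
        "password_connections": conns.get("Password", 0),
        "unencrypted_connections": conns.get("Unencrypted", 0),
        "failing_modes": failing,
    }
```

Calling {{auth_mode_report(SAMPLE)}} on the constructed snapshot reports the remaining password and unencrypted connections and names {{Password}} as the failing mode.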