Joel Shepherd created CASSANDRA-20061:
-----------------------------------------

             Summary: Case-insensitivity in IAuthenticator impls and AuthUtil.handleLogin()
                 Key: CASSANDRA-20061
                 URL: https://issues.apache.org/jira/browse/CASSANDRA-20061
             Project: Cassandra
          Issue Type: Bug
            Reporter: Joel Shepherd


Hi - I'm working on a proof-of-concept plugin for using a 3rd party IDP to 
support client-node and node-node authentication (in Cassandra 5). I noticed 
something a little confusing in AuthUtil.handleLogin() and am not sure if it's 
intentional, or an oversight (which I'm happy to try to correct). Would like to 
get some guidance first.

The tl;dr question is: Are implementations of 
SaslNegotiator.getAuthenticatedUser() supposed to return either a quoted 
user/role name, or a bare user name forced to lowercase (to match with 
case-insensitive rolenames created via CREATE ROLE), or should that forcing be 
happening somewhere in the path of AuthUtil.handleLogin()? (Here: 
https://github.com/apache/cassandra/blob/7b33e91852aee7af2e995273237d0f3828cd9e4b/src/java/org/apache/cassandra/transport/messages/AuthUtil.java#L73).

Current behavior is that nowhere in AuthUtil.handleLogin() is a bare user name 
returned by a SaslNegotiator forced to lowercase for case-insensitive matching. 
In my case, the IDP considers user names to be case-insensitive but it may 
return authenticated user names in mixed case (e.g. "Susie"). In that case, the 
SaslNegotiator considers authentication successful, but the core Cassandra code 
fails the login attempt because (for example) "Susie" != "susie".

Is this expected behavior, or should bare user names be normalized to all 
lowercase somewhere in the AuthUtil.handleLogin() implementation to perform a 
case-insensitive lookup for associated roles?

Thanks - Joel.



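The mismatch described in the report ("Susie" from the IDP versus the "susie" that CREATE ROLE stored) comes down to CQL identifier rules: an unquoted identifier is case-insensitive and stored in lowercase, a double-quoted one keeps its case and escapes an embedded quote as two quotes. The following is an added, self-contained example and not code from Cassandra or from the reporter's plugin. It applies those rules to the string an IDP hands back before the role lookup, and simulates the exact-match lookup against a constructed roles table; the names normalizeRoleName, lookupRole and the ROLES set are assumptions of this example only.

```java
import java.util.Locale;
import java.util.Optional;
import java.util.Set;

/**
 * Added example (not Cassandra's code): apply CQL identifier rules to the user
 * name an external IDP returns, so that a mixed-case name from a case-insensitive
 * IDP matches the lowercase role that an unquoted CREATE ROLE stored.
 */
public final class RoleNameNormalizer {

    private RoleNameNormalizer() {}

    /**
     * CQL identifier rules: an unquoted name is case-insensitive and stored in
     * lowercase; a double-quoted name keeps its case, and a literal double quote
     * inside it is written as two double quotes.
     */
    public static String normalizeRoleName(String raw) {
        if (raw == null || raw.isEmpty()) {
            throw new IllegalArgumentException("empty role name");
        }
        boolean quoted = raw.length() >= 2
                && raw.charAt(0) == '"'
                && raw.charAt(raw.length() - 1) == '"';
        if (!quoted) {
            // Locale.ROOT: a Turkish default locale would otherwise map 'I' to a dotless i.
            return raw.toLowerCase(Locale.ROOT);
        }
        String inner = raw.substring(1, raw.length() - 1);
        StringBuilder out = new StringBuilder(inner.length());
        for (int i = 0; i < inner.length(); i++) {
            char c = inner.charAt(i);
            if (c == '"') {
                // Only a doubled quote ("") is valid inside a quoted identifier.
                if (i + 1 < inner.length() && inner.charAt(i + 1) == '"') {
                    i++;
                } else {
                    throw new IllegalArgumentException("unbalanced quote in role name: " + raw);
                }
            }
            out.append(c);
        }
        if (out.length() == 0) {
            throw new IllegalArgumentException("empty quoted role name");
        }
        return out.toString();
    }

    /** Constructed stand-in for the roles table: CREATE ROLE susie; CREATE ROLE "Admin". */
    private static final Set<String> ROLES = Set.of("susie", "Admin");

    /** Mirrors an exact-match lookup of the stored role name, as the login path does. */
    public static Optional<String> lookupRole(String name) {
        return ROLES.contains(name) ? Optional.of(name) : Optional.empty();
    }

    public static void main(String[] args) {
        String fromIdp = "Susie"; // constructed: a case-insensitive IDP returning mixed case
        System.out.println("raw lookup        : " + lookupRole(fromIdp));
        System.out.println("normalized lookup : " + lookupRole(normalizeRoleName(fromIdp)));
        System.out.println("quoted, kept case : " + lookupRole(normalizeRoleName("\"Admin\"")));
        System.out.println("escaped quote     : " + normalizeRoleName("\"O\"\"Brien\""));
    }
}
```

A plugin's SaslNegotiator.getAuthenticatedUser() could apply this normalization before building the AuthenticatedUser it returns; whether that step belongs in each IAuthenticator implementation or in AuthUtil.handleLogin() is exactly the question the issue raises, and the example takes no position on it. Note that lowercasing is applied only to a bare name: an IDP that deliberately issues case-sensitive names would need to return them quoted, or the lookup would collapse distinct accounts onto one role.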
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
