[ https://issues.apache.org/jira/browse/CASSANDRA-20061?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17896304#comment-17896304 ]

Brandon Williams commented on CASSANDRA-20061:
----------------------------------------------

/cc [~tolbertam]

> Case-insensitivity in IAuthenticator impls and AuthUtil.handleLogin()
> ---------------------------------------------------------------------
>
>                 Key: CASSANDRA-20061
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-20061
>             Project: Cassandra
>          Issue Type: Bug
>            Reporter: Joel Shepherd
>            Priority: Normal
>
> Hi - I'm working on a proof-of-concept plugin for using a 3rd party IDP to 
> support client-node and node-node authentication (in Cassandra 5). I noticed 
> something a little confusing in AuthUtil.handleLogin() and am not sure if 
> it's intentional, or an oversight (which I'm happy to try to correct). Would 
> like to get some guidance first.
> The tl;dr question is: Are implementations of 
> SaslNegotiator.getAuthenticatedUser() supposed to return either a quoted 
> user/role name, or a bare user name forced to lowercase (to match with 
> case-insensitive rolenames created via CREATE ROLE), or should that forcing 
> be happening somewhere in the path of AuthUtil.handleLogin()? (Here: 
> https://github.com/apache/cassandra/blob/7b33e91852aee7af2e995273237d0f3828cd9e4b/src/java/org/apache/cassandra/transport/messages/AuthUtil.java#L73).
> Current behavior is that nowhere in AuthUtil.handleLogin() is a bare user 
> name returned by a SaslNegotiator forced to lowercase for case-insensitive 
> matching. In my case, the IDP considers user names to be case-insensitive but 
> it may return authenticated user names in mixed case (e.g. "Susie"). In that 
> case, the SaslNegotiator considers authentication successful, but the core 
> Cassandra code fails the login attempt because (for example) "Susie" != 
> "susie".
> Is this expected behavior, or should bare user names be normalized to all 
> lowercase somewhere in the AuthUtil.handleLogin() implementation to perform a 
> case-insensitive lookup for associated roles?
> Thanks - Joel.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
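Added example, not code from the ticket or from the Cassandra code base: one way a plugin can take the open question out of AuthUtil.handleLogin() entirely is to do the normalization inside its own SaslNegotiator, so the AuthenticatedUser it hands back already carries the name under which the role was created. The wrapper below decorates any existing negotiator (the IDP-backed one Joel describes, for instance) and applies CQL identifier case rules to the returned name: a name the IDP supplies wrapped in double quotes is taken literally (case preserved, matching CREATE ROLE "Susie"), anything else is lower-cased (matching CREATE ROLE Susie, which is stored as susie). Assumptions: the SaslNegotiator and AuthenticatedUser signatures are those of the Cassandra 5 auth API as I recall them (evaluateResponse, isComplete, getAuthenticatedUser; AuthenticatedUser(String)); CaseNormalizingNegotiator, normalizeRoleName and the delegate negotiator are hypothetical names.

```java
import java.util.Locale;

import org.apache.cassandra.auth.AuthenticatedUser;
import org.apache.cassandra.auth.IAuthenticator;
import org.apache.cassandra.exceptions.AuthenticationException;

/**
 * Hypothetical decorator: wraps an IDP-backed SaslNegotiator and normalizes the
 * authenticated name before AuthUtil.handleLogin() looks up the role, so a
 * mixed-case name such as "Susie" from a case-insensitive IDP resolves to the
 * role created with an unquoted CREATE ROLE (stored as susie).
 */
public final class CaseNormalizingNegotiator implements IAuthenticator.SaslNegotiator
{
    // Assumed: the plugin's real negotiator, e.g. the one returned from newSaslNegotiator().
    private final IAuthenticator.SaslNegotiator delegate;

    public CaseNormalizingNegotiator(IAuthenticator.SaslNegotiator delegate)
    {
        this.delegate = delegate;
    }

    @Override
    public byte[] evaluateResponse(byte[] clientResponse) throws AuthenticationException
    {
        // The SASL exchange itself is untouched; only the final identity is normalized.
        return delegate.evaluateResponse(clientResponse);
    }

    @Override
    public boolean isComplete()
    {
        return delegate.isComplete();
    }

    @Override
    public AuthenticatedUser getAuthenticatedUser() throws AuthenticationException
    {
        AuthenticatedUser raw = delegate.getAuthenticatedUser();
        return new AuthenticatedUser(normalizeRoleName(raw.getName()));
    }

    /**
     * Apply CQL identifier case rules to a name supplied by an external IDP:
     *   "Susie"  (quoted)  -> Susie   matches CREATE ROLE "Susie"
     *   Susie    (bare)    -> susie   matches CREATE ROLE Susie or CREATE ROLE susie
     * Lower-casing uses Locale.ROOT so the result does not depend on the JVM's
     * default locale (under a Turkish locale "I" would not map to "i").
     */
    static String normalizeRoleName(String name) throws AuthenticationException
    {
        if (name == null || name.isEmpty())
            throw new AuthenticationException("IDP returned an empty user name");

        if (name.length() >= 2 && name.startsWith("\"") && name.endsWith("\""))
        {
            // Strip the surrounding quotes and un-double any embedded quotes, as CQL does.
            String literal = name.substring(1, name.length() - 1).replace("\"\"", "\"");
            if (literal.isEmpty())
                throw new AuthenticationException("IDP returned an empty quoted user name");
            return literal;
        }

        return name.toLowerCase(Locale.ROOT);
    }
}
```

Two things worth noting about this choice. It is fail-closed: if an operator created a quoted mixed-case role "Susie" and the IDP returns a bare Susie, the lookup for susie simply finds no role and the login is refused, rather than a bare name silently matching a quoted one. And because the IDP in the described setup already treats Susie and susie as the same principal, lower-casing bare names loses no distinction that the IDP itself makes; a plugin in front of a case-sensitive IDP should not apply the bare-name branch, since two distinct IDP identities would then collapse onto one Cassandra role.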
