[
https://issues.apache.org/jira/browse/CASSANDRA-5401?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13619231#comment-13619231
]
Brandon Williams commented on CASSANDRA-5401:
---------------------------------------------
To clarify, what we want here is a pluggable way to authenticate nodes that are
trying to join the cluster (in any way, I don't mean just bootstrapping.) SSL
can do this, but maintaining a full CA and dealing with certificate expiration
is cumbersome, plus encryption carries some overhead, so it's kind of an
all-or-nothing solution. Instead, I think we can create some kind of interface
for this and ship our own 'allow all' implementation of it, with a simple hook
into ITC to allow/disallow connections at the TCP level, and anyone wanting to
do this can provide their own implementation. The hardest part is going to be
coming up with names for all these things that aren't already used for client
authentication.
> Pluggable security feature to prevent node from joining a cluster and running
> destructive commands
> --------------------------------------------------------------------------------------------------
>
> Key: CASSANDRA-5401
> URL: https://issues.apache.org/jira/browse/CASSANDRA-5401
> Project: Cassandra
> Issue Type: Improvement
> Components: Config, Core
> Affects Versions: 1.1.10
> Environment: Production
> Reporter: Ahmed Bashir
> Labels: configuration, security
>
> It's possible for a node to join an existing cluster (with perhaps more
> stringent security restrictions i.e. not using AllowAllAuthentication) and
> issue destructive commands that affect the cluster at large (e.g. drop
> keyspace via cassandra-cli, etc).
> This can be circumvented with a pluggable security module that could be used
> to implement basic node vetting/identification/etc.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
