[ https://issues.apache.org/jira/browse/CASSANDRA-5545?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13651049#comment-13651049 ]

Sylvain Lebresne commented on CASSANDRA-5545:
---------------------------------------------

We initially suggested adding SASL indeed but skipped it, mainly for
lack of time/effort. So I definitely agree that switching to SASL exchanges
instead of our current custom one-way message for the protocol v2 is a good
idea.

On the patch, the principle looks good to me, but I would suggest going with a
much simpler interface on our end and letting people deal with all the subtlety
of the Java SASL API. After all, the only authentication we provide out of the
box is plain text authentication. Schematically, all that "supporting" SASL
requires is an interface to issue byte[] challenges from byte[] client
responses. So I would suggest simply adding 2 new methods to IAuthenticator:
{noformat}
SASLAuthenticator newAuthenticator();
{noformat}
where {{SASLAuthenticator}} would be something like:
{noformat}
public interface SASLAuthenticator
{
    public String getMechanismName();
    public byte[] evaluateResponse(byte[] clientResponse);
}
{noformat}
and the current plain text authenticator could add a very simple implementation
of that (without creating a full-blown java.security.sasl.SaslServer).

This *will* change the IAuthenticator interface to add a new method, but I
think supporting a new method is not a lot to ask of people who have a custom
authenticator today, especially since if you don't care about the binary
protocol SASL authentication, you can just have that method return null to
start with.
                
> Add SASL authentication to CQL native protocol
> ----------------------------------------------
>
>                 Key: CASSANDRA-5545
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-5545
>             Project: Cassandra
>          Issue Type: Improvement
>            Reporter: Sam Tunnicliffe
>             Fix For: 2.0
>
>         Attachments: 0001-Add-SASL-authentication-to-CQL-native-protocol.patch
>
>
> Adding hooks for SASL authentication would make it much easier to integrate 
> with external auth providers, such as Kerberos & NTLM.

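A sketch of the "very simple implementation" the comment describes for the plain text case, added here as an example; it is not code from the attached patch or from Cassandra. Assumptions: the class name PlainSaslAuthenticator, the RFC 4616 PLAIN message layout, the convention that a null return means no further challenge, and an in-memory credential standing in for a real credential store.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

interface SASLAuthenticator // shape taken from the comment above
{
    String getMechanismName();
    byte[] evaluateResponse(byte[] clientResponse);
}

// Hypothetical class: the name and the in-memory credential are assumptions.
final class PlainSaslAuthenticator implements SASLAuthenticator
{
    private final byte[] user, password;

    PlainSaslAuthenticator(String user, String password)
    {
        this.user = user.getBytes(StandardCharsets.UTF_8);
        this.password = password.getBytes(StandardCharsets.UTF_8);
    }

    public String getMechanismName() { return "PLAIN"; }

    // Assumed convention: null means "no further challenge"; failure throws.
    public byte[] evaluateResponse(byte[] r)
    {
        // RFC 4616 message: [authzid] NUL authcid NUL passwd, exactly two NULs.
        int a = nul(r, 0), b = a < 0 ? -1 : nul(r, a + 1);
        if (b < 0 || nul(r, b + 1) >= 0 || b == a + 1 || b == r.length - 1)
            throw new SecurityException("malformed PLAIN response");
        byte[] id = Arrays.copyOfRange(r, a + 1, b);
        byte[] pw = Arrays.copyOfRange(r, b + 1, r.length);
        // Compare both fields without short-circuiting, then wipe the password copy.
        boolean ok = MessageDigest.isEqual(id, user) & MessageDigest.isEqual(pw, password);
        Arrays.fill(pw, (byte) 0);
        if (!ok)
            throw new SecurityException("authentication failed");
        return null;
    }

    private static int nul(byte[] buf, int from)
    {
        for (int i = from; buf != null && i < buf.length; i++)
            if (buf[i] == 0) return i;
        return -1;
    }
}
```

PLAIN carries the password in the clear, so an authenticator like this only makes sense over an encrypted client connection.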