tolbertam opened a new pull request, #2969: URL: https://github.com/apache/cassandra/pull/2969
If we detect that an Authenticator supports certificate authentication, we should be able to skip sending an AUTHENTICATE message to the client if we are able to successfully authenticate with a certificate.

Adds new interface methods IAuthenticator.supportsEarlyCertificateAuthentication and SaslNegotiator.requiresCertificateAuthentication. When each is evaluated as true in StartupMessage.execute(), attempts to authenticate early. If authenticated, a READY response is returned, otherwise ERROR. Default is false for each.

Both MutualTlsAuthenticator and MutualTlsWithPasswordFallbackAuthenticator return true for supportsEarlyCertificateAuthenticator. MutualTlsAuthenticator will always return a SaslNegotiator that returns true for requiresCertificateAuthentication. MutualTlsWithPasswordFallbackAuthenticator will return a SaslNegotiator that returns true for requiresCertificateAuthentication only if the connection provides a certificate; otherwise it will use PlainTextSaslNegotiator, which will cause StartupMessage.execute to defer authentication by sending an AUTHENTICATE response to the client.

This enables a client to connect with a certificate without having to configure an authenticator (e.g. a username and password).

Also consolidates authentication handling into AuthUtil.handleLogin.

Finally, adds a series of unit tests utilizing SimpleClient to validate these authentication flows.

patch by Andy Tolbert; reviewed by Jon Meredith and Stefan Podkowinski for [CASSANDRA-18857](https://issues.apache.org/jira/projects/CASSANDRA/issues/CASSANDRA-18857)
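The STARTUP decision described in the pull request, modeled as an added example that is not code from the pull request or from Cassandra. Only the two method names come from the description; the types, signatures, the string used in place of a certificate chain, and the identity value are simplified, constructed stand-ins.

```java
import java.util.Set;

// Simplified model for illustration; not Cassandra's real types or signatures.
public class EarlyCertAuthSketch {
    enum Response { READY, ERROR, AUTHENTICATE }

    interface Negotiator {
        default boolean requiresCertificateAuthentication() { return false; }
        boolean authenticate(String certIdentity); // null means no client certificate
    }

    interface Authenticator {
        default boolean supportsEarlyCertificateAuthentication() { return false; }
        Negotiator newNegotiator(String certIdentity);
    }

    // Constructed sample identity standing in for a validated certificate mapping.
    static final Set<String> KNOWN = Set.of("spiffe://constructed.example/app");

    static final Negotiator CERT = new Negotiator() {
        public boolean requiresCertificateAuthentication() { return true; }
        public boolean authenticate(String id) { return id != null && KNOWN.contains(id); }
    };
    // Password negotiator: nothing to check at STARTUP, credentials arrive later.
    static final Negotiator PLAIN = id -> false;

    static final Authenticator MUTUAL_TLS = new Authenticator() {
        public boolean supportsEarlyCertificateAuthentication() { return true; }
        public Negotiator newNegotiator(String id) { return CERT; }
    };
    static final Authenticator MUTUAL_TLS_WITH_FALLBACK = new Authenticator() {
        public boolean supportsEarlyCertificateAuthentication() { return true; }
        public Negotiator newNegotiator(String id) { return id != null ? CERT : PLAIN; }
    };
    static final Authenticator PASSWORD_ONLY = id -> PLAIN; // both defaults stay false

    // Early authentication runs only when both flags are true; its failure is an
    // ERROR, never a silent downgrade to the AUTHENTICATE (password) exchange.
    static Response onStartup(Authenticator auth, String certIdentity) {
        if (auth.supportsEarlyCertificateAuthentication()) {
            Negotiator n = auth.newNegotiator(certIdentity);
            if (n.requiresCertificateAuthentication())
                return n.authenticate(certIdentity) ? Response.READY : Response.ERROR;
        }
        return Response.AUTHENTICATE;
    }

    public static void main(String[] args) {
        String good = "spiffe://constructed.example/app", bad = "spiffe://constructed.example/other";
        System.out.println("mTLS, known cert:       " + onStartup(MUTUAL_TLS, good));
        System.out.println("mTLS, no cert:          " + onStartup(MUTUAL_TLS, null));
        System.out.println("fallback, unknown cert: " + onStartup(MUTUAL_TLS_WITH_FALLBACK, bad));
        System.out.println("fallback, no cert:      " + onStartup(MUTUAL_TLS_WITH_FALLBACK, null));
        System.out.println("password only:          " + onStartup(PASSWORD_ONLY, good));
    }
}
```

The cases worth checking in a real deployment are the second and third: a certificate-only authenticator with no certificate, and a fallback authenticator given a certificate it cannot map, should both end the handshake rather than offer a password prompt.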

