tolbertam commented on code in PR #2969:
URL: https://github.com/apache/cassandra/pull/2969#discussion_r1445002933


##########
src/java/org/apache/cassandra/transport/messages/StartupMessage.java:
##########
@@ -118,8 +121,29 @@ else if (compression.equals("lz4"))
             clientState.setDriverVersion(options.get(DRIVER_VERSION));
         }
 
-        if (DatabaseDescriptor.getAuthenticator().requireAuthentication())
+        IAuthenticator authenticator = DatabaseDescriptor.getAuthenticator();
+        if (authenticator.requireAuthentication()) {
+            // If the authenticator supports early certificate authentication, 
attempt to authenticate with certificates.
+            if (authenticator.supportsEarlyCertificateAuthentication()) {
+                IAuthenticator.SaslNegotiator negotiator = ((ServerConnection) 
connection).getSaslNegotiator(state);
+                // If the negotiator determines that certificate 
authentication is required, attempt to authenticate on it.
+                if (negotiator.requiresCertificateAuthentication()) {
+                    // Attempt to authenticate the user.
+                    return AuthUtil.handleLogin(connection, state, 
EMPTY_CLIENT_RESPONSE, (negotiationComplete, challenge) ->
+                    {
+                        if (negotiationComplete) {
+                            // Authentication was successful, proceed.
+                            return new ReadyMessage();
+                        } else {
+                            // It's expected that any negotiator that requires 
a challenge will likely not support early
+                            // certificate authentication, in this case we can 
just go through the traditional auth flow.
+                            return new 
AuthenticateMessage(DatabaseDescriptor.getAuthenticator().getClass().getName());
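Review bot: In the else branch of the lambda, `new AuthenticateMessage(DatabaseDescriptor.getAuthenticator().getClass().getName())` looks the authenticator up a second time although the hunk already holds it in the local `authenticator`. Using `authenticator.getClass().getName()` there keeps the `requireAuthentication()` and `supportsEarlyCertificateAuthentication()` checks and the class name sent to the client tied to the same instance. The `(ServerConnection) connection` cast is unchecked, so an `instanceof` guard or a comment stating why the connection is always a `ServerConnection` at this point would help. The hunk also mixes brace styles: the new `if`/`else` blocks open on the same line while the lambda body opens on its own line, so pick one for consistency.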

Review Comment:
   Yeah I think that's right - Most client implementations don't even look at 
the authenticator class name, e.g. I see that the java driver gets passed this 
value, but its default authenticator doesn't do anything with it:
   
   
https://github.com/apache/cassandra-java-driver/blob/4.x/core/src/main/java/com/datastax/oss/driver/internal/core/auth/PlainTextAuthProvider.java#L69-L70


