tolbertam commented on code in PR #2969:
URL: https://github.com/apache/cassandra/pull/2969#discussion_r1445327438


##########
src/java/org/apache/cassandra/transport/messages/StartupMessage.java:
##########
@@ -118,8 +121,29 @@ else if (compression.equals("lz4"))
             clientState.setDriverVersion(options.get(DRIVER_VERSION));
         }
 
-        if (DatabaseDescriptor.getAuthenticator().requireAuthentication())
+        IAuthenticator authenticator = DatabaseDescriptor.getAuthenticator();
+        if (authenticator.requireAuthentication()) {
+            // If the authenticator supports early certificate authentication, 
attempt to authenticate with certificates.
+            if (authenticator.supportsEarlyCertificateAuthentication()) {
+                IAuthenticator.SaslNegotiator negotiator = ((ServerConnection) 
connection).getSaslNegotiator(state);
+                // If the negotiator determines that certificate 
authentication is required, attempt to authenticate on it.
+                if (negotiator.requiresCertificateAuthentication()) {
+                    // Attempt to authenticate the user.
+                    return AuthUtil.handleLogin(connection, state, 
EMPTY_CLIENT_RESPONSE, (negotiationComplete, challenge) ->
+                    {
+                        if (negotiationComplete) {
+                            // Authentication was successful, proceed.
+                            return new ReadyMessage();
+                        } else {
+                            // It's expected that any negotiator that requires 
a challenge will likely not support early
+                            // certificate authentication, in this case we can 
just go through the traditional auth flow.
+                            return new 
AuthenticateMessage(DatabaseDescriptor.getAuthenticator().getClass().getName());
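
Review bot: In the `else` branch of the lambda, the fallback `AuthenticateMessage` is built from a second `DatabaseDescriptor.getAuthenticator()` call, although the same object is already held in the local `authenticator` declared at the top of the hunk. Reusing the local keeps the advertised class name tied to the instance whose negotiator was just consulted, and avoids a second lookup. Separately, this branch is reached only after `negotiator.requiresCertificateAuthentication()` has returned true, yet an incomplete negotiation drops to the challenge-based flow; the inline comment says such negotiators will "likely" not support early certificate authentication, so it would help to document which negotiators can reach this path and to add a test showing that a rejected certificate ends in an error, not in `negotiationComplete == false`. Minor style point: the new `if` and `else` lines put the opening brace on the same line, while the lambda body puts it on its own line; pick one form for the hunk.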

Review Comment:
   yeah - although we didn't change anything here in this PR; it's fully 
compatible with existing behavior, should behave like it did before :+1:



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

