aratno commented on code in PR #2969:
URL: https://github.com/apache/cassandra/pull/2969#discussion_r1445328699
##########
src/java/org/apache/cassandra/transport/messages/StartupMessage.java:
##########
@@ -118,8 +121,29 @@ else if (compression.equals("lz4"))
clientState.setDriverVersion(options.get(DRIVER_VERSION));
}
- if (DatabaseDescriptor.getAuthenticator().requireAuthentication())
+ IAuthenticator authenticator = DatabaseDescriptor.getAuthenticator();
+ if (authenticator.requireAuthentication()) {
+ // If the authenticator supports early certificate authentication,
attempt to authenticate with certificates.
+ if (authenticator.supportsEarlyCertificateAuthentication()) {
+ IAuthenticator.SaslNegotiator negotiator = ((ServerConnection)
connection).getSaslNegotiator(state);
+ // If the negotiator determines that certificate
authentication is required, attempt to authenticate on it.
+ if (negotiator.requiresCertificateAuthentication()) {
+ // Attempt to authenticate the user.
+ return AuthUtil.handleLogin(connection, state,
EMPTY_CLIENT_RESPONSE, (negotiationComplete, challenge) ->
+ {
+ if (negotiationComplete) {
+ // Authentication was successful, proceed.
+ return new ReadyMessage();
+ } else {
+ // It's expected that any negotiator that requires
a challenge will likely not support early
+ // certificate authentication, in this case we can
just go through the traditional auth flow.
+ return new
AuthenticateMessage(DatabaseDescriptor.getAuthenticator().getClass().getName());
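Review bot: In the fallback branch at the end of this hunk, the AuthenticateMessage is built from a second DatabaseDescriptor.getAuthenticator() call even though the local `authenticator` assigned at the top of the hunk is in scope. Using `authenticator.getClass().getName()` would keep the requireAuthentication() check, the supportsEarlyCertificateAuthentication() check and the advertised authenticator class tied to the same instance. The `(ServerConnection) connection` cast is also unchecked in the visible lines, so consider an instanceof guard or a comment stating why the connection is always a ServerConnection at this point. A smaller style point: the added if/else blocks open their braces on the same line while the lambda body opens its brace on its own line, so one convention should be used throughout.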
Review Comment:
Yep, this was all adjacent curiosity. PR LGTM.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.