Re: [PR] CASSANDRA-18857 Allow CQL cert authentication without an AUTHENTICATE request [cassandra]

Mon, 08 Jan 2024 13:20:33 -0800 


jyothsnakonisa commented on code in PR #2969:
URL: https://github.com/apache/cassandra/pull/2969#discussion_r1445298774


##########
src/java/org/apache/cassandra/auth/IAuthenticator.java:
##########
@@ -145,5 +167,18 @@ public interface SaslNegotiator
          * @throws AuthenticationException
          */
         public AuthenticatedUser getAuthenticatedUser() throws 
AuthenticationException;
+
+        /**
+         * Whether its determined if this negotiator requires certificates.  
This is used in conjunction with
+         * {@link #supportsEarlyCertificateAuthentication()} in determining if 
authentication can be done with
+         * client certificates when handling a Startup message.
+         *
+         * If <code>true</code>, will attempt to authenticate while handling a 
Startup, otherwise will not attempt
+         * there and defer authentication to when handling an AuthResponse 
message.
+         */
+        default boolean requiresCertificateAuthentication()

Review Comment:
   Do we need both `requiresCertificateAuthentication` & 
`supportsEarlyCertificateAuthentication`? can we not have just one method?



##########
src/java/org/apache/cassandra/transport/SimpleClientSslContextFactory.java:
##########
@@ -0,0 +1,68 @@
+/*

Review Comment:
   If this is only used in test cases can we not move it to test package?



##########
src/java/org/apache/cassandra/auth/MutualTlsWithPasswordFallbackAuthenticator.java:
##########
@@ -46,13 +46,21 @@ public void setup()
         mutualTlsAuthenticator.setup();
     }
 
+    @Override
+    public boolean supportsEarlyCertificateAuthentication()

Review Comment:
   Incase of client making password based authentication this wold be false, 
Also I am curious about what values will be returned for 
`supportsEarlyCertificateAuthentication` & `requiresCertificateAuthentication` 
in case of fallback authenticator.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to