frankgh commented on code in PR #2969:
URL: https://github.com/apache/cassandra/pull/2969#discussion_r1458031465
##########
src/java/org/apache/cassandra/transport/messages/StartupMessage.java:
##########
@@ -118,8 +121,34 @@ else if (compression.equals("lz4"))
clientState.setDriverVersion(options.get(DRIVER_VERSION));
}
- if (DatabaseDescriptor.getAuthenticator().requireAuthentication())
+ IAuthenticator authenticator = DatabaseDescriptor.getAuthenticator();
+ if (authenticator.requireAuthentication())
+ {
+ // If the authenticator supports early certificate authentication,
attempt to authenticate with certificates.
+ if (authenticator.supportsEarlyCertificateAuthentication())
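Review bot: At the `if (authenticator.supportsEarlyCertificateAuthentication())` check, the in-line comment says certificates will be tried but not what happens when this path is not taken or the attempt does not succeed. Since the branch is nested under `authenticator.requireAuthentication()`, the comment should state the fallback explicitly (for example, if that is the behaviour, that the connection then continues with the regular authentication exchange), so a reader can confirm that skipping the early path never leaves a connection that requires authentication unauthenticated.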
Review Comment:
> The SaslNegotiator returned from
> MutualTlsWithPasswordFallbackAuthenticator.newSaslNegotiator will return an
> implementation that evaluates to false for requiresCertificateAuthentication()
> if no certs are present on the connection, and true if certificates are present
> which will then cause it to attempt to authenticate (line 135 below).

Ah yes, I see that now, it is based on whether the certificates are present.
This makes sense.

> Are there other kinds of authentication that you could envision that we
> could do eventually without sending an AUTHENTICATE message?

I was trying to think of other use cases, but I couldn't come up with
anything for now. But I think making the method name generic could open it up
for future improvements (maybe). We don't really need to _tie_ the
implementation to certificates.

+1 to renaming it as proposed above