[jira] [Commented] (CASSANDRA-18554) mTLS based client and internode authenticators

2023-07-27 Thread Jyothsna Konisa (Jira)


[ 
https://issues.apache.org/jira/browse/CASSANDRA-18554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17748294#comment-17748294
 ] 

Jyothsna Konisa commented on CASSANDRA-18554:
-

circleCI: 
https://app.circleci.com/pipelines/github/jyothsnakonisa/cassandra/159/workflows/19c0b0ea-6629-419c-aeed-690f67ccb7ac

> mTLS based client and internode authenticators
> --
>
> Key: CASSANDRA-18554
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18554
> Project: Cassandra
> Issue Type: New Feature
> Components: Feature/Authorization
> Reporter: Jyothsna Konisa
> Assignee: Jyothsna Konisa
> Priority: Normal
> Time Spent: 3h 20m
> Remaining Estimate: 0h
>
> Cassandra currently doesn't have any certificate-based authenticator for both 
> client connections and internode connections. If one wants to use a certificate-
> based authentication protocol like TLS, in which clients send their 
> certificates for the TLS handshake, we can leverage the information from the 
> client certificate to identify a client. Using this authentication mechanism 
> one can avoid the pain of password generation, sharing and rotation.
> Introducing the following certificate-based mTLS authenticators for internode and 
> client connections:
> - MutualTlsAuthenticator (client authentication)
> - MutualTlsInternodeAuthenticator (internode authentication)
> - MutualTlsWithPasswordFallbackAuthenticator (for optional mode operation for 
>   client authentication)
> An implementation of MutualTlsCertificateValidator called 
> SpiffeCertificateValidator whose identity is SPIFFE that is embedded in the SAN 
> of the client certificate. One can implement their own CertificateValidator 
> to match their needs and configure it in Cassandra.yaml 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
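
The issue description quoted above says the client identity is a SPIFFE ID carried in the SAN of the client certificate. The following is an added example, not code from the Cassandra patch or its SpiffeCertificateValidator: a minimal check that pulls a single `spiffe://` URI out of SAN entries shaped like the return value of `X509Certificate.getSubjectAlternativeNames()`. The class name, method names and sample SAN values are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Collection;
import java.util.List;

// Added example: hypothetical class, not Cassandra's SpiffeCertificateValidator.
public class SpiffeSanExample {
    private static final Integer SAN_TYPE_URI = 6; // GeneralName uniformResourceIdentifier

    // Input has the shape of X509Certificate.getSubjectAlternativeNames():
    // each entry is [Integer type, value]. Call only after chain validation.
    static String extractSpiffeId(Collection<List<?>> sans) {
        if (sans == null) throw new IllegalArgumentException("no SAN extension");
        String id = null;
        for (List<?> entry : sans) {
            if (!SAN_TYPE_URI.equals(entry.get(0))) continue; // skip DNS, IP, e-mail SANs
            // Several URI SANs make the identity ambiguous, so reject instead of picking one.
            if (id != null) throw new IllegalArgumentException("more than one URI SAN");
            id = (String) entry.get(1);
        }
        if (id == null) throw new IllegalArgumentException("no URI SAN");
        URI uri;
        try {
            uri = new URI(id);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed URI SAN", e);
        }
        String trustDomain = uri.getRawAuthority();
        if (!"spiffe".equalsIgnoreCase(uri.getScheme())) throw new IllegalArgumentException("not a spiffe:// URI");
        if (trustDomain == null || trustDomain.contains("@") || trustDomain.contains(":"))
            throw new IllegalArgumentException("bad trust domain");
        if (uri.getRawQuery() != null || uri.getRawFragment() != null)
            throw new IllegalArgumentException("query or fragment not allowed");
        return id;
    }

    static List<?> san(int type, String value) { return List.of(type, value); }

    public static void main(String[] args) {
        // Constructed SAN entries; no real certificate is parsed here.
        List<List<?>> good = List.of(san(2, "client.example.org"), san(6, "spiffe://example.org/cassandra/client-app"));
        List<List<?>> twoUris = List.of(san(6, "spiffe://example.org/a"), san(6, "spiffe://example.org/b"));
        System.out.println(extractSpiffeId(good));
        try {
            extractSpiffeId(twoUris);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The returned string is only an identity claim; mapping it to a role and deciding whether that role may log in is a separate authorization step.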



[jira] [Commented] (CASSANDRA-18554) mTLS based client and internode authenticators

2023-07-26 Thread Dinesh Joshi (Jira)


[ 
https://issues.apache.org/jira/browse/CASSANDRA-18554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17747749#comment-17747749
 ] 

Dinesh Joshi commented on CASSANDRA-18554:
--

Please add CI run.

> mTLS based client and internode authenticators
> --
>
> Key: CASSANDRA-18554
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18554
> Project: Cassandra
> Issue Type: New Feature
> Components: Feature/Authorization
> Reporter: Jyothsna Konisa
> Assignee: Jyothsna Konisa
> Priority: Normal
> Time Spent: 2.5h
> Remaining Estimate: 0h






[jira] [Commented] (CASSANDRA-18554) mTLS based client and internode authenticators

2023-07-26 Thread Yifan Cai (Jira)


[ 
https://issues.apache.org/jira/browse/CASSANDRA-18554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17747658#comment-17747658
 ] 

Yifan Cai commented on CASSANDRA-18554:
---

I reviewed the changes since the last time I did. Left some minor comments, and they 
were addressed. 
+1 on the patch. 

> mTLS based client and internode authenticators
> --
>
> Key: CASSANDRA-18554
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18554
> Project: Cassandra
> Issue Type: New Feature
> Components: Feature/Authorization
> Reporter: Jyothsna Konisa
> Assignee: Jyothsna Konisa
> Priority: Normal
> Time Spent: 2.5h
> Remaining Estimate: 0h






[jira] [Commented] (CASSANDRA-18554) mTLS based client and internode authenticators

2023-06-13 Thread Jeremiah Jordan (Jira)


[ 
https://issues.apache.org/jira/browse/CASSANDRA-18554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17732122#comment-17732122
 ] 

Jeremiah Jordan commented on CASSANDRA-18554:
-

I was just looking over the JIRA and noticed this adds new CQL syntax.  I think 
we should at the least have a VOTE on dev@ approving new CQL syntax, and at the 
most there should be a CEP about it.

> mTLS based client and internode authenticators
> --
>
> Key: CASSANDRA-18554
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18554
> Project: Cassandra
> Issue Type: New Feature
> Components: Feature/Authorization
> Reporter: Jyothsna Konisa
> Assignee: Jyothsna Konisa
> Priority: Normal
> Time Spent: 0.5h
> Remaining Estimate: 0h






[jira] [Commented] (CASSANDRA-18554) mTLS based client and internode authenticators

2023-06-12 Thread Yifan Cai (Jira)


[ 
https://issues.apache.org/jira/browse/CASSANDRA-18554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17731771#comment-17731771
 ] 

Yifan Cai commented on CASSANDRA-18554:
---

+1 on the patch.
Thank you for addressing my comments!

> mTLS based client and internode authenticators
> --
>
> Key: CASSANDRA-18554
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18554
> Project: Cassandra
> Issue Type: New Feature
> Components: Feature/Authorization
> Reporter: Jyothsna Konisa
> Assignee: Jyothsna Konisa
> Priority: Normal
> Time Spent: 0.5h
> Remaining Estimate: 0h


