[jira] [Commented] (CASSANDRA-18857) Allow CQL client certificate authentication to work without sending an AUTHENTICATE request
[ https://issues.apache.org/jira/browse/CASSANDRA-18857?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17812450#comment-17812450 ]

Dinesh Joshi commented on CASSANDRA-18857:
------------------------------------------

+1, thanks for the patch!

> Allow CQL client certificate authentication to work without sending an
> AUTHENTICATE request
> -----------------------------------------------------------------------
>
>                 Key: CASSANDRA-18857
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-18857
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Feature/Encryption
>            Reporter: Andy Tolbert
>            Assignee: Andy Tolbert
>            Priority: Normal
>         Attachments: ci_summary.html, result_details.tar.gz
>
>          Time Spent: 4h 40m
>  Remaining Estimate: 0h
>
> Currently when using {{MutualTlsAuthenticator}} or
> {{MutualTlsWithPasswordFallbackAuthenticator}} a client is prompted with an
> {{AUTHENTICATE}} message to which they must respond with an {{AUTH_RESPONSE}}
> (e.g. a user name and password). This shouldn't be needed as the role can be
> identified using only the certificate.
> To address this, we could add the capability to authenticate early in
> processing of a {{STARTUP}} message if we can determine that both the
> configured authenticator supports certificate authentication and a client
> certificate was provided. If the certificate can be authenticated, a
> {{READY}} response is returned, otherwise an {{ERROR}} is returned.
> This change can be done in a fully backwards compatible way and requires
> no protocol or driver changes; I will supply a patch shortly!

--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
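The STARTUP handling proposed in the quoted issue description, as an added example that is not part of this thread and is not Cassandra's code. All class, method and identity names are hypothetical; the client side reflects that READY is already a valid reply to STARTUP in the CQL native protocol, which is why no driver change is needed.

```java
import java.util.Map;
import java.util.Optional;

// Added illustration: all names are hypothetical, none of this is Cassandra's code.
public class EarlyCertAuthSketch {
    enum Reply { READY, AUTHENTICATE, ERROR }

    // Stand-in for an authenticator that may map a client certificate to a role.
    interface Authenticator {
        boolean supportsCertificateAuth();
        Optional<String> roleFor(String certIdentity);
    }

    // Constructed identity-to-role table (assumption, for the demo only).
    static final Map<String, String> ROLES = Map.of("CN=app1", "app1_role");

    static Authenticator authenticator(boolean certCapable) {
        return new Authenticator() {
            public boolean supportsCertificateAuth() { return certCapable; }
            public Optional<String> roleFor(String id) { return Optional.ofNullable(ROLES.get(id)); }
        };
    }

    // Server side: reply to STARTUP. certIdentity is null when no client certificate was presented.
    static Reply onStartup(Authenticator auth, String certIdentity) {
        if (!auth.supportsCertificateAuth() || certIdentity == null)
            return Reply.AUTHENTICATE; // unchanged flow: client answers with AUTH_RESPONSE
        // Both conditions hold, so the certificate alone decides. A certificate that
        // cannot be authenticated gets ERROR; it is not downgraded to a password prompt.
        return auth.roleFor(certIdentity).isPresent() ? Reply.READY : Reply.ERROR;
    }

    // Client side: how a driver already reacts to each possible reply to STARTUP.
    static String clientNext(Reply reply) {
        switch (reply) {
            case READY:        return "start sending queries";
            case AUTHENTICATE: return "send AUTH_RESPONSE";
            default:           return "close connection";
        }
    }

    public static void main(String[] args) {
        Authenticator mtls = authenticator(true), passwordOnly = authenticator(false);
        String[][] cases = { {"mtls", "CN=app1"}, {"mtls", "CN=unknown"}, {"mtls", null}, {"password", "CN=app1"} };
        for (String[] c : cases) {
            Reply r = onStartup(c[0].equals("mtls") ? mtls : passwordOnly, c[1]);
            System.out.println(c[0] + " / cert=" + c[1] + " -> " + r + " -> client: " + clientNext(r));
        }
    }
}
```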
[jira] [Commented] (CASSANDRA-18857) Allow CQL client certificate authentication to work without sending an AUTHENTICATE request
[ https://issues.apache.org/jira/browse/CASSANDRA-18857?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17808807#comment-17808807 ]

Andy Tolbert commented on CASSANDRA-18857:
------------------------------------------

Thanks everyone! Test results attached, things came back mostly clean:

[^ci_summary.html]
[^result_details.tar.gz]

The failing tests appear to be unrelated/flakes:
* largecolumn_test.TestLargeColumn#test_cleanup - looks like a common flake that has come up a number of times; I'll look into seeing if something I can help with if not already handled, but high confidence it's not related to my change.
* upgrade_tests.upgrade_through_versions_test.TestUpgrade_indev_4_1_x_To_indev_trunk test_bootstrap_multidc ([CASSANDRA-17893])
* upgrade_tests.upgrade_through_versions_test.TestUpgrade_indev_4_1_x_To_indev_trunk test_parallel_upgrade_with_internode_ssl ([CASSANDRA-17893])

> Allow CQL client certificate authentication to work without sending an
> AUTHENTICATE request
> -----------------------------------------------------------------------
>
>                 Key: CASSANDRA-18857
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-18857
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Feature/Encryption
>            Reporter: Andy Tolbert
>            Assignee: Andy Tolbert
>            Priority: Normal
>         Attachments: ci_summary.html, result_details.tar.gz
>
>          Time Spent: 4h 40m
>  Remaining Estimate: 0h
[jira] [Commented] (CASSANDRA-18857) Allow CQL client certificate authentication to work without sending an AUTHENTICATE request
[ https://issues.apache.org/jira/browse/CASSANDRA-18857?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17808415#comment-17808415 ]

Francisco Guerrero commented on CASSANDRA-18857:
------------------------------------------------

+1 Thanks for the patch. Can you share CI results?

> Allow CQL client certificate authentication to work without sending an
> AUTHENTICATE request
> -----------------------------------------------------------------------
>
>                 Key: CASSANDRA-18857
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-18857
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Feature/Encryption
>            Reporter: Andy Tolbert
>            Assignee: Andy Tolbert
>            Priority: Normal
>          Time Spent: 4h 40m
>  Remaining Estimate: 0h
[jira] [Commented] (CASSANDRA-18857) Allow CQL client certificate authentication to work without sending an AUTHENTICATE request
[ https://issues.apache.org/jira/browse/CASSANDRA-18857?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17804372#comment-17804372 ]

Abe Ratnofsky commented on CASSANDRA-18857:
-------------------------------------------

+1

> Allow CQL client certificate authentication to work without sending an
> AUTHENTICATE request
> -----------------------------------------------------------------------
>
>                 Key: CASSANDRA-18857
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-18857
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Feature/Encryption
>            Reporter: Andy Tolbert
>            Assignee: Andy Tolbert
>            Priority: Normal
>          Time Spent: 1h
>  Remaining Estimate: 0h
[jira] [Commented] (CASSANDRA-18857) Allow CQL client certificate authentication to work without sending an AUTHENTICATE request
[ https://issues.apache.org/jira/browse/CASSANDRA-18857?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17799627#comment-17799627 ]

Andy Tolbert commented on CASSANDRA-18857:
------------------------------------------

Ran through dtests and didn't run into any issues

> Allow CQL client certificate authentication to work without sending an
> AUTHENTICATE request
> -----------------------------------------------------------------------
>
>                 Key: CASSANDRA-18857
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-18857
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Feature/Encryption
>            Reporter: Andy Tolbert
>            Priority: Normal
>          Time Spent: 50m
>  Remaining Estimate: 0h
[jira] [Commented] (CASSANDRA-18857) Allow CQL client certificate authentication to work without sending an AUTHENTICATE request
[ https://issues.apache.org/jira/browse/CASSANDRA-18857?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17799573#comment-17799573 ]

Andy Tolbert commented on CASSANDRA-18857:
------------------------------------------

I've rebased [#2969|https://github.com/apache/cassandra/pull/2969] on trunk after [CASSANDRA-18811] has been merged, unit tests appear to be passing. This should be ready for review, although I'm looking to run this through some dtests to further vet things.

> Allow CQL client certificate authentication to work without sending an
> AUTHENTICATE request
> -----------------------------------------------------------------------
>
>                 Key: CASSANDRA-18857
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-18857
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Feature/Encryption
>            Reporter: Andy Tolbert
>            Priority: Normal
>          Time Spent: 50m
>  Remaining Estimate: 0h
[jira] [Commented] (CASSANDRA-18857) Allow CQL client certificate authentication to work without sending an AUTHENTICATE request
[ https://issues.apache.org/jira/browse/CASSANDRA-18857?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17793913#comment-17793913 ]

Andy Tolbert commented on CASSANDRA-18857:
------------------------------------------

Apologies for the late follow up here. Realized that for this to fully work [CASSANDRA-18811] is needed. I've created a [pull request|https://github.com/apache/cassandra/pull/2969] that I will update as soon as [CASSANDRA-18811] lands in trunk.

> Allow CQL client certificate authentication to work without sending an
> AUTHENTICATE request
> -----------------------------------------------------------------------
>
>                 Key: CASSANDRA-18857
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-18857
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Feature/Encryption
>            Reporter: Andy Tolbert
>            Priority: Normal
>          Time Spent: 50m
>  Remaining Estimate: 0h