[jira] [Commented] (CASSANDRA-18857) Allow CQL client certificate authentication to work without sending an AUTHENTICATE request

2024-01-30 Thread Dinesh Joshi (Jira)


[ 
https://issues.apache.org/jira/browse/CASSANDRA-18857?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17812450#comment-17812450
 ] 

Dinesh Joshi commented on CASSANDRA-18857:
--

+1, thanks for the patch!

> Allow CQL client certificate authentication to work without sending an 
> AUTHENTICATE request
> ---
>
> Key: CASSANDRA-18857
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18857
> Project: Cassandra
> Issue Type: Improvement
> Components: Feature/Encryption
> Reporter: Andy Tolbert
> Assignee: Andy Tolbert
> Priority: Normal
> Attachments: ci_summary.html, result_details.tar.gz
>
> Time Spent: 4h 40m
> Remaining Estimate: 0h
>
> Currently when using {{MutualTlsAuthenticator}} or 
> {{MutualTlsWithPasswordFallbackAuthenticator}} a client is prompted with an 
> {{AUTHENTICATE}} message to which they must respond with an {{AUTH_RESPONSE}} 
> (e.g. a user name and password).  This shouldn't be needed as the role can be 
> identified using only the certificate.
> To address this, we could add the capability to authenticate early in 
> processing of a {{STARTUP}} message if we can determine that both the 
> configured authenticator supports certificate authentication and a client 
> certificate was provided.  If the certificate can be authenticated, a 
> {{READY}} response is returned, otherwise an {{ERROR}} is returned.
> This change can be done in a fully backwards compatible way and requires 
> no protocol or driver changes;  I will supply a patch shortly!



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
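
The STARTUP handling described in the issue text above, modelled as an added example (not code from the Cassandra patch or from any participant in this thread). Authenticator, handle_startup and the identity-to-role table are hypothetical names; the sample identities are constructed, and the no-certificate path falling back to AUTHENTICATE is an assumption.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Illustrative model only: Authenticator, handle_startup and the identity
# table are hypothetical names, not Cassandra classes or APIs.
@dataclass(frozen=True)
class Authenticator:
    name: str
    require_authentication: bool
    supports_certificates: bool  # can map a client certificate to a role

MTLS = Authenticator("MutualTlsAuthenticator", True, True)
MTLS_FALLBACK = Authenticator("MutualTlsWithPasswordFallbackAuthenticator", True, True)
PASSWORD = Authenticator("PasswordAuthenticator", True, False)

# Constructed sample data: certificate identity -> role.
ROLE_BY_IDENTITY = {"spiffe://example.test/app/reporting": "reporting_ro"}

def handle_startup(auth: Authenticator, cert_identity: Optional[str],
                   early_cert_auth: bool = True) -> Tuple[str, Optional[str]]:
    """Return (response message, role) for a STARTUP request.

    cert_identity is the identity from a client certificate the TLS layer
    already validated, or None when no client certificate was presented.
    """
    if not auth.require_authentication:
        return ("READY", None)
    if early_cert_auth and auth.supports_certificates and cert_identity is not None:
        role = ROLE_BY_IDENTITY.get(cert_identity)
        # Fail closed, as the issue text states: a certificate that cannot be
        # authenticated yields ERROR, never a session without a role.
        return ("READY", role) if role is not None else ("ERROR", None)
    # Assumption: every other case keeps the existing challenge path.
    return ("AUTHENTICATE", None)

def demo():
    known, unknown = "spiffe://example.test/app/reporting", "spiffe://example.test/app/other"
    return {
        "before change": handle_startup(MTLS, known, early_cert_auth=False),
        "known cert": handle_startup(MTLS, known),
        "unknown cert": handle_startup(MTLS, unknown),
        "fallback, no cert": handle_startup(MTLS_FALLBACK, None),
        "password only": handle_startup(PASSWORD, known),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```
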



[jira] [Commented] (CASSANDRA-18857) Allow CQL client certificate authentication to work without sending an AUTHENTICATE request

2024-01-19 Thread Andy Tolbert (Jira)


[ 
https://issues.apache.org/jira/browse/CASSANDRA-18857?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17808807#comment-17808807
 ] 

Andy Tolbert commented on CASSANDRA-18857:
--

Thanks everyone! Test results attached, things came back mostly clean:

[^ci_summary.html] 
[^result_details.tar.gz]

The failing tests appear to be unrelated/flakes:
 * largecolumn_test.TestLargeColumn#test_cleanup - looks like a common flake 
that has come up a number of times; I'll look into seeing if it's something I can 
help with if not already handled, but high confidence it's not related to my 
change.
 * upgrade_tests.upgrade_through_versions_test.TestUpgrade_indev_4_1_x_To_indev_trunk test_bootstrap_multidc ([CASSANDRA-17893])
 * upgrade_tests.upgrade_through_versions_test.TestUpgrade_indev_4_1_x_To_indev_trunk test_parallel_upgrade_with_internode_ssl ([CASSANDRA-17893])

 




[jira] [Commented] (CASSANDRA-18857) Allow CQL client certificate authentication to work without sending an AUTHENTICATE request

2024-01-18 Thread Francisco Guerrero (Jira)


[ 
https://issues.apache.org/jira/browse/CASSANDRA-18857?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17808415#comment-17808415
 ] 

Francisco Guerrero commented on CASSANDRA-18857:


+1 Thanks for the patch. Can you share CI results? 




[jira] [Commented] (CASSANDRA-18857) Allow CQL client certificate authentication to work without sending an AUTHENTICATE request

2024-01-08 Thread Abe Ratnofsky (Jira)


[ 
https://issues.apache.org/jira/browse/CASSANDRA-18857?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17804372#comment-17804372
 ] 

Abe Ratnofsky commented on CASSANDRA-18857:
---

+1




[jira] [Commented] (CASSANDRA-18857) Allow CQL client certificate authentication to work without sending an AUTHENTICATE request

2023-12-21 Thread Andy Tolbert (Jira)


[ 
https://issues.apache.org/jira/browse/CASSANDRA-18857?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17799627#comment-17799627
 ] 

Andy Tolbert commented on CASSANDRA-18857:
--

Ran through dtests and didn't run into any issues




[jira] [Commented] (CASSANDRA-18857) Allow CQL client certificate authentication to work without sending an AUTHENTICATE request

2023-12-21 Thread Andy Tolbert (Jira)


[ 
https://issues.apache.org/jira/browse/CASSANDRA-18857?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17799573#comment-17799573
 ] 

Andy Tolbert commented on CASSANDRA-18857:
--

I've rebased [#2969|https://github.com/apache/cassandra/pull/2969] on trunk 
after [CASSANDRA-18811] has been merged; unit tests appear to be passing.  This 
should be ready for review, although I'm looking to run this through some 
dtests to further vet things.




[jira] [Commented] (CASSANDRA-18857) Allow CQL client certificate authentication to work without sending an AUTHENTICATE request

2023-12-06 Thread Andy Tolbert (Jira)


[ 
https://issues.apache.org/jira/browse/CASSANDRA-18857?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17793913#comment-17793913
 ] 

Andy Tolbert commented on CASSANDRA-18857:
--

Apologies for the late follow up here.  Realized that for this to fully work 
[CASSANDRA-18811] is needed.  I've created a 
[pull request|https://github.com/apache/cassandra/pull/2969] that I will update 
as soon as [CASSANDRA-18811] lands in trunk.
