Re: server connection in authenticator
Hello Justin and thank you for your answer.

Yes, I am aware of that mechanism. What we need to accomplish is to add some extra validations to the certificate in a new Authenticator and in order to get the certificates for the current connection we need the ServerConnection object or the sslHandler.

Regards,
Horia

On tor, 2017-10-26 at 22:33 +, Justin Cameron wrote:
> Hi Horia,
>
> Are you aware that Cassandra already supports two-way SSL certificate
> authentication? Take a look at the require_client_auth option under
> client_encryption_options in cassandra.yaml:
> http://cassandra.apache.org/doc/latest/configuration/cassandra_config_file.html#client-encryption-options
>
> The caveat is that Cassandra role authorisation is not possible via
> this mechanism. If you need this then I suspect you're correct in
> that some code will need to change.
>
> Cheers,
> Justin
>
> On Thu, 26 Oct 2017 at 17:50 Horia Mocioi wrote:
> > Thank you Jeff & Harika.
> >
> > Yes, I am aware of that mechanism. What we need to do is to add some
> > extra validations on the certificate used for securing the connection.
> >
> > So, in order to do this in our Authenticator, we need a way to grab the
> > sslHandler which can be obtained from the ServerConnection. The
> > certificates can be obtained then from the sslHandler.
> >
> > My question was if there was any other way to grab the ServerConnection
> > in an Authenticator besides passing it as a parameter when building the
> > negotiator, thus changing IAuthenticator and ServerConnection.
> >
> > Thank you again,
> > Horia
> >
> > On ons, 2017-10-25 at 17:13 +, Harika Vangapelli -T (hvangape -
> > AKRAYA INC at Cisco) wrote:
> > > Horia,
> > >
> > > By just changing Authenticator and Authorizer in cassandra.yaml and
> > > adding custom libraries in /usr/share/cassandra/ you can plug in to
> > > custom authentication
> > >
> > > sed -ri \
> > >   -e 's/^(authenticator:).*/\1 'com.cassandra.LdapCassandraAuthenticator'/' \
> > >   -e 's/^(authorizer:).*/\1 'com.cassandra.LdapCassandraAuthorizer'/' \
> > >   "cassandra.yaml"
> > >
> > > Copy custom jars > /usr/share/cassandra/
> > >
> > > Harika Vangapelli
> > > Engineer - IT
> > > hvang...@cisco.com
> > > Cisco Systems, Inc.
> > >
> > > -Original Message-
> > > From: Horia Mocioi [mailto:horia.moc...@ericsson.com]
> > > Sent: Wednesday, October 25, 2017 3:38 AM
> > > To: user@cassandra.apache.org
> > > Subject: server connection in authenticator
> > >
> > > Hello guys,
> > >
> > > We are building up an authenticator using certificates. So far we
> > > came up with a solution, but it implies changing some files in Cassandra
> > > code base in order to have the connection in the new Authenticator.
> > >
> > > So, here are my questions:
> > > * how are you guys doing this?
> > > * is it possible to obtain the connection on the Authenticator
> > >   without changing other files in the Cassandra code base, in that
> > >   sense just creating a new Authenticator and setting it up in
> > >   cassandra.yaml?
> > >
> > > Regards,
> > > Horia
>
> --
> Justin Cameron
> Senior Software Engineer
Re: server connection in authenticator
Hi Horia,

Are you aware that Cassandra already supports two-way SSL certificate authentication? Take a look at the require_client_auth option under client_encryption_options in cassandra.yaml:
http://cassandra.apache.org/doc/latest/configuration/cassandra_config_file.html#client-encryption-options

The caveat is that Cassandra role authorisation is not possible via this mechanism. If you need this then I suspect you're correct in that some code will need to change.

Cheers,
Justin

On Thu, 26 Oct 2017 at 17:50 Horia Mocioi wrote:
> Thank you Jeff & Harika.
>
> Yes, I am aware of that mechanism. What we need to do is to add some
> extra validations on the certificate used for securing the connection.
>
> So, in order to do this in our Authenticator, we need a way to grab the
> sslHandler which can be obtained from the ServerConnection. The
> certificates can be obtained then from the sslHandler.
>
> My question was if there was any other way to grab the ServerConnection
> in an Authenticator besides passing it as a parameter when building the
> negotiator, thus changing IAuthenticator and ServerConnection.
>
> Thank you again,
> Horia
>
> On ons, 2017-10-25 at 17:13 +, Harika Vangapelli -T (hvangape -
> AKRAYA INC at Cisco) wrote:
> > Horia,
> >
> > By just changing Authenticator and Authorizer in cassandra.yaml and
> > adding custom libraries in /usr/share/cassandra/ you can plug in to
> > custom authentication
> >
> > sed -ri \
> >   -e 's/^(authenticator:).*/\1 'com.cassandra.LdapCassandraAuthenticator'/' \
> >   -e 's/^(authorizer:).*/\1 'com.cassandra.LdapCassandraAuthorizer'/' \
> >   "cassandra.yaml"
> >
> > Copy custom jars > /usr/share/cassandra/
> >
> > Harika Vangapelli
> > Engineer - IT
> > hvang...@cisco.com
> > Cisco Systems, Inc.
> >
> > -Original Message-
> > From: Horia Mocioi [mailto:horia.moc...@ericsson.com]
> > Sent: Wednesday, October 25, 2017 3:38 AM
> > To: user@cassandra.apache.org
> > Subject: server connection in authenticator
> >
> > Hello guys,
> >
> > We are building up an authenticator using certificates. So far we
> > came up with a solution, but it implies changing some files in Cassandra
> > code base in order to have the connection in the new Authenticator.
> >
> > So, here are my questions:
> > * how are you guys doing this?
> > * is it possible to obtain the connection on the Authenticator
> >   without changing other files in the Cassandra code base, in that
> >   sense just creating a new Authenticator and setting it up in
> >   cassandra.yaml?
> >
> > Regards,
> > Horia

--
Justin Cameron
Senior Software Engineer
<https://www.instaclustr.com/>
Re: server connection in authenticator
Thank you Jeff & Harika.

Yes, I am aware of that mechanism. What we need to do is to add some extra validations on the certificate used for securing the connection.

So, in order to do this in our Authenticator, we need a way to grab the sslHandler which can be obtained from the ServerConnection. The certificates can be obtained then from the sslHandler.

My question was if there was any other way to grab the ServerConnection in an Authenticator besides passing it as a parameter when building the negotiator, thus changing IAuthenticator and ServerConnection.

Thank you again,
Horia

On ons, 2017-10-25 at 17:13 +, Harika Vangapelli -T (hvangape - AKRAYA INC at Cisco) wrote:
> Horia,
>
> By just changing Authenticator and Authorizer in cassandra.yaml and
> adding custom libraries in /usr/share/cassandra/ you can plug in to
> custom authentication
>
> sed -ri \
>   -e 's/^(authenticator:).*/\1 'com.cassandra.LdapCassandraAuthenticator'/' \
>   -e 's/^(authorizer:).*/\1 'com.cassandra.LdapCassandraAuthorizer'/' \
>   "cassandra.yaml"
>
> Copy custom jars > /usr/share/cassandra/
>
> Harika Vangapelli
> Engineer - IT
> hvang...@cisco.com
> Cisco Systems, Inc.
>
> -Original Message-
> From: Horia Mocioi [mailto:horia.moc...@ericsson.com]
> Sent: Wednesday, October 25, 2017 3:38 AM
> To: user@cassandra.apache.org
> Subject: server connection in authenticator
>
> Hello guys,
>
> We are building up an authenticator using certificates. So far we
> came up with a solution, but it implies changing some files in Cassandra
> code base in order to have the connection in the new Authenticator.
>
> So, here are my questions:
> * how are you guys doing this?
> * is it possible to obtain the connection on the Authenticator
>   without changing other files in the Cassandra code base, in that
>   sense just creating a new Authenticator and setting it up in
>   cassandra.yaml?
>
> Regards,
> Horia
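
Added example, not part of the thread and not Cassandra code: a Java sketch of the kind of extra certificate validation described in the message above, run against the connection's SSLSession. The class name, the chosen checks (validity window, clientAuth extended key usage, CN extraction for role mapping) and the assumption that the authenticator can reach the session (for example through sslHandler.engine().getSession()) are illustrative; per the thread, reaching it currently means changing Cassandra code.

```java
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

/** Hypothetical helper (not Cassandra code): extra checks on the TLS client certificate. */
public final class ClientCertChecks {
    // id-kp-clientAuth extended key usage OID (RFC 5280).
    private static final String EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2";

    /** Returns the subject CN of the client's leaf certificate, e.g. for mapping to a role name. */
    public static String verifiedCommonName(SSLSession session)
            throws SSLPeerUnverifiedException, CertificateException {
        // Throws SSLPeerUnverifiedException when the client presented no certificate,
        // which can happen if require_client_auth is not enforced.
        Certificate[] chain = session.getPeerCertificates();
        if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
            throw new CertificateException("no X.509 client certificate");
        }
        X509Certificate leaf = (X509Certificate) chain[0];
        leaf.checkValidity(); // rejects expired and not-yet-valid certificates

        // Assumed policy: the certificate must be issued for TLS client authentication.
        List<String> eku = leaf.getExtendedKeyUsage(); // null when the extension is absent
        if (eku == null || !eku.contains(EKU_CLIENT_AUTH)) {
            throw new CertificateException("certificate lacks clientAuth extended key usage");
        }

        // Parse the DN with LdapName rather than splitting on commas, so escaped
        // separators inside attribute values are handled correctly.
        try {
            LdapName dn = new LdapName(leaf.getSubjectX500Principal().getName());
            for (Rdn rdn : dn.getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return rdn.getValue().toString();
                }
            }
        } catch (InvalidNameException e) {
            throw new CertificateException("unparseable subject DN", e);
        }
        throw new CertificateException("subject DN has no CN");
    }
}
```

These checks run in addition to, not instead of, the chain validation the TLS layer performs against the configured truststore.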
RE: server connection in authenticator
Horia,

By just changing Authenticator and Authorizer in cassandra.yaml and adding custom libraries in /usr/share/cassandra/ you can plug in to custom authentication

sed -ri \
  -e 's/^(authenticator:).*/\1 'com.cassandra.LdapCassandraAuthenticator'/' \
  -e 's/^(authorizer:).*/\1 'com.cassandra.LdapCassandraAuthorizer'/' \
  "cassandra.yaml"

Copy custom jars > /usr/share/cassandra/

Harika Vangapelli
Engineer - IT
hvang...@cisco.com
Cisco Systems, Inc.

-Original Message-
From: Horia Mocioi [mailto:horia.moc...@ericsson.com]
Sent: Wednesday, October 25, 2017 3:38 AM
To: user@cassandra.apache.org
Subject: server connection in authenticator

Hello guys,

We are building up an authenticator using certificates. So far we came up with a solution, but it implies changing some files in Cassandra code base in order to have the connection in the new Authenticator.

So, here are my questions:
* how are you guys doing this?
* is it possible to obtain the connection on the Authenticator without changing other files in the Cassandra code base, in that sense just creating a new Authenticator and setting it up in cassandra.yaml?

Regards,
Horia
Re: server connection in authenticator
This might be better on the dev list, but the Authenticator and Authorizer interfaces should let you drop a jar in the classpath and turn them on in the yaml - you shouldn’t NEED to change much code, but that doesn’t mean the interfaces have considered your use case.

If the interfaces are insufficient for your needs, or you’re bumping up against visibility / access problems, we may be able to change things in the next major to facilitate the changes you need.

--
Jeff Jirsa

> On Oct 25, 2017, at 3:37 AM, Horia Mocioi wrote:
>
> Hello guys,
>
> We are building up an authenticator using certificates. So far we came
> up with a solution, but it implies changing some files in Cassandra code
> base in order to have the connection in the new Authenticator.
>
> So, here are my questions:
> * how are you guys doing this?
> * is it possible to obtain the connection on the Authenticator without
>   changing other files in the Cassandra code base, in that sense just
>   creating a new Authenticator and setting it up in cassandra.yaml?
>
> Regards,
> Horia
server connection in authenticator
Hello guys,

We are building up an authenticator using certificates. So far we came up with a solution, but it implies changing some files in Cassandra code base in order to have the connection in the new Authenticator.

So, here are my questions:
* how are you guys doing this?
* is it possible to obtain the connection on the Authenticator without changing other files in the Cassandra code base, in that sense just creating a new Authenticator and setting it up in cassandra.yaml?

Regards,
Horia