Re: server connection in authenticator

2017-10-26 Thread Horia Mocioi
Hello Justin and thank you for your answer.

Yes, I am aware of that mechanism.

What we need to accomplish is to add some extra validations to the
certificate in a new Authenticator and in order to get the certificates
for the current connection we need the ServerConnection object or the
sslHandler.

Regards,
Horia

On Thu, 2017-10-26 at 22:33 +, Justin Cameron wrote:
> Hi Horia,
> 
> Are you aware that Cassandra already supports two-way SSL certificate
> authentication? Take a look at the require_client_auth option under
> client_encryption_options in cassandra.yaml:
> http://cassandra.apache.org/doc/latest/configuration/cassandra_config_file.html#client-encryption-options
> 
> The caveat is that Cassandra role authorisation is not possible via
> this mechanism. If you need this then I suspect you're correct in
> that some code will need to change.
> 
> Cheers,
> Justin
> 
> On Thu, 26 Oct 2017 at 17:50 Horia Mocioi wrote:
> > Thank you Jeff & Harika.
> > 
> > Yes, I am aware of that mechanism. What we need to do is to add some
> > extra validations on the certificate used for securing the
> > connection.
> > 
> > So, in order to do this in our Authenticator, we need a way to grab
> > the sslHandler which can be obtained from the ServerConnection. The
> > certificates can be obtained then from the sslHandler.
> > 
> > My question was if there was any other way to grab the
> > ServerConnection in an Authenticator besides passing it as a
> > parameter when building the negotiator, thus changing IAuthenticator
> > and ServerConnection.
> > 
> > Thank you again,
> > Horia
> > 
> > On Wed, 2017-10-25 at 17:13 +, Harika Vangapelli -T (hvangape -
> > AKRAYA INC at Cisco) wrote:
> > > Horia,
> > >
> > > By just changing Authenticator and Authorizer in cassandra.yaml
> > > and adding custom libraries in /usr/share/cassandra/  you can
> > > plugin to custom authentication
> > >
> > > sed -ri \
> > >    -e 's/^(authenticator:).*/\1 'com.cassandra.LdapCassandraAuthenticator'/' \
> > >    -e 's/^(authorizer:).*/\1 'com.cassandra.LdapCassandraAuthorizer'/' \
> > >    "cassandra.yaml"
> > >
> > > Copy custom jars > /usr/share/cassandra/
> > >  
> > >
> > >
> > > Harika Vangapelli
> > > Engineer - IT
> > > hvang...@cisco.com
> > > Tel: 
> > > Cisco Systems, Inc.
> > >
> > >
> > >
> > > United States
> > > cisco.com
> > >
> > >
> > > Think before you print.
> > > This email may contain confidential and privileged material for
> > > the sole use of the intended recipient. Any review, use,
> > > distribution or disclosure by others is strictly prohibited. If you
> > > are not the intended recipient (or authorized to receive for the
> > > recipient), please contact the sender by reply email and delete all
> > > copies of this message.
> > > Please click here for Company Registration Information.
> > >
> > >
> > > -Original Message-
> > > From: Horia Mocioi [mailto:horia.moc...@ericsson.com] 
> > > Sent: Wednesday, October 25, 2017 3:38 AM
> > > To: user@cassandra.apache.org
> > > Subject: server connection in authenticator
> > >
> > > Hello guys,
> > >
> > > We are building up an authenticator using certificates. So far we
> > > came up with a solution, but it implies changing some files in
> > > Cassandra code base in order to have the connection in the new
> > > Authenticator.
> > >
> > > So, here are my questions:
> > > * how are you guys doing this?
> > > * is it possible to obtain the connection on the Authenticator
> > > without changing other files in the Cassandra code base, in that
> > > sense just creating a new Authenticator and set it up in
> > > cassandra.yaml?
> > >
> > > Regards,
> > > Horia
> -- 
> Justin Cameron
> Senior Software Engineer
> 
> 
> 
> This email has been sent on behalf of Instaclustr Pty. Limited
> (Australia) and Instaclustr Inc (USA).
> 
> This email and any attachments may contain confidential and legally
> privileged information.  If you are not the intended recipient, do
> not copy or disclose its content, but please reply to this
> email immediately and highlight the error to the sender and then
> immediately delete the message.

Re: server connection in authenticator

2017-10-26 Thread Justin Cameron
Hi Horia,

Are you aware that Cassandra already supports two-way SSL certificate
authentication? Take a look at the require_client_auth option under
client_encryption_options in cassandra.yaml:
http://cassandra.apache.org/doc/latest/configuration/cassandra_config_file.html#client-encryption-options


The caveat is that Cassandra role authorisation is not possible via this
mechanism. If you need this then I suspect you're correct in that some
code will need to change.

Cheers,
Justin

On Thu, 26 Oct 2017 at 17:50 Horia Mocioi wrote:

> Thank you Jeff & Harika.
>
> Yes, I am aware of that mechanism. What we need to do is to add some
> extra validations on the certificate used for securing the connection.
>
> So, in order to do this in our Authenticator, we need a way to grab the
> sslHandler which can be obtained from the ServerConnection. The
> certificates can be obtained then from the sslHandler.
>
> My question was if there was any other way to grab the ServerConnection
> in an Authenticator besides passing it as a parameter when building the
> negotiator, thus changing IAuthenticator and ServerConnection.
>
> Thank you again,
> Horia
>
> On Wed, 2017-10-25 at 17:13 +, Harika Vangapelli -T (hvangape -
> AKRAYA INC at Cisco) wrote:
> > Horia,
> >
> > By just changing Authenticator and Authorizer in cassandra.yaml and
> > adding custom libraries in /usr/share/cassandra/  you can plugin to
> > custom authentication
> >
> > sed -ri \
> >    -e 's/^(authenticator:).*/\1 'com.cassandra.LdapCassandraAuthenticator'/' \
> >    -e 's/^(authorizer:).*/\1 'com.cassandra.LdapCassandraAuthorizer'/' \
> >    "cassandra.yaml"
> >
> > Copy custom jars > /usr/share/cassandra/
> >
> >
> >
> > Harika Vangapelli
> > Engineer - IT
> > hvang...@cisco.com
> > Tel:
> > Cisco Systems, Inc.
> >
> >
> >
> > United States
> > cisco.com
> >
> >
> >
> >
> > -Original Message-
> > From: Horia Mocioi [mailto:horia.moc...@ericsson.com]
> > Sent: Wednesday, October 25, 2017 3:38 AM
> > To: user@cassandra.apache.org
> > Subject: server connection in authenticator
> >
> > Hello guys,
> >
> > We are building up an authenticator using certificates. So far we
> > came up with a solution, but it implies changing some files in Cassandra
> > code base in order to have the connection in the new Authenticator.
> >
> > So, here are my questions:
> > * how are you guys doing this?
> > * is it possible to obtain the connection on the Authenticator
> > without changing other files in the Cassandra code base, in that
> > sense just creating a new Authenticator and set it up in
> > cassandra.yaml?
> >
> > Regards,
> > Horia

-- 


Justin Cameron
Senior Software Engineer




Re: server connection in authenticator

2017-10-25 Thread Horia Mocioi
Thank you Jeff & Harika.

Yes, I am aware of that mechanism. What we need to do is to add some
extra validations on the certificate used for securing the connection. 

So, in order to do this in our Authenticator, we need a way to grab the
sslHandler which can be obtained from the ServerConnection. The
certificates can be obtained then from the sslHandler.

My question was if there was any other way to grab the ServerConnection
in an Authenticator besides passing it as a parameter when building the
negotiator, thus changing IAuthenticator and ServerConnection.

Thank you again,
Horia

On Wed, 2017-10-25 at 17:13 +, Harika Vangapelli -T (hvangape -
AKRAYA INC at Cisco) wrote:
> Horia,
> 
> By just changing Authenticator and Authorizer in cassandra.yaml and
> adding custom libraries in /usr/share/cassandra/  you can plugin to
> custom authentication
> 
> sed -ri \
>    -e 's/^(authenticator:).*/\1 'com.cassandra.LdapCassandraAuthenticator'/' \
>    -e 's/^(authorizer:).*/\1 'com.cassandra.LdapCassandraAuthorizer'/' \
>    "cassandra.yaml"
> 
> Copy custom jars > /usr/share/cassandra/
>  
> 
> 
> Harika Vangapelli
> Engineer - IT
> hvang...@cisco.com
> Tel: 
> Cisco Systems, Inc.
> 
> 
> 
> United States
> cisco.com
> 
> 
> 
> 
> -Original Message-
> From: Horia Mocioi [mailto:horia.moc...@ericsson.com] 
> Sent: Wednesday, October 25, 2017 3:38 AM
> To: user@cassandra.apache.org
> Subject: server connection in authenticator
> 
> Hello guys,
> 
> We are building up an authenticator using certificates. So far we
> came up with a solution, but it implies changing some files in Cassandra
> code base in order to have the connection in the new Authenticator.
> 
> So, here are my questions:
> * how are you guys doing this?
> * is it possible to obtain the connection on the Authenticator
> without changing other files in the Cassandra code base, in that
> sense just creating a new Authenticator and set it up in
> cassandra.yaml?
> 
> Regards,
> Horia

RE: server connection in authenticator

2017-10-25 Thread Harika Vangapelli -T (hvangape - AKRAYA INC at Cisco)
Horia,

By just changing Authenticator and Authorizer in cassandra.yaml and adding 
custom libraries in /usr/share/cassandra/  you can plugin to custom 
authentication

sed -ri \
   -e 's/^(authenticator:).*/\1 'com.cassandra.LdapCassandraAuthenticator'/' \
   -e 's/^(authorizer:).*/\1 'com.cassandra.LdapCassandraAuthorizer'/' \
   "cassandra.yaml"

Copy custom jars > /usr/share/cassandra/
 


Harika Vangapelli
Engineer - IT
hvang...@cisco.com
Tel: 
Cisco Systems, Inc.



United States
cisco.com




-Original Message-
From: Horia Mocioi [mailto:horia.moc...@ericsson.com] 
Sent: Wednesday, October 25, 2017 3:38 AM
To: user@cassandra.apache.org
Subject: server connection in authenticator

Hello guys,

We are building up an authenticator using certificates. So far we came up with 
a solution, but it implies changing some files in Cassandra code base in order to 
have the connection in the new Authenticator.

So, here are my questions:
* how are you guys doing this?
* is it possible to obtain the connection on the Authenticator without changing 
other files in the Cassandra code base, in that sense just creating a new 
Authenticator and set it up in cassandra.yaml?

Regards,
Horia
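
Added example, not part of any message in this thread: a shell check that reports weak values for the cassandra.yaml settings discussed above (authenticator, authorizer, and require_client_auth under client_encryption_options). The sample file is constructed, and the `enabled` and `optional` keys and the AllowAll* class names are standard Cassandra settings that the thread itself does not mention.

```shell
#!/bin/sh
# Added example: report weak values of the cassandra.yaml settings named in
# the thread. Prints one finding per line, nothing when none apply.
audit_cassandra_yaml() {
    awk -v q="'" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
    {
        line = $0
        sub(/[ \t]+#.*$/, "", line)        # drop a trailing comment
        top = (line ~ /^[^ \t]/)           # unindented: a top-level key
        sub(/^[ \t]+/, "", line)
        key = line; sub(/:.*$/, "", key)
        val = line; sub(/^[^:]*:[ \t]*/, "", val)
        gsub("[\"" q "]", "", val)         # strip YAML quoting
        if (top) section = key
        if (top && key == "authenticator") authn = val
        if (top && key == "authorizer") authz = val
        if (!top && section == "client_encryption_options") tls[key] = val
    }
    END {
        if (authn == "" || authn ~ /AllowAllAuthenticator$/)
            print "authenticator: unset or AllowAllAuthenticator"
        if (authz == "" || authz ~ /AllowAllAuthorizer$/)
            print "authorizer: unset or AllowAllAuthorizer"
        if (tls["enabled"] != "true")
            print "client_encryption_options.enabled: not true"
        if (tls["optional"] == "true")
            print "client_encryption_options.optional: plaintext still accepted"
        if (tls["require_client_auth"] != "true")
            print "client_encryption_options.require_client_auth: not true"
    }' "$1"
}

# Constructed sample: custom auth classes are set, client certificates are not required.
sample_yaml() {
cat <<'EOF'
authenticator: 'com.cassandra.LdapCassandraAuthenticator'
authorizer: com.cassandra.LdapCassandraAuthorizer
server_encryption_options:
    require_client_auth: true
client_encryption_options:
    enabled: true
    optional: false
    keystore: conf/.keystore    # placeholder path
    require_client_auth: false
EOF
}

tmp=$(mktemp) && sample_yaml > "$tmp" && audit_cassandra_yaml "$tmp"; rm -f "$tmp"
```

The check tracks the enclosing top-level key, so `require_client_auth: true` under server_encryption_options does not mask the client-side setting.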


Re: server connection in authenticator

2017-10-25 Thread Jeff Jirsa
This might be better on the dev list, but the Authenticator and Authorizer 
interfaces should let you drop a jar in the classpath and turn them on in the 
yaml - you shouldn’t NEED to change much code, but that doesn’t mean the 
interfaces have considered your use case.

If the interfaces are insufficient for your needs, or you’re bumping up against 
visibility / access problems, we may be able to change things in the next major 
to facilitate the changes you need.


-- 
Jeff Jirsa


> On Oct 25, 2017, at 3:37 AM, Horia Mocioi wrote:
> 
> Hello guys,
> 
> We are building up an authenticator using certificates. So far we came
> up with a solution, but it implies changing some files in Cassandra code
> base in order to have the connection in the new Authenticator.
> 
> So, here are my questions:
> * how are you guys doing this?
> * is it possible to obtain the connection on the Authenticator without
> changing other files in the Cassandra code base, in that sense just
> creating a new Authenticator and set it up in cassandra.yaml?
> 
> Regards,
> Horia




server connection in authenticator

2017-10-25 Thread Horia Mocioi
Hello guys,

We are building up an authenticator using certificates. So far we came
up with a solution, but it implies changing some files in Cassandra code
base in order to have the connection in the new Authenticator.

So, here are my questions:
* how are you guys doing this?
* is it possible to obtain the connection on the Authenticator without
changing other files in the Cassandra code base, in that sense just
creating a new Authenticator and set it up in cassandra.yaml?

Regards,
Horia