Cassandra / CASSANDRA-18857

Allow CQL client certificate authentication to work without sending an AUTHENTICATE request


Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Fix Version: 5.1
    • Component: Feature/Encryption
    • Labels: None
    • Change Category: Operability
    • Complexity: Normal
    • Platform: All
    • Impacts: Security
    • Test and Documentation Plan:

      Tests included in PR:

      • AuthenticationTest tests the existing code path that ensures an AUTHENTICATE request is sent in response to STARTUP with PasswordAuthenticator.
      • EarlyCertificateAuthenticationTest validates the authentication path where a certificate is provided (or not) with MutualTlsAuthenticator.
      • MutualTlsWithPasswordFallbackAuthenticatorEarlyCertificateAuthenticationTest additionally validates the authentication path where a certificate is optionally provided together with credentials.

    Description

      Currently, when using MutualTlsAuthenticator or MutualTlsWithPasswordFallbackAuthenticator, a client is prompted with an AUTHENTICATE message, to which it must respond with an AUTH_RESPONSE (e.g. a user name and password). This shouldn't be needed, as the role can be identified using only the certificate.

      To address this, we could add the capability to authenticate early, while processing the STARTUP message, if we can determine that both the configured authenticator supports certificate authentication and a client certificate was provided. If the certificate can be authenticated, a READY response is returned; otherwise an ERROR is returned.

      This change can be done in a fully backwards-compatible way and requires no protocol or driver changes; I will supply a patch shortly!
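The STARTUP decision described above, as an added Python model (not Cassandra's own code): the ClientCertificate type, the role_by_cn mapping and the chain_valid flag are constructed stand-ins for real X.509 validation and role lookup, and only the three response outcomes matter.

```python
from dataclasses import dataclass

class AuthenticationError(Exception):
    """Raised when a client certificate cannot be mapped to a role."""

@dataclass(frozen=True)
class ClientCertificate:
    # Constructed stand-in for an X.509 leaf certificate: only the subject CN
    # and the outcome of TLS-layer chain validation are modelled.
    subject_cn: str
    chain_valid: bool

class PasswordAuthenticator:
    # Existing behaviour: cannot authenticate from a certificate, so STARTUP
    # must always be answered with an AUTHENTICATE challenge.
    supports_certificate_auth = False

    def authenticate_certificates(self, certs):
        raise AuthenticationError("PasswordAuthenticator cannot use certificates")

class MutualTlsAuthenticator:
    # Maps a certificate identity (here the subject CN) to a role.
    supports_certificate_auth = True

    def __init__(self, role_by_cn):
        self.role_by_cn = role_by_cn

    def authenticate_certificates(self, certs):
        leaf = certs[0]
        if not leaf.chain_valid:
            raise AuthenticationError("client certificate failed validation")
        role = self.role_by_cn.get(leaf.subject_cn)
        if role is None:
            raise AuthenticationError("no role mapped to certificate identity")
        return role

class MutualTlsWithPasswordFallbackAuthenticator(MutualTlsAuthenticator):
    # Same early path when a certificate is present; with no certificate the
    # STARTUP handler falls through to the AUTHENTICATE challenge below.
    pass

def handle_startup(authenticator, client_certs):
    """Decide the response to STARTUP: ('READY', role), ('ERROR', reason)
    or ('AUTHENTICATE', None), which is the pre-existing challenge path."""
    if authenticator.supports_certificate_auth and client_certs:
        try:
            return ("READY", authenticator.authenticate_certificates(client_certs))
        except AuthenticationError as exc:
            return ("ERROR", str(exc))
    return ("AUTHENTICATE", None)
```

A failed certificate produces an ERROR rather than a fallback to the password prompt, which matches the behaviour the description specifies.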

      Attachments

        1. ci_summary.html (7 kB, Andy Tolbert)
        2. result_details.tar.gz (39.04 MB, Andy Tolbert)

      People

        Assignee: Andy Tolbert (andrew.tolbert)
        Reporter: Andy Tolbert (andrew.tolbert)
        Authors: Andy Tolbert
        Reviewers: Abe Ratnofsky, Dinesh Joshi, Francisco Guerrero, Jyothsna Konisa

      Time Tracking

        Original Estimate: Not Specified
        Remaining Estimate: 0h
        Time Spent: 4h 40m