Details
- New Feature
- Status: Resolved
- Normal
- Resolution: Fixed
- None
- Performance
- Normal
- All
- None
- Added unit tests for all the authenticators
- Testing using CCM
Description
Cassandra currently has no certificate-based authenticator for either client connections or internode connections. When clients present certificates during the TLS handshake, the information in the client certificate can be used to identify the client. Authenticating this way avoids the pain of generating, sharing and rotating passwords.
This ticket introduces the following certificate-based mTLS authenticators for internode and client connections:
- MutualTlsAuthenticator (client authentication)
- MutualTlsInternodeAuthenticator (internode authentication)
- MutualTlsWithPasswordFallbackAuthenticator (optional-mode operation for client authentication)
- An implementation of MutualTlsCertificateValidator called SpiffeCertificateValidator, which takes the client's identity from the SPIFFE ID embedded in the SAN of the client certificate. Operators can implement their own CertificateValidator to match their needs and configure it in cassandra.yaml.
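The check a SPIFFE-based validator like the one described above has to perform, shown as an added example (not Cassandra's code): it takes the certificate's SAN URI entries as already-extracted strings (in Java these come from X509Certificate.getSubjectAlternativeNames(), type 6), insists on exactly one well-formed SPIFFE ID from an allowed trust domain, and maps it to a role. The trust-domain allowlist and the identity-to-role map are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed for the example: trust domains this cluster accepts and the
# SPIFFE IDs it maps to Cassandra roles. A real validator would read these
# from configuration.
ALLOWED_TRUST_DOMAINS = {"example.org"}
IDENTITY_TO_ROLE = {
    "spiffe://example.org/cassandra/app-client": "app_client",
}

# SPIFFE trust domains are lowercase; path segments use a restricted charset.
TRUST_DOMAIN_RE = re.compile(r"^[a-z0-9._-]+$")
PATH_SEGMENT_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def extract_spiffe_id(san_uris):
    """Return the single SPIFFE ID among the SAN URIs, or None if none or several."""
    ids = [u for u in san_uris if u.startswith("spiffe://")]
    if len(ids) != 1:
        return None  # no identity, or an ambiguous one: refuse rather than guess
    return ids[0]


def validate_spiffe_id(spiffe_id):
    """Check the ID against the SPIFFE ID format and the trust-domain allowlist."""
    parts = urlsplit(spiffe_id)
    if parts.scheme != "spiffe" or parts.query or parts.fragment:
        return False
    if not TRUST_DOMAIN_RE.match(parts.netloc):
        return False  # empty, uppercase, userinfo or port are all rejected
    if not parts.path.startswith("/"):
        return False
    segments = parts.path.split("/")[1:]
    if not segments:
        return False
    # Reject empty segments ("//") and dot segments ("." / "..") so that two
    # different spellings can never resolve to the same identity.
    if any(not PATH_SEGMENT_RE.match(s) or s in (".", "..") for s in segments):
        return False
    return parts.netloc in ALLOWED_TRUST_DOMAINS


def authenticate(san_uris):
    """Map a client's SAN URI entries to a Cassandra role, or None to reject."""
    spiffe_id = extract_spiffe_id(san_uris)
    if spiffe_id is None or not validate_spiffe_id(spiffe_id):
        return None
    return IDENTITY_TO_ROLE.get(spiffe_id)
```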