Cassandra / CASSANDRA-18554

mTLS based client and internode authenticators


Details

    Description

      Cassandra currently doesn't have a certificate-based authenticator for either client connections or internode connections. If one uses a certificate-based authentication protocol like TLS, in which clients send their certificates during the TLS handshake, we can leverage the information in the client certificate to identify the client. With this authentication mechanism one can avoid the pain of password generation, sharing and rotation.

      This change introduces the following certificate-based mTLS authenticators for internode and client connections:
      MutualTlsAuthenticator (client authentication)
      MutualTlsInternodeAuthenticator (internode authentication)
      MutualTlsWithPasswordFallbackAuthenticator (for optional mode operation for client authentication)

      It also includes an implementation of MutualTlsCertificateValidator called SpiffeCertificateValidator, whose identity is the SPIFFE ID embedded in the SAN of the client certificate. One can implement their own CertificateValidator to match their needs and configure it in cassandra.yaml.


            People

              Jyothsnakonisa Jyothsna Konisa
              Jyothsnakonisa Jyothsna Konisa
              Dinesh Joshi, Jyothsna Konisa
              Dinesh Joshi, Jon Meredith, Yifan Cai