Details
- Improvement
- Status: Resolved
- Normal
- Resolution: Fixed
- None
- Operability
- Normal
- All
- Docs
Description
CASSANDRA-18554 added support for mTLS-authenticated clients. Part of this contribution introduced MutualTlsWithPasswordFallbackAuthenticator, which enables Cassandra to accept either password- or mTLS-authenticated connections.
As an operator, it would be useful to know which connections are mTLS authenticated and which are password authenticated, since a likely mode of operation is migrating users from one form of authentication to the other. It would also be useful to know, when authentication attempts are failing, which mode of authentication is unsuccessful.
Proposing to add the following:
- Add a mode: string and metadata: map<string, string> to AuthenticatedUser. Update existing IAuthenticator implementations to pass mode (e.g. password, mtls), and optionally pass a metadata map (e.g. for mTLS authentication this can include the identity extracted from the client certificate).
- Update nodetool clientstats to add a new option flag --metadata, which when passed exposes these new fields on AuthenticatedUser. (Not added to the existing output, to maintain compatibility, much like --client-options did.)
- Update system_views.clients to include columns for these new fields.
- Add new metrics to ClientMetrics:
  - Track authentication success and failures by mode. (Note: which per-mode scopes are present depends on the Authenticator in use, e.g. only scope=Password will be present for PasswordAuthenticator.)
    Existing:
    org.apache.cassandra.metrics:name=AuthSuccess,type=Client
    org.apache.cassandra.metrics:name=AuthFailure,type=Client
    New:
    org.apache.cassandra.metrics:name=AuthSuccess,scope=MutualTls,type=Client
    org.apache.cassandra.metrics:name=AuthSuccess,scope=Password,type=Client
    org.apache.cassandra.metrics:name=AuthFailure,scope=MutualTls,type=Client
    org.apache.cassandra.metrics:name=AuthFailure,scope=Password,type=Client
  - Track connection counts by mode:
    Existing:
    org.apache.cassandra.metrics:name=ConnectedNativeClients,type=Client
    org.apache.cassandra.metrics:name=connectedNativeClients,type=Client (previously deprecated but still maintained)
    New:
    org.apache.cassandra.metrics:name=ConnectedNativeClients,scope=MutualTls,type=Client
    org.apache.cassandra.metrics:name=ConnectedNativeClients,scope=Password,type=Client
  - A metric to track encrypted vs. non-encrypted connections:
    org.apache.cassandra.metrics:name=ConnectedNativeClients,scope=Encrypted,type=Client
    org.apache.cassandra.metrics:name=ConnectedNativeClients,scope=Unencrypted,type=Client
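The following is an added, illustrative Python model of the metric layout proposed above (not Cassandra code): it keeps the existing unscoped AuthSuccess/AuthFailure/ConnectedNativeClients totals intact while adding the per-mode and Encrypted/Unencrypted scopes, and only registers scoped meters for modes the configured authenticator can produce. The ClientAuthMetrics class, the mode-to-scope mapping and the event stream are assumptions made for the example.

```python
from collections import Counter

METRIC_PREFIX = "org.apache.cassandra.metrics"

# Assumed mapping from the mode string on AuthenticatedUser to the JMX scope above.
SCOPES = {"password": "Password", "mtls": "MutualTls"}


def mbean_name(name, scope=None):
    """JMX object name in the layout listed above, with an optional scope attribute."""
    attrs = [f"name={name}"] + ([f"scope={scope}"] if scope else []) + ["type=Client"]
    return f"{METRIC_PREFIX}:" + ",".join(attrs)


class ClientAuthMetrics:
    def __init__(self, supported_modes):
        # Scoped meters exist only for modes the configured authenticator can produce,
        # e.g. PasswordAuthenticator would register scope=Password only.
        self.supported = {SCOPES[m] for m in supported_modes}
        self.counters = Counter()

    def _bump(self, name, mode, delta=1):
        self.counters[mbean_name(name)] += delta              # existing unscoped metric
        scope = SCOPES[mode]
        if scope in self.supported:
            self.counters[mbean_name(name, scope)] += delta   # new per-mode metric

    def record_auth(self, mode, success):
        self._bump("AuthSuccess" if success else "AuthFailure", mode)

    def connection(self, mode, encrypted, delta=1):
        """delta=+1 when a client connects, -1 when it disconnects."""
        self._bump("ConnectedNativeClients", mode, delta)
        enc_scope = "Encrypted" if encrypted else "Unencrypted"
        self.counters[mbean_name("ConnectedNativeClients", enc_scope)] += delta


# Constructed event stream: (kind, mode, flag); flag means success for "auth" events
# and encrypted for "connect"/"disconnect" events. One password login fails and the
# single unencrypted client disconnects at the end.
EVENTS = [("auth", "mtls", True), ("connect", "mtls", True),
          ("auth", "password", True), ("connect", "password", True),
          ("auth", "password", True), ("connect", "password", False),
          ("auth", "password", False), ("disconnect", "password", False)]


def simulate(events=EVENTS, supported_modes=("password", "mtls")):
    m = ClientAuthMetrics(supported_modes)
    for kind, mode, flag in events:
        if kind == "auth":
            m.record_auth(mode, success=flag)
        else:
            m.connection(mode, encrypted=flag, delta=1 if kind == "connect" else -1)
    return m.counters
```

Reading the Password-scoped ConnectedNativeClients gauge over time is the migration check an operator would watch: it should trend to zero as clients move to mTLS while the unscoped total stays stable.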