Details
- Type: New Feature
- Status: Resolved
- Priority: Normal
- Resolution: Won't Fix
Description
The SASL plain text protocol supports the concept of an authorization ID that is used for any authorization requests during the authenticated session.
This authorization ID is (optionally) passed during the SASL exchange as part of the SASL plain text message. It is currently ignored by the PasswordAuthenticator.
This field is typically used by web applications to authenticate using a fixed set of authentication credentials but allow authorization of resources based on another user ID. It allows the application to authenticate users using its own authentication mechanism without having to store the users' credentials to log into the downstream system.
It would be useful if the PasswordAuthenticator could use this field (if present) as the user id for the AuthenticatedUser instead of the authentication ID currently used.
This would need a mechanism to allow / deny one user to proxy to another and the ability to check whether proxying is allowed for a user / proxy pair.
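A sketch of the requested behaviour, added here as an illustration and not taken from Cassandra's PasswordAuthenticator: it splits an RFC 4616 PLAIN message (`[authzid] NUL authcid NUL passwd`), authenticates the authentication ID, and adopts the authorization ID only when a proxy grant covers the pair. The names `parse_plain`, `resolve_user`, `PROXY_GRANTS` and `PASSWORDS`, and all sample values, are hypothetical.

```python
import hmac


class AuthError(Exception):
    """Raised when the PLAIN message is malformed or the request is denied."""


# Constructed proxy grants: authentication ID -> authorization IDs it may act as.
PROXY_GRANTS = {"webapp": {"alice", "bob"}}

# Constructed credential store; a real authenticator compares salted hashes.
PASSWORDS = {"webapp": "s3cret", "alice": "alice-pw"}


def parse_plain(message: bytes):
    """Split an RFC 4616 PLAIN message into (authzid, authcid, passwd)."""
    parts = message.split(b"\x00")
    if len(parts) != 3:
        raise AuthError("expected exactly two NUL separators")
    try:
        authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    except UnicodeDecodeError:
        raise AuthError("fields must be valid UTF-8") from None
    if not authcid or not passwd:
        raise AuthError("authcid and passwd are required")
    return authzid, authcid, passwd


def resolve_user(message: bytes) -> str:
    """Authenticate authcid, then return the identity the session runs as."""
    authzid, authcid, passwd = parse_plain(message)
    stored = PASSWORDS.get(authcid)
    # The password always belongs to authcid, never to the requested authzid.
    if stored is None or not hmac.compare_digest(stored.encode(), passwd.encode()):
        raise AuthError("bad credentials")
    if not authzid or authzid == authcid:
        return authcid  # no proxying requested
    # Deny by default: the (authcid, authzid) pair must be explicitly granted.
    if authzid not in PROXY_GRANTS.get(authcid, set()):
        raise AuthError(f"{authcid} may not act as {authzid}")
    return authzid
```

The grant lookup is keyed on the authenticated ID, so holding valid credentials for one account never implies the right to act as another.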
Issue Links
- Is contained by: CASSANDRA-8394 Cassandra 3.0 Auth changes (Resolved)