[ https://issues.apache.org/jira/browse/CASSANDRA-7686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14237688#comment-14237688 ]
Sam Tunnicliffe commented on CASSANDRA-7686:
--------------------------------------------

A custom IAuthenticator which supports the SASL PLAIN mechanism would be a better way to do this. It could extend PasswordAuthenticator if necessary but it's going to require additional configuration to handle the permitted proxying between users.

> Add proxy authentication to PasswordAuthenticator
> -------------------------------------------------
>
> Key: CASSANDRA-7686
> URL: https://issues.apache.org/jira/browse/CASSANDRA-7686
> Project: Cassandra
> Issue Type: New Feature
> Components: Core
> Reporter: Mike Adamson
> Fix For: 3.0
>
>
> The SASL plain text protocol supports the concept of an authorization ID that
> is used for any authorization requests during the authenticated session.
>
> This authorization ID is (optionally) passed during the SASL exchange as part
> of the SASL plain text message. It is currently ignored by the
> PasswordAuthenticator.
> This field is typically used by web applications to authenticate using a
> fixed set of authentication credentials but allow authorization of resources
> based on another user id. It allows the application to authenticate users using
> their own authentication mechanism without having to store the users'
> credentials to log into the downstream system.
> It would be useful if the PasswordAuthenticator could use this field (if
> present) as the user id for the AuthenticatedUser instead of the
> authentication ID currently used.
> This would need a mechanism to allow / deny one user to proxy to another and
> the ability to check whether proxying is allowed for a user / proxy pair.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
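The proxy check discussed in this message, as an added example that is not Cassandra code and does not use the IAuthenticator API: it decodes a SASL PLAIN message (RFC 4616 layout `[authzid] NUL authcid NUL passwd`) and switches to the authorization ID only after the authentication ID has been verified and an explicit grant exists. The class name, `passwordOk`, `proxyGrants` and all sample users are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.function.BiPredicate;

public class SaslPlainProxyExample {
    // Split the RFC 4616 message: [authzid] NUL authcid NUL passwd.
    static String[] decode(byte[] token) {
        List<String> fields = new ArrayList<>();
        int start = 0;
        for (int i = 0; i <= token.length; i++) {
            if (i == token.length || token[i] == 0) {
                fields.add(new String(token, start, i - start, StandardCharsets.UTF_8));
                start = i + 1;
            }
        }
        // Exactly three fields; only the authzid may be empty.
        if (fields.size() != 3 || fields.get(1).isEmpty() || fields.get(2).isEmpty())
            throw new SecurityException("malformed SASL PLAIN message");
        return fields.toArray(new String[0]);
    }

    // Returns the user id the session should be authorized as, or throws.
    static String effectiveUser(byte[] token, BiPredicate<String, String> passwordOk,
                                Map<String, Set<String>> proxyGrants) {
        String[] f = decode(token);
        String authzid = f[0], authcid = f[1], passwd = f[2];
        // Authenticate the authentication ID first, whatever authzid says.
        if (!passwordOk.test(authcid, passwd))
            throw new SecurityException("bad credentials");
        if (authzid.isEmpty() || authzid.equals(authcid))
            return authcid; // no proxying requested
        // Deny by default: proxying needs an explicit authcid -> authzid grant.
        if (!proxyGrants.getOrDefault(authcid, Collections.emptySet()).contains(authzid))
            throw new SecurityException(authcid + " may not proxy to " + authzid);
        return authzid;
    }

    public static void main(String[] args) {
        // Constructed sample data; the plain-text map stands in for a real credential store.
        Map<String, String> passwords = Map.of("webapp", "s3cret", "alice", "pw");
        Map<String, Set<String>> grants = Map.of("webapp", Set.of("alice"));
        BiPredicate<String, String> check = (u, p) -> p.equals(passwords.get(u));
        byte[] proxied = "alice\0webapp\0s3cret".getBytes(StandardCharsets.UTF_8);
        byte[] ungranted = "webapp\0alice\0pw".getBytes(StandardCharsets.UTF_8);
        System.out.println(effectiveUser(proxied, check, grants));
        try { effectiveUser(ungranted, check, grants); }
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```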