[ https://issues.apache.org/jira/browse/CASSANDRA-7686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14237688#comment-14237688 ]
Sam Tunnicliffe commented on CASSANDRA-7686:
--------------------------------------------
A custom IAuthenticator which supports the SASL PLAIN mechanism would be a
better way to do this. It could extend PasswordAuthenticator if necessary but
it's going to require additional configuration to handle the permitted proxying
between users.
> Add proxy authentication to PasswordAuthenticator
> -------------------------------------------------
>
> Key: CASSANDRA-7686
> URL: https://issues.apache.org/jira/browse/CASSANDRA-7686
> Project: Cassandra
> Issue Type: New Feature
> Components: Core
> Reporter: Mike Adamson
> Fix For: 3.0
>
>
> The SASL plain text protocol supports the concept of an authorization ID that
> is used for any authorization requests during the authenticated session.
>
> This authorization ID is (optionally) passed during the SASL exchange as part
> of the SASL plain text message. It is currently ignored by the
> PasswordAuthenticator.
> This field is typically used by web applications to authenticate using a
> fixed set of authentication credentials but allow authorization of resources
> based on another user id. It allows the application to authenticate users using
> their own authentication mechanism without having to store the users'
> credentials to log into the downstream system.
> It would be useful if the PasswordAuthenticator could use this field (if
> present) as the user id for the AuthenticatedUser instead of the
> authentication ID currently used.
> This would need a mechanism to allow / deny one user to proxy to another and
> the ability to check whether proxying is allowed for a user / proxy pair.
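The authorization-ID handling discussed in this message, as an added example that is not code from Cassandra or from either participant: it decodes a SASL PLAIN message (RFC 4616 layout: `[authzid] NUL authcid NUL passwd`) and applies a deny-by-default check on the user / proxy pair. The class and method names and the in-memory allow map are hypothetical; verifying the authcid and password is assumed to happen separately, before the proxy decision.

```java
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.Set;

public class SaslPlainProxyExample {
    /** Decoded fields of a SASL PLAIN message (RFC 4616): [authzid] NUL authcid NUL passwd. */
    record PlainCredentials(String authzid, String authcid, String password) {}

    static PlainCredentials decode(byte[] message) {
        int first = -1, second = -1;
        for (int i = 0; i < message.length; i++) {
            if (message[i] != 0) continue;
            if (first < 0) first = i;
            else if (second < 0) second = i;
            else throw new IllegalArgumentException("more than two NUL separators");
        }
        if (second < 0) throw new IllegalArgumentException("expected two NUL separators");
        String authzid = new String(message, 0, first, StandardCharsets.UTF_8);
        String authcid = new String(message, first + 1, second - first - 1, StandardCharsets.UTF_8);
        String password = new String(message, second + 1, message.length - second - 1, StandardCharsets.UTF_8);
        if (authcid.isEmpty() || password.isEmpty())
            throw new IllegalArgumentException("authcid and password must be non-empty");
        return new PlainCredentials(authzid, authcid, password);
    }

    /** Returns the user id the session runs as; call only after the authcid/password check has passed. */
    static String effectiveUser(PlainCredentials c, Map<String, Set<String>> allowedProxies) {
        // No authzid, or authzid equal to authcid: the client acts as itself.
        if (c.authzid().isEmpty() || c.authzid().equals(c.authcid())) return c.authcid();
        // Deny by default: the (authcid, authzid) pair must be explicitly permitted.
        if (allowedProxies.getOrDefault(c.authcid(), Set.of()).contains(c.authzid())) return c.authzid();
        throw new SecurityException(c.authcid() + " may not proxy to " + c.authzid());
    }

    public static void main(String[] args) {
        // Constructed policy and messages, for illustration only.
        Map<String, Set<String>> allowed = Map.of("webapp", Set.of("alice"));
        String[] samples = { "\0webapp\0secret", "alice\0webapp\0secret", "admin\0webapp\0secret" };
        for (String s : samples) {
            PlainCredentials c = decode(s.getBytes(StandardCharsets.UTF_8));
            try {
                System.out.println(c.authcid() + " -> " + effectiveUser(c, allowed));
            } catch (SecurityException e) {
                System.out.println("denied: " + e.getMessage());
            }
        }
    }
}
```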