[ https://issues.apache.org/jira/browse/CASSANDRA-18554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17747658#comment-17747658 ]
Yifan Cai commented on CASSANDRA-18554: --------------------------------------- I reviewed the changes since last time did. Left some minor comments, and they were addressed. +1 on the patch. > mTLS based client and internode authenticators > ---------------------------------------------- > > Key: CASSANDRA-18554 > URL: https://issues.apache.org/jira/browse/CASSANDRA-18554 > Project: Cassandra > Issue Type: New Feature > Components: Feature/Authorization > Reporter: Jyothsna Konisa > Assignee: Jyothsna Konisa > Priority: Normal > Time Spent: 2.5h > Remaining Estimate: 0h > > Cassandra currently doesn't have any certificate based authenticator for both > client connections and internode connections. If one wants to use certificate > based authentication protocol like TLS, in which clients send their > certificates for the TLS handshake, we can leverage the information from the > client certificate to identify a client. Using this authentication mechanism > one can avoid the pain of password generations, sharing and rotation. > Introducing following certificate based mTLS authenticators for internode and > client connections > MutualTlsAuthenticator (client authentication) > MutualTlsInternodeAuthenticator (internode authentication) > MutualTlsWithPasswordFallbackAuthenticator (for optional mode operation for > client authentication) > An implementation of MutualTlsCertificateValidator called > SpiffeCertificateValidator whose identity is SPIFFE that is embedded in SAN > of the client certificate. One can implement their own CertificateValidator > to match their needs and configure it in Cassandra.yaml -- This message was sent by Atlassian Jira (v8.20.10#820010) --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org