Andy Tolbert created CASSANDRA-18857:
----------------------------------------

Summary: Allow CQL client-certificate authentication to work without sending an AUTHENTICATE request to client
Key: CASSANDRA-18857
URL: https://issues.apache.org/jira/browse/CASSANDRA-18857
Project: Cassandra
Issue Type: Improvement
Components: Feature/Encryption
Reporter: Andy Tolbert

Currently when using {{MutualTlsAuthenticator}} or {{MutualTlsWithPasswordFallbackAuthenticator}} a client is prompted with an {{AUTHENTICATE}} message to which they must respond with an {{AUTH_RESPONSE}} (e.g. a user name and password). This shouldn't be needed as the role can be identified using only the certificate.

To address this, we could add the capability to authenticate early in processing of a {{STARTUP}} message if we can determine that both the configured authenticator supports certificate authentication and a client certificate was provided. If the certificate can be authenticated, a {{READY}} response is returned, otherwise an {{ERROR}} is returned.

This change can be done in a fully backwards compatible way and requires no protocol or driver changes; I will supply a patch shortly!
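
The proposed STARTUP handling, modelled as an added example (not code from the issue or from Cassandra). The class and function names, the identity string and the role mapping are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Authenticator:
    """Hypothetical model of a server authenticator, not Cassandra's API."""
    require_authentication: bool = True
    supports_certificates: bool = False
    identity_to_role: Dict[str, str] = field(default_factory=dict)


@dataclass
class Connection:
    # Identity taken from the verified client certificate; None means the
    # client presented no certificate during the TLS handshake.
    cert_identity: Optional[str] = None
    role: Optional[str] = None


def handle_startup(auth: Authenticator, conn: Connection) -> Tuple[str, Optional[str]]:
    """Return (opcode, reason) for the server's reply to STARTUP."""
    if not auth.require_authentication:
        return "READY", None
    if auth.supports_certificates and conn.cert_identity is not None:
        role = auth.identity_to_role.get(conn.cert_identity)
        if role is None:
            # Fail closed: a presented certificate that does not authenticate
            # gets ERROR, not a downgrade to the AUTHENTICATE prompt.
            return "ERROR", "certificate identity is not mapped to a role"
        conn.role = role
        return "READY", None
    # No certificate, or an authenticator without certificate support:
    # the existing AUTHENTICATE / AUTH_RESPONSE exchange is unchanged.
    return "AUTHENTICATE", None


def handshake(auth: Authenticator, conn: Connection) -> List[str]:
    """Trace the messages exchanged up to the client's first reply."""
    trace = ["C: STARTUP"]
    opcode, _ = handle_startup(auth, conn)
    trace.append("S: " + opcode)
    if opcode == "AUTHENTICATE":
        trace.append("C: AUTH_RESPONSE")  # credential exchange continues as today
    return trace


# Constructed sample data.
MTLS = Authenticator(supports_certificates=True,
                     identity_to_role={"spiffe://example.test/app": "app_role"})
```

A client that already accepts READY directly after STARTUP sees the shorter exchange without any change, which is the backwards-compatibility point made in the issue.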