Andy Tolbert created CASSANDRA-18857:
----------------------------------------

             Summary: Allow CQL client-certificate authentication to work 
without sending an AUTHENTICATE request to client
                 Key: CASSANDRA-18857
                 URL: https://issues.apache.org/jira/browse/CASSANDRA-18857
             Project: Cassandra
          Issue Type: Improvement
          Components: Feature/Encryption
            Reporter: Andy Tolbert


Currently when using {{MutualTlsAuthenticator}} or 
{{MutualTlsWithPasswordFallbackAuthenticator}} a client is prompted with an 
{{AUTHENTICATE}} message to which they must respond with an {{AUTH_RESPONSE}} 
(e.g. a user name and password).  This shouldn't be needed as the role can be 
identified using only the certificate.

To address this, we could add the capability to authenticate early in 
processing of a {{STARTUP}} message if we can determine that both the 
configured authenticator supports certificate authentication and a client 
certificate was provided.  If the certificate can be authenticated, a {{READY}} 
response is returned, otherwise an {{ERROR}} is returned.

This change can be done in a fully backwards compatible way and requires 
no protocol or driver changes; I will supply a patch shortly!



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
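
The STARTUP decision proposed in the issue, sketched as an added example (not the patch mentioned above and not Cassandra code). The Authenticator record, onStartup, and the certificate identities are hypothetical names and constructed values; how an identity is extracted from a certificate is assumed to happen elsewhere.

```java
import java.util.Map;
import java.util.Optional;

public class EarlyCertAuthSketch {
    /** Server replies to STARTUP that the issue text mentions. */
    enum Reply { READY, AUTHENTICATE, ERROR }

    /** Hypothetical authenticator model; these are not Cassandra's interfaces. */
    record Authenticator(boolean supportsCertAuth, Map<String, String> identityToRole) {
        Optional<String> roleFor(String certIdentity) {
            return Optional.ofNullable(identityToRole.get(certIdentity));
        }
    }

    /**
     * Decide the reply to STARTUP. certIdentity is empty when the TLS
     * handshake produced no client certificate.
     */
    static Reply onStartup(Authenticator auth, Optional<String> certIdentity) {
        if (auth.supportsCertAuth() && certIdentity.isPresent()) {
            // Early path: the certificate alone decides the outcome, so the
            // AUTHENTICATE / AUTH_RESPONSE round trip is skipped.
            return auth.roleFor(certIdentity.get()).isPresent() ? Reply.READY : Reply.ERROR;
        }
        // Unchanged path: no certificate, or an authenticator without
        // certificate support, is still prompted as before.
        return Reply.AUTHENTICATE;
    }

    public static void main(String[] args) {
        // Constructed sample data: one identity mapped to one role.
        String known = "spiffe://example.test/app/reader";
        String unknown = "spiffe://example.test/app/unmapped";
        Authenticator mtls = new Authenticator(true, Map.of(known, "reader"));
        Authenticator passwordOnly = new Authenticator(false, Map.of());

        System.out.println("mapped cert:      " + onStartup(mtls, Optional.of(known)));
        System.out.println("unmapped cert:    " + onStartup(mtls, Optional.of(unknown)));
        System.out.println("no cert:          " + onStartup(mtls, Optional.empty()));
        System.out.println("no cert support:  " + onStartup(passwordOnly, Optional.of(known)));
    }
}
```

A driver already has to accept either READY or AUTHENTICATE in reply to STARTUP, which is why the early path needs no protocol or driver change.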
