Andy Tolbert created CASSANDRA-19366: ----------------------------------------
Summary: Expose mode of authentication in system_views.clients, nodetool clientstats, and ClientMetrics
Key: CASSANDRA-19366
URL: https://issues.apache.org/jira/browse/CASSANDRA-19366
Project: Cassandra
Issue Type: Improvement
Components: Feature/Encryption, Messaging/Client, Observability/JMX, Observability/Metrics, Tool/nodetool
Reporter: Andy Tolbert

CASSANDRA-18554 added support for mTLS-authenticated clients. Part of this contribution introduced {{MutualTlsWithPasswordFallbackAuthenticator}}, which enables Cassandra to accept either password- or mTLS-authenticated connections.

As an operator, it would be useful to know which connections are mTLS authenticated and which are password authenticated, since a likely mode of operation is migrating users from one form of authentication to another. It would also be useful to know, when authentication attempts are failing, which mode of authentication is unsuccessful.

Proposing to add the following:

* Add a {{mode: string}} and {{metadata: map<string, string>}} to {{AuthenticatedUser}}. Update existing {{IAuthenticator}} implementations to pass {{mode}} (e.g. {{password}}, {{mtls}}), and optionally pass a {{metadata}} map (e.g. this can include the extracted {{identity}} from a client certificate for {{mtls}} authentication).
* Update nodetool clientstats to add a new option flag {{--metadata}}, which when passed exposes these new fields on {{AuthenticatedUser}}. (Not added to the existing output, to maintain compatibility, much like {{--client-options}} did.)
* Update {{system_views.clients}} to include columns for these new fields.
* Add new metrics to {{ClientMetrics}}:
** Track authentication successes and failures by mode. (Note: which authentication-mode scopes are present depends on the Authenticator in use, e.g. only {{scope=Password}} will be present for {{PasswordAuthenticator}}.)
{noformat}
Existing:
org.apache.cassandra.metrics:name=AuthSuccess,type=Client
org.apache.cassandra.metrics:name=AuthFailure,type=Client

New:
org.apache.cassandra.metrics:name=AuthSuccess,scope=Mtls,type=Client
org.apache.cassandra.metrics:name=AuthSuccess,scope=Password,type=Client
org.apache.cassandra.metrics:name=AuthFailure,scope=Mtls,type=Client
org.apache.cassandra.metrics:name=AuthFailure,scope=Password,type=Client
{noformat}
** Track connection counts by mode:
{noformat}
Existing:
org.apache.cassandra.metrics:name=ConnectedNativeClients,type=Client
org.apache.cassandra.metrics:name=connectedNativeClients,type=Client (previously deprecated but still maintained)

New:
org.apache.cassandra.metrics:name=ConnectedNativeClients,scope=Mtls,type=Client
org.apache.cassandra.metrics:name=ConnectedNativeClients,scope=Password,type=Client
{noformat}
** A metric to track encrypted vs. non-encrypted connections:
{noformat}
org.apache.cassandra.metrics:name=ConnectedNativeClients,scope=Encrypted,type=Client
org.apache.cassandra.metrics:name=ConnectedNativeClients,scope=Unencrypted,type=Client
{noformat}
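As an added operator-side illustration (not part of the ticket or of Cassandra itself), the following Python parses JMX ObjectNames of the proposed per-scope form, derives the auth failure rate per mode and the mTLS share of connected clients, and flags a mode whose failure rate exceeds a threshold. The metric values are constructed for the example; the Mtls/Password and Encrypted/Unencrypted scopes are treated as two separate partitions of the same connections so they are never summed together.

```python
from collections import defaultdict

# Constructed sample scrape: JMX ObjectName -> value. Numbers are made up.
SAMPLE_METRICS = {
    "org.apache.cassandra.metrics:name=AuthSuccess,scope=Mtls,type=Client": 940,
    "org.apache.cassandra.metrics:name=AuthFailure,scope=Mtls,type=Client": 60,
    "org.apache.cassandra.metrics:name=AuthSuccess,scope=Password,type=Client": 1980,
    "org.apache.cassandra.metrics:name=AuthFailure,scope=Password,type=Client": 20,
    "org.apache.cassandra.metrics:name=ConnectedNativeClients,scope=Mtls,type=Client": 30,
    "org.apache.cassandra.metrics:name=ConnectedNativeClients,scope=Password,type=Client": 70,
    "org.apache.cassandra.metrics:name=ConnectedNativeClients,scope=Encrypted,type=Client": 95,
    "org.apache.cassandra.metrics:name=ConnectedNativeClients,scope=Unencrypted,type=Client": 5,
}


def parse_object_name(object_name: str) -> dict:
    """Split 'domain:k1=v1,k2=v2' into a dict; 'scope' is absent on legacy names."""
    domain, _, props = object_name.partition(":")
    attrs = dict(p.split("=", 1) for p in props.split(","))
    attrs["domain"] = domain
    return attrs


def auth_failure_rate_by_mode(metrics: dict) -> dict:
    """Return {scope: failures / (successes + failures)} for each scoped auth mode."""
    counts = defaultdict(lambda: {"AuthSuccess": 0, "AuthFailure": 0})
    for name, value in metrics.items():
        a = parse_object_name(name)
        if a.get("type") == "Client" and a["name"] in ("AuthSuccess", "AuthFailure") and "scope" in a:
            counts[a["scope"]][a["name"]] += value
    return {scope: c["AuthFailure"] / (c["AuthSuccess"] + c["AuthFailure"])
            for scope, c in counts.items() if c["AuthSuccess"] + c["AuthFailure"]}


def connected_share(metrics: dict, scope: str, partition: tuple) -> float:
    """Share of ConnectedNativeClients in `scope`, summing only scopes in `partition`."""
    totals = defaultdict(int)
    for name, value in metrics.items():
        a = parse_object_name(name)
        if a.get("name") == "ConnectedNativeClients" and a.get("scope") in partition:
            totals[a["scope"]] += value
    total = sum(totals.values())
    return totals.get(scope, 0) / total if total else 0.0


def flag_failing_modes(metrics: dict, threshold: float = 0.05) -> list:
    """Auth modes whose failure rate exceeds `threshold` (sorted for stable output)."""
    return sorted(s for s, r in auth_failure_rate_by_mode(metrics).items() if r > threshold)
```

Running `flag_failing_modes(SAMPLE_METRICS)` on the sample returns `["Mtls"]`, which tells the operator that the mTLS path, not the password path, is the one rejecting clients during a migration.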