[ https://issues.apache.org/jira/browse/CASSANDRA-19366?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andy Tolbert updated CASSANDRA-19366:
-------------------------------------
    Attachment: CASSANDRA-19366-trunk-1_test_results.tgz

> Expose mode of authentication in system_views.clients, nodetool clientstats, and ClientMetrics
> ----------------------------------------------------------------------------------------------
>
>                 Key: CASSANDRA-19366
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-19366
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Feature/Encryption, Messaging/Client, Observability/JMX, Observability/Metrics, Tool/nodetool
>            Reporter: Andy Tolbert
>            Assignee: Andy Tolbert
>            Priority: Normal
>             Fix For: 5.1
>
>         Attachments: CASSANDRA-19366-trunk-1_test_results.tgz
>
>
> CASSANDRA-18554 added support for mTLS-authenticated clients. Part of this contribution introduced {{MutualTlsWithPasswordFallbackAuthenticator}}, which enables Cassandra to support either password or mTLS-authenticated connections.
>
> As an operator, it would be useful to know which connections are mTLS authenticated, and which are password authenticated, as a possible mode of operation is migrating users from one form of authentication to another. It would also be useful to know, if authentication attempts are failing, which mode of authentication is unsuccessful.
>
> Proposing to add the following:
>
> * Add a {{mode: string}} and {{metadata: map<string, string>}} to {{AuthenticatedUser}}. Update existing {{IAuthenticator}} implementations to pass {{mode}} (e.g. {{password}}, {{mtls}}), and optionally pass a {{metadata}} map (e.g. this can include the extracted {{identity}} from a client certificate for {{mtls}} authentication).
> * Update nodetool clientstats to add a new option flag {{--metadata}}, which when passed exposes these new fields on {{AuthenticatedUser}}. (Not added to existing output to maintain compatibility, much like {{-client-options}} did.)
> * Update {{system_views.clients}} to include columns for these new fields.
> * Add new metrics to {{ClientMetrics}}:
> ** Track authentication success and failures by mode. (Note: The metrics present by authentication mode scope are contextual based on the Authenticator used (e.g. only {{scope=Password}} will be present for {{PasswordAuthenticator}}).)
> {noformat}
> Existing:
> org.apache.cassandra.metrics:name=AuthSuccess,type=Client
> org.apache.cassandra.metrics:name=AuthFailure,type=Client
>
> New:
> org.apache.cassandra.metrics:name=AuthSuccess,scope=Mtls,type=Client
> org.apache.cassandra.metrics:name=AuthSuccess,scope=Password,type=Client
> org.apache.cassandra.metrics:name=AuthFailure,scope=Mtls,type=Client
> org.apache.cassandra.metrics:name=AuthFailure,scope=Password,type=Client
> {noformat}
> ** Track connection counts by mode:
> {noformat}
> Existing:
> org.apache.cassandra.metrics:name=ConnectedNativeClients,type=Client
> org.apache.cassandra.metrics:name=connectedNativeClients,type=Client (previously deprecated but still maintained)
>
> New:
> org.apache.cassandra.metrics:name=ConnectedNativeClients,scope=Mtls,type=Client
> org.apache.cassandra.metrics:name=ConnectedNativeClients,scope=Password,type=Client
> {noformat}
> ** A metric to track encrypted vs. non-encrypted connections:
> {noformat}
> org.apache.cassandra.metrics:name=ConnectedNativeClients,scope=Encrypted,type=Client
> org.apache.cassandra.metrics:name=ConnectedNativeClients,scope=Unencrypted,type=Client
> {noformat}

--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
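As an added example of how an operator would consume the per-mode metrics the ticket proposes (this is not Cassandra's code and is not part of the ticket), the following parses JMX ObjectName strings in the proposed `name=...,scope=...,type=Client` form, aggregates `AuthSuccess`/`AuthFailure` by authentication mode, checks that the scoped counters add up to the existing unscoped totals, and reports which mode is failing during a password-to-mTLS migration. The counter values, the `SAMPLE_COUNTERS` table and the alert threshold are constructed for the example.

```python
"""Per-mode client authentication metrics (added example, not Cassandra's code).

Parses JMX ObjectName strings in the form proposed by CASSANDRA-19366, e.g.
  org.apache.cassandra.metrics:name=AuthFailure,scope=Mtls,type=Client
and aggregates success/failure counters per authentication mode, so an
operator running MutualTlsWithPasswordFallbackAuthenticator can see which
mode is failing. The counter values below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Mapping, Tuple


@dataclass(frozen=True)
class ObjectName:
    """Minimal JMX ObjectName: a domain plus key=value properties."""
    domain: str
    props: Dict[str, str]


def parse_object_name(text: str) -> ObjectName:
    """Split 'domain:k1=v1,k2=v2' into its parts; reject malformed input."""
    domain, sep, rest = text.partition(":")
    if not sep or not domain or not rest:
        raise ValueError(f"not a JMX ObjectName: {text!r}")
    props: Dict[str, str] = {}
    for item in rest.split(","):
        key, eq, value = item.partition("=")
        if not eq or not key:
            raise ValueError(f"bad property {item!r} in {text!r}")
        props[key] = value
    return ObjectName(domain, props)


# Constructed sample readings: proposed metric names -> counter values.
# The per-mode counters deliberately add up to the unscoped totals.
SAMPLE_COUNTERS: Dict[str, int] = {
    "org.apache.cassandra.metrics:name=AuthSuccess,type=Client": 1040,
    "org.apache.cassandra.metrics:name=AuthFailure,type=Client": 62,
    "org.apache.cassandra.metrics:name=AuthSuccess,scope=Mtls,type=Client": 40,
    "org.apache.cassandra.metrics:name=AuthFailure,scope=Mtls,type=Client": 60,
    "org.apache.cassandra.metrics:name=AuthSuccess,scope=Password,type=Client": 1000,
    "org.apache.cassandra.metrics:name=AuthFailure,scope=Password,type=Client": 2,
}


def auth_counts_by_mode(counters: Mapping[str, int]) -> Dict[str, Tuple[int, int]]:
    """Return {mode: (successes, failures)}.

    Unscoped AuthSuccess/AuthFailure land under the key 'all'; scoped ones
    under their lower-cased scope ('mtls', 'password'). Other metrics are ignored.
    """
    totals: Dict[str, List[int]] = {}
    for name, value in counters.items():
        on = parse_object_name(name)
        if on.domain != "org.apache.cassandra.metrics" or on.props.get("type") != "Client":
            continue
        metric = on.props.get("name")
        if metric not in ("AuthSuccess", "AuthFailure"):
            continue
        mode = on.props.get("scope", "all").lower()
        bucket = totals.setdefault(mode, [0, 0])
        bucket[0 if metric == "AuthSuccess" else 1] += value
    return {mode: (s, f) for mode, (s, f) in totals.items()}


def failure_ratio(counts: Mapping[str, Tuple[int, int]], mode: str) -> float:
    """Fraction of attempts in `mode` that failed; 0.0 when there were none."""
    successes, failures = counts.get(mode, (0, 0))
    attempts = successes + failures
    return failures / attempts if attempts else 0.0


def scoped_totals_consistent(counts: Mapping[str, Tuple[int, int]]) -> bool:
    """Sanity check: per-mode counters should sum to the unscoped totals."""
    if "all" not in counts:
        return True
    scoped = [v for k, v in counts.items() if k != "all"]
    if not scoped:
        return True
    return (sum(s for s, _ in scoped), sum(f for _, f in scoped)) == counts["all"]


def failing_modes(counters: Mapping[str, int], threshold: float) -> List[str]:
    """Modes whose failure ratio is at or above `threshold`, sorted by name."""
    counts = auth_counts_by_mode(counters)
    return sorted(m for m in counts if m != "all" and failure_ratio(counts, m) >= threshold)


if __name__ == "__main__":
    counts = auth_counts_by_mode(SAMPLE_COUNTERS)
    for mode in sorted(counts):
        ok, failed = counts[mode]
        print(f"{mode:>9}: {ok} ok / {failed} failed ({failure_ratio(counts, mode):.1%} failure)")
    print("scoped totals consistent:", scoped_totals_consistent(counts))
    print("failing modes (>=50%):", failing_modes(SAMPLE_COUNTERS, 0.5))
```

With the constructed readings the unscoped counters alone show a modest overall failure rate, while the scoped view makes it clear that almost every failure is an mTLS attempt and password authentication is healthy, which is exactly the distinction the ticket argues an operator needs mid-migration. The consistency check is worth keeping in any dashboard that mixes the old unscoped and the new scoped counters, since it catches a misconfigured scrape that is missing one mode.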