[ https://issues.apache.org/jira/browse/CASSANDRA-5545?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13650719#comment-13650719 ]

Sam Tunnicliffe edited comment on CASSANDRA-5545 at 5/7/13 11:08 AM:
---------------------------------------------------------------------

The attached patch (against trunk) adds new message types for SASL negotiation 
between CQL client & server. In this patch, SaslAuthBridge represents the 
interface between SASL & IAuthenticator, while
the helper class org.apache.cassandra.transport.sasl.Sasl acts as a registry of 
which SaslAuthBridge implementation goes with which IAuthenticator. 
PasswordAuthenticator, and any other custom IAuthenticator implementation which 
receives a username/password pair via Credentials message or thrift login() 
call, can be associated with PlainTextSaslAuthBridge. This is done 
automatically for PasswordAuthenticator, so there should be no server side 
changes for clusters without custom authentication.

Implementors of custom authenticators which do not receive credentials in the 
same way & format as PasswordAuthenticator will need to provide their own 
SaslAuthBridge to extract the credentials from a SaslServer instance. Depending 
on the format required by the IAuthenticator, this may involve creating or 
wrapping a SaslServer implementation. See 
AbstractSaslServer/AbstractSaslAuthBridge & the PlainText* implementations for 
an example.
                
      was (Author: beobal):
    The attached patch adds new message types for SASL negotiation between CQL 
client & server. In this patch, SaslAuthBridge represents the interface between 
SASL & IAuthenticator, while
the helper class org.apache.cassandra.transport.sasl.Sasl acts as a registry of 
which SaslAuthBridge implementation goes with which IAuthenticator. 
PasswordAuthenticator, and any other custom IAuthenticator implementation which 
receives a username/password pair via Credentials message or thrift login() 
call, can be associated with PlainTextSaslAuthBridge. This is done 
automatically for PasswordAuthenticator, so there should be no server side 
changes for clusters without custom authentication.

Implementors of custom authenticators which do not receive credentials in the 
same way & format as PasswordAuthenticator will need to provide their own 
SaslAuthBridge to extract the credentials from a SaslServer instance. Depending 
on the format required by the IAuthenticator, this may involve creating or 
wrapping a SaslServer implementation. See 
AbstractSaslServer/AbstractSaslAuthBridge & the PlainText* implementations for 
an example.
                  
> Add SASL authentication to CQL native protocol
> ----------------------------------------------
>
>                 Key: CASSANDRA-5545
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-5545
>             Project: Cassandra
>          Issue Type: Improvement
>            Reporter: Sam Tunnicliffe
>             Fix For: 2.0
>
>         Attachments: 0001-Add-SASL-authentication-to-CQL-native-protocol.patch
>
>
> Adding hooks for SASL authentication would make it much easier to integrate 
> with external auth providers, such as Kerberos & NTLM.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
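
The comment above says a SaslAuthBridge extracts username/password credentials from the SASL exchange for authenticators such as PasswordAuthenticator. As an added illustration (not code from the attached patch), this sketch decodes a SASL PLAIN response as defined in RFC 4616 and validates it before anything reaches an authenticator. Assumptions: the plain-text bridge speaks the PLAIN mechanism, and the class name, method names and the "username"/"password" map keys are hypothetical.

```java
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical helper for illustration; not a class from the attached patch.
public final class PlainSaslCredentials {

    // Decodes an RFC 4616 PLAIN response: [authzid] NUL authcid NUL passwd.
    public static Map<String, String> decode(byte[] response) {
        if (response == null)
            throw new IllegalArgumentException("missing SASL response");
        int first = indexOfNul(response, 0);
        int second = first < 0 ? -1 : indexOfNul(response, first + 1);
        if (second < 0 || indexOfNul(response, second + 1) >= 0)
            throw new IllegalArgumentException("expected exactly two NUL separators");
        String authzid = utf8(response, 0, first);
        String authcid = utf8(response, first + 1, second);
        String passwd = utf8(response, second + 1, response.length);
        if (authcid.isEmpty() || passwd.isEmpty())
            throw new IllegalArgumentException("empty username or password");
        // No proxy authorization in this sketch: refuse to act as another identity.
        if (!authzid.isEmpty() && !authzid.equals(authcid))
            throw new IllegalArgumentException("authzid differs from authcid");
        Map<String, String> credentials = new LinkedHashMap<>();
        credentials.put("username", authcid); // assumed key names
        credentials.put("password", passwd);
        return credentials;
    }

    private static int indexOfNul(byte[] b, int from) {
        for (int i = from; i < b.length; i++)
            if (b[i] == 0) return i;
        return -1;
    }

    // Strict decoding: malformed UTF-8 is rejected instead of silently replaced.
    private static String utf8(byte[] b, int start, int end) {
        try {
            return StandardCharsets.UTF_8.newDecoder()
                    .decode(ByteBuffer.wrap(b, start, end - start)).toString();
        } catch (CharacterCodingException e) {
            throw new IllegalArgumentException("malformed UTF-8", e);
        }
    }

    public static void main(String[] args) {
        byte[] sample = "\0alice\0s3cret".getBytes(StandardCharsets.UTF_8); // constructed input
        System.out.println(decode(sample).get("username"));
    }
}
```

PLAIN carries the password in the clear, so a deployment relying on it would normally pair it with client-to-server encryption.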