[
https://issues.apache.org/jira/browse/CASSANDRA-5545?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13663074#comment-13663074
]
Sylvain Lebresne commented on CASSANDRA-5545:
---------------------------------------------
It feels weird to have SaslAuthenticator return a string map and go through the
"old style" authenticate method since true SASL mechanisms will do the actual
authentication during the evaluateResponse() call (and so may have to hack the
return of getCredentials() to make their authenticate() method work properly).
Instead, I'd prefer changing the SaslAuthenticator API to:
{noformat}
public interface SaslAuthenticator
{
    public byte[] evaluateResponse(byte[] clientResponse) throws AuthenticationException;
    public boolean isComplete();
    public AuthenticatedUser getAuthenticatedUser();
}
{noformat}
We would then change ClientState.login to just take an AuthenticatedUser
parameter, and the call to authenticate() would be moved to the thrift side
(and in CredentialsMessage).
That way authenticate() is a thrift/protocol v1 only method and can be made to
throw an error for authenticators that don't care about that (of course, in the
case of PlainTextSaslAuthenticator, it can just call authenticate internally).
Other small remarks/nits:
* We really need authentication to throw AuthenticationException (as in my
suggestion above), not SaslException since the latter is not known by the
protocol (which will send it to the client as a "server error" (i.e. a bug
server side), which is not the case).
* We need to refuse SASL_RESPONSE messages in v1 and AUTHENTICATE messages in
v2 (just throwing a ProtocolException in their respective decode method would
be fine).
* Might be worth resetting the saslAuthenticator to null in ServerConnection
once authentication is complete to have it garbage collected?
* Nit: a few minor code style related fixes (indentation for try in SaslResponse)
* Nit: I'd have moved SaslAuthenticator and PlainTextSaslAuthenticator to the
org.apache.cassandra.auth package directly (and would have made
PlainTextSaslAuthenticator a private static inner class in
PasswordAuthenticator in fact).
> Add SASL authentication to CQL native protocol
> ----------------------------------------------
>
> Key: CASSANDRA-5545
> URL: https://issues.apache.org/jira/browse/CASSANDRA-5545
> Project: Cassandra
> Issue Type: Improvement
> Reporter: Sam Tunnicliffe
> Assignee: Sam Tunnicliffe
> Fix For: 2.0
>
> Attachments:
> 0001-Add-SASL-authentication-to-CQL-native-protocol.patch,
> 0001-Add-SASL-hooks-to-CQL-native-protocol.patch
>
>
> Adding hooks for SASL authentication would make it much easier to integrate
> with external auth providers, such as Kerberos & NTLM.
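The following is an added example, not code from Cassandra or from the patch attached to this ticket. It shows the proposed SaslAuthenticator API with a PlainTextSaslAuthenticator kept as a static inner class of a password authenticator, as the comment suggests, where the SASL PLAIN exchange (RFC 4616: authzid NUL authcid NUL passwd, a single client message with no server challenge) is decoded in evaluateResponse() and then handed to the "old style" authenticate() internally. AuthenticatedUser, AuthenticationException and PasswordAuthenticator here are minimal hypothetical stand-ins for the real org.apache.cassandra.auth types so the file compiles on its own; the user table and the client responses are constructed sample data. Failures are raised as AuthenticationException, never SaslException, so the protocol layer can report them to the client as an authentication error rather than a server error.

```java
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;

// Hypothetical stand-ins for the real Cassandra auth types (added example, not project code).
class AuthenticationException extends Exception {
    AuthenticationException(String msg) { super(msg); }
}

class AuthenticatedUser {
    private final String name;
    AuthenticatedUser(String name) { this.name = name; }
    public String getName() { return name; }
}

// The SaslAuthenticator API as proposed in the comment.
interface SaslAuthenticator {
    byte[] evaluateResponse(byte[] clientResponse) throws AuthenticationException;
    boolean isComplete();
    AuthenticatedUser getAuthenticatedUser();
}

// Hypothetical password authenticator; the real PasswordAuthenticator differs.
class PasswordAuthenticator {
    static final String USERNAME_KEY = "username";
    static final String PASSWORD_KEY = "password";
    private final Map<String, String> users = new HashMap<>();

    PasswordAuthenticator() { users.put("cassandra", "cassandra"); } // constructed sample user

    // The protocol v1 / thrift entry point. It stays, and still throws AuthenticationException.
    public AuthenticatedUser authenticate(Map<String, String> credentials) throws AuthenticationException {
        String user = credentials.get(USERNAME_KEY);
        String pass = credentials.get(PASSWORD_KEY);
        if (user == null || pass == null)
            throw new AuthenticationException("Missing '" + USERNAME_KEY + "' or '" + PASSWORD_KEY + "'");
        String expected = users.get(user);
        // A real store would compare salted hashes, in constant time; plain equality is for the demo only.
        if (expected == null || !expected.equals(pass))
            throw new AuthenticationException("Username and/or password are incorrect");
        return new AuthenticatedUser(user);
    }

    // SASL PLAIN (RFC 4616) as a private static inner class, as suggested in the comment.
    static class PlainTextSaslAuthenticator implements SaslAuthenticator {
        private final PasswordAuthenticator parent;
        private boolean complete = false;
        private AuthenticatedUser user;

        PlainTextSaslAuthenticator(PasswordAuthenticator parent) { this.parent = parent; }

        public byte[] evaluateResponse(byte[] clientResponse) throws AuthenticationException {
            // Message is: authzid NUL authcid NUL passwd. authzid may be empty; authcid may not.
            int nul1 = indexOf(clientResponse, 0);
            int nul2 = nul1 < 0 ? -1 : indexOf(clientResponse, nul1 + 1);
            if (nul1 < 0 || nul2 < 0)
                throw new AuthenticationException("Malformed SASL PLAIN response: expected two NUL separators");
            String authcid = new String(clientResponse, nul1 + 1, nul2 - nul1 - 1, StandardCharsets.UTF_8);
            String passwd = new String(clientResponse, nul2 + 1, clientResponse.length - nul2 - 1, StandardCharsets.UTF_8);
            if (authcid.isEmpty())
                throw new AuthenticationException("Malformed SASL PLAIN response: empty authcid");

            // Authentication happens here, inside the SASL exchange, by delegating to authenticate().
            Map<String, String> credentials = new HashMap<>();
            credentials.put(USERNAME_KEY, authcid);
            credentials.put(PASSWORD_KEY, passwd);
            user = parent.authenticate(credentials); // throws AuthenticationException on bad credentials
            complete = true;
            return null; // PLAIN sends no server challenge after a successful response
        }

        public boolean isComplete() { return complete; }

        public AuthenticatedUser getAuthenticatedUser() {
            if (!complete)
                throw new IllegalStateException("SASL exchange not complete");
            return user;
        }

        private static int indexOf(byte[] buf, int from) {
            for (int i = from; i < buf.length; i++) if (buf[i] == 0) return i;
            return -1;
        }
    }
}

public class SaslPlainDemo {
    public static void main(String[] args) throws Exception {
        PasswordAuthenticator pw = new PasswordAuthenticator();
        // Constructed client response: "" NUL "cassandra" NUL "cassandra"
        SaslAuthenticator ok = new PasswordAuthenticator.PlainTextSaslAuthenticator(pw);
        ok.evaluateResponse("\0cassandra\0cassandra".getBytes(StandardCharsets.UTF_8));
        System.out.println("complete=" + ok.isComplete() + " user=" + ok.getAuthenticatedUser().getName());

        SaslAuthenticator bad = new PasswordAuthenticator.PlainTextSaslAuthenticator(pw);
        try {
            bad.evaluateResponse("\0cassandra\0wrong".getBytes(StandardCharsets.UTF_8));
        } catch (AuthenticationException e) {
            System.out.println("rejected (auth error, not server error): " + e.getMessage());
        }
    }
}
```

Compile and run with `javac SaslPlainDemo.java && java SaslPlainDemo`. Note that getAuthenticatedUser() refuses to answer before isComplete() is true; the server-side caller (ClientState.login in the proposal) should only be handed a user once the exchange has completed, and the saslAuthenticator reference can be dropped at that point.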