Hi Dinesh,

This is awesome. I'm certain myself and the folks on the K8ssandra project will be following along with this ticket. I had a few questions after looking at the JIRA and attached PR:

1. Is there an expectation that this would be used alongside internode and client TLS? Would the certificates be the same, different, or is that an implementation detail for the specific deployment to determine?

2. For some reason I'm having trouble understanding the internode authentication portion of this ticket (authenticating a client with a certificate makes sense vs just authenticating the connection). Why is this needed on top of the connection-level TLS we have now?

3. When an operator or DBA is looking to add a new identity, is that just handled as part of the new CQL statement or is there some certificate management required on the nodes? I assume it's just the CA that needs to be placed on the nodes to establish trust in the certificate itself then authz happening within C* after determining the certificate can be trusted, but want to be certain.

4. As a minor nit, should we include static certificates in the test data? I see they expire in 2033 which is a fair way off, but I wonder if it would make sense to generate the certificates as part of the test setup.

Thanks for the contribution (along with the ping on dev@) and I look forward to seeing this functionality.

Cheers,

~Chris

Christopher Bradford

On Fri, Jun 2, 2023 at 11:03 AM Dinesh Joshi <djo...@apache.org> wrote:

> Hi dev@,
>
> We're planning to add mTLS client authentication as well as internode
> authentication in CASSANDRA-18554. While this is all backward compatible,
> we thought it would be a good idea to notify the dev list. If anybody is
> interested please take a look at the JIRA.
>
> Thanks,
>
> Dinesh