[jira] [Updated] (CASSANDRA-5545) Add SASL authentication to CQL native protocol
[ https://issues.apache.org/jira/browse/CASSANDRA-5545?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sam Tunnicliffe updated CASSANDRA-5545: --- Attachment: 0001-CASSANDRA-5545-Fix-compliation-errors.patch 0002-CASSANDRA-5545-Rename-auth-messages-for-consistency.patch That final patch broke the build. I've attached 2 further patches: 0001 fixes compilation errors from 0001-Adds-AUTH_SUCCESS... 0002 renames SASL_CHALLENGE & SASL_RESPONSE to be consistent with AUTH_SUCCESS > Add SASL authentication to CQL native protocol > -- > > Key: CASSANDRA-5545 > URL: https://issues.apache.org/jira/browse/CASSANDRA-5545 > Project: Cassandra > Issue Type: Improvement >Reporter: Sam Tunnicliffe >Assignee: Sam Tunnicliffe > Fix For: 2.0 > > Attachments: > 0001-Add-SASL-authentication-to-CQL-native-protocol.patch, > 0001-Add-SASL-hooks-to-CQL-native-protocol.patch, > 0001-Add-SASL-hooks-to-CQL-native-protocol-v3.patch, > 0001-Adds-AUTH_SUCCESS-message-as-follow-up-to-5545.txt, > 0001-CASSANDRA-5545-Fix-compliation-errors.patch, > 0002-CASSANDRA-5545-Rename-auth-messages-for-consistency.patch > > > Adding hooks for SASL authentication would make it much easier to integrate > with external auth providers, such as Kerberos & NTLM. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (CASSANDRA-5545) Add SASL authentication to CQL native protocol
[ https://issues.apache.org/jira/browse/CASSANDRA-5545?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sylvain Lebresne updated CASSANDRA-5545: Attachment: 0001-Adds-AUTH_SUCCESS-message-as-follow-up-to-5545.txt Actually, I've just realized that we were throwing away the last challenge of the server (once authentication is complete), but SASL requires that we sent it to the client since it may contains final information required by the client to finalize authentication on its size. So I think for completeness sake we need a new AUTH_SUCCESS message that ships that last information rather than just a READY message. My bad for suggesting otherwise. Anyway, I've committed the patch that I attach here for the record that adds this AUTH_SUCCESS message. The patch also allow tokens to be > 64k (it uses an int instead of a short for the size) because that's what I wrote in the spec, and while I doubt any authenticator would need more than 64K tokens, there is no point in risking it in that case. If someone disagrees with that last patch, please feel free to voice yourself. > Add SASL authentication to CQL native protocol > -- > > Key: CASSANDRA-5545 > URL: https://issues.apache.org/jira/browse/CASSANDRA-5545 > Project: Cassandra > Issue Type: Improvement >Reporter: Sam Tunnicliffe >Assignee: Sam Tunnicliffe > Fix For: 2.0 > > Attachments: > 0001-Add-SASL-authentication-to-CQL-native-protocol.patch, > 0001-Add-SASL-hooks-to-CQL-native-protocol.patch, > 0001-Add-SASL-hooks-to-CQL-native-protocol-v3.patch, > 0001-Adds-AUTH_SUCCESS-message-as-follow-up-to-5545.txt > > > Adding hooks for SASL authentication would make it much easier to integrate > with external auth providers, such as Kerberos & NTLM. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (CASSANDRA-5545) Add SASL authentication to CQL native protocol
[ https://issues.apache.org/jira/browse/CASSANDRA-5545?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sam Tunnicliffe updated CASSANDRA-5545: --- Attachment: 0001-Add-SASL-hooks-to-CQL-native-protocol-v3.patch Version 3 patch with comments addressed > Add SASL authentication to CQL native protocol > -- > > Key: CASSANDRA-5545 > URL: https://issues.apache.org/jira/browse/CASSANDRA-5545 > Project: Cassandra > Issue Type: Improvement >Reporter: Sam Tunnicliffe >Assignee: Sam Tunnicliffe > Fix For: 2.0 > > Attachments: > 0001-Add-SASL-authentication-to-CQL-native-protocol.patch, > 0001-Add-SASL-hooks-to-CQL-native-protocol.patch, > 0001-Add-SASL-hooks-to-CQL-native-protocol-v3.patch > > > Adding hooks for SASL authentication would make it much easier to integrate > with external auth providers, such as Kerberos & NTLM. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (CASSANDRA-5545) Add SASL authentication to CQL native protocol
[ https://issues.apache.org/jira/browse/CASSANDRA-5545?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jonathan Ellis updated CASSANDRA-5545: -- Reviewer: slebresne Assignee: Sam Tunnicliffe > Add SASL authentication to CQL native protocol > -- > > Key: CASSANDRA-5545 > URL: https://issues.apache.org/jira/browse/CASSANDRA-5545 > Project: Cassandra > Issue Type: Improvement >Reporter: Sam Tunnicliffe >Assignee: Sam Tunnicliffe > Fix For: 2.0 > > Attachments: > 0001-Add-SASL-authentication-to-CQL-native-protocol.patch, > 0001-Add-SASL-hooks-to-CQL-native-protocol.patch > > > Adding hooks for SASL authentication would make it much easier to integrate > with external auth providers, such as Kerberos & NTLM. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (CASSANDRA-5545) Add SASL authentication to CQL native protocol
[ https://issues.apache.org/jira/browse/CASSANDRA-5545?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sam Tunnicliffe updated CASSANDRA-5545: --- Attachment: 0001-Add-SASL-hooks-to-CQL-native-protocol.patch As per the previous comment, the new patch extends IAuthenticator & adds a SaslAuthenticator interface, although this is very slightly different to the one Sylvain describes. It also adds a very simple SaslAuthenticator implementation to be used by PasswordAuthenticator. Also, a check in o.a.c.transport.Server.run() so that we don't inadvertedly start the server if it requires authentication but the configured IAuthenticator doesn't provide a SaslAuthenticator. > Add SASL authentication to CQL native protocol > -- > > Key: CASSANDRA-5545 > URL: https://issues.apache.org/jira/browse/CASSANDRA-5545 > Project: Cassandra > Issue Type: Improvement >Reporter: Sam Tunnicliffe > Fix For: 2.0 > > Attachments: > 0001-Add-SASL-authentication-to-CQL-native-protocol.patch, > 0001-Add-SASL-hooks-to-CQL-native-protocol.patch > > > Adding hooks for SASL authentication would make it much easier to integrate > with external auth providers, such as Kerberos & NTLM. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (CASSANDRA-5545) Add SASL authentication to CQL native protocol
[ https://issues.apache.org/jira/browse/CASSANDRA-5545?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sam Tunnicliffe updated CASSANDRA-5545: --- Attachment: 0001-Add-SASL-authentication-to-CQL-native-protocol.patch The attached patch adds new message types for SASL negotiation between CQL client & server. In this patch, SaslAuthBridge represents the interface between SASL & IAuthencator, while the helper class org.apache.cassandra.transport.sasl.Sasl acts as a registry of which SaslAuthBridge implementation goes with which IAuthenticator. PasswordAuthenticator, and any other custom IAuthenticator implementation which receives a username/password pair via Credentials message or thrift login() call, can be associated with PlainTextSaslAuthBridge. This is done automatically for PasswordAuthenticator, so there should be no server side changes for clusters without custom authentication. Implementors of custom authenticators which do not receive credentials in the same way & format as PasswordAuthenticator will need to provide their own SaslAuthBridge to extract the credentials from a SaslServer instance. Depending on the format required by the IAuthenticaor, this may involve creating or wrapping a SaslServer implementation. See AbstractSaslServer/AbstractSaslAuthBridge & the PlainText* implementations for an example. > Add SASL authentication to CQL native protocol > -- > > Key: CASSANDRA-5545 > URL: https://issues.apache.org/jira/browse/CASSANDRA-5545 > Project: Cassandra > Issue Type: Improvement >Reporter: Sam Tunnicliffe > Fix For: 2.0 > > Attachments: 0001-Add-SASL-authentication-to-CQL-native-protocol.patch > > > Adding hooks for SASL authentication would make it much easier to integrate > with external auth providers, such as Kerberos & NTLM. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira