[jira] [Comment Edited] (CASSANDRA-18554) mTLS based client and internode authenticators

Fri, 28 Jul 2023 10:55:05 -0700 


    [ 
https://issues.apache.org/jira/browse/CASSANDRA-18554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17748294#comment-17748294
 ] 

Jyothsna Konisa edited comment on CASSANDRA-18554 at 7/28/23 5:54 PM:
----------------------------------------------------------------------

circleCI: 
https://app.circleci.com/pipelines/github/yifan-c/cassandra/434/workflows/9afdd37e-6342-4a5f-b090-cf06a5b2cde1


was (Author: jyothsnakonisa):
circleCI: 
https://app.circleci.com/pipelines/github/jyothsnakonisa/cassandra/159/workflows/19c0b0ea-6629-419c-aeed-690f67ccb7ac

> mTLS based client and internode authenticators
> ----------------------------------------------
>
>                 Key: CASSANDRA-18554
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-18554
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Feature/Authorization
>            Reporter: Jyothsna Konisa
>            Assignee: Jyothsna Konisa
>            Priority: Normal
>          Time Spent: 3.5h
>  Remaining Estimate: 0h
>
> Cassandra currently doesn't have any certificate based authenticator for both 
> client connections and internode connections. If one wants to use certificate 
> based authentication protocol like TLS, in which clients send their 
> certificates for the TLS handshake, we can leverage the information from the 
> client certificate to identify a client. Using this authentication mechanism 
> one can avoid the pain of password generations, sharing and rotation.
> Introducing following certificate based mTLS authenticators for internode and 
> client connections
> MutualTlsAuthenticator (client authentication)
> MutualTlsInternodeAuthenticator (internode authentication)
> MutualTlsWithPasswordFallbackAuthenticator (for optional mode operation for 
> client authentication)
> An implementation of MutualTlsCertificateValidator called 
> SpiffeCertificateValidator whose identity is SPIFFE that is embedded in SAN 
> of the client certificate. One can implement their own CertificateValidator 
> to match their needs and configure it in Cassandra.yaml 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

Reply via email to