Andy Tolbert created CASSANDRA-19366:
----------------------------------------

             Summary: Expose mode of authentication in system_views.clients, 
nodetool clientstats, and ClientMetrics
                 Key: CASSANDRA-19366
                 URL: https://issues.apache.org/jira/browse/CASSANDRA-19366
             Project: Cassandra
          Issue Type: Improvement
          Components: Feature/Encryption, Messaging/Client, Observability/JMX, 
Observability/Metrics, Tool/nodetool
            Reporter: Andy Tolbert


CASSANDRA-18554 added support for mTLS-authenticated clients. Part of this 
contribution introduced {{MutualTlsWithPasswordFallbackAuthenticator}}, 
which enables Cassandra to accept either password-authenticated or 
mTLS-authenticated connections.

As an operator, it would be useful to know which connections are mTLS 
authenticated and which are password authenticated, since a likely mode of 
operation is migrating users from one form of authentication to the other. It 
would also be useful to know, when authentication attempts are failing, which 
mode of authentication is unsuccessful.

Proposing to add the following:
 * Add a {{mode: string}} and a {{metadata: map<string, string>}} to 
{{AuthenticatedUser}}. Update existing {{IAuthenticator}} implementations 
to pass {{mode}} (e.g. {{password}}, {{mtls}}), and optionally pass a 
{{metadata}} map (e.g. this can include the {{identity}} extracted from the 
client certificate for {{mtls}} authentication).
 * Update nodetool clientstats to add a new option flag {{--metadata}}, 
which when passed exposes these new fields of {{AuthenticatedUser}}. (Not 
added to the existing output, to maintain compatibility, much like 
{{--client-options}} did.)
 * Update {{system_views.clients}} to include columns for these new fields.
 * Add new metrics to {{ClientMetrics}}:
 ** Track authentication successes and failures by mode. (Note: which 
per-mode scopes are present depends on the authenticator in use; e.g. only 
{{scope=Password}} will be present for {{PasswordAuthenticator}}.)

{noformat}
Existing:

org.apache.cassandra.metrics:name=AuthSuccess,type=Client
org.apache.cassandra.metrics:name=AuthFailure,type=Client

New:

org.apache.cassandra.metrics:name=AuthSuccess,scope=Mtls,type=Client
org.apache.cassandra.metrics:name=AuthSuccess,scope=Password,type=Client

org.apache.cassandra.metrics:name=AuthFailure,scope=Mtls,type=Client
org.apache.cassandra.metrics:name=AuthFailure,scope=Password,type=Client
{noformat}
 ** Track connection counts by mode:

{noformat}
Existing:
org.apache.cassandra.metrics:name=ConnectedNativeClients,type=Client
org.apache.cassandra.metrics:name=connectedNativeClients,type=Client (previously deprecated but still maintained)

New:
org.apache.cassandra.metrics:name=ConnectedNativeClients,scope=Mtls,type=Client
org.apache.cassandra.metrics:name=ConnectedNativeClients,scope=Password,type=Client
{noformat}
 ** A metric to track encrypted vs. non-encrypted connections:

{noformat}
org.apache.cassandra.metrics:name=ConnectedNativeClients,scope=Encrypted,type=Client
org.apache.cassandra.metrics:name=ConnectedNativeClients,scope=Unencrypted,type=Client
{noformat}
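As an added illustration of how an operator might consume the scoped metrics proposed above during a password-to-mTLS migration (this is example code written for this page, not part of the ticket or of the Cassandra code base): a small Python script that parses the proposed JMX object names, computes the authentication failure rate per mode, reports the share of connected clients still on password auth and the number still unencrypted, and checks that the per-scope counters add up to the existing unscoped ones. The readings below are constructed sample values; fetching real values over JMX (e.g. through nodetool or a JMX exporter) is assumed and not shown.

```python
from collections import defaultdict

# Constructed sample readings: (JMX ObjectName, current value).  The object
# names are the ones proposed in this ticket; the values are made up.
SAMPLE_READINGS = [
    ("org.apache.cassandra.metrics:name=AuthSuccess,type=Client", 1200),
    ("org.apache.cassandra.metrics:name=AuthFailure,type=Client", 58),
    ("org.apache.cassandra.metrics:name=AuthSuccess,scope=Mtls,type=Client", 450),
    ("org.apache.cassandra.metrics:name=AuthSuccess,scope=Password,type=Client", 750),
    ("org.apache.cassandra.metrics:name=AuthFailure,scope=Mtls,type=Client", 50),
    ("org.apache.cassandra.metrics:name=AuthFailure,scope=Password,type=Client", 8),
    ("org.apache.cassandra.metrics:name=ConnectedNativeClients,type=Client", 120),
    ("org.apache.cassandra.metrics:name=connectedNativeClients,type=Client", 120),
    ("org.apache.cassandra.metrics:name=ConnectedNativeClients,scope=Mtls,type=Client", 40),
    ("org.apache.cassandra.metrics:name=ConnectedNativeClients,scope=Password,type=Client", 80),
    ("org.apache.cassandra.metrics:name=ConnectedNativeClients,scope=Encrypted,type=Client", 100),
    ("org.apache.cassandra.metrics:name=ConnectedNativeClients,scope=Unencrypted,type=Client", 20),
]

AUTH_MODES = ("Mtls", "Password")


def parse_object_name(object_name):
    """Split a JMX ObjectName 'domain:k=v,k=v' into (domain, {k: v})."""
    domain, _, props = object_name.partition(":")
    keys = {}
    for kv in props.split(","):
        k, _, v = kv.partition("=")
        keys[k.strip()] = v.strip()
    return domain, keys


def client_metrics(readings, metric):
    """Return (unscoped value, {scope: value}) for one Client-type metric.

    The name match is case-sensitive, so the deprecated lower-case
    'connectedNativeClients' bean is not mixed in with 'ConnectedNativeClients'.
    """
    unscoped, scoped = None, {}
    for name, value in readings:
        _, keys = parse_object_name(name)
        if keys.get("type") != "Client" or keys.get("name") != metric:
            continue
        if "scope" in keys:
            scoped[keys["scope"]] = value
        else:
            unscoped = value
    return unscoped, scoped


def auth_failure_rate_by_mode(readings):
    """{mode: failures / (successes + failures)} using the scoped counters."""
    _, success = client_metrics(readings, "AuthSuccess")
    _, failure = client_metrics(readings, "AuthFailure")
    rates = {}
    for mode in set(success) | set(failure):
        total = success.get(mode, 0) + failure.get(mode, 0)
        rates[mode] = failure.get(mode, 0) / total if total else 0.0
    return rates


def connection_mix(readings):
    """Share of connected clients per auth mode plus the unencrypted count."""
    total, by_scope = client_metrics(readings, "ConnectedNativeClients")
    total = total or 0
    return {
        "share": {m: (by_scope.get(m, 0) / total if total else 0.0) for m in AUTH_MODES},
        "unencrypted": by_scope.get("Unencrypted", 0),
    }


def scoped_counts_consistent(readings, metric, scopes):
    """True when the listed scopes of `metric` sum to its unscoped counter."""
    unscoped, scoped = client_metrics(readings, metric)
    return unscoped is not None and sum(scoped.get(s, 0) for s in scopes) == unscoped


def modes_over_threshold(readings, max_failure_rate=0.05):
    """Auth modes whose failure rate exceeds the threshold (sorted list)."""
    rates = auth_failure_rate_by_mode(readings)
    return sorted(m for m, r in rates.items() if r > max_failure_rate)


if __name__ == "__main__":
    print("failure rate by mode:", auth_failure_rate_by_mode(SAMPLE_READINGS))
    print("connection mix:", connection_mix(SAMPLE_READINGS))
    print("modes over threshold:", modes_over_threshold(SAMPLE_READINGS))
    for metric, scopes in (("AuthSuccess", AUTH_MODES), ("AuthFailure", AUTH_MODES),
                           ("ConnectedNativeClients", AUTH_MODES),
                           ("ConnectedNativeClients", ("Encrypted", "Unencrypted"))):
        print(metric, scopes, "consistent:", scoped_counts_consistent(SAMPLE_READINGS, metric, scopes))
```

With the sample values the script reports a 10% failure rate for mTLS against about 1% for password, two thirds of connections still on password auth, and 20 unencrypted connections; the consistency checks are what would catch a scope missing from an authenticator that does not report a mode.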
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
