Posted to commits@cassandra.apache.org by "Sam Tunnicliffe (JIRA)" <ji...@apache.org> on 2014/12/08 10:50:13 UTC

[jira] [Commented] (CASSANDRA-7686) Add proxy authentication to PasswordAuthenticator

    [ https://issues.apache.org/jira/browse/CASSANDRA-7686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14237688#comment-14237688 ] 

Sam Tunnicliffe commented on CASSANDRA-7686:
--------------------------------------------

A custom IAuthenticator which supports the SASL PLAIN mechanism would be a better way to do this. It could extend PasswordAuthenticator if necessary, but it's going to require additional configuration to handle the permitted proxying between users.

> Add proxy authentication to PasswordAuthenticator
> -------------------------------------------------
>
>                 Key: CASSANDRA-7686
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-7686
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Core
>            Reporter: Mike Adamson
>             Fix For: 3.0
>
>
> The SASL plain text protocol supports the concept of an authorization ID that is used for any authorization requests during the authenticated session.
>  
> This authorization ID is (optionally) passed during the SASL exchange as part of the SASL plain text message. It is currently ignored by the PasswordAuthenticator.
> This field is typically used by web applications to authenticate using a fixed set of authentication credentials but allow authorization of resources based on another user id. It allows the application to authenticate users using their own authentication mechanism without having to store the users' credentials to log into the downstream system.
> It would be useful if the PasswordAuthenticator could use this field (if present) as the user id for the AuthenticatedUser instead of the authentication ID currently used.
> This would need a mechanism to allow / deny one user to proxy to another and the ability to check whether proxying is allowed for a user / proxy pair.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
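
The SASL PLAIN exchange and the allow / deny check discussed in this thread, as an added example that is not part of the original message and is not Cassandra code. It assumes the RFC 4616 layout ([authzid] NUL authcid NUL passwd); the class, the method names, the user names and the in-memory ALLOWED_PROXIES policy are hypothetical, and password verification is left to the existing authenticator.

```java
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.Set;

// Added illustration; all names here are hypothetical, not Cassandra APIs.
public class PlainProxyExample {
    // Constructed policy: authentication ID -> authorization IDs it may proxy to.
    static final Map<String, Set<String>> ALLOWED_PROXIES =
        Map.of("webapp", Set.of("alice", "bob"));

    /** Splits an RFC 4616 PLAIN message: [authzid] NUL authcid NUL passwd. */
    static String[] decodePlain(byte[] token) {
        int first = -1, second = -1;
        for (int i = 0; i < token.length; i++) {
            if (token[i] != 0) continue;
            if (first < 0) first = i;
            else if (second < 0) second = i;
            else throw new IllegalArgumentException("too many NUL separators");
        }
        if (second < 0) throw new IllegalArgumentException("expected two NUL separators");
        String authzid = new String(token, 0, first, StandardCharsets.UTF_8);
        String authcid = new String(token, first + 1, second - first - 1, StandardCharsets.UTF_8);
        String passwd = new String(token, second + 1, token.length - second - 1, StandardCharsets.UTF_8);
        if (authcid.isEmpty() || passwd.isEmpty())
            throw new IllegalArgumentException("authcid and passwd are required");
        return new String[] { authzid, authcid, passwd };
    }

    /** Picks the session user; call only after authcid/passwd have been verified. */
    static String effectiveUser(String authzid, String authcid) {
        // An empty authzid means "act as the authenticated identity".
        if (authzid.isEmpty() || authzid.equals(authcid)) return authcid;
        // Default deny: a pair that is not listed explicitly is refused.
        if (ALLOWED_PROXIES.getOrDefault(authcid, Set.of()).contains(authzid)) return authzid;
        throw new SecurityException(authcid + " may not proxy to " + authzid);
    }

    public static void main(String[] args) {
        // Constructed sample tokens: permitted proxy, no authzid, unlisted authzid.
        String[] samples = { "alice\0webapp\0s3cret", "\0webapp\0s3cret", "admin\0webapp\0s3cret" };
        for (String s : samples) {
            String[] f = decodePlain(s.getBytes(StandardCharsets.UTF_8));
            try {
                System.out.println("authenticated as " + f[1] + ", authorized as " + effectiveUser(f[0], f[1]));
            } catch (SecurityException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The third sample is rejected because "admin" is not in the proxy set for "webapp"; without that check, any authenticated client could name an arbitrary authorization ID.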