You are viewing a plain text version of this content. The canonical link for it is here.
Posted to pr@cassandra.apache.org by "yukim (via GitHub)" <gi...@apache.org> on 2023/06/29 03:58:17 UTC
[GitHub] [cassandra] yukim commented on a diff in pull request #2372: CASSANDRA-18554 Adding Mutual Tls authenticators for client & internode connections
yukim commented on code in PR #2372:
URL: https://github.com/apache/cassandra/pull/2372#discussion_r1246069002
##########
src/java/org/apache/cassandra/auth/MutualTlsAuthenticator.java:
##########
@@ -0,0 +1,208 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cassandra.auth;
+
+import java.net.InetAddress;
+import java.security.cert.Certificate;
+import java.util.Arrays;
+import java.util.Map;
+import java.util.Set;
+import java.util.concurrent.TimeUnit;
+
+import com.google.common.annotations.VisibleForTesting;
+import com.google.common.collect.ImmutableSet;
+import org.apache.commons.lang3.StringUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.slf4j.helpers.MessageFormatter;
+
+import org.apache.cassandra.config.Config;
+import org.apache.cassandra.config.DatabaseDescriptor;
+import org.apache.cassandra.config.ParameterizedClass;
+import org.apache.cassandra.exceptions.AuthenticationException;
+import org.apache.cassandra.exceptions.ConfigurationException;
+import org.apache.cassandra.schema.SchemaConstants;
+import org.apache.cassandra.utils.NoSpamLogger;
+
+/*
+ * Performs mTLS authentication for client connections by extracting identities from client certificate
+ * and verifying them against the authorized identities in IdentityCache. IdentityCache is a loading cache that
+ * refreshes values on timely basis.
+ *
+ * During a client connection, after SSL handshake, identity of certificate is extracted using the certificate validator
+ * and is verified whether the value exists in the cache or not. If it exists access is granted, otherwise, the connection
+ * is rejected.
+ *
+ * Authenticator & Certificate validator can be configured using cassandra.yaml, one can write their own mTLS certificate
+ * validator and configure it in cassandra.yaml.Below is an example on how to configure validator.
+ * note that this example uses SPIFFE based validator, It could be any other validator with any defined identifier format.
+ *
+ * Example:
+ * authenticator:
+ * class_name : org.apache.cassandra.auth.MutualTlsAuthenticator
+ * parameters :
+ * validator_class_name: org.apache.cassandra.auth.SpiffeCertificateValidator
+ */
+public class MutualTlsAuthenticator implements IAuthenticator
+{
+ private static final Logger logger = LoggerFactory.getLogger(MutualTlsAuthenticator.class);
+ private static final NoSpamLogger nospamLogger = NoSpamLogger.getLogger(logger, 1L, TimeUnit.MINUTES);
+ private static final String VALIDATOR_CLASS_NAME = "validator_class_name";
+ private static final String CACHE_NAME = "IdentitiesCache";
+ private final IdentityCache identityCache = new IdentityCache();
+ private final MutualTlsCertificateValidator certificateValidator;
+
+ public MutualTlsAuthenticator(Map<String, String> parameters)
+ {
+ final String certificateValidatorClassName = parameters.get(VALIDATOR_CLASS_NAME);
+ if (StringUtils.isEmpty(certificateValidatorClassName))
+ {
+ String message ="authenticator.parameters.validator_class_name is not set";
+ logger.error(message);
+ throw new ConfigurationException(message);
+ }
+ certificateValidator = ParameterizedClass.newInstance(new ParameterizedClass(certificateValidatorClassName),
+ Arrays.asList("", AuthConfig.class.getPackage().getName()));
+ checkMtlsConfigurationIsValid(DatabaseDescriptor.getRawConfig());
+ AuthCacheService.instance.register(identityCache);
+ }
+
+ @Override
+ public boolean requireAuthentication()
+ {
+ return true;
+ }
+
+ @Override
+ public Set<? extends IResource> protectedResources()
+ {
+ return ImmutableSet.of(DataResource.table(SchemaConstants.AUTH_KEYSPACE_NAME, AuthKeyspace.ROLES));
+ }
+
+ @Override
+ public void validateConfiguration() throws ConfigurationException
+ {
+
+ }
+
+ @Override
+ public void setup()
+ {
+ identityCache.warm();
+ }
+
+ @Override
+ public SaslNegotiator newSaslNegotiator(InetAddress clientAddress)
+ {
+ return null;
+ }
+
+ @Override
+ public SaslNegotiator newSaslNegotiator(InetAddress clientAddress, Certificate[] certificates)
+ {
+ return new CertificateNegotiator(certificates);
+ }
+
+ @Override
+ public AuthenticatedUser legacyAuthenticate(Map<String, String> credentials) throws AuthenticationException
+ {
+ return null;
Review Comment:
This shouldn't be `null`, otherwise, when the node is using `CassandraLoginModule` for JMX auth, it throws NullPointerException. Should return `AuthenticatedUser.ANONYMOUS_USER` like `AllowAllAuthenticator`.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: pr-unsubscribe@cassandra.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: pr-unsubscribe@cassandra.apache.org
For additional commands, e-mail: pr-help@cassandra.apache.org