...
As part of the MutualTlsAuthenticator implementation, a new table system_auth.identity_to_role was added
to store the authorized identities for each role. Only client certificates carrying one of these identities will be given access.
EX:
Identity | Role
---------|------
ID1      | Role1
ID2      | Role1
ID3      | Role2
ID3      | Role3
During a client connection, after the SSL/TLS handshake, the following happens:
...
- MutualTlsInternodeAuthenticator trusts all identities that are the same as the node's own identity.
- During node start-up, identities are extracted from the node's outbound keystore and the authenticator trusts only those identities.
- After the SSL/TLS handshake for internode connections, the identity is extracted from the other node's certificate using the validator configured as validator_class_name under internode_authenticator in cassandra.yaml.
New Cqlsh commands to add identities
Adding the following Cqlsh commands to add/remove identities in the system_auth.identity_to_role table:
ADD IDENTITY 'testIdentity' TO ROLE 'testRole';
DROP IDENTITY 'testIdentity';
Both statements require the user to have the appropriate permissions to add/drop identities.
New or Changed Public Interfaces
...
During migrations, these proposed changes should not create any issues. The MutualTls authenticators are used only when an operator configures the authenticator and internode_authenticator sections of cassandra.yaml with MutualTlsAuthenticator and MutualTlsInternodeAuthenticator. However, care should be taken to configure server_encryption_options and client_encryption_options appropriately. For example, if SSL is not enabled and the authenticator is configured to be MutualTlsAuthenticator, the authenticator will throw a configuration exception and the C* instance will not start. The MutualTls authenticators should be enabled only when the require_client_auth setting is true in both server_encryption_options and client_encryption_options.
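The configuration constraint above, shown as a cassandra.yaml fragment. This is an added example, not text from the CEP page; the class_name/parameters layout, the SpiffeCertificateValidator class and the outbound_keystore keys are assumed to match the Cassandra 5.0 cassandra.yaml, and all paths and passwords are placeholders.

```yaml
# Added example (not from the CEP page). Key names assumed from the Cassandra 5.0
# cassandra.yaml; keystore paths and passwords are placeholders.

# --- Rejected at startup: mTLS authenticator with no client certificate to read ---
# authenticator:
#   class_name: org.apache.cassandra.auth.MutualTlsAuthenticator
#   parameters:
#     validator_class_name: org.apache.cassandra.auth.SpiffeCertificateValidator
# client_encryption_options:
#   enabled: false              # no TLS handshake, so no certificate to extract an identity from
#   require_client_auth: false  # MutualTlsAuthenticator throws a configuration exception here

# --- Working combination: mTLS on both the client and the internode port ---
authenticator:
  class_name: org.apache.cassandra.auth.MutualTlsAuthenticator
  parameters:
    validator_class_name: org.apache.cassandra.auth.SpiffeCertificateValidator

internode_authenticator:
  class_name: org.apache.cassandra.auth.MutualTlsInternodeAuthenticator
  parameters:
    validator_class_name: org.apache.cassandra.auth.SpiffeCertificateValidator

client_encryption_options:
  enabled: true
  optional: false
  keystore: conf/.keystore                 # placeholder path
  keystore_password: <placeholder>
  truststore: conf/.truststore             # placeholder path
  truststore_password: <placeholder>
  require_client_auth: true                # client must present a certificate; its identity is looked up in identity_to_role

server_encryption_options:
  internode_encryption: all
  optional: false                          # true only during a rolling upgrade from nodes without mTLS (CASSANDRA-17923 fallback)
  keystore: conf/.keystore                 # placeholder path
  keystore_password: <placeholder>
  outbound_keystore: conf/.outbound_keystore   # identities trusted by MutualTlsInternodeAuthenticator are read from here at start-up
  outbound_keystore_password: <placeholder>
  truststore: conf/.truststore             # placeholder path
  truststore_password: <placeholder>
  require_client_auth: true                # peer node must present a certificate
```

With both require_client_auth settings true, an identity that is absent from identity_to_role (client port) or from the outbound keystore (internode port) is rejected after the handshake.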
During rolling upgrades there may be TLS/SSL issues because nodes run in mixed mode: new nodes will fail to connect to old nodes on which mTLS is not enabled. CASSANDRA-17923 was added to address this issue during upgrades. We added a fallback to other authentication strategies when C* runs with optional mode in server_encryption_options.
...