THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
...
internode_authenticator:
class_name : org.apache.cassandra.auth.MutualTlsInternodeAuthenticator
parameters :
validator_class_name: org.apache.cassandra.auth.SpiffeCertificateValidator
trusted_peer_identities: "spiffe1,spiffe2"
node_identity: "spiffe1"
- MutualTlsInternodeAuthenticator
- Trusts all identities configured in
trusted_peer_identitiesif configured and ignores all other configurations - otherwise, it extracts identity from outbound_keystore of server_encryption_options (the identity that the node uses for making outbound connections) and trusts connections with that identity
- optionally
node_identitycan be configured in the yaml, to validate extracted identity from the outbound keystore, if it doesn't match C* will not start
- Trusts all identities configured in
- MutualTlsInternodeAuthenticator trusts all identities that are same as the node’s identity.
- During start of the node Identities are extracted from the outbound keystore of the node and the authenticator trusts only those identities
- After the SSL/TLS handshake for internode connections, identity is extracted from other node’s certificate using the validator configured for
validator_class_namein cassandra.yaml for internode_authenticator
...