[ https://issues.apache.org/jira/browse/CASSANDRA-20416?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17940795#comment-17940795 ]
Joel Shepherd commented on CASSANDRA-20416:
-------------------------------------------

[~mck]

*(1)* "if the server configures this, what happens to all the other drivers in other languages that don't have this client-side implementation available ? (python-driver is critical. but regardless this can seriously handicap a cluster's future capabilities)"

Good question. The short answer: they break (fail to authenticate). I believe this is a real risk any time the server changes authenticator. There is a coordination problem with the clients, even if the clients are all using the same driver and can load the same plug-in. One potential solution is to do something similar to the mTLS authenticator and provide a second "fallback" authenticator that supports mTLS or basic auth (user name/password). This doesn't seem particularly scalable implementation-wise.

Longer answer: While I'm eager to get this out, a bigger overall win would be enabling negotiated authn. It's more invasive: I think it'd require some changes in Cassandra to do it well. But it'd make changing authn mechanism and supporting multiple authn mechanisms much safer and easier. I could probably have a draft CEP ready in a week or two. Should I do that first?

*(2)* "what dependencies will this introduce ?" - On the server, two AWS SDK packages (auth and region data). On the client, AWS SDK auth and the STS-specific SDK.

*(3)* and *(4)* "should we start thinking about how we bundle our plugin interfaces ?" - IMO it'd be beneficial to the project as a whole to package those interfaces separately from the main project. Having to take a dependency on cassandra-all for the server-side plug-in opens the door to a lot of dependency abuse, and there are runtime concerns too. I think I'm better equipped to tackle negotiated authn than plug-in management, but I can draft up an initial proposal for people to bash and let someone more involved on the build side of things take the ball.

*(5)* - Ack.
*(6)* - How did that PDF get there? Will redo as markdown.

Thanks – Joel.

> AWS IAM-based client authenticator
> ----------------------------------
>
>                 Key: CASSANDRA-20416
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-20416
>             Project: Apache Cassandra
>          Issue Type: New Feature
>          Components: Client/java-driver, Feature/Authorization
>            Reporter: Joel Shepherd
>            Priority: Normal
>         Attachments: STS-Based Authentication for Apache Cassandra.pdf
>
>
> Enable Cassandra clients to authenticate to nodes using AWS IAM credentials,
> with minimal required AWS dependencies. Use of IAM credentials allows secure
> and centralized management of those credentials, and also enables use of
> secure credential distribution mechanisms like EC2 instance roles (for
> clients running on EC2).
>
> I've drafted Java driver- and node-side plug-ins [1] [2] for early review.
>
> This authenticator follows an approach initially developed by Heptio for
> authenticating to Kubernetes clusters on AWS:
> [https://github.com/kubernetes-sigs/aws-iam-authenticator] . The client uses
> IAM credentials to create a pre-signed URL that invokes the GetCallerIdentity
> API on the AWS Security Token Service (STS). The URL is passed to the node in
> response to an authentication challenge. The node GETs the URL: if
> successful, STS responds with the AWS account id, IAM principal name and IAM
> principal ARN associated with the client's signing credentials. The principal
> ARN is the client identity returned to Cassandra by the authenticator. The
> attached PDF provides more detail on the approach.
>
> I'm seeking feedback on the proposal and approach, feedback on the code, and
> suggestions for preparing it for release (if folks believe it will be useful).
>
> [1] Node authenticator plugin:
> [https://github.com/jcshepherd/aws-sts-auth-cassandra-authenticator-plugin]
> [2] Java driver plugin:
> https://github.com/jcshepherd/aws-sts-auth-cassandra-java-driver-plugin

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
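The exchange the issue description sketches, as an added example that is not part of the issue, the attached PDF or Joel's plug-ins: a stdlib-only Python rendering of the client side (a SigV4 query-string presigned GET for sts:GetCallerIdentity) and of the sanity checks a node should apply to a client-supplied URL before it GETs it. The credentials, the clock, the pinned global STS endpoint and the 60-second expiry ceiling are constructed assumptions; only STS can verify the signature itself, since the node never holds the client's secret key.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, urlsplit

STS_HOST = "sts.amazonaws.com"  # assumption: the node pins the global STS endpoint
ALGO = "AWS4-HMAC-SHA256"
SIGNED_AT = datetime(2025, 3, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed clock
def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def presign_get_caller_identity(access_key, secret_key, when, region="us-east-1", expires=60):
    """Client side: SigV4 query-string presigned GET for sts:GetCallerIdentity (no network)."""
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{amz_date[:8]}/{region}/sts/aws4_request"
    params = {"Action": "GetCallerIdentity", "Version": "2011-06-15", "X-Amz-Algorithm": ALGO,
              "X-Amz-Credential": f"{access_key}/{scope}", "X-Amz-Date": amz_date,
              "X-Amz-Expires": str(expires), "X-Amz-SignedHeaders": "host"}
    qs = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(params.items()))
    # Canonical request: GET / with the sorted query string, Host as the only signed header, empty body.
    canonical = "\n".join(["GET", "/", qs, f"host:{STS_HOST}\n", "host", hashlib.sha256(b"").hexdigest()])
    to_sign = "\n".join([ALGO, amz_date, scope, hashlib.sha256(canonical.encode()).hexdigest()])
    key = _hmac(("AWS4" + secret_key).encode(), amz_date[:8])
    for part in (region, "sts", "aws4_request"):
        key = _hmac(key, part)
    return f"https://{STS_HOST}/?{qs}&X-Amz-Signature={hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()}"

def looks_like_sts_presigned_url(url: str, now: datetime, max_expires: int = 60) -> bool:
    """Node side: checks before GETting a client-supplied URL (only STS can verify the signature)."""
    u = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    if (u.scheme != "https" or u.hostname != STS_HOST or u.path not in ("", "/")
            or q.get("Action") != "GetCallerIdentity" or q.get("X-Amz-Algorithm") != ALGO):
        return False
    try:
        signed_at = datetime.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
        expires = int(q["X-Amz-Expires"])
    except (KeyError, ValueError):
        return False
    # Reject URLs signed for longer than the node tolerates, and any used outside their window.
    return 0 < expires <= max_expires and signed_at <= now < signed_at + timedelta(seconds=expires)

def demo():
    """Walks through the exchange with constructed credentials; returns what the node would decide."""
    url = presign_get_caller_identity("AKIAEXAMPLEKEY000000", "constructed-secret-key", SIGNED_AT)
    return {"url": url,
            "fresh": looks_like_sts_presigned_url(url, SIGNED_AT + timedelta(seconds=30)),
            "expired": looks_like_sts_presigned_url(url, SIGNED_AT + timedelta(seconds=60)),
            "other_host": looks_like_sts_presigned_url(url.replace(STS_HOST, "other.example"), SIGNED_AT),
            "other_action": looks_like_sts_presigned_url(url.replace("GetCallerIdentity", "AssumeRole"), SIGNED_AT)}
```

In the real flow the node then GETs the accepted URL and reads the account id and principal ARN out of the STS response; a URL that fails these checks is never fetched.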