[ https://issues.apache.org/jira/browse/CASSANDRA-20416?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17940798#comment-17940798 ]
Michael Semb Wever commented on CASSANDRA-20416:
------------------------------------------------

I'm ok with the limitations in (1), if we know negotiated authn is the way forward afterward.

wrt (4)

bq. Having to take a dependency on cassandra-all for the server-side plug-in opens the door to a lot of dependency abuse, and there are runtime concerns too.

How about you just start with relying on cassandra-all, and we'll try to separately address pulling out interfaces. If it lands then you have the benefit and joy of using a simpler dependency, but if not we're still not delayed.

> AWS IAM-based client authenticator
> ----------------------------------
>
>                 Key: CASSANDRA-20416
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-20416
>             Project: Apache Cassandra
>          Issue Type: New Feature
>          Components: Client/java-driver, Feature/Authorization
>            Reporter: Joel Shepherd
>            Priority: Normal
>         Attachments: STS-Based Authentication for Apache Cassandra.pdf
>
>
> Enable Cassandra clients to authenticate to nodes using AWS IAM credentials,
> with minimal required AWS dependencies. Use of IAM credentials allows secure
> and centralized management of those credentials, and also enables use of
> secure credential distribution mechanisms like EC2 instance roles (for
> clients running on EC2).
>
> I've drafted Java driver- and node-side plug-ins [1] [2] for early review.
>
> This authenticator follows an approach initially developed by Heptio for
> authenticating to Kubernetes clusters on AWS:
> [https://github.com/kubernetes-sigs/aws-iam-authenticator]. The client uses
> IAM credentials to create a pre-signed URL that invokes the GetCallerIdentity
> API on the AWS Security Token Service (STS). The URL is passed to the node in
> response to an authentication challenge. The node GETs the URL: if
> successful, STS responds with the AWS account id, IAM principal name and IAM
> principal ARN associated with the client's signing credentials. The principal
> ARN is the client identity returned to Cassandra by the authenticator. The
> attached PDF provides more detail on the approach.
>
> I'm seeking feedback on the proposal and approach, feedback on the code, and
> suggestions for preparing it for release (if folks believe it will be useful).
>
> [1] Node authenticator plugin:
> [https://github.com/jcshepherd/aws-sts-auth-cassandra-authenticator-plugin]
> [2] Java driver plugin:
> https://github.com/jcshepherd/aws-sts-auth-cassandra-java-driver-plugin

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
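The node-side half of the exchange quoted above, as an added example that is not code from the issue, the comment, or either jcshepherd plugin: before a node GETs the URL a client hands it, it should confirm the URL really is an HTTPS SigV4 pre-signed GetCallerIdentity request to an STS host with a short, unexpired lifetime, and afterwards pull the principal ARN out of the GetCallerIdentityResponse. The hostname pattern, the 60-second lifetime cap, and the sample URL and response are constructed assumptions for this example; the signature value is a placeholder.

```python
# Added example, not code from the jcshepherd plugins: validate a pre-signed STS
# GetCallerIdentity URL before fetching it, then extract the principal ARN.
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse
import re
import xml.etree.ElementTree as ET
STS_HOST = re.compile(r"^sts(\.[a-z0-9-]+)?\.amazonaws\.com$")  # assumed host pattern
MAX_EXPIRES_SECONDS = 60          # constructed policy value, not from the plugin
STS_NS = {"sts": "https://sts.amazonaws.com/doc/2011-06-15/"}  # STS response namespace
def validate_presigned_url(url, now=None):
    """Return the query parameters if `url` is a currently valid SigV4 pre-signed GetCallerIdentity request; else raise ValueError."""
    now = now or datetime.now(timezone.utc)
    u = urlparse(url)
    if u.scheme != "https" or not STS_HOST.match(u.hostname or "") or u.port not in (None, 443):
        raise ValueError("not an https STS endpoint")
    raw = parse_qs(u.query, keep_blank_values=True)
    if any(len(v) != 1 for v in raw.values()):
        raise ValueError("duplicate query parameter")      # reject parameter smuggling
    q = {k: v[0] for k, v in raw.items()}
    if q.get("Action") != "GetCallerIdentity":
        raise ValueError("URL does not invoke GetCallerIdentity")
    required = ("X-Amz-Algorithm", "X-Amz-Credential", "X-Amz-Date",
                "X-Amz-Expires", "X-Amz-SignedHeaders", "X-Amz-Signature")
    if any(k not in q for k in required) or q["X-Amz-Algorithm"] != "AWS4-HMAC-SHA256":
        raise ValueError("missing or unexpected SigV4 query parameters")
    signed_at = datetime.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    lifetime = int(q["X-Amz-Expires"])
    age = (now - signed_at).total_seconds()
    if lifetime > MAX_EXPIRES_SECONDS or age < 0 or age > lifetime:
        raise ValueError("URL expired, not yet valid, or lifetime exceeds policy")
    return q
def principal_arn(response_xml):
    """Extract the IAM principal ARN from STS's reply; this is the identity handed to Cassandra."""
    root = ET.fromstring(response_xml)
    arn = root.findtext("sts:GetCallerIdentityResult/sts:Arn", namespaces=STS_NS)
    if not arn or not arn.startswith("arn:"):
        raise ValueError("STS response carries no principal ARN")
    return arn
# Constructed sample data: the signature is a placeholder, not a real SigV4 value.
SAMPLE_URL = ("https://sts.us-east-1.amazonaws.com/?Action=GetCallerIdentity"
              "&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20250401T120000Z"
              "&X-Amz-Credential=AKIAEXAMPLE%2F20250401%2Fus-east-1%2Fsts%2Faws4_request"
              "&X-Amz-Expires=60&X-Amz-SignedHeaders=host&X-Amz-Signature=PLACEHOLDER")
SAMPLE_RESPONSE = ('<GetCallerIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">'
                   "<GetCallerIdentityResult><Arn>arn:aws:iam::123456789012:user/example</Arn>"
                   "<UserId>AIDAEXAMPLE</UserId><Account>123456789012</Account>"
                   "</GetCallerIdentityResult></GetCallerIdentityResponse>")
```

Only after `validate_presigned_url` accepts the URL should the node perform the GET; the same checks also bound how long a captured URL could be replayed.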