Hi - I've been doing some exploration in Cassandra's client
authentication workflow and got tripped up by surprising (to me)
behavior regarding role name case sensitivity.

I made an implementation of IAuthenticator and SaslNegotiator. After
evaluateResponse(), when the client responds successfully to the node's
auth challenge, getAuthenticatedUser() returns the user name in the
letter-case provided by my authentication provider (external to
Cassandra), which actually performs the authentication. I.e., if my
authn provider successfully auths the caller, it returns a corresponding
user name/identity like 'Susie' (without the quotes); now my
SaslNegotiator will return 'Susie' (without quotes) when
getAuthenticatedUser() is called.

My understanding is that unquoted user/role names in Cassandra are
case-insensitive and are forced to lowercase when stored.

However, when Cassandra's AuthUtil.handleLogin() goes to log in the
authn'd user, it will fail to find any roles for Susie because the role
name as stored (susie) doesn't match the role name returned by
getAuthenticatedUser() (Susie): it makes a case-sensitive comparison.

I was surprised by this and I'm wondering, during the authentication and
login process, where does responsibility for appropriately casing the
authn'd user/role name live? Is that intended to be with the node
authenticator (i.e., I need to force Susie to susie for
getAuthenticatedUser()), or should it be happening outside the
authenticator and in the central Cassandra login implementation? Or is
my understanding wrong?

Thanks! -- Joel.
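The following is an added example, not code from the original post or from the Cassandra project, showing the first of the two options the post raises: a SaslNegotiator that normalises the identity returned by an external provider before handing it to Cassandra. It uses the real org.apache.cassandra.auth.IAuthenticator.SaslNegotiator and AuthenticatedUser types; the ExternalAuthProvider interface, the SASL PLAIN payload layout it decodes, and the assumption that every role the provider can return was created with an unquoted (hence lowercased) CQL name are assumptions of this example, not facts from the post.

```java
import java.nio.charset.StandardCharsets;
import java.util.Locale;

import org.apache.cassandra.auth.AuthenticatedUser;
import org.apache.cassandra.auth.IAuthenticator;
import org.apache.cassandra.exceptions.AuthenticationException;

/**
 * Hypothetical external authentication provider (assumed for this example).
 * On success it returns the identity in whatever case the provider stores it,
 * e.g. "Susie"; on failure it throws.
 */
interface ExternalAuthProvider
{
    String authenticate(String username, String password) throws AuthenticationException;
}

/**
 * SaslNegotiator that decodes a SASL PLAIN exchange, delegates the credential
 * check to the external provider, and lowercases the returned identity so it
 * matches the name Cassandra stored for a role created with an unquoted
 * identifier (CREATE ROLE Susie ... is stored as "susie").
 *
 * Caveat: a role created with a quoted, mixed-case name ("Susie") is stored
 * with that exact case, and lowercasing would then cause a lookup miss. The
 * normalisation strategy must match how the roles were actually created.
 */
public final class LowercasingSaslNegotiator implements IAuthenticator.SaslNegotiator
{
    private final ExternalAuthProvider provider;
    private String identity;      // lowercased identity, set once the exchange succeeds
    private boolean complete;     // true only after a successful evaluateResponse()

    public LowercasingSaslNegotiator(ExternalAuthProvider provider)
    {
        this.provider = provider;
    }

    @Override
    public byte[] evaluateResponse(byte[] clientResponse) throws AuthenticationException
    {
        // SASL PLAIN payload: [authzid] NUL authcid NUL password (RFC 4616).
        int first = indexOfNul(clientResponse, 0);
        int second = first < 0 ? -1 : indexOfNul(clientResponse, first + 1);
        if (first < 0 || second < 0)
            throw new AuthenticationException("Malformed SASL PLAIN response");

        String username = new String(clientResponse, first + 1, second - first - 1, StandardCharsets.UTF_8);
        String password = new String(clientResponse, second + 1, clientResponse.length - second - 1, StandardCharsets.UTF_8);

        // The provider does the real credential check and reports the identity in its own case.
        String asReturnedByProvider = provider.authenticate(username, password);

        // Locale.ROOT avoids locale-specific case mappings (e.g. Turkish dotless i)
        // that would otherwise produce a name different from what CQL stored.
        identity = asReturnedByProvider.toLowerCase(Locale.ROOT);
        complete = true;

        // PLAIN is a single round trip; no further challenge is sent.
        return null;
    }

    @Override
    public boolean isComplete()
    {
        return complete;
    }

    @Override
    public AuthenticatedUser getAuthenticatedUser() throws AuthenticationException
    {
        if (!complete)
            throw new AuthenticationException("SASL negotiation not complete");
        return new AuthenticatedUser(identity);
    }

    private static int indexOfNul(byte[] bytes, int from)
    {
        for (int i = from; i < bytes.length; i++)
            if (bytes[i] == 0)
                return i;
        return -1;
    }
}
```

With this in place, a provider that returns "Susie" yields an AuthenticatedUser named "susie", which is what the role lookup in the post expects to find. If roles may have been created with quoted mixed-case names, a lookup against the stored role set (rather than unconditional lowercasing) would be the safer normalisation.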