CASSANDRA-18554 - mTLS based client and internode authenticators

Hi dev@, We're planning to add mTLS client authentication as well as internode authentication in CASSANDRA-18554. While this is all backward compatible, we thought it would be a good idea to notify the dev list. If anybody is interested please take a look at the JIRA. Thanks, Dinesh

Re: CASSANDRA-18554 - mTLS based client and internode authenticators

Hi Dinesh, This is awesome. I'm certain myself and the folks on the K8ssandra project will be following along with this ticket. I had a few questions after looking at the JIRA and attached PR: 1. Is there an expectation that this would be used alongside internode and client TLS? Would the

Re: CASSANDRA-18554 - mTLS based client and internode authenticators

> Is there an expectation that this would be used alongside internode and > client TLS? Would the certificates be the same, different, or is that an > implementation detail for the specific deployment to determine? I am not sure what you mean by this would be used alongside internode and client

Re: CASSANDRA-18554 - mTLS based client and internode authenticators

> I am not sure what you mean by this would be used alongside internode and > client TLS? The mutual TLS authentication allows the server to authenticate > the client's identity using a client TLS certificate. The authenticators > we're adding enable this functionality. There isn't an expectation t

Re: CASSANDRA-18554 - mTLS based client and internode authenticators

> On Jun 2, 2023, at 1:56 PM, Christopher Bradford wrote: > > I am not sure what you mean by this would be used alongside internode and > client TLS? The mutual TLS authentication allows the server to authenticate > the client's identity using a client TLS certificate. The authenticators > we'

RE: Re: CASSANDRA-18554 - mTLS based client and internode authenticators

Hi Christopher, Thanks for all the questions. I want to add some details about internode mTLS connection & internode mTLS authenticator that we are adding in this patch. SSL/TLS related configuration for internode connections are present in “server_encryption_options” section of cassandra.yam

Re: CASSANDRA-18554 - mTLS based client and internode authenticators

Hi Dinesh, This certainly looks like a nice addition to the operator's tools for securing cluster access. Out of curiosity, is there anything in this work that would *preclude* a different authentication scheme for internode at some point in the future? Has there ever been discussion of pluggabili

Re: CASSANDRA-18554 - mTLS based client and internode authenticators

> On Jun 2, 2023, at 9:06 PM, Derek Chen-Becker wrote: > > This certainly looks like a nice addition to the operator's tools for > securing cluster access. Out of curiosity, is there anything in this work > that would *preclude* a different authentication scheme for internode at some > point i