Hi dev@,
We're planning to add mTLS client authentication as well as internode
authentication in CASSANDRA-18554. While this is all backward compatible, we
thought it would be a good idea to notify the dev list. If anybody is
interested please take a look at the JIRA.
Thanks,
Dinesh

Hi Dinesh,
This is awesome. I'm certain myself and the folks on the K8ssandra project
will be following along with this ticket. I had a few questions after
looking at the JIRA and attached PR:
1. Is there an expectation that this would be used alongside internode
and client TLS? Would the
> Is there an expectation that this would be used alongside internode and
> client TLS? Would the certificates be the same, different, or is that an
> implementation detail for the specific deployment to determine?
I am not sure what you mean by this would be used alongside internode and
client
> I am not sure what you mean by this would be used alongside internode and
> client TLS? The mutual TLS authentication allows the server to authenticate
> the client's identity using a client TLS certificate. The authenticators
> we're adding enable this functionality. There isn't an expectation t
> On Jun 2, 2023, at 1:56 PM, Christopher Bradford wrote:
>
> I am not sure what you mean by this would be used alongside internode and
> client TLS? The mutual TLS authentication allows the server to authenticate
> the client's identity using a client TLS certificate. The authenticators
> we'

Hi Christopher,
Thanks for all the questions. I want to add some details about internode mTLS
connection & internode mTLS authenticator that we are adding in this patch.
SSL/TLS-related configuration for internode connections is present in
“server_encryption_options” section of cassandra.yam

Hi Dinesh,
This certainly looks like a nice addition to the operator's tools for
securing cluster access. Out of curiosity, is there anything in this work
that would *preclude* a different authentication scheme for internode at
some point in the future? Has there ever been discussion of pluggabili
> On Jun 2, 2023, at 9:06 PM, Derek Chen-Becker wrote:
>
> This certainly looks like a nice addition to the operator's tools for
> securing cluster access. Out of curiosity, is there anything in this work
> that would *preclude* a different authentication scheme for internode at some
> point i