Hi Horia,

Are you aware that Cassandra already supports two-way SSL certificate authentication? Take a look at the require_client_auth option under client_encryption_options in cassandra.yaml: http://cassandra.apache.org/doc/latest/configuration/cassandra_config_file.html#client-encryption-options

The caveat is that Cassandra role authorisation is not possible via this mechanism. If you need this then I suspect you're correct in that some code will need to change.

Cheers,
Justin

On Thu, 26 Oct 2017 at 17:50 Horia Mocioi <horia.moc...@ericsson.com> wrote:

> Thank you Jeff & Harika.
>
> Yes, I am aware of that mechanism. What we need to do is to add some
> extra validations on the certificate used for securing the connection.
>
> So, in order to do this in our Authenticator, we need a way to grab the
> sslHandler which can be obtained from the ServerConnection. The
> certificates can be obtained then from the sslHandler.
>
> My question was if there was any other way to grab the ServerConnection
> in an Authenticator besides passing it as a parameter when building the
> negotiator, thus changing IAuthenticator and ServerConnection.
>
> Thank you again,
> Horia
>
> On Wed, 2017-10-25 at 17:13 +0000, Harika Vangapelli -T (hvangape -
> AKRAYA INC at Cisco) wrote:
> > Horia,
> >
> > By just changing Authenticator and Authorizer in cassandra.yaml and
> > adding custom libraries in /usr/share/cassandra/ you can plug in to
> > custom authentication
> >
> > sed -ri \
> >   -e 's/^(authenticator:).*/\1 'com.cassandra.LdapCassandraAuthenticator'/' \
> >   -e 's/^(authorizer:).*/\1 'com.cassandra.LdapCassandraAuthorizer'/' \
> >   "cassandra.yaml"
> >
> > Copy custom jars ----> /usr/share/cassandra/
> >
> > Harika Vangapelli
> > Engineer - IT
> > hvang...@cisco.com
> > Cisco Systems, Inc.
> >
> > -----Original Message-----
> > From: Horia Mocioi [mailto:horia.moc...@ericsson.com]
> > Sent: Wednesday, October 25, 2017 3:38 AM
> > To: user@cassandra.apache.org
> > Subject: server connection in authenticator
> >
> > Hello guys,
> >
> > We are building up an authenticator using certificates. So far we
> > came up with a solution, but it implies changing some files in the
> > Cassandra code base in order to have the connection in the new
> > Authenticator.
> >
> > So, here are my questions:
> > * how are you guys doing this?
> > * is it possible to obtain the connection on the Authenticator
> >   without changing other files in the Cassandra code base, in that
> >   sense just creating a new Authenticator and set it up in
> >   cassandra.yaml?
> >
> > Regards,
> > Horia

--
Justin Cameron
Senior Software Engineer
<https://www.instaclustr.com/>
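
The cassandra.yaml settings referred to in the reply above, shown as an added example that is not part of the original thread. The file paths and passwords are placeholders, and the built-in PasswordAuthenticator and CassandraAuthorizer are assumed in place of a custom authenticator:

```yaml
# cassandra.yaml fragment (added example; paths and passwords are placeholders)

# Role login and permissions still come from these two settings. The client
# certificate only gates the TLS connection and is not mapped to a role,
# which is the caveat raised in the thread.
authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer

client_encryption_options:
    enabled: true
    # optional: true would also accept unencrypted connections, which never
    # go through the certificate check at all.
    optional: false
    keystore: /etc/cassandra/conf/server-keystore.jks          # placeholder path
    keystore_password: CHANGE_ME_KEYSTORE                      # placeholder

    # Weak setting: one-way TLS, any client can connect without a certificate.
    # require_client_auth: false

    # Corrected setting: the node requests a client certificate and fails the
    # handshake unless it chains to a CA present in the truststore.
    require_client_auth: true
    truststore: /etc/cassandra/conf/client-ca-truststore.jks   # placeholder path
    truststore_password: CHANGE_ME_TRUSTSTORE                  # placeholder
```

Any certificate that chains to a CA in the truststore passes the handshake, so the truststore should hold only the CA that issues client certificates. Checks on individual certificate fields are not covered by these options, which is the gap the original question is about.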