Hello Justin and thank you for your answer.

Yes, I am aware of that mechanism.

What we need to accomplish is to add some extra validations to the
certificate in a new Authenticator and in order to get the certificates
for the current connection we need the ServerConnection object or the
sslHandler.

Regards,
Horia

On Thu, 2017-10-26 at 22:33 +0000, Justin Cameron wrote:
> Hi Horia,
> 
> Are you aware that Cassandra already supports two-way SSL certificate
> authentication? Take a look at the require_client_auth option under
> client_encryption_options in cassandra.yaml:
> http://cassandra.apache.org/doc/latest/configuration/cassandra_config_file.html#client-encryption-options
> 
> The caveat is that Cassandra role authorisation is not possible via
> this mechanism. If you need this then I suspect you're correct in
> that some code will need to change.
> 
> Cheers,
> Justin
> 
> On Thu, 26 Oct 2017 at 17:50 Horia Mocioi <horia.moc...@ericsson.com>
> wrote:
> > Thank you Jeff & Harika.
> > 
> > Yes, I am aware of that mechanism. What we need to do is to add some
> > extra validations on the certificate used for securing the connection.
> > 
> > So, in order to do this in our Authenticator, we need a way to grab the
> > sslHandler which can be obtained from the ServerConnection. The
> > certificates can be obtained then from the sslHandler.
> > 
> > My question was if there was any other way to grab the ServerConnection
> > in an Authenticator besides passing it as a parameter when building the
> > negotiator, thus changing IAuthenticator and ServerConnection.
> > 
> > Thank you again,
> > Horia
> > 
> > On Wed, 2017-10-25 at 17:13 +0000, Harika Vangapelli -T (hvangape -
> > AKRAYA INC at Cisco) wrote:
> > > Horia,
> > >
> > > By just changing Authenticator and Authorizer in cassandra.yaml and
> > > adding custom libraries in /usr/share/cassandra/ you can plug in to
> > > custom authentication
> > >
> > > sed -ri \
> > >     -e 's/^(authenticator:).*/\1 com.cassandra.LdapCassandraAuthenticator/' \
> > >     -e 's/^(authorizer:).*/\1 com.cassandra.LdapCassandraAuthorizer/' \
> > >     "cassandra.yaml"
> > >
> > > Copy custom jars ----> /usr/share/cassandra/
> > >  
> > >
> > >
> > > Harika Vangapelli
> > > Engineer - IT
> > > hvang...@cisco.com
> > > Cisco Systems, Inc.
> > >
> > >
> > >
> > > United States
> > > cisco.com
> > >
> > >
> > > Think before you print.
> > > This email may contain confidential and privileged material for
> > the
> > > sole use of the intended recipient. Any review, use, distribution
> > or
> > > disclosure by others is strictly prohibited. If you are not the
> > > intended recipient (or authorized to receive for the recipient),
> > > please contact the sender by reply email and delete all copies of
> > > this message.
> > > Please click here for Company Registration Information.
> > >
> > >
> > > -----Original Message-----
> > > From: Horia Mocioi [mailto:horia.moc...@ericsson.com] 
> > > Sent: Wednesday, October 25, 2017 3:38 AM
> > > To: user@cassandra.apache.org
> > > Subject: server connection in authenticator
> > >
> > > Hello guys,
> > >
> > > > We are building up an authenticator using certificates. So far we
> > > > came up with a solution, but implies changing some files in Cassandra
> > > > code base in order to have the connection in the new Authenticator.
> > >
> > > So, here are my questions:
> > > * how are you guys doing this?
> > > * is it possible to obtain the connection on the Authenticator
> > > without changing other files in the Cassandra code base, in that
> > > sense just creating a new Authenticator and set it up in
> > > cassandra.yaml?
> > >
> > > Regards,
> > > Horia
> -- 
> Justin Cameron
> Senior Software Engineer
> 
> 
> 
> This email has been sent on behalf of Instaclustr Pty. Limited
> (Australia) and Instaclustr Inc (USA).

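
Added example, not part of the thread and not Cassandra's own code: a sketch of the kind of extra leaf-certificate checks discussed above, applied to the `javax.net.ssl.SSLSession` that a Netty `SslHandler` exposes through `engine().getSession()`. The class name, the particular checks (validity window, clientAuth extended key usage, subject allowlist) and the sample subject DN are assumptions; how an Authenticator gets hold of the session is the open question of the thread and is not addressed here.

```java
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

/** Hypothetical helper: extra checks on a client certificate already accepted by the TLS layer. */
public final class ClientCertChecks {
    // OID of id-kp-clientAuth (RFC 5280): the certificate is meant for TLS client authentication.
    private static final String CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2";

    // Allowed subject DNs in RFC 2253 form, e.g. "CN=app-client,OU=db,O=Example" (constructed value).
    private final Set<String> allowedSubjects;

    public ClientCertChecks(Set<String> allowedSubjects) {
        this.allowedSubjects = Set.copyOf(allowedSubjects);
    }

    /** Returns the validated leaf certificate or throws CertificateException on any failed check. */
    public X509Certificate validate(SSLSession session) throws CertificateException {
        Certificate[] chain;
        try {
            // Fails when require_client_auth is off and the client sent no certificate.
            chain = session.getPeerCertificates();
        } catch (SSLPeerUnverifiedException e) {
            throw new CertificateException("client presented no certificate", e);
        }
        if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
            throw new CertificateException("peer certificate is not X.509");
        }
        X509Certificate leaf = (X509Certificate) chain[0]; // the leaf is always first in the chain

        // Re-check the validity window: long-lived sessions can outlast the handshake-time check.
        leaf.checkValidity();

        // Reject certificates that were not issued for client authentication.
        List<String> eku = leaf.getExtendedKeyUsage();
        if (eku == null || !eku.contains(CLIENT_AUTH_EKU)) {
            throw new CertificateException("certificate lacks the clientAuth extended key usage");
        }

        // Pin the identity to an explicit allowlist instead of trusting any CA-signed subject.
        String subject = leaf.getSubjectX500Principal().getName();
        if (!allowedSubjects.contains(subject)) {
            throw new CertificateException("subject not allowed: " + subject);
        }
        return leaf;
    }
}
```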