> On Sep 22, 2021, at 8:03 AM, Bowen Song <bo...@bso.ng> wrote:
> 
> Interesting. The better approach is to match the certificate's common name or 
> SAN to the CQL username. This way the authorisation part, which depends on 
> the CQL username, will continue to work as usual.
> 
Yes, that is one way of deriving an identity. The other "standard" mechanism is 
to use spiffe ids[1] to encode an identity and to derive your 
username/principal from it.

Dinesh

[1] 
https://github.com/spiffe/spiffe/blob/main/standards/X509-SVID.md#2-spiffe-id

> On 22/09/2021 15:40, Dinesh Joshi wrote:
>>> On Sep 22, 2021, at 2:02 AM, Bowen Song <bo...@bso.ng 
>>> <mailto:bo...@bso.ng>> wrote:
>>> Out of curiosity, I have two further questions.
>>> 
>>> 1. I know the client can optionally provider a certificate for the TLS 
>>> handshake, but is it possible to require the client to provide a 
>>> certificate?
>>> 
>> 
>> Yep, you can turn on require_client_auth under the client_encyrption_options 
>> in Cassandra YAML to 
>> https://github.com/apache/cassandra/blob/trunk/conf/cassandra.yaml#L1160 
>> <https://github.com/apache/cassandra/blob/trunk/conf/cassandra.yaml#L1160> 
>> This requires the CQL client to provide client certificates.
>> 
>>> 2. Does Cassandra check that the username matches the client certificate? 
>>> E.g. TLS client certificate is issued to "bob", but logging in CQL using 
>>> the username "charol".
>>> 
>> no. The client certificates that you provide should be trusted by the 
>> server's truststore for the connection to succeed. Thats it. AFAIK there 
>> isn't an accepted secure standard to encode a "username" inside a TLS client 
>> certificate that we can use to derive a principal. 
>>> If the answer to Q2 is "no", it would mean that the TLS client certificate 
>>> is used for primary authentication (but not authorisation), and the CQL 
>>> username & password will be used for secondary authentication and 
>>> authorisation. Anyone who has a valid client certificate and private key 
>>> pair can impersonate any CQL user if they know the username and password. 
>>> Depending on the threat model, this may or may not pose a security risk.
>>> 
>> The client certificate can be used to ensure that it is a trusted client. If 
>> a bad actor is able to not only obtain a valid client certificate but also 
>> the private key pair then you have bigger issues :)
>> 
>> In 4.0 the IAuthenticator interface has changed slightly to pass down the 
>> client certificates that the server receives. In theory one can create an 
>> implementation of this interface that can derive an identity from the client 
>> certificates and then use that to perform authentication. This would give 
>> you what you're looking for. If you'd like, you can go as far as ignoring 
>> the username/password passed down from the cilent and only rely on the 
>> identity encoded in the certificate as your source of truth.
>> 
>> Dinesh
>>> 
>>> On 21/09/2021 23:16, Dinesh Joshi wrote:
>>>> It sort of supports it. You still need to send in the username/password 
>>>> credentials along with the client certificate to authenticate. Cassandra 
>>>> will not derive the identity purely from the client certificate.
>>>> 
>>>> Dinesh
>>>> 
>>>>> On Sep 21, 2021, at 11:59 AM, S G <sg.online.em...@gmail.com> 
>>>>> <mailto:sg.online.em...@gmail.com> wrote:
>>>>> 
>>>>> Hello,
>>>>> 
>>>>> Does anyone know if opensource Cassandra support mutual-TLS ?
>>>>> The documentation doesn't conclusively deny or accept the support for the 
>>>>> same.
>>>>> 
>>>>> Thanks !
>> 

Reply via email to