16 Collaborator |
Brandon Williams , Mick Semb Wever , Štefan Miklošovič , Francisco Guerrero , Bret McGuire , Jon Meredith , Dinesh Joshi , Ariel Weisberg , Chris Lohfink , Alexandre Dutra , Abe Ratnofsky , Jyothsna Konisa , Lukasz Antoniak , Tiago Alves , Jason Koch , Christian Aistleitner |
7 Patch |
8 Review |
4120b8ce4f1bc7bd7ce101e4e298fc2211a21fe0,
c09d0d929baeaa02f3438313c7979ccf6b4b3c5a,
b47bee42d3b15020fbae72b173e873fa57c8e0c8,
3bdd2caa22a0413929188536b41d8117177574fa,
4c7133c72e136d23dbcea795e0041df764568931,
445d97428fb6eb28de06a06e24743caf4c479270,
f9b495bceaff82f2d0a05e6cb88f2b454ac8e0a4 |
50d94f4b462b7a3c4415cf508d6a8eff7bd5d32f,
25291ff3fd99f92cdb0a7d5d2125442282d42ff8,
a0af41f666c23a840d9df3f06729ed5fd2c06cd1,
f98e3433b91b49e0facfbce8e94e01e304714968,
8ebcd9f85afb548f38e953fb1190d9ff04d8df5a,
a40e7587b175cc198fb533eadabd31e94f837369,
6d3ba47631ebde78460168a2d33c4facde0bd731,
432e107bc6a2dda19385b7c423d2768e3a879965 |
50d94f4b462b7a3c4415cf508d6a8eff7bd5d32f | Author: Tiago Alves <tiago.alves@datastax.com>
| 2024-10-07 10:56:46+01:00
Enables IAuthenticator's to return own AuthenticateMessage
Allows custom implementations of IAuthenticator to return their own
AuthenticateMessage based on ClientState information.
ClientState contains information about driver's name and version which
could be used to determine the contents of the AuthenticateMessage that
is sent back to the clients. This enables, for instance, returning
driver's known authenticator implementations (e.g. DseAuthenticator)
which enables SASL negotiation.
patch by Tiago Alves; reviewed by Mick Semb Wever, Andy Tolbert for CASSANDRA-19984
f9b495bceaff82f2d0a05e6cb88f2b454ac8e0a4 | Author: Andy Tolbert <6889771+tolbertam@users.noreply.github.com>
| 2024-08-25 19:53:09-05:00
Regenerate testdata/pki and include script for regenerating
The existing certificates in testdata/pki expire on September 16 2024.
This commit includes a 'generate_certs.sh' script for regenerating
private keys and certificates as needed.
As I couldn't find the original steps used to generate these, it's
possible these certificates are generated differently, but they are
done in a nominal way.
One slight derivation with the original certificates is that I have
opted to use PKCS12 format instead of the propertiary java JKS format
for the .truststore and .keystore file. The cassandra and gocql
certificates also embed a spiffe in the SAN so they can eventually
be used for mTLS authentication testing.
patch by Andy Tolbert; reviewed by Bret McGuire for CASSANDRA-19862
445d97428fb6eb28de06a06e24743caf4c479270 | Author: Andy Tolbert <6889771+tolbertam@users.noreply.github.com>
| 2024-08-22 22:49:15-05:00
Don't restrict server authenticator in PasswordAuthenticator
Currently gocql will only allow authenticating with authenticators
defined in defaultApprovedAuthenticators in conn.go.
There have been multiple occurrences of implementers needing to update
this list, either when a vendor would like to add their authenticator,
or a new authenticator being added.
It would probably reduce friction to just accept any authenticator
provided by the server. From what I know, other drivers behave in this
way.
If a user wanted to restrict this, they could use the existing
configuration PasswordAuthenticator.AllowedAuthenticators.
patch by Andy Tolbert; reviewed by Joao Reis, Lukasz Antoniak for CASSGO-19
6d3ba47631ebde78460168a2d33c4facde0bd731 | Author: Jason Koch <jkoch@netflix.com>
| 2024-08-12 22:52:13-07:00
Reduce lock held duration in ConcurrencyLimitingRequestThrottler
It might take some (small) time for callback handling when the
throttler request proceeds to submission.
Before this change, the throttler proceed request will happen while
holding the lock, preventing other tasks from proceeding when there is
spare capacity and even preventing tasks from enqueuing until the
callback completes.
By tracking the expected outcome, we can perform the callback outside
of the lock. This means that request registration and submission can
proceed even when a long callback is being processed.
patch by Jason Koch; Reviewed by Andy Tolbert and Chris Lohfink for CASSANDRA-19922
a40e7587b175cc198fb533eadabd31e94f837369 | Author: Christian Aistleitner <christian.aistleitner@outlook.com>
| 2024-06-06 09:14:16+02:00
Fix uncaught exception during graceful channel shutdown
after exceeding max orphan ids
patch by Christian Aistleitner; reviewed by Andy Tolbert, and Bret McGuire for #1938
a0af41f666c23a840d9df3f06729ed5fd2c06cd1 | Author: Francisco Guerrero <frank.guerrero@gmail.com>
| 2024-02-15 13:19:28-08:00
CASSANDRA-18951: Add option for MutualTlsAuthenticator to restrict the certificate validity period
In this commit, we introduce two new optional options for the `server_encryption_options`
and the `client_encryption_options`. The options are `max_certificate_validity_period` and
`certificate_validity_warn_threshold`. Both options can be configured as a duration
configuration parameter as defined by the `DurationSpec` (see CASSANDRA-15234). The resolution
for these new properties is minutes.
When specified, the certificate validation implementation will take that information
and reject certificates that are older than the maximum allowed certificate validity period,
translating into a rejection from the authenticating user.
The `certificate_validity_warn_threshold` option can be configured to emit warnings (log entries)
when the certificate exceeds the validity threshold.
patch by Francisco Guerrero; reviewed by Andy Tolbert, Abe Ratnofsky, Dinesh Joshi for CASSANDRA-18951
4120b8ce4f1bc7bd7ce101e4e298fc2211a21fe0 | Author: Andy Tolbert <6889771+tolbertam@users.noreply.github.com>
| 2024-01-31 11:06:59-06:00
Expose auth mode in system_views.clients, nodetool clientstats, metrics
Adds 'authenticationMode' and 'metadata' fields to AuthenticatedUser to add context
about how the user was authenticated and updates system_views.clients,
nodetool clientstats (behind --verbose flag) to include this information.
Also adds new metrics to ClientMetrics to help operators identify which
authentication modes are being used.
patch by Andy Tolbert; reviewed by Francisco Guerrero, Stefan Miklosovic for CASSANDRA-19366
c09d0d929baeaa02f3438313c7979ccf6b4b3c5a | Author: Andy Tolbert <andy_tolbert@apple.com>
| 2024-01-30 16:41:54-08:00
Allow CQL client certificate authentication to work without sending an AUTHENTICATE request
patch by Andy Tolbert; reviewed by Abe Ratnofsky, Dinesh Joshi, Francisco Guerrero, Jyothsna Konisa for CASSANDRA-18857
4c7133c72e136d23dbcea795e0041df764568931 | Author: Andy Tolbert <6889771+tolbertam@users.noreply.github.com>
| 2024-01-23 10:21:02-06:00
Replace uses of AttributeKey.newInstance
The java driver uses netty channel attributes to decorate a
connection's channel with the cluster name (returned from
the system.local table) and the map from the OPTIONS response, both
of which are obtained on connection initialization.
There's an issue here that I wouldn't expect to see in practice in
that the AttributeKey's used are created using
AttributeKey.newInstance, which throws an exception if an
AttributeKey of that name is defined anywhere else in evaluated code.
This change attempts to resolve this issue by changing AttributeKey
initialiation in DriverChannel from newInstance to valueOf, which avoids
throwing an exception if an AttributeKey of the same name was previously
instantiated.
patch by Andy Tolbert; reviewed by Bret McGuire, Alexandre Dutra, Abe Ratnofsky for CASSANDRA-19290
b47bee42d3b15020fbae72b173e873fa57c8e0c8 | Author: Andy Tolbert <6889771+tolbertam@users.noreply.github.com>
| 2023-08-18 09:33:57-05:00
Allow empty keystore_password in encryption_options
patch by Andy Tolbert; reviewed by Jon Meredith and Stefan Miklosovic for CASSANDRA-18778
3bdd2caa22a0413929188536b41d8117177574fa | Author: Andy Tolbert <6889771+tolbertam@users.noreply.github.com>
| 2022-10-06 14:04:38-04:00
Fix StorageService.getNativeaddress handling of IPv6 addresses
StorageService.getNativeaddress does not currently correctly handle
IPv6 addresses correctly when NATIVE_ADDRESS_AND_PORT are not present in
that it simply concatenates the IP address with the default native port,
e.g.:
0:0:0:0:0:0:5a:3:9042
This does not parse into an InetSocketAddress as the address and port
can't be disambiguated.
Such a case would usually be present when there are 3.x nodes present in a
cluster with 4.0 nodes.
Change updates RPC_ADDRESS and else case to create InetAddressAndPort instances
with DatabaseDescriptor.getNativeTransportPort and returns the
getHostAddress(withPort) which properly bracket encodes the address,
e.g.:
[0:0:0:0:0:0:5a:3]:9042
which can be parsed as an InetSocketAddress.
patch by Andy Tolbert; reviewed by Ariel Weisberg, Brandon Williams for CASSANDRA-17945