14 Collaborator |
Brandon Williams, Aleksey Yeschenko, Mick Semb Wever, Štefan Miklošovič, David Capwell, Ariel Weisberg, Dinesh Joshi, Jon Meredith, Francisco Guerrero, Jon Haddad, Abe Ratnofsky, Jyothsna Konisa, Patrick Bannister, Tiago Alves |
5 Patch |
7 Review |
50d94f4b462b7a3c4415cf508d6a8eff7bd5d32f | Author: Tiago Alves <tiago.alves@datastax.com>
| 2024-10-07 10:56:46+01:00
Enables IAuthenticator's to return own AuthenticateMessage
Allows custom implementations of IAuthenticator to return their own
AuthenticateMessage based on ClientState information.
ClientState contains information about driver's name and version which
could be used to determine the contents of the AuthenticateMessage that
is sent back to the clients. This enables, for instance, returning
driver's known authenticator implementations (e.g. DseAuthenticator)
which enables SASL negotiation.
patch by Tiago Alves; reviewed by Mick Semb Wever, Andy Tolbert for CASSANDRA-19984
a0af41f666c23a840d9df3f06729ed5fd2c06cd1 | Author: Francisco Guerrero <frank.guerrero@gmail.com>
| 2024-02-15 13:19:28-08:00
CASSANDRA-18951: Add option for MutualTlsAuthenticator to restrict the certificate validity period
In this commit, we introduce two new optional options for the `server_encryption_options`
and the `client_encryption_options`. The options are `max_certificate_validity_period` and
`certificate_validity_warn_threshold`. Both options can be configured as a duration
configuration parameter as defined by the `DurationSpec` (see CASSANDRA-15234). The resolution
for these new properties is minutes.
When specified, the certificate validation implementation will take that information
and reject certificates that are older than the maximum allowed certificate validity period,
translating into a rejection from the authenticating user.
The `certificate_validity_warn_threshold` option can be configured to emit warnings (log entries)
when the certificate exceeds the validity threshold.
patch by Francisco Guerrero; reviewed by Andy Tolbert, Abe Ratnofsky, Dinesh Joshi for CASSANDRA-18951
4120b8ce4f1bc7bd7ce101e4e298fc2211a21fe0 | Author: Andy Tolbert <6889771+tolbertam@users.noreply.github.com>
| 2024-01-31 11:06:59-06:00
Expose auth mode in system_views.clients, nodetool clientstats, metrics
Adds 'authenticationMode' and 'metadata' fields to AuthenticatedUser to add context
about how the user was authenticated and updates system_views.clients,
nodetool clientstats (behind --verbose flag) to include this information.
Also adds new metrics to ClientMetrics to help operators identify which
authentication modes are being used.
patch by Andy Tolbert; reviewed by Francisco Guerrero, Stefan Miklosovic for CASSANDRA-19366
c09d0d929baeaa02f3438313c7979ccf6b4b3c5a | Author: Andy Tolbert <andy_tolbert@apple.com>
| 2024-01-30 16:41:54-08:00
Allow CQL client certificate authentication to work without sending an AUTHENTICATE request
patch by Andy Tolbert; reviewed by Abe Ratnofsky, Dinesh Joshi, Francisco Guerrero, Jyothsna Konisa for CASSANDRA-18857
b47bee42d3b15020fbae72b173e873fa57c8e0c8 | Author: Andy Tolbert <6889771+tolbertam@users.noreply.github.com>
| 2023-08-18 09:33:57-05:00
Allow empty keystore_password in encryption_options
patch by Andy Tolbert; reviewed by Jon Meredith and Stefan Miklosovic for CASSANDRA-18778
3bdd2caa22a0413929188536b41d8117177574fa | Author: Andy Tolbert <6889771+tolbertam@users.noreply.github.com>
| 2022-10-06 14:04:38-04:00
Fix StorageService.getNativeaddress handling of IPv6 addresses
StorageService.getNativeaddress does not currently handle
IPv6 addresses correctly when NATIVE_ADDRESS_AND_PORT are not present in
that it simply concatenates the IP address with the default native port,
e.g.:
0:0:0:0:0:0:5a:3:9042
This does not parse into an InetSocketAddress as the address and port
can't be disambiguated.
Such a case would usually be present when there are 3.x nodes present in a
cluster with 4.0 nodes.
Change updates RPC_ADDRESS and else case to create InetAddressAndPort instances
with DatabaseDescriptor.getNativeTransportPort and returns the
getHostAddress(withPort) which properly bracket encodes the address,
e.g.:
[0:0:0:0:0:0:5a:3]:9042
which can be parsed as an InetSocketAddress.
patch by Andy Tolbert; reviewed by Ariel Weisberg, Brandon Williams for CASSANDRA-17945
678ca3fc29c38b64a110dcf40693aa7840b0585c | Author: Jon Meredith <jmeredithco@gmail.com>
| 2020-04-07 18:58:59-06:00
Update port when reconnecting to pre-4.0 SSL storage
On a failed outbound connection to a node with pending data, recheck
the messaging version before reattempting the connection.
Prior to this change, if the endpoint version was incorrectly set
to 4.0 when the node was running 3.0 with an SSL storage port
the connection would continuously try to reconnect on the wrong port.
The patch also improves some of the log messages to include the
actual port being connected to as well as the canonical endpoint for
the node.
Patch by Jon Meredith & Andy Tolbert; reviewed by Aleksey Yeschenko for
CASSANDRA-15727
Co-authored-by: Jon Meredith <jmeredithco@gmail.com>
Co-authored-by: Andy Tolbert <andy_tolbert@apple.com>