[CASSANDRA-19366] Expose mode of authentication in system_views.clients, nodetool clientstats, and ClientMetrics - ASF JIRA

Agile Board

Attach files

Attach Screenshot

Bulk Copy Attachments

Bulk Move Attachments

Voters

Watch issue

Watchers

Create sub-task

Convert to sub-task

Move

Link

Clone

Labels

Update Comment Author

Replace String in Comment

Update Comment Visibility

Delete Comments

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Normal
Resolution: Fixed
Fix Version/s: 5.1
Component/s: Feature/Encryption, Messaging/Client, Observability/JMX, Observability/Metrics, Tool/nodetool
Labels:
None

Change Category:
Operability
Complexity:
Normal
Platform:

All
Impacts:

Docs
Source Control Link:

https://github.com/apache/cassandra/commit/4120b8ce4f1bc7bd7ce101e4e298fc2211a21fe0
Test and Documentation Plan:

Hide

Updated existing tests around nodetool clientstats and added a ClientMetricsTest that tests the existing metrics for ConnectedClients,AuthSuccess,AuthFailure and the new metrics I added.

I ran utests and dtests against this branch and it came back clean with exception to two likely unrelated tests which I'll capture in comments.

Show
Updated existing tests around nodetool clientstats and added a ClientMetricsTest that tests the existing metrics for ConnectedClients,AuthSuccess,AuthFailure and the new metrics I added. I ran utests and dtests against this branch and it came back clean with exception to two likely unrelated tests which I'll capture in comments.

Description

~~CASSANDRA-18554~~ added support for mTLS-authenticated clients. Part of this contribution introduced MutualTlsWithPasswordFallbackAuthenticator, which enables Cassandra to support either password and mTLS-authenticated connections.

As an operator, it would be useful to know which connections are mTLS authenticated, and which are password authenticated, as a possible mode of operation is migrating users from one from of authentication to another. It would also be useful to know if that if authentication attempts are failing which mode of authentication is unsuccessful.

Proposing to add the following:

Add a mode: string and metadata: map<string, string> to AuthenticatedUser. Update existing IAuthenticator implementations to pass mode (e.g. password , mtls), and optionally pass a metadata map (e.g. this can include the extracted identity from a client certificate for mtls authentication).
Update nodetool clientstats to add a new option flag --metadata, which when passed exposes these new fields on AuthenticatedUser. (Not added to existing output to maintain compatibility, much like -client-options did.
Update system_views.clients to include columns for these new fields.
Add new metrics to ClientMetrics:
- Track authentication success and failures by mode. (Note: The metrics present by authentication mode scope are contextual based on the Authenticator used (e.g. only scope=Password will be present for PasswordAuthenticator)

Existing:

org.apache.cassandra.metrics:name=AuthSuccess,type=Client
org.apache.cassandra.metrics:name=AuthFailure,type=Client

New:

org.apache.cassandra.metrics:name=AuthSuccess,scope=MutualTls,type=Client
org.apache.cassandra.metrics:name=AuthSuccess,scope=Password,type=Client

org.apache.cassandra.metrics:name=AuthFailure,scope=MutualTls,type=Client
org.apache.cassandra.metrics:name=AuthFailure,scope=Password,type=Client

- Track connection counts by mode:

Existing:
org.apache.cassandra.metrics:name=ConnectedNativeClients,type=Client
org.apache.cassandra.metrics:name=connectedNativeClients,type=Client (previously deprecated but still maintained)

New:
org.apache.cassandra.metrics:name=ConnectedNativeClients,scope=MutualTls,type=Client
org.apache.cassandra.metrics:name=ConnectedNativeClients,scope=Password,type=Client

- A metric to track encrypted vs. non-encrypted connections:

org.apache.cassandra.metrics:name=ConnectedNativeClients,scope=Encrypted,type=Client
org.apache.cassandra.metrics:name=ConnectedNativeClients,scope=Unencrypted,type=Client