CASSANDRA-19366: Expose mode of authentication in system_views.clients, nodetool clientstats, and ClientMetrics


Details

    • Operability
    • Normal
    • All
    • Docs

      Updated existing tests around nodetool clientstats and added a ClientMetricsTest that tests the existing metrics for ConnectedClients, AuthSuccess, AuthFailure and the new metrics I added.

      I ran utests and dtests against this branch and it came back clean with the exception of two likely unrelated tests which I'll capture in comments.


    Description

      CASSANDRA-18554 added support for mTLS-authenticated clients. Part of this contribution introduced MutualTlsWithPasswordFallbackAuthenticator, which enables Cassandra to accept either password- or mTLS-authenticated connections.

      As an operator, it would be useful to know which connections are mTLS authenticated and which are password authenticated, since a likely mode of operation is migrating users from one form of authentication to the other. It would also be useful to know, when authentication attempts are failing, which mode of authentication is unsuccessful.

      Proposing to add the following:

      • Add a mode: string and metadata: map<string, string> to AuthenticatedUser. Update existing IAuthenticator implementations to pass mode (e.g. password, mtls), and optionally pass a metadata map (e.g. this can include the identity extracted from a client certificate for mtls authentication).
      • Update nodetool clientstats to add a new option flag --metadata, which when passed exposes these new fields on AuthenticatedUser. (Not added to the existing output, to maintain compatibility, much like --client-options did.)
      • Update system_views.clients to include columns for these new fields.
      • Add new metrics to ClientMetrics:
        • Track authentication successes and failures by mode. (Note: which authentication-mode scopes are present depends on the Authenticator in use; e.g. only scope=Password will be present for PasswordAuthenticator.)

          Existing:

            org.apache.cassandra.metrics:name=AuthSuccess,type=Client
            org.apache.cassandra.metrics:name=AuthFailure,type=Client

          New:

            org.apache.cassandra.metrics:name=AuthSuccess,scope=MutualTls,type=Client
            org.apache.cassandra.metrics:name=AuthSuccess,scope=Password,type=Client

            org.apache.cassandra.metrics:name=AuthFailure,scope=MutualTls,type=Client
            org.apache.cassandra.metrics:name=AuthFailure,scope=Password,type=Client

        • Track connection counts by mode:

          Existing:

            org.apache.cassandra.metrics:name=ConnectedNativeClients,type=Client
            org.apache.cassandra.metrics:name=connectedNativeClients,type=Client (previously deprecated but still maintained)

          New:

            org.apache.cassandra.metrics:name=ConnectedNativeClients,scope=MutualTls,type=Client
            org.apache.cassandra.metrics:name=ConnectedNativeClients,scope=Password,type=Client

        • A metric to track encrypted vs. non-encrypted connections:

            org.apache.cassandra.metrics:name=ConnectedNativeClients,scope=Encrypted,type=Client
            org.apache.cassandra.metrics:name=ConnectedNativeClients,scope=Unencrypted,type=Client

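To show how the scoped metric names above can be consumed on the monitoring side, here is an added Python example (not part of this ticket or of Cassandra's code) that parses the JMX object names into their properties, totals AuthSuccess/AuthFailure per authentication mode, flags modes whose failure rate passes an assumed 25% alert threshold, and reports how many native connections are still unencrypted. The counter values are constructed sample data.

```python
from collections import defaultdict
# Constructed sample scrape of (JMX object name, counter value); the values are made up.
SAMPLE_METRICS = [
    ("org.apache.cassandra.metrics:name=AuthSuccess,type=Client", 120),
    ("org.apache.cassandra.metrics:name=AuthFailure,type=Client", 15),
    ("org.apache.cassandra.metrics:name=AuthSuccess,scope=MutualTls,type=Client", 100),
    ("org.apache.cassandra.metrics:name=AuthFailure,scope=MutualTls,type=Client", 2),
    ("org.apache.cassandra.metrics:name=AuthSuccess,scope=Password,type=Client", 20),
    ("org.apache.cassandra.metrics:name=AuthFailure,scope=Password,type=Client", 13),
    ("org.apache.cassandra.metrics:name=ConnectedNativeClients,scope=Encrypted,type=Client", 40),
    ("org.apache.cassandra.metrics:name=ConnectedNativeClients,scope=Unencrypted,type=Client", 3),
]
def parse_object_name(object_name):
    """Split 'domain:key=value,...' into (domain, {key: value}); JMX key order is not significant."""
    domain, sep, props = object_name.partition(":")
    if not sep or not props:
        raise ValueError(f"not an object name: {object_name!r}")
    keys = {}
    for pair in props.split(","):  # assumption: no quoted values containing ',' or '='
        key, eq, value = pair.partition("=")
        if not eq or not key:
            raise ValueError(f"bad property {pair!r} in {object_name!r}")
        keys[key] = value
    return domain, keys

def client_metrics(metrics, names):
    """Yield (scope, name, value) for type=Client metrics whose name is in `names`."""
    for object_name, value in metrics:
        domain, keys = parse_object_name(object_name)
        if (domain == "org.apache.cassandra.metrics" and keys.get("type") == "Client"
                and keys.get("name") in names):
            yield keys.get("scope", "all"), keys["name"], value  # "all" = legacy unscoped counter

def auth_summary(metrics):
    """Per-mode AuthSuccess/AuthFailure totals plus the failure rate for each mode."""
    per_mode = defaultdict(lambda: {"success": 0, "failure": 0})
    for scope, name, value in client_metrics(metrics, {"AuthSuccess", "AuthFailure"}):
        per_mode[scope]["success" if name == "AuthSuccess" else "failure"] += value
    for counts in per_mode.values():
        total = counts["success"] + counts["failure"]
        counts["failure_rate"] = counts["failure"] / total if total else 0.0
    return dict(per_mode)

def modes_over_threshold(metrics, max_failure_rate=0.25):  # threshold is an assumed alert level
    return sorted(mode for mode, c in auth_summary(metrics).items()
                  if mode != "all" and c["failure_rate"] > max_failure_rate)

def unencrypted_clients(metrics):  # plaintext native connections still present (scope=Unencrypted)
    return sum(v for scope, _, v in client_metrics(metrics, {"ConnectedNativeClients"})
               if scope == "Unencrypted")
```

With the sample data, the Password mode shows a 13/33 failure rate while MutualTls is near zero, which is exactly the per-mode signal the un-scoped AuthFailure counter alone cannot give during a migration.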

      Attachments

        1. CASSANDRA-19366-trunk-1_test_results_summary.html
          7 kB
          Andy Tolbert
        2. CASSANDRA-19366-trunk-1_test_results.tgz
          40.05 MB
          Andy Tolbert
        3. CASSANDRA-19366-trunk-1_test_results-1.tgz
          40.05 MB
          Andy Tolbert
        4. CASSANDRA-19366-trunk-6_ci_summary.html
          7 kB
          Andy Tolbert

            People

              andrew.tolbert Andy Tolbert
              andrew.tolbert Andy Tolbert
              Andy Tolbert
              Francisco Guerrero, Stefan Miklosovic