Hello - We would like to propose CEP-50: Authentication Negotiation for
adoption by the community: <link> .
This CEP proposes minor changes to the initial handshake protocol
(OPTIONS, SUPPORTED and STARTUP messages) to enable a client to inform
the node of the authenticators supported by the client, and changes in
the node's authentication-related areas to enable it to pick its
preferred authenticator for each client connection. The CEP
explains why this approach is proposed, instead of implementing a
"negotiating authenticator".
Authentication negotiation will make it easier and safer for
administrators to migrate clusters to stronger authentication mechanisms
(including switching on authentication for a cluster that has been using
"allow-all" authentication) without downtime, and to support
environments where different clients prefer different authentication
mechanisms (e.g., username and password for ad-hoc cqlsh access, mutual
TLS for programmatic access, etc.), without having to pick a single
"lowest common denominator" authenticator for all. Additionally, the
proposed changes are intended to be backwards compatible for both
clients and nodes.
Thanks in advance for your time and feedback. Please keep the discussion
on this mailing list thread.
Thanks! -- Joel.
[DISCUSS] CEP-50: Authentication Negotiation -- Joel Shepherd
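The selection logic the proposal describes (client advertises what it supports during the handshake, node picks its preferred authenticator per connection, legacy clients keep working) can be sketched as a small simulation. The following Python is an added illustration, not code from the CEP, from Joel's post or from Cassandra: the STARTUP option key `AUTHENTICATORS`, the `NodeAuthConfig` shape and the "first match in the node's preference order" rule are assumptions made for this example; only the message names (OPTIONS, SUPPORTED, STARTUP) and the idea of a per-connection choice come from the post.

```python
"""Toy model of per-connection authenticator negotiation.

Added illustration only; this is NOT CEP-50's wire format and not Cassandra
code. The STARTUP option key 'AUTHENTICATORS', the NodeAuthConfig shape and
the selection rule are assumptions for the example. The native protocol's
STARTUP message really does carry a string map of options (CQL_VERSION,
COMPRESSION, ...), which is the only fact relied on here.
"""
from dataclasses import dataclass
from typing import Optional

# Authenticator names used for illustration (they mirror the class names an
# operator would put in cassandra.yaml, but nothing here depends on that).
ALLOW_ALL = "AllowAllAuthenticator"
PASSWORD = "PasswordAuthenticator"
MUTUAL_TLS = "MutualTlsAuthenticator"

# Assumed option key a negotiation-aware client adds to its STARTUP options.
STARTUP_AUTH_KEY = "AUTHENTICATORS"


@dataclass
class NodeAuthConfig:
    """Node-side policy (assumed shape, not a real cassandra.yaml section)."""
    # Most preferred first; the node picks the first one the client supports.
    preferred: list[str]
    # Authenticator handed to a client that advertises nothing, i.e. a driver
    # that predates negotiation. This is the backwards-compatibility path.
    legacy_default: str


def select_authenticator(node: NodeAuthConfig,
                         startup_options: dict[str, str]) -> Optional[str]:
    """Pick the authenticator for one connection from its STARTUP options.

    Returns None when the client advertised a list but shares no mechanism
    with the node; a real node would answer that with an error response.
    """
    advertised = startup_options.get(STARTUP_AUTH_KEY)
    if advertised is None:
        # Legacy client: behave exactly as a node without negotiation would.
        return node.legacy_default
    client_set = {name.strip() for name in advertised.split(",") if name.strip()}
    for candidate in node.preferred:
        if candidate in client_set:
            return candidate
    return None


def negotiate_all(node: NodeAuthConfig,
                  clients: dict[str, dict[str, str]]) -> dict[str, Optional[str]]:
    """Run the selection for several simulated clients; keys are client labels."""
    return {label: select_authenticator(node, opts) for label, opts in clients.items()}


# Constructed sample STARTUP option maps for three kinds of client.
SAMPLE_CLIENTS = {
    # Ad-hoc cqlsh session: username/password only.
    "cqlsh": {"CQL_VERSION": "3.4.6", STARTUP_AUTH_KEY: PASSWORD},
    # Service with a client certificate: prefers mTLS, can fall back to password.
    "service": {"CQL_VERSION": "3.4.6",
                STARTUP_AUTH_KEY: f"{MUTUAL_TLS},{PASSWORD}"},
    # Old driver: no AUTHENTICATORS option at all.
    "legacy-driver": {"CQL_VERSION": "3.4.6"},
    # Client that only speaks a mechanism this node does not offer.
    "odd-client": {"CQL_VERSION": "3.4.6", STARTUP_AUTH_KEY: "SomeOtherAuthenticator"},
}

# Steady state: mTLS preferred, password accepted, legacy clients get password.
STEADY_STATE_NODE = NodeAuthConfig(preferred=[MUTUAL_TLS, PASSWORD],
                                   legacy_default=PASSWORD)

# Mid-migration from allow-all: new clients are moved to password immediately,
# while not-yet-upgraded drivers keep allow-all so nothing goes down. Once all
# drivers advertise, legacy_default is switched to PASSWORD and ALLOW_ALL is
# dropped from the preference list.
MIGRATION_NODE = NodeAuthConfig(preferred=[PASSWORD, ALLOW_ALL],
                                legacy_default=ALLOW_ALL)

if __name__ == "__main__":
    for label, node in (("steady state", STEADY_STATE_NODE),
                        ("migration", MIGRATION_NODE)):
        print(label)
        for client, chosen in negotiate_all(node, SAMPLE_CLIENTS).items():
            print(f"  {client:14s} -> {chosen or 'REJECT (no common mechanism)'}")
```

Running the script prints the chosen authenticator per simulated client for both node configurations; the point to notice is that the same set of clients gets different, individually appropriate answers, and that the legacy driver never breaks while the node's `legacy_default` is being tightened.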