Erm ... and here's the CEP: https://cwiki.apache.org/confluence/display/CASSANDRA/CEP-50%3A+Authentication+Negotiation

(Thanks for the heads up, Abe ...)

-- Joel.

On 6/30/2025 9:37 AM, Joel Shepherd wrote:
Hello - We would like to propose CEP-50: Authentication Negotiation for adoption by the community: <link> .

This CEP proposes minor changes to the initial handshake protocol (OPTIONS, SUPPORTED and STARTUP messages) to enable a client to inform the node of the authenticators supported by the client, and changes in the node's authentication-related areas to enable it to pick its preferred authenticator for each client connection. The CEP explains why this approach is proposed, instead of implementing a "negotiating authenticator".

Authentication negotiation will make it easier and safer for administrators to migrate clusters to stronger authentication mechanisms (including switching on authentication for a cluster that has been using "allow-all" authentication) without downtime, and to support environments where different clients prefer different authentication mechanisms (e.g., username and password for ad-hoc cqlsh access, mutual TLS for programmatic access, etc.), without having to pick a single "lowest common denominator" authenticator for all. Additionally, the proposed changes are intended to be backwards compatible for both clients and nodes.

Thanks in advance for your time and feedback. Please keep the discussion on this mailing list thread.

Thanks! -- Joel.



