11= Getting started with mTLS authenticators
22
3- When a certificate based authentication protocol like TLS is used for client and
4- Internode connections, `MutualTlsAuthenticator` & `MutualTlsInternodeAuthenticator`
5- can be used for the authentication by leveraging the client certificates from the
6- SSL handshake.
3+ When certificate- based authentication such as TLS is used for client and
4+ internode connections, `MutualTlsAuthenticator` and
5+ `MutualTlsInternodeAuthenticator` can authenticate clients by using the
6+ client certificate from the SSL handshake.
77
8- After SSL handshake, identity from the client certificates is extracted and only
9- authorized users will be granted access.
8+ After the SSL handshake, the identity from the client certificate is
9+ extracted and only authorized users are granted access.
10+
11+ == Certificate prerequisites
12+
13+ Before enabling either authenticator, generate the certificate material
14+ you intend to use:
15+
16+ * one CA certificate that issues the node and client certificates
17+ * one server certificate and key for each node
18+ * one client certificate and key for each user or service account
19+ * a truststore that contains the issuing CA
20+ * a keystore for each node
21+
22+ If you use the default SPIFFE validator, the SPIFFE ID must be present
23+ in the certificate SAN. If you use a custom CN-based validator, the
24+ subject CN must match the identity you want to map to a role.
1025
1126== What is an Identity
1227
@@ -18,7 +33,7 @@ certificate conventions used in the deployment environment.
1833
1934There is a default implementation of `MutualTlsCertificateValidator` with
2035https://spiffe.io/docs/latest/spiffe-about/spiffe-concepts/[SPIFFE] as the identity
21- of the certificates.This requires spiffe to be present in the SAN of the certificate.
36+ of the certificates. This requires SPIFFE to be present in the SAN of the certificate.
2237
2338Instead of using `SPIFFE` based validator, a custom `CN` based validator that implements `MutualTlsCertificateValidator`
2439could be configured by the operator if required.
@@ -28,18 +43,18 @@ could be configured by the operator if required.
2843Note that the following steps uses SPIFFE identity as an example, If you are using
2944a custom validator, use appropriate identity in place of `spiffe://testdomain.com/testIdentifier/testValue`.
3045
31- *STEP 1: Add authorized users to system_auth.identity_to_roles table*
46+ *STEP 1: Add authorized users to ` system_auth.identity_to_roles` table*
3247
3348Note that only users with permissions to create/modify roles can add/remove identities.
34- Client certificates with the identities in this table will be trusted by C* .
49+ Client certificates with the identities in this table will be trusted by Cassandra .
3550[source, plaintext]
3651----
3752ADD IDENTITY 'spiffe://testdomain.com/testIdentifier/testValue' TO ROLE 'read_only_user'
3853----
3954
4055*STEP 2: Configure Cassandra.yaml with right properties*
4156
42- `client_encryption_options` configuration for mTLS connections
57+ Configure `client_encryption_options` for mTLS connections.
4358[source, plaintext]
4459----
4560client_encryption_options:
@@ -51,8 +66,9 @@ client_encryption_options:
5166 truststore_password: cassandra
5267 require_client_auth: true // to enable mTLS
5368----
54- Configure mTLS authenticator and the validator for client connections . If you are
55- implementing a custom validator, use that instead of Spiffe validator
69+ Configure the mTLS authenticator and validator for client connections.
70+ If you are implementing a custom validator, use that instead of the
71+ SPIFFE validator.
5672[source, plaintext]
5773----
5874authenticator:
@@ -63,35 +79,46 @@ authenticator:
6379
6480*STEP 3: Bounce the cluster*
6581
66- After the bounce, C* will accept mTLS connections from the clients and if their
67- identity is present in the `identity_to_roles` table, access will be granted.
82+ After the bounce, Cassandra accepts mTLS connections from clients. If
83+ the identity is present in the `identity_to_roles` table, access is
84+ granted.
85+
86+ == Verifying mTLS
87+
88+ Verify the setup with the same client toolchain you will use in
89+ production. Connect with the client certificate and key, run a simple
90+ query, and confirm that the mapped role can access the cluster. Repeat
91+ the connection attempt with a certificate whose identity is not present
92+ in `identity_to_roles`; the connection should be rejected.
6893
6994== Configuring mTLS with password fallback authenticator for client connections
7095
71- Operators that wish to migrate cannot immediately change the configuration to require
72- mTLS authentication as it will break existing non-mTLS based clients of the cluster.
73- In order to make a smooth transition from non-mTLS based authentication to mTLS authentication,
74- the operator can run Cassandra in optional mTLS mode and configure authenticator to be
75- `MutualTlsWithPasswordFallbackAuthenticator` which can accept both certificate based
76- and password based connections.
96+ Operators that want to migrate cannot immediately require mTLS
97+ authentication because that would break existing non-mTLS clients. To
98+ make a smooth transition, run Cassandra in optional mTLS mode and
99+ configure the authenticator to be
100+ `MutualTlsWithPasswordFallbackAuthenticator`, which accepts both
101+ certificate-based and password- based connections.
77102
78- Below are the steps to configure C* in optional mTLS mode with fallback authenticator.
79- Note that the following steps uses SPIFFE identity as an example, If you are using
80- a custom validator, use appropriate identity in place of `spiffe://testdomain.com/testIdentifier/testValue`.
103+ Below are the steps to configure Cassandra in optional mTLS mode with
104+ the fallback authenticator. Note that the following steps use SPIFFE
105+ identity as an example. If you are using a custom validator, use the
106+ appropriate identity in place of
107+ `spiffe://testdomain.com/testIdentifier/testValue`.
81108
82- *STEP 1: Add authorized users to system_auth.identity_to_roles table*
109+ *STEP 1: Add authorized users to ` system_auth.identity_to_roles` table*
83110
84111Note that only users with permissions to create/modify roles can add/remove identities.
85- Client certificates with the identities in this table will be trusted by C* .
112+ Client certificates with the identities in this table will be trusted by Cassandra .
86113[source, plaintext]
87114----
88115ADD IDENTITY 'spiffe://testdomain.com/testIdentifier/testValue' TO ROLE 'read_only_user'
89116----
90117
91118*STEP 2: Configure Cassandra.yaml with right properties*
92119
93- `client_encryption_options` configuration for mTLS connections, Note that require_client_auth configuration
94- is optional.
120+ Configure `client_encryption_options` for mTLS connections. Note that
121+ `require_client_auth` is optional here .
95122[source, plaintext]
96123----
97124client_encryption_options:
@@ -103,8 +130,9 @@ client_encryption_options:
103130 truststore_password: cassandra
104131 require_client_auth: optional // to enable mTLS in optional mode
105132----
106- Configure fallback authenticator and the validator for client connections . If you are
107- implementing a custom validator, use that instead of Spiffe validator
133+ Configure the fallback authenticator and validator for client
134+ connections. If you are implementing a custom validator, use that
135+ instead of the SPIFFE validator.
108136[source, plaintext]
109137----
110138authenticator:
@@ -115,13 +143,13 @@ authenticator:
115143
116144*STEP 3: Bounce the cluster*
117145
118- After the bounce, C* will accept both mTLS connections and password based connections from
119- the clients. This configuration should be used during transition phase and the require_client_auth
120- configuration should be set to true when all the clients start making mTLS connections to the cluster .
146+ After the bounce, Cassandra accepts both mTLS and password- based
147+ connections. Use this configuration only during the transition phase.
148+ Set `require_client_auth` to ` true` after all clients use mTLS.
121149
122150== Configuring mTLS authenticator for Internode connections
123151
124- Internode authenticator trusts certificates whose identities are present in
152+ The internode authenticator trusts certificates whose identities are present in
125153`internode_authenticator.parameters.trusted_peer_identities` if configured.
126154
127155Otherwise, it trusts connections which have the same identity as the node.
@@ -132,13 +160,13 @@ connections from other nodes who have the same identity will be trusted if
132160`trusted_peer_identities` is not configured.
133161
134162For example, if a node has `testIdentity` embedded in the certificate in
135- outbound keystore, It trusts connections from other nodes when their certificates
136- have `testIdentity` embedded in them.
163+ the outbound keystore, it trusts connections from other nodes when
164+ their certificates have `testIdentity` embedded in them.
137165
138166There is an optional configuration `node_identity` that can be used to verify identity
139167extracted from the keystore to avoid any configuration errors.
140168
141- *STEP 1: Configure server_encryption_options in cassandra.yaml*
169+ *STEP 1: Configure ` server_encryption_options` in ` cassandra.yaml` *
142170
143171[source, plaintext]
144172----
@@ -156,8 +184,9 @@ server_encryption_options:
156184
157185*STEP 2: Configure Internode Authenticator and Validator*
158186
159- Configure mTLS Internode authenticator and validator. If you are
160- implementing a custom validator, use that instead of Spiffe validator
187+ Configure the mTLS internode authenticator and validator. If you are
188+ implementing a custom validator, use that instead of the SPIFFE
189+ validator.
161190[source, plaintext]
162191----
163192internode_authenticator:
@@ -168,19 +197,22 @@ internode_authenticator:
168197----
169198
170199*STEP 3: Bounce the cluster*
171- Once all nodes in the cluster are restarted, all internode communications will be authenticated by mTLS.
200+ Once all nodes in the cluster are restarted, all internode
201+ communications are authenticated by mTLS.
172202
173203== Migration from existing password based authentication
174204* For client connections, since the migration will not happen overnight,
175- the operators can run cassandra in optional mTLS mode and use
176- `MutualTlsWithPasswordFallbackAuthenticator` which will accept both mTLS & password
177- based connections, based on the type of connection client is making. These settings
178- can be configured in `cassandra.yaml`. Once all the clients migrate to using mTLS,
179- turn off optional mode and set the authenticator to be `MutualTlsAuthenticator`. From
180- that point only mTLS client connections will be accepted.
205+ operators can run Cassandra in optional mTLS mode and use
206+ `MutualTlsWithPasswordFallbackAuthenticator`, which accepts both mTLS
207+ and password- based connections. Configure the settings in
208+ `cassandra.yaml`. Once all clients migrate to mTLS, turn off optional
209+ mode and set the authenticator to `MutualTlsAuthenticator`. From that
210+ point only mTLS client connections are accepted.
181211
182212* For Internode connections, while doing rolling upgrades from non-mTLS based configuration
183- to mTLS based configuration, set `server_encryption_options.optional:true` for the new nodes to
184- be able to connect to old nodes which are still using non-mTLS based configuration during upgrade.
185- After this, change the internode authenticator to be `MutualTlsInternodeAuthenticator` and turn off the optional
186- mode by setting `server_encryption_options.optional:false`.
213+ to mTLS based configuration, set `server_encryption_options.optional: true`
214+ for the new nodes so they can connect to old nodes that are still
215+ using non-mTLS based configuration during upgrade. After this, change
216+ the internode authenticator to `MutualTlsInternodeAuthenticator` and
217+ turn off the optional mode by setting
218+ `server_encryption_options.optional: false`.
0 commit comments