Class SpiffeCertificateValidator

  • All Implemented Interfaces:
    MutualTlsCertificateValidator

    public class SpiffeCertificateValidator
    extends java.lang.Object
    implements MutualTlsCertificateValidator
    This class assumes that the identity of a certificate is a SPIFFE ID, a URI carried in the Subject Alternative Name (SAN) extension of the client certificate. It contains the logic to extract that identity (the SPIFFE ID) from a certificate and knows how to validate client certificates.

    Example (cassandra.yaml):

      # authenticator expects an IAuthenticator (client-to-node)
      authenticator:
        class_name : org.apache.cassandra.auth.MutualTlsAuthenticator
        parameters :
          validator_class_name: org.apache.cassandra.auth.SpiffeCertificateValidator

      # internode_authenticator expects an IInternodeAuthenticator (node-to-node)
      internode_authenticator:
        class_name : org.apache.cassandra.auth.MutualTlsInternodeAuthenticator
        parameters :
          validator_class_name: org.apache.cassandra.auth.SpiffeCertificateValidator

    • Method Summary

      Modifier and Type / Method / Description
      java.lang.String identity(java.security.cert.Certificate[] clientCertificateChain)
        Extracts the identity from a certificate chain in order to perform mTLS authentication.
      boolean isValidCertificate(java.security.cert.Certificate[] clientCertificateChain)
        Performs the checks required on the certificate before the authorization check that grants the client access during an mTLS connection.
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Constructor Detail

      • SpiffeCertificateValidator

        public SpiffeCertificateValidator()
    • Method Detail

      • isValidCertificate

        public boolean isValidCertificate(java.security.cert.Certificate[] clientCertificateChain)
        Description copied from interface: MutualTlsCertificateValidator
        Performs the checks required on the certificate before the authorization check that grants the client access during an mTLS connection. For example:
          - verifying CA information
          - checking CN information
          - validating issuer information
          - checking organization information, etc.
        Specified by:
        isValidCertificate in interface MutualTlsCertificateValidator
        Parameters:
        clientCertificateChain - client certificate chain
        Returns:
        true if the certificate is valid, false otherwise
      • identity

        public java.lang.String identity(java.security.cert.Certificate[] clientCertificateChain)
                                  throws AuthenticationException
        Description copied from interface: MutualTlsCertificateValidator
        Extracts the identity from a certificate chain in order to perform mTLS authentication. Examples of an identity are:
          - an identifier in the SAN of the certificate, such as a SPIFFE ID
          - the CN of the certificate
          - any other fields of the certificate, combined and used as the certificate's identifier
        Specified by:
        identity in interface MutualTlsCertificateValidator
        Parameters:
        clientCertificateChain - client certificate chain
        Returns:
        identifier extracted from certificate
        Throws:
        AuthenticationException - when identity cannot be extracted
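
        The following is an added example, not Cassandra's own SpiffeCertificateValidator, showing how a custom MutualTlsCertificateValidator can implement the two methods above so that identity() only ever returns a single spiffe:// URI SAN from a pinned trust domain, and isValidCertificate() also rejects expired or not-yet-valid leaf certificates. It assumes the interface lives in org.apache.cassandra.auth and AuthenticationException in org.apache.cassandra.exceptions with a String constructor; the trust domain value is constructed for illustration.

        ```java
        import java.security.cert.Certificate;
        import java.security.cert.CertificateException;
        import java.security.cert.X509Certificate;
        import java.util.Collection;
        import java.util.List;
        import org.apache.cassandra.auth.MutualTlsCertificateValidator;
        import org.apache.cassandra.exceptions.AuthenticationException;

        // Added example (not Cassandra code): pins the SPIFFE trust domain and refuses ambiguous SANs.
        public class TrustDomainSpiffeValidator implements MutualTlsCertificateValidator {
            private static final int SAN_URI = 6; // GeneralName tag for uniformResourceIdentifier
            // Constructed value for illustration; a real deployment pins its own trust domain.
            private static final String TRUST_DOMAIN = "spiffe://example.org/";

            @Override
            public boolean isValidCertificate(Certificate[] clientCertificateChain) {
                try {
                    return extractSpiffeId(clientCertificateChain) != null;
                } catch (CertificateException e) {
                    return false; // expired, not yet valid, or unparsable SAN extension
                }
            }

            @Override
            public String identity(Certificate[] clientCertificateChain) throws AuthenticationException {
                try {
                    String id = extractSpiffeId(clientCertificateChain);
                    if (id == null) throw new AuthenticationException("No single SPIFFE ID in trust domain " + TRUST_DOMAIN);
                    return id;
                } catch (CertificateException e) {
                    throw new AuthenticationException("Invalid client certificate: " + e.getMessage());
                }
            }

            // Returns the one spiffe:// URI SAN of the leaf that lies in TRUST_DOMAIN, or null when the
            // chain is empty, the leaf is not X.509, or the SAN is missing, foreign or ambiguous.
            private static String extractSpiffeId(Certificate[] chain) throws CertificateException {
                if (chain == null || chain.length == 0 || !(chain[0] instanceof X509Certificate)) return null;
                X509Certificate leaf = (X509Certificate) chain[0];
                leaf.checkValidity(); // throws CertificateException outside the validity window
                Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
                if (sans == null) return null;
                String found = null;
                for (List<?> san : sans) {
                    if (!Integer.valueOf(SAN_URI).equals(san.get(0))) continue;
                    String uri = String.valueOf(san.get(1));
                    if (!uri.startsWith(TRUST_DOMAIN) || found != null) return null; // foreign domain or second ID
                    found = uri;
                }
                return found;
            }
        }
        ```

        Only the leaf certificate is inspected for identity; chain-of-trust verification against the configured truststore is left to the TLS handshake, as with the built-in validator.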