mirrors/scylladb
1
0
Fork 0
mirror of https://github.com/scylladb/scylladb.git synced 2026-05-02 22:25:48 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
copilot/fix-task-api-docs-and-node-ops
scylladb/docs/operating-scylla/security/certificate-authentication.rst

57 lines
2.1 KiB
ReStructuredText
Raw Permalink Blame History

Certificate-based Authentication
================================
Certificate-based authentication is an alternative method of resolving a login to credentials, i.e. a defined ScyllaDB role.
Instead of defining one or more user/password pairs, each defined role is assigned depending on verified
client certificate Subject/Alt information.
Procedure
---------
#. Enable authentication
Enable authentication and define authorized roles in the cluster as described in the :doc:`Enable Authentication </operating-scylla/security/authentication/>` document.
#. Enable CQL transport TLS using client certificate verification
Enable CQL transport TLS using client certificate verification in each node by configuring the `` client_encryption_options`` option in the ``/etc/scylla/scylla.yaml`` file:
.. code-block:: yaml
client_encryption_options:
enabled: True
certificate: <server cert>
keyfile: <server key>
truststore: <shared trust>
require_client_auth: True
Create the client certificates such that each one designates the desired login role for this connection. A typical method
would be to assign the subject common name as the role name. All client certificates need to be signed in such a way that
either system trust or the defined trust store can verify them.
#. Configure the certificate based authenticator in each node.
.. code-block:: yaml
authenticator: com.scylladb.auth.CertificateAuthenticator
auth_certificate_role_queries:
- source: SUBJECT
query: CN=([^,\s]+)
More than one expression can be used to extract role names. The first matching expression will be used. The available sources are `SUBJECT` (distinguished name) and
`ALTNAME` (subject extensions). The query should be a regular expression with a single match clause.
Restart the cluster.
Additional Resources
--------------------
* :doc:`Enable Authentication </operating-scylla/security/authentication/>`
* :doc:`Enable Authorization </operating-scylla/security/enable-authorization/>`
* :doc:`Authorization </operating-scylla/security/authorization/>`
Reference in New Issue View Git Blame Copy Permalink