Would it be possible for CQL Proxy to authenticate using the clients credentials?

[ims-swilkinson]

So when a client connects, could it authenticate a new connection for that client using the client's Astra username and password?
Then use that connection to make all the requests to Astra for that client? This way limitations imposed by the client's Astra role would apply, such as limiting them to only a specific keyspace.

The motivation behind this request is that we'd like to use a single CQL Proxy cluster to access our Astra database, with multiple apps connecting through it that we want to only be able to access their own keyspace.

[absurdfarce]

Thanks for the question @ims-swilkinson!

At the moment cql-proxy only supports a collection of connections for a single username/password; all client requests are then sent over that channel. cql-proxy could be modified to support a use case like the one you describe but the set of changes required would certainly be non-trivial:

• The arguments to specify username and password would have to be made optional
• Connections to Astra are currently indexed by keyspace. These connections would need to be modified by some combination of keyspace, username and credentials
  • You need to include credentials so that proxy users must provide them; you don't want users to assume identities just by knowing the name of the identity
• Connection logic would need to be changed to defer creation of connections to Astra until a client actually connects
  • This could probably be mitigated by providing the ability to specify username/password combinations that should be pre-allocated

There's almost certainly more than what's outlined above; I'm just musing out loud about what would be necessary. I'm also assuming all the username/password combinations are on the same Astra database. Extending this support to cover multiple Astra databases in addition to multiple username/password combinations would add yet another layer of complexity.

[ims-swilkinson]

Hi Bret, yes we would only ever want to attach a specific CQL Proxy instance or cluster to a specific target Astra database. I did suspect it would be complex to implement, just thought I'd ask in case it's something you'd already started considering. The use case it supports isn't the recommended one, it's just one that we wanted to try as it would make our lives easier, but we can deploy CQL Proxy as a sidecar. Thanks for the answer. Steve Wilkinson Principal Software Engineer e ***@***.******@***.***> w www.ims.tech<http://www.ims.tech/> t +44 (0) 1270 501 212 [A red and white sign Description automatically generated with low confidence]<https://ims.tech/> ***@***.*** <https://ims.tech/about-us/>

…

________________________________ ***@***.***<https://twitter.com/IMSTechHQ> ***@***.*** <https://www.linkedin.com/company/imstechhq/> Trak (Global Solutions) Limited, trading as IMS, is a company registered in England and Wales with company registration number 06944694 and registered address at Global House, Westmere Drive, Crewe Business Park, Crewe, Cheshire, CW1 6ZD. This email and any attachments to it may be confidential, may be legally privileged and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of the Trak Global Group. If you are not the intended recipient of this email, you must not take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. From: Bret McGuire ***@***.***> Sent: Friday, October 13, 2023 7:42 AM To: datastax/cql-proxy ***@***.***> Cc: Steve Wilkinson ***@***.***>; Mention ***@***.***> Subject: Re: [datastax/cql-proxy] Would it be possible for CQL Proxy to authenticate using the clients credentials? (Issue #120) Thanks for the question @ims-swilkinson<https://github.com/ims-swilkinson>! At the moment cql-proxy only supports a collection of connections for a single username/password; all client requests are then sent over that channel. cql-proxy could be modified to support a use case like the one you describe but the set of changes required would certainly be non-trivial: * The arguments to specify username and password would have to be made optional * Connections to Astra are currently indexed by keyspace. These connections would need to be modified by some combination of keyspace, username and credentials * You need to include credentials so that proxy users must provide them; you don't want users to assume identities just by knowing the name of the identity * Connection logic would need to be changed to defer creation of connections to Astra until a client actually connects * This could probably be mitigated by providing the ability to specify username/password combinations that should be pre-allocated There's almost certainly more than what's outlined above; I'm just musing out loud about what would be necessary. I'm also assuming all the username/password combinations are on the same Astra database. Extending this support to cover multiple Astra databases in addition to multiple username/password combinations would add yet another layer of complexity. - Reply to this email directly, view it on GitHub<#120 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/A3VDYJIUJUCVNNMERMWN47TX7DPBTANCNFSM6AAAAAA52STY2M>. You are receiving this because you were mentioned.Message ID: ***@***.******@***.***>>

[absurdfarce]

Sounds good and happy to help @ims-swilkinson ! I'll keep this issue open so that we can have this issue in our backlog. I don't have any idea when or if any such fix would be implemented (as mentioned there aren't any plans to do anything like this now) but it's an intriguing idea.