docs/operating-scylla/security/certificate-authentication.rst
Certificate-based authentication is an alternative method of resolving a login to credentials, i.e. a defined ScyllaDB role. Instead of defining one or more user/password pairs, each defined role is assigned depending on verified client certificate Subject/Alt information.
#. Enable authentication
Enable authentication and define authorized roles in the cluster as described in the :doc:Enable Authentication </operating-scylla/security/authentication/> document.
#. Enable CQL transport TLS using client certificate verification
Enable CQL transport TLS using client certificate verification in each node by configuring the client_encryption_options option in the /etc/scylla/scylla.yaml file:
.. code-block:: yaml
client_encryption_options:
enabled: True
certificate: <server cert>
keyfile: <server key>
truststore: <shared trust>
require_client_auth: True
Create the client certificates such that each one designates the desired login role for this connection. A typical method would be to assign the subject common name as the role name. All client certificates need to be signed in such a way that either system trust or the defined trust store can verify them.
#. Configure the certificate based authenticator in each node.
.. code-block:: yaml
authenticator: com.scylladb.auth.CertificateAuthenticator
auth_certificate_role_queries:
- source: SUBJECT
query: CN=([^,\s]+)
More than one expression can be used to extract role names. The first matching expression will be used. The available sources are SUBJECT (distinguished name) and
ALTNAME (subject extensions). The query should be a regular expression with a single match clause.
Restart the cluster.
Enable Authentication </operating-scylla/security/authentication/>Enable Authorization </operating-scylla/security/enable-authorization/>Authorization </operating-scylla/security/authorization/>