From 505096f077ea9f414ea69be3d91aa37bd822a89d Mon Sep 17 00:00:00 2001
From: Joel Shepherd <shepherd@amazon.com>
Date: Tue, 14 Oct 2025 00:12:10 +0000
Subject: [PATCH 01/30] Enable IAuthenticator to declare supported and
 alterable role options (CASSANDRA-20834 for CEP-50)

With negotiated authentication (CEP-50), nodes may be configured with multiple authenticators. Prior to this change,
a number of areas in the code assumed that there was a single configured authenticator and contained logic that
switched depending on the authenticator type. This logic won't work when multiple authenticators can be configured.
This change eliminates most calls to DataDescriptor.getAuthenticator(), by enabling individual authenticators to
declare the role attributes they support, requiring callers to specify the type of authenticator they're looking
for, and directly returning whether the node can enforce authn or not rather than inferring it by the presence of
an authenticator.

Testing done: Unit tests for auth and config packages; d-tests for auth-related functionality (e.g. ColumnMasks).

patch by jcshepherd; reviewed by smiklosovic,tolbertam for CASSANDRA-20834
---
 .../org/apache/cassandra/auth/AuthConfig.java |  12 ++
 .../cassandra/auth/CassandraRoleManager.java  |  72 ++++++-----
 .../apache/cassandra/auth/IAuthenticator.java |  23 ++++
 .../auth/MutualTlsAuthenticator.java          |   5 +-
 .../auth/NetworkPermissionsCache.java         |   2 +-
 .../cassandra/auth/PasswordAuthenticator.java |  37 +++++-
 src/java/org/apache/cassandra/auth/Roles.java |   2 +-
 .../cassandra/config/DatabaseDescriptor.java  |  36 ++++++
 .../db/virtual/CredentialsCacheKeysTable.java |  15 +--
 .../cassandra/service/CassandraDaemon.java    |   2 +-
 .../apache/cassandra/service/ClientState.java |   4 +-
 test/conf/cassandra-passwordauth.yaml         |  93 ++++++++++++++
 .../apache/cassandra/auth/AuthConfigTest.java | 117 ++++++++++++++----
 13 files changed, 346 insertions(+), 74 deletions(-)
 create mode 100644 test/conf/cassandra-passwordauth.yaml

diff --git a/src/java/org/apache/cassandra/auth/AuthConfig.java b/src/java/org/apache/cassandra/auth/AuthConfig.java
index 67d4490790ee..86e1f626ff81 100644
--- a/src/java/org/apache/cassandra/auth/AuthConfig.java
+++ b/src/java/org/apache/cassandra/auth/AuthConfig.java
@@ -20,6 +20,8 @@
 
 import java.util.List;
 
+import com.google.common.annotations.VisibleForTesting;
+
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -38,6 +40,16 @@ public final class AuthConfig
 
     private static boolean initialized;
 
+    /**
+     * Resets the initialized flag, enabling AuthConfig to be reconfigured multiple times within a single
+     * test case.
+     */
+    @VisibleForTesting
+    static void reset()
+    {
+        initialized = false;
+    }
+
     public static void applyAuth()
     {
         // some tests need this
diff --git a/src/java/org/apache/cassandra/auth/CassandraRoleManager.java b/src/java/org/apache/cassandra/auth/CassandraRoleManager.java
index d7cdbfee9403..d46526a71d22 100644
--- a/src/java/org/apache/cassandra/auth/CassandraRoleManager.java
+++ b/src/java/org/apache/cassandra/auth/CassandraRoleManager.java
@@ -21,7 +21,6 @@
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
-import java.util.EnumSet;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
@@ -86,29 +85,16 @@
 import static org.apache.cassandra.utils.ByteBufferUtil.bytes;
 
 /**
- * Responsible for the creation, maintenance and deletion of roles
- * for the purposes of authentication and authorization.
- * Role data is stored internally, using the roles and role_members tables
- * in the system_auth keyspace.
+ * Responsible for the creation, maintenance and deletion of roles for the purposes of authentication and
+ * authorization. Role data is stored internally, using the roles and role_members tables in the system_auth
+ * keyspace.
  *
- * Additionally, if org.apache.cassandra.auth.PasswordAuthenticator is used,
- * encrypted passwords are also stored in the system_auth.roles table. This
- * coupling between the IAuthenticator and IRoleManager implementations exists
- * because setting a role's password via CQL is done with a CREATE ROLE or
- * ALTER ROLE statement, the processing of which is handled by IRoleManager.
- * As IAuthenticator is concerned only with credentials checking and has no
- * means to modify passwords, PasswordAuthenticator depends on
- * CassandraRoleManager for those functions.
- *
- * Alternative IAuthenticator implementations may be used in conjunction with
- * CassandraRoleManager, but WITH PASSWORD = 'password' will not be supported
- * in CREATE/ALTER ROLE statements.
- *
- * Such a configuration could be implemented using a custom IRoleManager that
- * extends CassandraRoleManager and which includes Option.PASSWORD in the {@code Set<Option>}
- * returned from supportedOptions/alterableOptions. Any additional processing
- * of the password itself (such as storing it in an alternative location) would
- * be added in overridden createRole and alterRole implementations.
+ * Authenticators (implementations of {@link IAuthenticator}) can specify additional attributes to be stored.
+ * For example, {@link org.apache.cassandra.auth.PasswordAuthenticator}, stores encrypted passwords in the
+ * system_auth.roles table. This coupling between the IAuthenticator and IRoleManager implementations exists because
+ * setting a role's password via CQL is done with a CREATE ROLE or ALTER ROLE statement, the processing of which is
+ * handled by IRoleManager. Authenticators depend on CassandraRoleManager for those functions because IAuthenticator
+ * is concerned only with credentials checking and has no means to directly modify passwords.
  */
 public class CassandraRoleManager implements IRoleManager, CassandraRoleManagerMBean
 {
@@ -118,8 +104,24 @@ public class CassandraRoleManager implements IRoleManager, CassandraRoleManagerM
     public static final String DEFAULT_SUPERUSER_NAME = "cassandra";
     public static final String DEFAULT_SUPERUSER_PASSWORD = "cassandra";
 
+    /**
+     * Role options which are supported for all authentication mechanisms. IAuthenticator implementations can declare
+     * additional supported role options via {@link IAuthenticator#getSupportedRoleOptions()}.
+     */
+    @VisibleForTesting
+    static final Set<Option> DEFAULT_SUPPORTED_ROLE_OPTIONS = Set.of(Option.LOGIN, Option.SUPERUSER);
+
+    /**
+     * User-alterable role options which are supported for all authentication mechanisms. IAuthenticator
+     * implementations can declare additional alterable role options via
+     * {@link IAuthenticator#getAlterableRoleOptions()}.
+     */
+    @VisibleForTesting
+    static final Set<Option> DEFAULT_ALTERABLE_ROLE_OPTIONS = Set.of();
+
     @VisibleForTesting
     static final String PARAM_INVALID_ROLE_DISCONNECT_TASK_PERIOD = "invalid_role_disconnect_task_period";
+
     @VisibleForTesting
     static final String PARAM_INVALID_ROLE_DISCONNECT_TASK_MAX_JITTER = "invalid_role_disconnect_task_max_jitter";
 
@@ -172,17 +174,21 @@ public CassandraRoleManager()
 
     public CassandraRoleManager(Map<String, String> parameters)
     {
-        Set<Option> allowedOptions = DatabaseDescriptor.getAuthenticator() instanceof PasswordAuthenticator
-                                     ? EnumSet.of(Option.LOGIN, Option.SUPERUSER, Option.PASSWORD, Option.HASHED_PASSWORD, Option.GENERATED_PASSWORD, Option.GENERATED_NAME)
-                                     : EnumSet.of(Option.LOGIN, Option.SUPERUSER);
+        Set<Option> supportedOptions = Stream.concat(
+                                           DEFAULT_SUPPORTED_ROLE_OPTIONS.stream(),
+                                           DatabaseDescriptor.getAuthenticator().getSupportedRoleOptions().stream()
+                                                             .filter(Objects::nonNull))
+                                             .collect(Collectors.toSet());
 
         if (Guardrails.roleNamePolicy.getGenerator() != NoOpGenerator.INSTANCE)
-            allowedOptions.add(Option.OPTIONS);
+            supportedOptions.add(Option.OPTIONS);
+
+        this.supportedOptions = Set.copyOf(supportedOptions);
 
-        supportedOptions = ImmutableSet.copyOf(allowedOptions);
-        alterableOptions = DatabaseDescriptor.getAuthenticator() instanceof PasswordAuthenticator
-                           ? ImmutableSet.of(Option.PASSWORD, Option.HASHED_PASSWORD, Option.GENERATED_PASSWORD)
-                           : ImmutableSet.<Option>of();
+        alterableOptions = Stream.concat(DEFAULT_ALTERABLE_ROLE_OPTIONS.stream(),
+                                         DatabaseDescriptor.getAuthenticator().getAlterableRoleOptions().stream()
+                                                           .filter(Objects::nonNull))
+                                 .collect(Collectors.toUnmodifiableSet());
 
         // Inherit parsing and validation from existing config parser
         invalidClientDisconnectPeriodMillis = new DurationSpec.LongMillisecondsBound(parameters.getOrDefault(PARAM_INVALID_ROLE_DISCONNECT_TASK_PERIOD, "0h")).toMilliseconds();
@@ -479,8 +485,8 @@ public boolean isExistingRole(RoleResource role)
 
     public Set<? extends IResource> protectedResources()
     {
-        return ImmutableSet.of(DataResource.table(SchemaConstants.AUTH_KEYSPACE_NAME, AuthKeyspace.ROLES),
-                               DataResource.table(SchemaConstants.AUTH_KEYSPACE_NAME, AuthKeyspace.ROLE_MEMBERS));
+        return Set.of(DataResource.table(SchemaConstants.AUTH_KEYSPACE_NAME, AuthKeyspace.ROLES),
+                      DataResource.table(SchemaConstants.AUTH_KEYSPACE_NAME, AuthKeyspace.ROLE_MEMBERS));
     }
 
     public void validateConfiguration() throws ConfigurationException
diff --git a/src/java/org/apache/cassandra/auth/IAuthenticator.java b/src/java/org/apache/cassandra/auth/IAuthenticator.java
index e58c6ab2bb70..a4e888e5057c 100644
--- a/src/java/org/apache/cassandra/auth/IAuthenticator.java
+++ b/src/java/org/apache/cassandra/auth/IAuthenticator.java
@@ -66,6 +66,29 @@ default boolean supportsEarlyAuthentication()
      */
     Set<? extends IResource> protectedResources();
 
+    /**
+     * Additional set of IRoleManager.Options used by this authenticator and supported by CREATE ROLE and ALTER ROLE
+     * statements. These are in addition to any default options supported by the role manager.
+     *
+     * @return A set of IRoleManager.Options that this authenticator requires support for.
+     */
+    default Set<IRoleManager.Option> getSupportedRoleOptions()
+    {
+        return Set.of();
+    }
+
+    /**
+     * Additional set of IRoleManager.Options used by this authenticator that users are allowed to alter via
+     * ALTER ROLE statements. These are in addition to any default alterable options supported by the role manager.
+     * Alterable role options must also be supported role options.
+     *
+     * @return A set of supported role options that users are allowed to alter.
+     */
+    default Set<IRoleManager.Option> getAlterableRoleOptions()
+    {
+        return Set.of();
+    }
+
     /**
      * Validates configuration of IAuthenticator implementation (if configurable).
      *
diff --git a/src/java/org/apache/cassandra/auth/MutualTlsAuthenticator.java b/src/java/org/apache/cassandra/auth/MutualTlsAuthenticator.java
index e80e3156b16e..76aacc5b5a2b 100644
--- a/src/java/org/apache/cassandra/auth/MutualTlsAuthenticator.java
+++ b/src/java/org/apache/cassandra/auth/MutualTlsAuthenticator.java
@@ -78,13 +78,16 @@ public class MutualTlsAuthenticator implements IAuthenticator
     private static final Logger logger = LoggerFactory.getLogger(MutualTlsAuthenticator.class);
     private static final NoSpamLogger nospamLogger = NoSpamLogger.getLogger(logger, 1L, TimeUnit.MINUTES);
     private static final String VALIDATOR_CLASS_NAME = "validator_class_name";
-    private static final String CACHE_NAME = "IdentitiesCache";
+
     private final IdentityCache identityCache = new IdentityCache();
     private final MutualTlsCertificateValidator certificateValidator;
     private static final Set<AuthenticationMode> AUTHENTICATION_MODES = Collections.singleton(MTLS);
     private final MutualTlsCertificateValidityPeriodValidator certificateValidityPeriodValidator;
     private final DurationSpec.IntMinutesBound certificateValidityWarnThreshold;
 
+    @VisibleForTesting
+    static final String CACHE_NAME = "IdentitiesCache";
+
     // key for the 'identity' value in AuthenticatedUser metadata map.
     public static final String METADATA_IDENTITY_KEY = "identity";
 
diff --git a/src/java/org/apache/cassandra/auth/NetworkPermissionsCache.java b/src/java/org/apache/cassandra/auth/NetworkPermissionsCache.java
index 1c18fed7a74f..f232cf354fac 100644
--- a/src/java/org/apache/cassandra/auth/NetworkPermissionsCache.java
+++ b/src/java/org/apache/cassandra/auth/NetworkPermissionsCache.java
@@ -36,7 +36,7 @@ public NetworkPermissionsCache(INetworkAuthorizer authorizer)
               DatabaseDescriptor::getRolesCacheActiveUpdate,
               authorizer::authorize,
               authorizer.bulkLoader(),
-              () -> DatabaseDescriptor.getAuthenticator().requireAuthentication());
+              DatabaseDescriptor::isAuthenticationRequired);
 
         MBeanWrapper.instance.registerMBean(this, MBEAN_NAME_BASE + DEPRECATED_CACHE_NAME);
     }
diff --git a/src/java/org/apache/cassandra/auth/PasswordAuthenticator.java b/src/java/org/apache/cassandra/auth/PasswordAuthenticator.java
index 82c8f24c6ffc..9b810f644b8d 100644
--- a/src/java/org/apache/cassandra/auth/PasswordAuthenticator.java
+++ b/src/java/org/apache/cassandra/auth/PasswordAuthenticator.java
@@ -21,13 +21,13 @@
 import java.nio.charset.StandardCharsets;
 import java.util.Arrays;
 import java.util.Collections;
+import java.util.EnumSet;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Set;
 import java.util.function.Supplier;
 
 import com.google.common.annotations.VisibleForTesting;
-import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Lists;
 
 import org.mindrot.jbcrypt.BCrypt;
@@ -76,6 +76,19 @@ public class PasswordAuthenticator implements IAuthenticator, AuthCache.BulkLoad
     public static final String PASSWORD_KEY = "password";
     private static final Set<AuthenticationMode> AUTHENTICATION_MODES = Collections.singleton(AuthenticationMode.PASSWORD);
 
+    @VisibleForTesting
+    static final Set<IRoleManager.Option> SUPPORTED_ROLE_OPTIONS =
+            EnumSet.of(IRoleManager.Option.PASSWORD,
+                       IRoleManager.Option.HASHED_PASSWORD,
+                       IRoleManager.Option.GENERATED_PASSWORD,
+                       IRoleManager.Option.GENERATED_NAME);
+
+    @VisibleForTesting
+    static final Set<IRoleManager.Option> ALTERABLE_ROLE_OPTIONS =
+            EnumSet.of(IRoleManager.Option.PASSWORD,
+                       IRoleManager.Option.HASHED_PASSWORD,
+                       IRoleManager.Option.GENERATED_PASSWORD);
+
     static final byte NUL = 0;
     private SelectStatement authenticateStatement;
 
@@ -87,7 +100,26 @@ public PasswordAuthenticator()
         AuthCacheService.instance.register(cache);
     }
 
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public Set<IRoleManager.Option> getSupportedRoleOptions()
+    {
+        return SUPPORTED_ROLE_OPTIONS;
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public Set<IRoleManager.Option> getAlterableRoleOptions()
+    {
+        return ALTERABLE_ROLE_OPTIONS;
+    }
+
     // No anonymous access.
+    @Override
     public boolean requireAuthentication()
     {
         return true;
@@ -207,7 +239,7 @@ ResultMessage.Rows select(SelectStatement statement, QueryOptions options)
     public Set<DataResource> protectedResources()
     {
         // Also protected by CassandraRoleManager, but the duplication doesn't hurt and is more explicit
-        return ImmutableSet.of(DataResource.table(SchemaConstants.AUTH_KEYSPACE_NAME, AuthKeyspace.ROLES));
+        return Set.of(DataResource.table(SchemaConstants.AUTH_KEYSPACE_NAME, AuthKeyspace.ROLES));
     }
 
     public void validateConfiguration() throws ConfigurationException
@@ -347,6 +379,7 @@ private CredentialsCache(PasswordAuthenticator authenticator)
                                                      // invalidate the key if the sentinel is loaded during a refresh
         }
 
+        @Override
         public void invalidateCredentials(String roleName)
         {
             invalidate(roleName);
diff --git a/src/java/org/apache/cassandra/auth/Roles.java b/src/java/org/apache/cassandra/auth/Roles.java
index c4070aaff3ec..1c5ec0b008fb 100644
--- a/src/java/org/apache/cassandra/auth/Roles.java
+++ b/src/java/org/apache/cassandra/auth/Roles.java
@@ -36,7 +36,7 @@ public class Roles
 
     private static final Role NO_ROLE = new Role("", false, false, Collections.emptyMap(), Collections.emptySet());
 
-    public static final RolesCache cache = new RolesCache(DatabaseDescriptor.getRoleManager(), () -> DatabaseDescriptor.getAuthenticator().requireAuthentication());
+    public static final RolesCache cache = new RolesCache(DatabaseDescriptor.getRoleManager(), DatabaseDescriptor::isAuthenticationRequired);
 
     /** Use {@link AuthCacheService#initializeAndRegisterCaches} rather than calling this directly */
     public static void init()
diff --git a/src/java/org/apache/cassandra/config/DatabaseDescriptor.java b/src/java/org/apache/cassandra/config/DatabaseDescriptor.java
index 59ffb9f02afa..b8bd66bdf5ca 100644
--- a/src/java/org/apache/cassandra/config/DatabaseDescriptor.java
+++ b/src/java/org/apache/cassandra/config/DatabaseDescriptor.java
@@ -2037,16 +2037,52 @@ public static void setCryptoProvider(AbstractCryptoProvider cryptoProvider)
         DatabaseDescriptor.cryptoProvider = cryptoProvider;
     }
 
+    /**
+     * Returns the authenticator configured for this node.
+     */
     public static IAuthenticator getAuthenticator()
     {
         return authenticator;
     }
 
+    /**
+     * Returns an authenticator configured for this node, if it is of the requested type.
+     * @param clazz The class of the requested authenticator: e.g. PasswordAuthenticator.class.
+     * @return An Optional of the configured authenticator, if it is of the requested type; otherwise
+     *         returns an empty Optional.
+     */
+    public static <T extends IAuthenticator> Optional<T> getAuthenticator(Class<T> clazz)
+    {
+        return hasAuthenticator(clazz) ? Optional.of(clazz.cast(authenticator)) : Optional.empty();
+    }
+
+    /**
+     * Sets the authenticator used by this node to authenticate clients.
+     */
     public static void setAuthenticator(IAuthenticator authenticator)
     {
         DatabaseDescriptor.authenticator = authenticator;
     }
 
+    /**
+     * Indicates if this node uses an authenticator that requires authentication.
+     */
+    public static boolean isAuthenticationRequired()
+    {
+        return authenticator.requireAuthentication();
+    }
+
+    /**
+     * Indicates if this node is configured with an authenticator of the specified type.
+     * @param clazz The class of the authenticator.
+     * @return True if this node has an authenticator of the specified type, false otherwise.
+     */
+    private static boolean hasAuthenticator(Class<? extends IAuthenticator> clazz)
+    {
+        return clazz.isAssignableFrom(authenticator.getClass());
+    }
+
+
     public static IAuthorizer getAuthorizer()
     {
         return authorizer;
diff --git a/src/java/org/apache/cassandra/db/virtual/CredentialsCacheKeysTable.java b/src/java/org/apache/cassandra/db/virtual/CredentialsCacheKeysTable.java
index f5bc62c5268f..0040f0254717 100644
--- a/src/java/org/apache/cassandra/db/virtual/CredentialsCacheKeysTable.java
+++ b/src/java/org/apache/cassandra/db/virtual/CredentialsCacheKeysTable.java
@@ -19,7 +19,6 @@
 
 import java.util.Optional;
 
-import org.apache.cassandra.auth.IAuthenticator;
 import org.apache.cassandra.auth.PasswordAuthenticator;
 import org.apache.cassandra.config.DatabaseDescriptor;
 import org.apache.cassandra.db.marshal.UTF8Type;
@@ -31,7 +30,7 @@ final class CredentialsCacheKeysTable extends AbstractMutableVirtualTable
     private static final String ROLE = "role";
 
     @SuppressWarnings("OptionalUsedAsFieldOrParameterType")
-    private final Optional<PasswordAuthenticator> passwordAuthenticatorOptional;
+    private final Optional<PasswordAuthenticator> maybePasswordAuthenticator;
 
     CredentialsCacheKeysTable(String keyspace)
     {
@@ -42,18 +41,14 @@ final class CredentialsCacheKeysTable extends AbstractMutableVirtualTable
                 .addPartitionKeyColumn(ROLE, UTF8Type.instance)
                 .build());
 
-        IAuthenticator authenticator = DatabaseDescriptor.getAuthenticator();
-        if (authenticator instanceof PasswordAuthenticator)
-            this.passwordAuthenticatorOptional = Optional.of((PasswordAuthenticator) authenticator);
-        else
-            this.passwordAuthenticatorOptional = Optional.empty();
+        maybePasswordAuthenticator = DatabaseDescriptor.getAuthenticator(PasswordAuthenticator.class);
     }
 
     public DataSet data()
     {
         SimpleDataSet result = new SimpleDataSet(metadata());
 
-        passwordAuthenticatorOptional
+        maybePasswordAuthenticator
                 .ifPresent(passwordAuthenticator -> passwordAuthenticator.getCredentialsCache().getAll()
                         .forEach((roleName, ignored) -> result.row(roleName)));
 
@@ -65,14 +60,14 @@ protected void applyPartitionDeletion(ColumnValues partitionKey)
     {
         String roleName = partitionKey.value(0);
 
-        passwordAuthenticatorOptional
+        maybePasswordAuthenticator
                 .ifPresent(passwordAuthenticator -> passwordAuthenticator.getCredentialsCache().invalidate(roleName));
     }
 
     @Override
     public void truncate()
     {
-        passwordAuthenticatorOptional
+        maybePasswordAuthenticator
                 .ifPresent(passwordAuthenticator -> passwordAuthenticator.getCredentialsCache().invalidate());
     }
 }
diff --git a/src/java/org/apache/cassandra/service/CassandraDaemon.java b/src/java/org/apache/cassandra/service/CassandraDaemon.java
index 4a5c2f1d9db2..8c8c53ad3ec1 100644
--- a/src/java/org/apache/cassandra/service/CassandraDaemon.java
+++ b/src/java/org/apache/cassandra/service/CassandraDaemon.java
@@ -901,7 +901,7 @@ public void validateTransportsCanStart()
         {
             if (StorageService.instance.isSurveyMode())
             {
-                if (!StorageService.instance.readyToFinishJoiningRing() || DatabaseDescriptor.getAuthenticator().requireAuthentication())
+                if (!StorageService.instance.readyToFinishJoiningRing() || DatabaseDescriptor.isAuthenticationRequired())
                 {
                     throw new IllegalStateException("Not starting client transports in write_survey mode as it's bootstrapping or " +
                                                     "auth is enabled");
diff --git a/src/java/org/apache/cassandra/service/ClientState.java b/src/java/org/apache/cassandra/service/ClientState.java
index 7ec2160e8dc2..c119d5f4c333 100644
--- a/src/java/org/apache/cassandra/service/ClientState.java
+++ b/src/java/org/apache/cassandra/service/ClientState.java
@@ -199,7 +199,7 @@ protected ClientState(InetSocketAddress remoteAddress)
     {
         this.isInternal = false;
         this.remoteAddress = remoteAddress;
-        if (!DatabaseDescriptor.getAuthenticator().requireAuthentication())
+        if (!DatabaseDescriptor.isAuthenticationRequired())
             this.user = AuthenticatedUser.ANONYMOUS_USER;
     }
 
@@ -628,7 +628,7 @@ public boolean isOrdinaryUser()
      */
     public boolean isSuper()
     {
-        return !DatabaseDescriptor.getAuthenticator().requireAuthentication() || (user != null && user.isSuper());
+        return !DatabaseDescriptor.isAuthenticationRequired() || (user != null && user.isSuper());
     }
 
     /**
diff --git a/test/conf/cassandra-passwordauth.yaml b/test/conf/cassandra-passwordauth.yaml
new file mode 100644
index 000000000000..42adbb2c6a20
--- /dev/null
+++ b/test/conf/cassandra-passwordauth.yaml
@@ -0,0 +1,93 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+#
+# Minimal cassandra.yaml for testing PasswordAuthenticator integration,
+# particularly with RoleManager.
+#
+cluster_name: Test Cluster
+memtable_allocation_type: offheap_objects
+commitlog_sync: periodic
+commitlog_sync_period: 10s
+commitlog_segment_size: 5MiB
+commitlog_directory: build/test/cassandra/commitlog
+cdc_raw_directory: build/test/cassandra/cdc_raw
+cdc_enabled: false
+hints_directory: build/test/cassandra/hints
+partitioner: org.apache.cassandra.dht.ByteOrderedPartitioner
+listen_address: 127.0.0.1
+storage_port: 7012
+ssl_storage_port: 17012
+start_native_transport: true
+native_transport_port: 9042
+column_index_size: 4KiB
+saved_caches_directory: build/test/cassandra/saved_caches
+data_file_directories:
+  - build/test/cassandra/data
+disk_access_mode: mmap_index_only
+seed_provider:
+  - class_name: org.apache.cassandra.locator.SimpleSeedProvider
+    parameters:
+      - seeds: "127.0.0.1:7012"
+endpoint_snitch: org.apache.cassandra.locator.SimpleSnitch
+dynamic_snitch: true
+incremental_backups: true
+concurrent_compactors: 4
+compaction_throughput: 0MiB/s
+row_cache_class_name: org.apache.cassandra.cache.OHCProvider
+row_cache_size: 16MiB
+prepared_statements_cache_size: 1MiB
+corrupted_tombstone_strategy: exception
+stream_entire_sstables: true
+stream_throughput_outbound: 23841858MiB/s
+sasi_indexes_enabled: true
+materialized_views_enabled: true
+drop_compact_storage_enabled: true
+file_cache_enabled: true
+auto_hints_cleanup_enabled: true
+default_keyspace_rf: 1
+
+client_encryption_options:
+  enabled: true
+  require_client_auth: true
+  keystore: test/conf/cassandra_ssl_test.keystore
+  keystore_password: cassandra
+  truststore: test/conf/cassandra_ssl_test.truststore
+  truststore_password: cassandra
+
+server_encryption_options:
+  internode_encryption: all
+  enabled: true
+  keystore: test/conf/cassandra_ssl_test.keystore
+  keystore_password: cassandra
+  outbound_keystore: test/conf/cassandra_ssl_test_outbound.keystore
+  outbound_keystore_password: cassandra
+  truststore: test/conf/cassandra_ssl_test.truststore
+  truststore_password: cassandra
+  require_client_auth: true
+internode_authenticator:
+  class_name : org.apache.cassandra.auth.MutualTlsInternodeAuthenticator
+  parameters :
+    validator_class_name: org.apache.cassandra.auth.SpiffeCertificateValidator
+authenticator:
+  class_name : org.apache.cassandra.auth.PasswordAuthenticator
+role_manager:
+  class_name: CassandraRoleManager
+  parameters:
+accord:
+  journal_directory: build/test/cassandra/accord_journal
diff --git a/test/unit/org/apache/cassandra/auth/AuthConfigTest.java b/test/unit/org/apache/cassandra/auth/AuthConfigTest.java
index 580c48eb9f8f..ecbc72f0d517 100644
--- a/test/unit/org/apache/cassandra/auth/AuthConfigTest.java
+++ b/test/unit/org/apache/cassandra/auth/AuthConfigTest.java
@@ -24,28 +24,46 @@
 import java.util.Arrays;
 import java.util.Collections;
 
-import org.junit.Rule;
+import org.junit.After;
+import org.junit.Before;
 import org.junit.Test;
-import org.junit.rules.ExpectedException;
 
 import org.apache.cassandra.config.Config;
 import org.apache.cassandra.config.DatabaseDescriptor;
-import org.apache.cassandra.config.EncryptionOptions.ServerEncryptionOptions.Builder;
 import org.apache.cassandra.config.ParameterizedClass;
 import org.apache.cassandra.locator.InetAddressAndPort;
 import org.apache.cassandra.utils.MBeanWrapper;
 
+import static org.apache.cassandra.auth.AuthCache.MBEAN_NAME_BASE;
 import static org.apache.cassandra.auth.AuthTestUtils.loadCertificateChain;
 import static org.apache.cassandra.auth.IInternodeAuthenticator.InternodeConnectionDirection.INBOUND;
 import static org.apache.cassandra.config.YamlConfigurationLoaderTest.load;
+import static org.assertj.core.api.Assertions.assertThat;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertTrue;
 
+/**
+ * Tests instantiation of various authenticators through AuthConfig, and the accessibility of the configured
+ * authenticators and role manager options through DatabaseDescriptor.
+ */
 public class AuthConfigTest
 {
-    @Rule
-    public ExpectedException expectedException = ExpectedException.none();
+    private static final String IDENTITIES_CACHE_MBEAN = MBEAN_NAME_BASE + MutualTlsAuthenticator.CACHE_NAME;
+
+    private static final String CREDENTIALS_CACHE_MBEAN = MBEAN_NAME_BASE + PasswordAuthenticator.CredentialsCacheMBean.CACHE_NAME;
+
+    @Before
+    public void setup()
+    {
+        AuthConfig.reset();
+    }
+
+    @After
+    public void teardown()
+    {
+        unregisterCaches();
+    }
 
     @Test
     public void testNewInstanceForMutualTlsInternodeAuthenticator() throws IOException, CertificateException
@@ -53,13 +71,11 @@ public void testNewInstanceForMutualTlsInternodeAuthenticator() throws IOExcepti
         Config config = load("cassandra-mtls.yaml");
         config.internode_authenticator.class_name = "org.apache.cassandra.auth.MutualTlsInternodeAuthenticator";
         config.internode_authenticator.parameters = Collections.singletonMap("validator_class_name", "org.apache.cassandra.auth.SpiffeCertificateValidator");
-        config.server_encryption_options = new Builder(config.server_encryption_options)
-                                           .withOutboundKeystore("test/conf/cassandra_ssl_test_outbound.keystore")
-                                           .withOutboundKeystorePassword("cassandra")
-                                           .build();
-        DatabaseDescriptor.setConfig(config);
+        DatabaseDescriptor.unsafeDaemonInitialization(()->config);
+
         MutualTlsInternodeAuthenticator authenticator = ParameterizedClass.newInstance(config.internode_authenticator,
                                                                                        Arrays.asList("", "org.apache.cassandra.auth."));
+        assertNotNull(authenticator);
 
         InetAddressAndPort address = InetAddressAndPort.getByName("127.0.0.1");
 
@@ -68,36 +84,91 @@ public void testNewInstanceForMutualTlsInternodeAuthenticator() throws IOExcepti
 
         Certificate[] unauthorizedCertificates = loadCertificateChain("auth/SampleUnauthorizedMtlsClientCertificate.pem");
         assertFalse(authenticator.authenticate(address.getAddress(), address.getPort(), unauthorizedCertificates, INBOUND));
+        unregisterCaches();
+    }
+
+    @Test
+    public void testNewInstanceForPasswordAuthenticator()
+    {
+        Config config = load("cassandra-passwordauth.yaml");
+        DatabaseDescriptor.unsafeDaemonInitialization(()->config);
+
+        IAuthenticator authenticator = DatabaseDescriptor.getAuthenticator();
+        assertNotNull(authenticator);
+
+        assertThat(DatabaseDescriptor.getAuthenticator(PasswordAuthenticator.class))
+            .isPresent()
+            .get()
+            .isSameAs(authenticator);
+        assertThat(DatabaseDescriptor.getAuthenticator(MutualTlsAuthenticator.class)).isEmpty();
+        assertThat(DatabaseDescriptor.getAuthenticator(MutualTlsWithPasswordFallbackAuthenticator.class)).isEmpty();
+        assertTrue(DatabaseDescriptor.getRoleManager().supportedOptions().containsAll(CassandraRoleManager.DEFAULT_SUPPORTED_ROLE_OPTIONS));
+        assertTrue(DatabaseDescriptor.getRoleManager().supportedOptions().containsAll(PasswordAuthenticator.SUPPORTED_ROLE_OPTIONS));
+        assertTrue(DatabaseDescriptor.getRoleManager().alterableOptions().containsAll(CassandraRoleManager.DEFAULT_ALTERABLE_ROLE_OPTIONS));
+        assertTrue(DatabaseDescriptor.getRoleManager().alterableOptions().containsAll(PasswordAuthenticator.ALTERABLE_ROLE_OPTIONS));
     }
 
     @Test
     public void testNewInstanceForMutualTlsWithPasswordFallbackAuthenticator()
     {
         Config config = load("cassandra-mtls.yaml");
-        config.client_encryption_options.applyConfig();
         config.authenticator.class_name = "org.apache.cassandra.auth.MutualTlsWithPasswordFallbackAuthenticator";
         config.authenticator.parameters = Collections.singletonMap("validator_class_name", "org.apache.cassandra.auth.SpiffeCertificateValidator");
-        DatabaseDescriptor.setConfig(config);
-        MutualTlsWithPasswordFallbackAuthenticator authenticator = ParameterizedClass.newInstance(config.authenticator,
-                                                                                                  Arrays.asList("", "org.apache.cassandra.auth."));
+        DatabaseDescriptor.unsafeDaemonInitialization(()->config);
+
+        IAuthenticator authenticator = DatabaseDescriptor.getAuthenticator();
         assertNotNull(authenticator);
-        unregisterIdentitesCache();
+
+        // MutualTlsWithPasswordFallbackAuthenticator is-a PasswordAuthenticator, so we expect getAuthenticator to
+        // return it when asked to return a PasswordAuthenticator.
+        assertThat(DatabaseDescriptor.getAuthenticator(PasswordAuthenticator.class))
+            .isPresent()
+            .get()
+            .isSameAs(authenticator);
+        assertThat(DatabaseDescriptor.getAuthenticator(MutualTlsAuthenticator.class)).isEmpty();
+        assertThat(DatabaseDescriptor.getAuthenticator(MutualTlsWithPasswordFallbackAuthenticator.class))
+            .isPresent()
+            .get()
+            .isSameAs(authenticator);
+
+        // Similarly, we expect the same role options as for PasswordAuthenticator.
+        assertTrue(DatabaseDescriptor.getRoleManager().supportedOptions().containsAll(CassandraRoleManager.DEFAULT_SUPPORTED_ROLE_OPTIONS));
+        assertTrue(DatabaseDescriptor.getRoleManager().supportedOptions().containsAll(PasswordAuthenticator.SUPPORTED_ROLE_OPTIONS));
+        assertTrue(DatabaseDescriptor.getRoleManager().alterableOptions().containsAll(CassandraRoleManager.DEFAULT_ALTERABLE_ROLE_OPTIONS));
+        assertTrue(DatabaseDescriptor.getRoleManager().alterableOptions().containsAll(PasswordAuthenticator.ALTERABLE_ROLE_OPTIONS));
     }
 
     @Test
-    public void testNewInstanceForMutualTlsAuthenticator() throws IOException, CertificateException
+    public void testNewInstanceForMutualTlsAuthenticator()
     {
         Config config = load("cassandra-mtls.yaml");
-        config.client_encryption_options.applyConfig();
-        DatabaseDescriptor.setConfig(config);
-        MutualTlsAuthenticator authenticator = ParameterizedClass.newInstance(config.authenticator,
-                                                                              Arrays.asList("", "org.apache.cassandra.auth."));
+        DatabaseDescriptor.unsafeDaemonInitialization(()->config);
+
+        IAuthenticator authenticator = DatabaseDescriptor.getAuthenticator();
         assertNotNull(authenticator);
-        unregisterIdentitesCache();
+
+        assertThat(DatabaseDescriptor.getAuthenticator(PasswordAuthenticator.class)).isEmpty();
+        assertThat(DatabaseDescriptor.getAuthenticator(MutualTlsAuthenticator.class))
+            .isPresent()
+            .get()
+            .isSameAs(authenticator);
+        assertThat(DatabaseDescriptor.getAuthenticator(MutualTlsWithPasswordFallbackAuthenticator.class)).isEmpty();
+
+        assertTrue(DatabaseDescriptor.getRoleManager().supportedOptions().containsAll(CassandraRoleManager.DEFAULT_SUPPORTED_ROLE_OPTIONS));
+        assertTrue(DatabaseDescriptor.getRoleManager().supportedOptions().containsAll(authenticator.getSupportedRoleOptions()));
+        assertTrue(DatabaseDescriptor.getRoleManager().alterableOptions().containsAll(CassandraRoleManager.DEFAULT_ALTERABLE_ROLE_OPTIONS));
+        assertTrue(DatabaseDescriptor.getRoleManager().alterableOptions().containsAll(authenticator.getAlterableRoleOptions()));
+    }
+
+    private void unregisterCaches()
+    {
+        safeUnregisterMbean(IDENTITIES_CACHE_MBEAN);
+        safeUnregisterMbean(CREDENTIALS_CACHE_MBEAN);
     }
 
-    private void unregisterIdentitesCache()
+    private void safeUnregisterMbean(String mbeanName)
     {
-        MBeanWrapper.instance.unregisterMBean("org.apache.cassandra.auth:type=IdentitiesCache");
+        if (MBeanWrapper.instance.isRegistered(mbeanName))
+            MBeanWrapper.instance.unregisterMBean(mbeanName);
     }
 }

From 4439dc7734d75a792d1194ba150bd536005d63d9 Mon Sep 17 00:00:00 2001
From: Joel Shepherd <shepherd@amazon.com>
Date: Tue, 14 Oct 2025 00:12:10 +0000
Subject: [PATCH 02/30] Factoring out assumption of a single authenticator
 node-wide (CASSANDRA-20834)

With negotiated authentication (CEP-50), nodes may be configured with multiple authenticators. Prior to this
change, a number of areas in the code assumed that there was a single configured authenticator and contained
logic that switched depending on the authenticator type. This logic won't work when multiple authenticators
can be configured. This change eliminates most calls to DataDescriptor.getAuthenticator(), by either requiring
dependencies to specify the type of authenticator they're looking for, or (in the case of authenticator-specific
role attributes) enabling individual authenticators to declare the role attributes they need.

patch by jcshepherd; reviewed by <Reviewers> for CASSANDRA-20834
---
 src/java/org/apache/cassandra/auth/CassandraRoleManager.java | 3 +--
 src/java/org/apache/cassandra/config/DatabaseDescriptor.java | 1 -
 test/unit/org/apache/cassandra/auth/AuthConfigTest.java      | 1 +
 3 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/src/java/org/apache/cassandra/auth/CassandraRoleManager.java b/src/java/org/apache/cassandra/auth/CassandraRoleManager.java
index d46526a71d22..de37bbf10072 100644
--- a/src/java/org/apache/cassandra/auth/CassandraRoleManager.java
+++ b/src/java/org/apache/cassandra/auth/CassandraRoleManager.java
@@ -42,9 +42,7 @@
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Strings;
 import com.google.common.collect.ImmutableSet;
-
 import org.apache.commons.lang3.StringUtils;
-import org.mindrot.jbcrypt.BCrypt;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -80,6 +78,7 @@
 import org.apache.cassandra.utils.FBUtilities;
 import org.apache.cassandra.utils.MBeanWrapper;
 import org.apache.cassandra.utils.NoSpamLogger;
+import org.mindrot.jbcrypt.BCrypt;
 
 import static org.apache.cassandra.service.QueryState.forInternalCalls;
 import static org.apache.cassandra.utils.ByteBufferUtil.bytes;
diff --git a/src/java/org/apache/cassandra/config/DatabaseDescriptor.java b/src/java/org/apache/cassandra/config/DatabaseDescriptor.java
index b8bd66bdf5ca..340030dd82b9 100644
--- a/src/java/org/apache/cassandra/config/DatabaseDescriptor.java
+++ b/src/java/org/apache/cassandra/config/DatabaseDescriptor.java
@@ -4881,7 +4881,6 @@ public static void validateGCParams(long logThreshold, long warnThreshold)
     public static EncryptionContext getEncryptionContext()
     {
         return encryptionContext;
-
     }
 
     public static long getGCWarnThreshold()
diff --git a/test/unit/org/apache/cassandra/auth/AuthConfigTest.java b/test/unit/org/apache/cassandra/auth/AuthConfigTest.java
index ecbc72f0d517..d86ca4074eeb 100644
--- a/test/unit/org/apache/cassandra/auth/AuthConfigTest.java
+++ b/test/unit/org/apache/cassandra/auth/AuthConfigTest.java
@@ -112,6 +112,7 @@ public void testNewInstanceForPasswordAuthenticator()
     public void testNewInstanceForMutualTlsWithPasswordFallbackAuthenticator()
     {
         Config config = load("cassandra-mtls.yaml");
+        config.client_encryption_options.applyConfig();
         config.authenticator.class_name = "org.apache.cassandra.auth.MutualTlsWithPasswordFallbackAuthenticator";
         config.authenticator.parameters = Collections.singletonMap("validator_class_name", "org.apache.cassandra.auth.SpiffeCertificateValidator");
         DatabaseDescriptor.unsafeDaemonInitialization(()->config);

From a90b198891ac5e165ba9d9accdd4b1d09d25d502 Mon Sep 17 00:00:00 2001
From: Joel Shepherd <shepherd@amazon.com>
Date: Tue, 14 Oct 2025 00:12:10 +0000
Subject: [PATCH 03/30] Merging down from trunk and feature branch.

---
 test/unit/org/apache/cassandra/auth/AuthConfigTest.java | 1 +
 1 file changed, 1 insertion(+)

diff --git a/test/unit/org/apache/cassandra/auth/AuthConfigTest.java b/test/unit/org/apache/cassandra/auth/AuthConfigTest.java
index d86ca4074eeb..c441f3ecdbba 100644
--- a/test/unit/org/apache/cassandra/auth/AuthConfigTest.java
+++ b/test/unit/org/apache/cassandra/auth/AuthConfigTest.java
@@ -27,6 +27,7 @@
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
+import org.junit.rules.ExpectedException;
 
 import org.apache.cassandra.config.Config;
 import org.apache.cassandra.config.DatabaseDescriptor;

From f6297611cf72a0a7c937be8bd86e8f1b8b24d130 Mon Sep 17 00:00:00 2001
From: Joel Shepherd <shepherd@amazon.com>
Date: Thu, 12 Mar 2026 18:57:22 +0000
Subject: [PATCH 04/30] Reverting DatabaseDescriptor.applyGuardrails() to
 private, switching to DatabaseDescriptor.unsafeDaemonInitialization() in
 AuthConfigTest to enable each test to run against the appropriate auth
 config. (DatabaseDescriptor.daemonInitialization() can be invoked only once
 per unit test class execution and is not suitable for test cases exercising
 multiple configuration scenarios.)

---
 test/unit/org/apache/cassandra/auth/AuthConfigTest.java | 1 -
 1 file changed, 1 deletion(-)

diff --git a/test/unit/org/apache/cassandra/auth/AuthConfigTest.java b/test/unit/org/apache/cassandra/auth/AuthConfigTest.java
index c441f3ecdbba..c8f07e03f8ab 100644
--- a/test/unit/org/apache/cassandra/auth/AuthConfigTest.java
+++ b/test/unit/org/apache/cassandra/auth/AuthConfigTest.java
@@ -113,7 +113,6 @@ public void testNewInstanceForPasswordAuthenticator()
     public void testNewInstanceForMutualTlsWithPasswordFallbackAuthenticator()
     {
         Config config = load("cassandra-mtls.yaml");
-        config.client_encryption_options.applyConfig();
         config.authenticator.class_name = "org.apache.cassandra.auth.MutualTlsWithPasswordFallbackAuthenticator";
         config.authenticator.parameters = Collections.singletonMap("validator_class_name", "org.apache.cassandra.auth.SpiffeCertificateValidator");
         DatabaseDescriptor.unsafeDaemonInitialization(()->config);

From 406705741ab4aceb18e73016e7116907434d2f3b Mon Sep 17 00:00:00 2001
From: Joel Shepherd <shepherd@amazon.com>
Date: Tue, 17 Mar 2026 22:49:42 +0000
Subject: [PATCH 05/30] ParameterizedClass.toString() has consistent form
 whether or not there are parameters

---
 src/java/org/apache/cassandra/config/ParameterizedClass.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/java/org/apache/cassandra/config/ParameterizedClass.java b/src/java/org/apache/cassandra/config/ParameterizedClass.java
index d772629f194c..255c46f431b1 100644
--- a/src/java/org/apache/cassandra/config/ParameterizedClass.java
+++ b/src/java/org/apache/cassandra/config/ParameterizedClass.java
@@ -148,6 +148,6 @@ public int hashCode()
     @Override
     public String toString()
     {
-        return class_name + parameters;
+        return class_name + (parameters == null ? "{}" : parameters);
     }
 }

From 54202df1cf88387dca692c936cd2a2bdd3b63522 Mon Sep 17 00:00:00 2001
From: Joel Shepherd <shepherd@amazon.com>
Date: Tue, 17 Mar 2026 22:57:19 +0000
Subject: [PATCH 06/30] Add configuration parsing and evaluation to configure
 negotiated authentication

---
 conf/cassandra.yaml                           |  42 +++-
 .../org/apache/cassandra/config/Config.java   |  19 ++
 .../cassandra/config/DatabaseDescriptor.java  |  57 ++++-
 test/conf/cassandra-auth-negotiation.yaml     | 102 +++++++++
 .../AuthenticatorNegotiationConfigTest.java   | 212 ++++++++++++++++++
 .../config/DatabaseDescriptorRefTest.java     |   1 +
 6 files changed, 419 insertions(+), 14 deletions(-)
 create mode 100644 test/conf/cassandra-auth-negotiation.yaml
 create mode 100644 test/unit/org/apache/cassandra/config/AuthenticatorNegotiationConfigTest.java

diff --git a/conf/cassandra.yaml b/conf/cassandra.yaml
index 42935df4d6b7..1c4594805899 100644
--- a/conf/cassandra.yaml
+++ b/conf/cassandra.yaml
@@ -191,12 +191,14 @@ batchlog_replay_throttle: 1024KiB
 #    ...
 #
 # - AllowAllAuthenticator performs no checks - set it to disable authentication.
-# - PasswordAuthenticator relies on username/password pairs to authenticate
-#   users. It keeps usernames and hashed passwords in system_auth.roles table.
-#   Please increase system_auth keyspace replication factor if you use this authenticator.
-#   If using PasswordAuthenticator, CassandraRoleManager must also be used (see below)
+# - PasswordAuthenticator relies on username/password pairs to authenticate users. It keeps usernames and
+#     hashed passwords in system_auth.roles table. Please increase system_auth keyspace replication factor
+#     if you use this authenticator.
+#     If using PasswordAuthenticator, CassandraRoleManager must also be used (see below).
+# - MutualTlsAuthenticator is certificate-based authentication, using the same certificates used to establish
+#     connection security.
 authenticator:
-  class_name: AllowAllAuthenticator
+  class_name: PasswordAuthenticator
 # MutualTlsAuthenticator can be configured using the following configuration. One can add their own validator
 # which implements MutualTlsCertificateValidator class and provide logic for extracting identity out of certificates
 # and validating certificates.
@@ -204,6 +206,34 @@ authenticator:
 #  parameters:
 #    validator_class_name: org.apache.cassandra.auth.SpiffeCertificateValidator
 
+# Configure authenticator negotiation, to allow nodes to support multiple authentication mechanisms and
+# negotiate (resolve) a specific mechanism with a client at connection time. When this configuration is present,
+# it supersedes the 'authenticator' configuration entirely.
+authenticator_negotiation:
+  # If true, client connections will go through authn negotiation. If false, they will use the authenticator
+  # configured by the default_authenticator key.
+  enabled: true
+  # If true, all configured authenticators, including the default authenticator, must 'require authenticiation':
+  # i.e., 'AllowAllAuthenticator' and other authenticators that don't require authentication cannot be used and
+  # will cause the node to fail at starttup. This prevents 'fail-open' negotiation. If false, AllowAllAuthenticator
+  # and other non-authenticating authenticators are allowed. This is discouraged but may make migrating to
+  # negotiated authentication easier for deployments that do not enforce authentication today.
+  require_authentication: false
+  # The authenticator to be used for clients that don't support negotiation, or clients that support none of
+  # the authenticators listed in the 'authenticators' section.
+  default_authenticator:
+    - class_name: PasswordAuthenticator
+  # The authenticators that this node supports for negotiation. These are configured as documented for the
+  # 'authenticator' section. List authenticators in order from most- to least-preferred. For negotiating
+  # clients, the server will select the first authenticator in this list that the client indicates it can
+  # support.
+  authenticators:
+    - class_name: MutualTlsAuthenticator
+      parameters:
+        validator_class_name: org.apache.cassandra.auth.SpiffeCertificateValidator
+    - class_name: PasswordAuthenticator
+    - class_name: AllowAllAuthenticator
+
 # Authorization backend, implementing IAuthorizer; used to limit access/provide permissions
 # Out of the box, Cassandra provides org.apache.cassandra.auth.{AllowAllAuthorizer,
 # CassandraAuthorizer}.
@@ -1895,7 +1925,7 @@ client_encryption_options:
   # Custom auth settings which can be used as alternatives to JMX's out of the box auth utilities.
   # JAAS login modules can be used for authentication using this property.Cassandra ships with a
   # LoginModule implementation - org.apache.cassandra.auth.CassandraLoginModule - which delegates
-  # to the IAuthenticator configured in cassandra.yaml.
+  # to the default IAuthenticator configured in cassandra.yaml.
   #
   # login_config_name refers to the Application Name in the JAAS configuration under which the
   # desired LoginModule(s) are configured.
diff --git a/src/java/org/apache/cassandra/config/Config.java b/src/java/org/apache/cassandra/config/Config.java
index c777d0fc89b4..1b2e3b58c07e 100644
--- a/src/java/org/apache/cassandra/config/Config.java
+++ b/src/java/org/apache/cassandra/config/Config.java
@@ -19,10 +19,12 @@
 
 import java.lang.reflect.Field;
 import java.lang.reflect.Modifier;
+import java.util.ArrayList;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.LinkedHashMap;
+import java.util.List;
 import java.util.Map;
 import java.util.Set;
 import java.util.TreeMap;
@@ -83,6 +85,23 @@ public static Set<String> splitCommaDelimited(String src)
     public static final String PROPERTY_PREFIX = "cassandra.";
 
     public String cluster_name = "Test Cluster";
+
+    /**
+     * Configuration for authenticator negotiation, enabling nodes to support multiple authentication mechanisms
+     * and negotiate with clients at connection time.
+     * <p/>
+     * When configured, these settings take precedence over the legacy 'authenticator' configuration. The
+     * 'default_authenticator' is used for non-negotiating clients or when negotiation fails to resolve.
+     */
+    public static class AuthenticatorNegotiationConfig
+    {
+        public boolean enabled = false;
+        public boolean require_authentication = true;
+        public ParameterizedClass default_authenticator;
+        public List<ParameterizedClass> authenticators = new ArrayList<>();
+    }
+
+    public AuthenticatorNegotiationConfig authenticator_negotiation = new AuthenticatorNegotiationConfig();
     public ParameterizedClass authenticator;
     public ParameterizedClass authorizer;
     public ParameterizedClass role_manager;
diff --git a/src/java/org/apache/cassandra/config/DatabaseDescriptor.java b/src/java/org/apache/cassandra/config/DatabaseDescriptor.java
index 340030dd82b9..569113220262 100644
--- a/src/java/org/apache/cassandra/config/DatabaseDescriptor.java
+++ b/src/java/org/apache/cassandra/config/DatabaseDescriptor.java
@@ -224,7 +224,8 @@ public class DatabaseDescriptor
     private static DiskAccessMode compactionReadDiskAccessMode;
 
     private static AbstractCryptoProvider cryptoProvider;
-    private static IAuthenticator authenticator;
+    private static List<IAuthenticator> negotiableAuthenticators;
+    private static IAuthenticator defaultAuthenticator;
     private static IAuthorizer authorizer;
     private static INetworkAuthorizer networkAuthorizer;
     private static ICIDRAuthorizer cidrAuthorizer;
@@ -393,7 +394,7 @@ public static void clientInitialization()
     }
 
     /**
-     * Equivalent to {@link #clientInitialization(boolean) clientInitialization(true, Config::new)}.
+     * Equivalent to {@link #clientInitialization(boolean, Supplier) clientInitialization(failIfDaemonOrTool, Config::new)}.
      */
     public static void clientInitialization(boolean failIfDaemonOrTool)
     {
@@ -2037,12 +2038,42 @@ public static void setCryptoProvider(AbstractCryptoProvider cryptoProvider)
         DatabaseDescriptor.cryptoProvider = cryptoProvider;
     }
 
+    @VisibleForTesting /* Only for testing */
+    public static void setAuthenticatorNegotationEnabled(boolean isEnabled) {
+        conf.authenticator_negotiation.enabled = isEnabled;
+    }
+
+    public static boolean isAuthenticatorNegotiationEnabled()
+    {
+        return conf.authenticator_negotiation.enabled &&
+               !negotiableAuthenticators.isEmpty();
+    }
+
+    public static List<IAuthenticator> getNegotiableAuthenticators()
+    {
+        return DatabaseDescriptor.negotiableAuthenticators;
+    }
+
+    public static void setNegotiableAuthenticators(List<IAuthenticator> authenticators)
+    {
+        DatabaseDescriptor.negotiableAuthenticators = new ArrayList<>(authenticators);
+    }
+
     /**
-     * Returns the authenticator configured for this node.
+     * Returns the default authenticator configured for this node.
      */
+    @Deprecated(since = "6.0.0")
     public static IAuthenticator getAuthenticator()
     {
-        return authenticator;
+        return getDefaultAuthenticator();
+    }
+
+    /**
+     * Returns the default authenticator configured for this node.
+     */
+    public static IAuthenticator getDefaultAuthenticator()
+    {
+        return defaultAuthenticator;
     }
 
     /**
@@ -2053,15 +2084,25 @@ public static IAuthenticator getAuthenticator()
      */
     public static <T extends IAuthenticator> Optional<T> getAuthenticator(Class<T> clazz)
     {
-        return hasAuthenticator(clazz) ? Optional.of(clazz.cast(authenticator)) : Optional.empty();
+        return negotiableAuthenticators.stream()
+                                       .filter(auth -> clazz.isAssignableFrom(auth.getClass()))
+                                       .findFirst()
+                                       .map(clazz::cast);
     }
 
     /**
      * Sets the authenticator used by this node to authenticate clients.
+     * @deprecated Use {@link #setDefaultAuthenticator(IAuthenticator)} instead.
      */
+    @Deprecated(since = "6.0.0" )
     public static void setAuthenticator(IAuthenticator authenticator)
     {
-        DatabaseDescriptor.authenticator = authenticator;
+        setDefaultAuthenticator(authenticator);
+    }
+
+    public static void setDefaultAuthenticator(IAuthenticator authenticator)
+    {
+        DatabaseDescriptor.defaultAuthenticator = authenticator;
     }
 
     /**
@@ -2079,10 +2120,10 @@ public static boolean isAuthenticationRequired()
      */
     private static boolean hasAuthenticator(Class<? extends IAuthenticator> clazz)
     {
-        return clazz.isAssignableFrom(authenticator.getClass());
+        return negotiableAuthenticators.stream()
+                                       .anyMatch(auth -> clazz.isAssignableFrom(auth.getClass()));
     }
 
-
     public static IAuthorizer getAuthorizer()
     {
         return authorizer;
diff --git a/test/conf/cassandra-auth-negotiation.yaml b/test/conf/cassandra-auth-negotiation.yaml
new file mode 100644
index 000000000000..79ab283f148c
--- /dev/null
+++ b/test/conf/cassandra-auth-negotiation.yaml
@@ -0,0 +1,102 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+#
+# Minimal cassandra.yaml for testing authenticator negotiation.
+#
+cluster_name: Test Cluster
+memtable_allocation_type: offheap_objects
+commitlog_sync: periodic
+commitlog_sync_period: 10s
+commitlog_segment_size: 5MiB
+commitlog_directory: build/test/cassandra/commitlog
+cdc_raw_directory: build/test/cassandra/cdc_raw
+cdc_enabled: false
+hints_directory: build/test/cassandra/hints
+partitioner: org.apache.cassandra.dht.ByteOrderedPartitioner
+listen_address: 127.0.0.1
+storage_port: 7012
+ssl_storage_port: 17012
+start_native_transport: true
+native_transport_port: 9042
+column_index_size: 4KiB
+saved_caches_directory: build/test/cassandra/saved_caches
+data_file_directories:
+  - build/test/cassandra/data
+disk_access_mode: mmap_index_only
+seed_provider:
+  - class_name: org.apache.cassandra.locator.SimpleSeedProvider
+    parameters:
+      - seeds: "127.0.0.1:7012"
+endpoint_snitch: org.apache.cassandra.locator.SimpleSnitch
+dynamic_snitch: true
+incremental_backups: true
+concurrent_compactors: 4
+compaction_throughput: 0MiB/s
+row_cache_class_name: org.apache.cassandra.cache.OHCProvider
+row_cache_size: 16MiB
+prepared_statements_cache_size: 1MiB
+corrupted_tombstone_strategy: exception
+stream_entire_sstables: true
+stream_throughput_outbound: 23841858MiB/s
+sasi_indexes_enabled: true
+materialized_views_enabled: true
+drop_compact_storage_enabled: true
+file_cache_enabled: true
+auto_hints_cleanup_enabled: true
+default_keyspace_rf: 1
+
+client_encryption_options:
+  enabled: true
+  require_client_auth: true
+  keystore: test/conf/cassandra_ssl_test.keystore
+  keystore_password: cassandra
+  truststore: test/conf/cassandra_ssl_test.truststore
+  truststore_password: cassandra
+
+server_encryption_options:
+  internode_encryption: all
+  enabled: true
+  keystore: test/conf/cassandra_ssl_test.keystore
+  keystore_password: cassandra
+  outbound_keystore: test/conf/cassandra_ssl_test_outbound.keystore
+  outbound_keystore_password: cassandra
+  truststore: test/conf/cassandra_ssl_test.truststore
+  truststore_password: cassandra
+  require_client_auth: true
+internode_authenticator:
+  class_name : org.apache.cassandra.auth.MutualTlsInternodeAuthenticator
+  parameters :
+    validator_class_name: org.apache.cassandra.auth.SpiffeCertificateValidator
+authenticator:
+  class_name : org.apache.cassandra.auth.PasswordAuthenticator
+authenticator_negotiation:
+  enabled: true
+  require_authentication: true
+  default_authenticator: PasswordAuthenticator
+  authenticators:
+    - class_name: MutualTlsAuthenticator
+      parameters:
+        validator_class_name: org.apache.cassandra.auth.SpiffeCertificateValidator
+    - class_name: PasswordAuthenticator
+    - class_name: AllowAllAuthenticator
+role_manager:
+  class_name: CassandraRoleManager
+  parameters:
+accord:
+  journal_directory: build/test/cassandra/accord_journal
diff --git a/test/unit/org/apache/cassandra/config/AuthenticatorNegotiationConfigTest.java b/test/unit/org/apache/cassandra/config/AuthenticatorNegotiationConfigTest.java
new file mode 100644
index 000000000000..75b6da46641e
--- /dev/null
+++ b/test/unit/org/apache/cassandra/config/AuthenticatorNegotiationConfigTest.java
@@ -0,0 +1,212 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cassandra.config;
+
+import java.util.Collections;
+import java.util.List;
+import java.util.Map;
+
+import com.google.common.collect.ImmutableList;
+import com.google.common.collect.ImmutableMap;
+
+import org.junit.Test;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
+
+public class AuthenticatorNegotiationConfigTest
+{
+    @Test
+    public void testLoadFullConfiguration()
+    {
+        Map<String, Object> yaml = Map.of(
+            "authenticator_negotiation", Map.of(
+                "enabled", true,
+                "require_authentication", true,
+                "default_authenticator", Map.of("class_name", "PasswordAuthenticator"),
+                "authenticators", List.of(
+                    Map.of(
+                        "class_name", "MutualTlsAuthenticator",
+                        "parameters", Map.of(
+                            "validator_class_name", "org.apache.cassandra.auth.SpiffeCertificateValidator"
+                        )
+                    ),
+                    Map.of("class_name", "PasswordAuthenticator"),
+                    Map.of(
+                        "class_name", "com.example.authn.CustomAuthenticator",
+                        "parameters", Map.of("custom_param", "custom_value")
+                    )
+                )
+            )
+        );
+
+        Config config = YamlConfigurationLoader.fromMap(yaml, Config.class);
+
+        assertNotNull(config.authenticator_negotiation);
+        assertTrue(config.authenticator_negotiation.enabled);
+        assertTrue(config.authenticator_negotiation.require_authentication);
+        
+        assertNotNull(config.authenticator_negotiation.default_authenticator);
+        assertEquals("PasswordAuthenticator", config.authenticator_negotiation.default_authenticator.class_name);
+        
+        assertEquals(3, config.authenticator_negotiation.authenticators.size());
+
+        // Order of authenticators must be preserved.
+        assertThat(config.authenticator_negotiation.authenticators)
+            .extracting(pc -> pc.class_name)
+            .containsExactly("MutualTlsAuthenticator",
+                             "PasswordAuthenticator",
+                             "com.example.authn.CustomAuthenticator");
+
+        // Validate expected parameters for each authenticator
+        ParameterizedClass mtls = config.authenticator_negotiation.authenticators.get(0);
+        assertEquals("org.apache.cassandra.auth.SpiffeCertificateValidator",
+                     mtls.parameters.get("validator_class_name"));
+
+        ParameterizedClass password = config.authenticator_negotiation.authenticators.get(1);
+        assertNull(password.parameters);
+
+        ParameterizedClass custom = config.authenticator_negotiation.authenticators.get(2);
+        assertEquals("custom_value", custom.parameters.get("custom_param"));
+    }
+
+    @Test
+    public void testDefaultsWhenNotConfigured()
+    {
+        Config config = YamlConfigurationLoader.fromMap(Collections.emptyMap(), Config.class);
+
+        assertNotNull(config.authenticator_negotiation);
+        assertFalse(config.authenticator_negotiation.enabled);
+        assertTrue(config.authenticator_negotiation.require_authentication);
+        assertNull(config.authenticator_negotiation.default_authenticator);
+        assertNotNull(config.authenticator_negotiation.authenticators);
+        assertTrue(config.authenticator_negotiation.authenticators.isEmpty());
+    }
+
+
+    @Test
+    public void testPartialConfiguration()
+    {
+        Map<String, Object> yaml = ImmutableMap.of(
+            "authenticator_negotiation", ImmutableMap.of(
+                "enabled", true,
+                "default_authenticator", ImmutableMap.of("class_name", "PasswordAuthenticator")
+            )
+        );
+
+        Config config = YamlConfigurationLoader.fromMap(yaml, Config.class);
+
+        assertNotNull(config.authenticator_negotiation);
+        assertTrue(config.authenticator_negotiation.enabled);
+        assertTrue(config.authenticator_negotiation.require_authentication);
+        assertNotNull(config.authenticator_negotiation.default_authenticator);
+        assertEquals("PasswordAuthenticator", config.authenticator_negotiation.default_authenticator.class_name);
+        assertNotNull(config.authenticator_negotiation.authenticators);
+        assertTrue(config.authenticator_negotiation.authenticators.isEmpty());
+    }
+
+    @Test
+    public void testLoadsAuthenticatorsWhenNegotiationDisabled()
+    {
+        Map<String, Object> yaml = ImmutableMap.of(
+            "authenticator_negotiation", ImmutableMap.of(
+                "enabled", false,
+                "default_authenticator", ImmutableMap.of("class_name", "PasswordAuthenticator"),
+                "authenticators", ImmutableList.of(
+                    ImmutableMap.of("class_name", "PasswordAuthenticator")
+                )
+            )
+        );
+
+        Config config = YamlConfigurationLoader.fromMap(yaml, Config.class);
+
+        assertFalse(config.authenticator_negotiation.enabled);
+        assertNotNull(config.authenticator_negotiation.default_authenticator);
+        assertEquals("PasswordAuthenticator", config.authenticator_negotiation.default_authenticator.class_name);
+        assertEquals(1, config.authenticator_negotiation.authenticators.size());
+    }
+
+    @Test
+    public void testEmptyAuthenticatorsList()
+    {
+        Map<String, Object> yaml = ImmutableMap.of(
+            "authenticator_negotiation", ImmutableMap.of(
+                "enabled", true,
+                "authenticators", Collections.emptyList()
+            )
+        );
+
+        Config config = YamlConfigurationLoader.fromMap(yaml, Config.class);
+
+        assertTrue(config.authenticator_negotiation.enabled);
+        assertTrue(config.authenticator_negotiation.authenticators.isEmpty());
+    }
+
+    @Test
+    public void testDefaultAuthenticatorWithParameters()
+    {
+        Map<String, Object> yaml = ImmutableMap.of(
+            "authenticator_negotiation", ImmutableMap.of(
+                "enabled", true,
+                "default_authenticator", ImmutableMap.of(
+                    "class_name", "MutualTlsAuthenticator",
+                    "parameters", ImmutableMap.of(
+                        "validator_class_name", "org.apache.cassandra.auth.SpiffeCertificateValidator"
+                    )
+                ),
+                "authenticators", ImmutableList.of(
+                    ImmutableMap.of("class_name", "PasswordAuthenticator")
+                )
+            )
+        );
+
+        Config config = YamlConfigurationLoader.fromMap(yaml, Config.class);
+
+        assertNotNull(config.authenticator_negotiation.default_authenticator);
+        assertEquals("MutualTlsAuthenticator", config.authenticator_negotiation.default_authenticator.class_name);
+        assertNotNull(config.authenticator_negotiation.default_authenticator.parameters);
+        assertEquals("org.apache.cassandra.auth.SpiffeCertificateValidator",
+                     config.authenticator_negotiation.default_authenticator.parameters.get("validator_class_name"));
+    }
+
+    @Test
+    public void testUpdateInPlace()
+    {
+        Config config = new Config();
+
+        assertFalse(config.authenticator_negotiation.enabled);
+        assertTrue(config.authenticator_negotiation.require_authentication);
+
+        // Update to negate defaults.
+        Map<String, Object> yaml = ImmutableMap.of(
+            "authenticator_negotiation.enabled", true,
+            "authenticator_negotiation.require_authentication", false
+        );
+
+        Config updated = YamlConfigurationLoader.updateFromMap(yaml, true, config);
+
+        assertThat(updated).isSameAs(config);
+        assertTrue(config.authenticator_negotiation.enabled);
+        assertFalse(config.authenticator_negotiation.require_authentication);
+    }
+}
diff --git a/test/unit/org/apache/cassandra/config/DatabaseDescriptorRefTest.java b/test/unit/org/apache/cassandra/config/DatabaseDescriptorRefTest.java
index 5a6e2086ff87..88078f205b08 100644
--- a/test/unit/org/apache/cassandra/config/DatabaseDescriptorRefTest.java
+++ b/test/unit/org/apache/cassandra/config/DatabaseDescriptorRefTest.java
@@ -89,6 +89,7 @@ public class DatabaseDescriptorRefTest
     "org.apache.cassandra.config.CassandraRelevantProperties$PropertyConverter",
     "org.apache.cassandra.config.Config",
     "org.apache.cassandra.config.Config$1",
+    "org.apache.cassandra.config.Config$AuthenticatorNegotiationConfig",
     "org.apache.cassandra.config.Config$CommitFailurePolicy",
     "org.apache.cassandra.config.Config$CQLStartTime",
     "org.apache.cassandra.config.Config$CommitLogSync",

From cdce63fbf4f5198af5e95eeff93d98dc883b1e7e Mon Sep 17 00:00:00 2001
From: Joel Shepherd <shepherd@amazon.com>
Date: Tue, 17 Mar 2026 23:19:31 +0000
Subject: [PATCH 07/30] Use normalized (lowercase, Locale.ROOT charset) for
 equals() and hashCode() computations

---
 src/java/org/apache/cassandra/auth/IAuthenticator.java | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/java/org/apache/cassandra/auth/IAuthenticator.java b/src/java/org/apache/cassandra/auth/IAuthenticator.java
index a4e888e5057c..7e683a9b0a9e 100644
--- a/src/java/org/apache/cassandra/auth/IAuthenticator.java
+++ b/src/java/org/apache/cassandra/auth/IAuthenticator.java
@@ -20,6 +20,7 @@
 import java.net.InetAddress;
 import java.security.cert.Certificate;
 import java.util.Collections;
+import java.util.Locale;
 import java.util.Map;
 import java.util.Objects;
 import java.util.Set;
@@ -248,6 +249,7 @@ default AuthenticationMode getAuthenticationMode()
     abstract class AuthenticationMode
     {
         private final String displayName;
+        private final String normalizedDisplayName;
 
         /**
          * @param displayName How this mode should be displayed in tooling and JMX beans.  Note that it is desirable
@@ -256,6 +258,7 @@ abstract class AuthenticationMode
         public AuthenticationMode(@Nonnull String displayName)
         {
             this.displayName = displayName;
+            this.normalizedDisplayName = displayName.toLowerCase(Locale.ROOT);
         }
 
         /**
@@ -283,15 +286,15 @@ public String toString()
         public boolean equals(Object o)
         {
             if (this == o) return true;
-            if (o == null || getClass() != o.getClass()) return false;
+            if (!(o instanceof AuthenticationMode)) return false;
             AuthenticationMode that = (AuthenticationMode) o;
-            return displayName.equals(that.displayName);
+            return normalizedDisplayName.equalsIgnoreCase(that.normalizedDisplayName);
         }
 
         @Override
         public int hashCode()
         {
-            return Objects.hash(displayName);
+            return Objects.hash(normalizedDisplayName);
         }
     }
 }

From 54c6c110fa5e719bc6dbfc979036e796a8615fc9 Mon Sep 17 00:00:00 2001
From: Joel Shepherd <shepherd@amazon.com>
Date: Wed, 18 Mar 2026 23:59:42 +0000
Subject: [PATCH 08/30] Implement configuration for authenticator negotiation
 as well as the basic negotiation mechanism

---
 .../org/apache/cassandra/auth/AuthConfig.java | 122 ++++++++++--
 .../auth/AuthenticatorNegotiator.java         |  73 +++++++
 .../cassandra/auth/CassandraLoginModule.java  |   6 +-
 .../cassandra/auth/PasswordAuthenticator.java |  14 +-
 test/conf/cassandra-auth-negotiation.yaml     |   3 +-
 .../apache/cassandra/auth/AuthConfigTest.java |  28 ++-
 .../apache/cassandra/auth/AuthTestUtils.java  |  17 ++
 .../auth/AuthenticatorNegotiatorTest.java     | 182 ++++++++++++++++++
 8 files changed, 415 insertions(+), 30 deletions(-)
 create mode 100644 src/java/org/apache/cassandra/auth/AuthenticatorNegotiator.java
 create mode 100644 test/unit/org/apache/cassandra/auth/AuthenticatorNegotiatorTest.java

diff --git a/src/java/org/apache/cassandra/auth/AuthConfig.java b/src/java/org/apache/cassandra/auth/AuthConfig.java
index 86e1f626ff81..78509204c679 100644
--- a/src/java/org/apache/cassandra/auth/AuthConfig.java
+++ b/src/java/org/apache/cassandra/auth/AuthConfig.java
@@ -18,7 +18,9 @@
 
 package org.apache.cassandra.auth;
 
+import java.util.ArrayList;
 import java.util.List;
+import java.util.Optional;
 
 import com.google.common.annotations.VisibleForTesting;
 
@@ -38,6 +40,8 @@ public final class AuthConfig
 {
     private static final Logger logger = LoggerFactory.getLogger(AuthConfig.class);
 
+    private static final String AUTH_PACKAGE = AuthConfig.class.getPackage().getName();
+
     private static boolean initialized;
 
     /**
@@ -60,34 +64,117 @@ public static void applyAuth()
 
         Config conf = DatabaseDescriptor.getRawConfig();
 
-
         /* Authentication, authorization and role management backend, implementing IAuthenticator, I*Authorizer & IRoleManager */
 
-        IAuthenticator authenticator = authInstantiate(conf.authenticator, AllowAllAuthenticator.class);
+        // Determine if authenticator_negotiation section was configured
+        boolean negotiationConfigured = conf.authenticator_negotiation.default_authenticator != null
+                                        || conf.authenticator_negotiation.enabled
+                                        || !conf.authenticator_negotiation.authenticators.isEmpty();
+
+        // Determine default authenticator based on configuration precedence
+        IAuthenticator defaultAuthenticator;
+
+        if (negotiationConfigured)
+        {
+            ParameterizedClass defaultAuthConfig = conf.authenticator_negotiation.default_authenticator;
+
+            if (defaultAuthConfig == null)
+                // authenticator_negotiation is configured but default_authenticator is missing - fail to start
+                throw new ConfigurationException(
+                    "authenticator_negotiation section requires default_authenticator to be specified", false);
+
+            defaultAuthenticator = (IAuthenticator) authInstantiate(defaultAuthConfig)
+                                                    .orElseThrow(() -> new ConfigurationException(
+                                                    "Unable to load default_authenticator from authenticator_negotiation section: "
+                                                    + conf.authenticator_negotiation.default_authenticator.class_name, false
+                                                    ));
+        }
+        else
+        {
+            // Fall back to legacy authenticator config
+            defaultAuthenticator = authInstantiate(conf.authenticator, AllowAllAuthenticator.class);
+        }
 
         // the configuration options regarding credentials caching are only guaranteed to
         // work with PasswordAuthenticator, so log a message if some other authenticator
         // is in use and non-default values are detected
-        if (!(authenticator instanceof PasswordAuthenticator || authenticator instanceof MutualTlsAuthenticator)
+        if (!(defaultAuthenticator instanceof PasswordAuthenticator || defaultAuthenticator instanceof MutualTlsAuthenticator)
             && (conf.credentials_update_interval != null
                 || conf.credentials_validity.toMilliseconds() != 2000
                 || conf.credentials_cache_max_entries != 1000))
         {
             logger.info("Configuration options credentials_update_interval, credentials_validity and " +
                         "credentials_cache_max_entries may not be applicable for the configured authenticator ({})",
-                        authenticator.getClass().getName());
+                        defaultAuthenticator.getClass().getName());
+        }
+
+        DatabaseDescriptor.setDefaultAuthenticator(defaultAuthenticator);
+
+        List<IAuthenticator> negotiableAuthenticators = new ArrayList<>();
+
+        if (negotiationConfigured)
+        {
+            logger.info("Authentication negotiation enabled: initializing authenticators");
+            List<ParameterizedClass> authenticators = conf.authenticator_negotiation.authenticators;
+
+            if (authenticators != null)
+            {
+                for (ParameterizedClass clazz: authenticators)
+                {
+                    // We generally can't instantiate multiple instances of an authenticator, so if the
+                    // default is also in the list of negotiaable authenticators, just re-use the instance
+                    // that we have.
+                    // TODO - This comparison is potentially broken because depending on how the authenticator
+                    //  is configured in YAML, this equals() may or may not work. The parameterized class created
+                    //  from 'default_authenticator: PasswordAuthenticator' is different from that created from
+                    //  'default_authenticator:\n\t- class_name: PasswordAuthenticator'. The ParameterizedClass
+                    //  instance created by SnakeYAML will have an _empty_ parameters member with the first form,
+                    //  and a _null_ parameters member with the second form. This causes ParameterizedClass.equals()
+                    //  to return 'false' when those two ParameterizedClass objects are compared ... which is probably
+                    //  incorrect. I'm not sure how to resolve this right now. For now the unit tests pass but this
+                    //  does introduce the risk of trying to instantiate the same authenticator twice, and not all
+                    //  authenticators can tolerate that.
+                    //if (clazz.equals(conf.authenticator_negotiation.default_authenticator))
+                    //{
+                    //    negotiableAuthenticators.add(defaultAuthenticator);
+                    //    continue;
+                    //}
+
+                    Optional<IAuthenticator> authenticator = authInstantiate(clazz);
+
+                    if (authenticator.isEmpty())
+                    {
+                        logger.warn("Unable to instantiate configured authenticator {}", clazz.class_name);
+                    }
+                    else
+                    {
+                        negotiableAuthenticators.add(authenticator.get());
+                    }
+                }
+            }
+
+            logger.info("Configured negotiable authenticators {}", negotiableAuthenticators);
+        }
+
+        // Ensure default authenticator is available for negotiation (as lowest priority) so clients can
+        // explicitly signal support for it, rather than falling back to it blindly when negotiation fails.
+        if (!negotiableAuthenticators.contains(defaultAuthenticator))
+        {
+            logger.info("Adding default authenticator as least-preferred for negotiation: {}",
+                        defaultAuthenticator.getClass().getName());
+            negotiableAuthenticators.add(defaultAuthenticator);
         }
 
-        DatabaseDescriptor.setAuthenticator(authenticator);
+        DatabaseDescriptor.setNegotiableAuthenticators(negotiableAuthenticators);
 
         // authorizer
 
         IAuthorizer authorizer = authInstantiate(conf.authorizer, AllowAllAuthorizer.class);
 
-        if (!authenticator.requireAuthentication() && authorizer.requireAuthorization())
+        if (!defaultAuthenticator.requireAuthentication() && authorizer.requireAuthorization())
         {
             throw new ConfigurationException(authorizer.getClass().getName() + " has authorization enabled which requires " +
-                                             authenticator.getClass().getName() + " to enable authentication", false);
+                                             defaultAuthenticator.getClass().getName() + " to enable authentication", false);
         }
 
         DatabaseDescriptor.setAuthorizer(authorizer);
@@ -96,8 +183,8 @@ public static void applyAuth()
 
         IRoleManager roleManager = authInstantiate(conf.role_manager, CassandraRoleManager.class);
 
-        if (authenticator instanceof PasswordAuthenticator && !(roleManager instanceof CassandraRoleManager))
-            throw new ConfigurationException(authenticator.getClass().getName() + " requires " + CassandraRoleManager.class.getName(), false);
+        if (defaultAuthenticator instanceof PasswordAuthenticator && !(roleManager instanceof CassandraRoleManager))
+            throw new ConfigurationException(defaultAuthenticator.getClass().getName() + " requires " + CassandraRoleManager.class.getName(), false);
 
         DatabaseDescriptor.setRoleManager(roleManager);
 
@@ -111,7 +198,7 @@ public static void applyAuth()
 
         INetworkAuthorizer networkAuthorizer = authInstantiate(conf.network_authorizer, AllowAllNetworkAuthorizer.class);
 
-        if (networkAuthorizer.requireAuthorization() && !authenticator.requireAuthentication())
+        if (networkAuthorizer.requireAuthorization() && !defaultAuthenticator.requireAuthentication())
         {
             throw new ConfigurationException(conf.network_authorizer + " can't be used with " + conf.authenticator.class_name, false);
         }
@@ -122,7 +209,7 @@ public static void applyAuth()
 
         ICIDRAuthorizer cidrAuthorizer = authInstantiate(conf.cidr_authorizer, AllowAllCIDRAuthorizer.class);
 
-        if (cidrAuthorizer.requireAuthorization() && !authenticator.requireAuthentication())
+        if (cidrAuthorizer.requireAuthorization() && !defaultAuthenticator.requireAuthentication())
         {
             throw new ConfigurationException(conf.cidr_authorizer + " can't be used with " + conf.authenticator, false);
         }
@@ -132,7 +219,7 @@ public static void applyAuth()
         // Validate at last to have authenticator, authorizer, role-manager and internode-auth setup
         // in case these rely on each other.
 
-        authenticator.validateConfiguration();
+        defaultAuthenticator.validateConfiguration();
         authorizer.validateConfiguration();
         roleManager.validateConfiguration();
         networkAuthorizer.validateConfiguration();
@@ -141,12 +228,19 @@ public static void applyAuth()
     }
 
     private static <T> T authInstantiate(ParameterizedClass authCls, Class<T> defaultCls) {
+        return (T) authInstantiate(authCls).orElseGet(() -> defaultAuthInstantiate(defaultCls));
+    }
+
+    private static <T> Optional<T> authInstantiate(ParameterizedClass authCls) {
         if (authCls != null && authCls.class_name != null)
         {
-            String authPackage = AuthConfig.class.getPackage().getName();
-            return ParameterizedClass.newInstance(authCls, List.of("", authPackage));
+            return Optional.of(ParameterizedClass.newInstance(authCls, List.of("", AUTH_PACKAGE)));
         }
 
+        return Optional.empty();
+    }
+
+    private static <T> T defaultAuthInstantiate(Class<T> defaultCls) {
         // for now, this has to stay and can not be replaced by ParameterizedClass.newInstance as above
         // due to that failing for simulator dtests. See CASSANDRA-20450 for more information.
         try
diff --git a/src/java/org/apache/cassandra/auth/AuthenticatorNegotiator.java b/src/java/org/apache/cassandra/auth/AuthenticatorNegotiator.java
new file mode 100644
index 000000000000..c1dd8660c77b
--- /dev/null
+++ b/src/java/org/apache/cassandra/auth/AuthenticatorNegotiator.java
@@ -0,0 +1,73 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.cassandra.auth;
+
+import java.util.Collections;
+import java.util.Set;
+import java.util.stream.Collectors;
+
+import javax.annotation.Nonnull;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import org.apache.cassandra.config.DatabaseDescriptor;
+
+/**
+ * Implements the business logic for selecting an authenticator for a given session, when both the node and the
+ * client support authenticator negotiation.
+ */
+public class AuthenticatorNegotiator
+{
+    private static final Logger logger = LoggerFactory.getLogger(AuthenticatorNegotiator.class);
+
+    /**
+     * Selects an {@link IAuthenticator authenticator} based on client-provided authentication modes and this
+     * node's own prioritized list of supported authenticators.
+     *
+     * @param clientAuthenticators Comma-separated list of {@link IAuthenticator.AuthenticationMode} names supported
+     *                             by the client. May be null or empty if the client doesn't support or is not
+     *                             configured for negotiation
+     * @return The node's most preferred authenticator that supports at least one of the client's offered authentication
+     *         modes, or its default authenticator if no modes are provided or none match.
+     */
+    public static IAuthenticator negotiateAuthenticator(@Nonnull Set<String> clientAuthenticators)
+    {
+        if (DatabaseDescriptor.isAuthenticatorNegotiationEnabled())
+        {
+            Set<IAuthenticator.AuthenticationMode> clientAuthenticationModes =
+                clientAuthenticators.stream()
+                                    .map(name -> new IAuthenticator.AuthenticationMode(name) {})
+                                    .collect(Collectors.toSet());
+
+            for (IAuthenticator authenticator : DatabaseDescriptor.getNegotiableAuthenticators())
+            {
+                if (!Collections.disjoint(clientAuthenticationModes, authenticator.getSupportedAuthenticationModes()))
+                {
+                    logger.info("Negotiated authenticator with client with options {}: selected {}",
+                                clientAuthenticationModes, authenticator.getClass().getName());
+                    return authenticator;
+                }
+            }
+        }
+
+        logger.info("Auth negotiation failed for client options {}: continuing with default authenticator", clientAuthenticators);
+
+        return DatabaseDescriptor.getDefaultAuthenticator();
+    }
+}
diff --git a/src/java/org/apache/cassandra/auth/CassandraLoginModule.java b/src/java/org/apache/cassandra/auth/CassandraLoginModule.java
index 6c648d4770f0..6579d381ff5c 100644
--- a/src/java/org/apache/cassandra/auth/CassandraLoginModule.java
+++ b/src/java/org/apache/cassandra/auth/CassandraLoginModule.java
@@ -39,8 +39,8 @@
 import org.apache.cassandra.service.StorageService;
 
 /**
- * LoginModule which authenticates a user towards the Cassandra database using
- * the internal authentication mechanism.
+ * LoginModule which authenticates a user towards the Cassandra database using the default authentication
+ * mechanism. This is used to support JMX authentication.
  */
 public class CassandraLoginModule implements LoginModule
 {
@@ -143,7 +143,7 @@ private void authenticate()
         if (!StorageService.instance.isAuthSetupComplete())
             throw new AuthenticationException("Cannot login as server authentication setup is not yet completed");
 
-        IAuthenticator authenticator = DatabaseDescriptor.getAuthenticator();
+        IAuthenticator authenticator = DatabaseDescriptor.getDefaultAuthenticator();
         Map<String, String> credentials = new HashMap<>();
         credentials.put(PasswordAuthenticator.USERNAME_KEY, username);
         credentials.put(PasswordAuthenticator.PASSWORD_KEY, String.valueOf(password));
diff --git a/src/java/org/apache/cassandra/auth/PasswordAuthenticator.java b/src/java/org/apache/cassandra/auth/PasswordAuthenticator.java
index 9b810f644b8d..27a1692e5eba 100644
--- a/src/java/org/apache/cassandra/auth/PasswordAuthenticator.java
+++ b/src/java/org/apache/cassandra/auth/PasswordAuthenticator.java
@@ -91,14 +91,7 @@ public class PasswordAuthenticator implements IAuthenticator, AuthCache.BulkLoad
 
     static final byte NUL = 0;
     private SelectStatement authenticateStatement;
-
-    private final CredentialsCache cache;
-
-    public PasswordAuthenticator()
-    {
-        cache = new CredentialsCache(this);
-        AuthCacheService.instance.register(cache);
-    }
+    private CredentialsCache cache;
 
     /**
      * {@inheritDoc}
@@ -248,6 +241,11 @@ public void validateConfiguration() throws ConfigurationException
 
     public void setup()
     {
+        // Cache initialization is deferred to setup() to avoid duplicate cache registration when subclasses
+        // of PasswordAuthenticator (e.g., MutualTlsWithPasswordFallbackAuthenticator) are also instantiated.
+        cache = new CredentialsCache(this);
+        AuthCacheService.instance.register(cache);
+
         String query = String.format("SELECT %s FROM %s.%s WHERE role = ?",
                                      SALTED_HASH,
                                      SchemaConstants.AUTH_KEYSPACE_NAME,
diff --git a/test/conf/cassandra-auth-negotiation.yaml b/test/conf/cassandra-auth-negotiation.yaml
index 79ab283f148c..a5736a83166d 100644
--- a/test/conf/cassandra-auth-negotiation.yaml
+++ b/test/conf/cassandra-auth-negotiation.yaml
@@ -88,7 +88,8 @@ authenticator:
 authenticator_negotiation:
   enabled: true
   require_authentication: true
-  default_authenticator: PasswordAuthenticator
+  default_authenticator:
+    - class_name: PasswordAuthenticator
   authenticators:
     - class_name: MutualTlsAuthenticator
       parameters:
diff --git a/test/unit/org/apache/cassandra/auth/AuthConfigTest.java b/test/unit/org/apache/cassandra/auth/AuthConfigTest.java
index c8f07e03f8ab..08cbd2f059f2 100644
--- a/test/unit/org/apache/cassandra/auth/AuthConfigTest.java
+++ b/test/unit/org/apache/cassandra/auth/AuthConfigTest.java
@@ -23,11 +23,11 @@
 import java.security.cert.CertificateException;
 import java.util.Arrays;
 import java.util.Collections;
+import java.util.List;
 
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
-import org.junit.rules.ExpectedException;
 
 import org.apache.cassandra.config.Config;
 import org.apache.cassandra.config.DatabaseDescriptor;
@@ -40,6 +40,7 @@
 import static org.apache.cassandra.auth.IInternodeAuthenticator.InternodeConnectionDirection.INBOUND;
 import static org.apache.cassandra.config.YamlConfigurationLoaderTest.load;
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertTrue;
@@ -66,6 +67,25 @@ public void teardown()
         unregisterCaches();
     }
 
+    @Test
+    public void testConfigureAuthenticatorNegotiation()
+    {
+        Config config = load("cassandra-auth-negotiation.yaml");
+        DatabaseDescriptor.unsafeDaemonInitialization(()->config);
+
+        IAuthenticator authenticator = DatabaseDescriptor.getDefaultAuthenticator();
+        assertThat(authenticator instanceof PasswordAuthenticator);
+        assertNotNull(authenticator);
+        assertTrue(DatabaseDescriptor.isAuthenticatorNegotiationEnabled());
+        List<IAuthenticator> negotiableAuthenticators = DatabaseDescriptor.getNegotiableAuthenticators();
+        assertNotNull(negotiableAuthenticators);
+        // TODO - See TODO in AuthConfig. Right now we're adding the PasswordAuthenticator twice.
+        assertEquals(4, negotiableAuthenticators.size());
+        assertTrue(DatabaseDescriptor.getAuthenticator(PasswordAuthenticator.class).isPresent());
+        assertTrue(DatabaseDescriptor.getAuthenticator(MutualTlsAuthenticator.class).isPresent());
+        assertTrue(DatabaseDescriptor.getAuthenticator(AllowAllAuthenticator.class).isPresent());
+    }
+
     @Test
     public void testNewInstanceForMutualTlsInternodeAuthenticator() throws IOException, CertificateException
     {
@@ -94,7 +114,7 @@ public void testNewInstanceForPasswordAuthenticator()
         Config config = load("cassandra-passwordauth.yaml");
         DatabaseDescriptor.unsafeDaemonInitialization(()->config);
 
-        IAuthenticator authenticator = DatabaseDescriptor.getAuthenticator();
+        IAuthenticator authenticator = DatabaseDescriptor.getDefaultAuthenticator();
         assertNotNull(authenticator);
 
         assertThat(DatabaseDescriptor.getAuthenticator(PasswordAuthenticator.class))
@@ -117,7 +137,7 @@ public void testNewInstanceForMutualTlsWithPasswordFallbackAuthenticator()
         config.authenticator.parameters = Collections.singletonMap("validator_class_name", "org.apache.cassandra.auth.SpiffeCertificateValidator");
         DatabaseDescriptor.unsafeDaemonInitialization(()->config);
 
-        IAuthenticator authenticator = DatabaseDescriptor.getAuthenticator();
+        IAuthenticator authenticator = DatabaseDescriptor.getDefaultAuthenticator();
         assertNotNull(authenticator);
 
         // MutualTlsWithPasswordFallbackAuthenticator is-a PasswordAuthenticator, so we expect getAuthenticator to
@@ -145,7 +165,7 @@ public void testNewInstanceForMutualTlsAuthenticator()
         Config config = load("cassandra-mtls.yaml");
         DatabaseDescriptor.unsafeDaemonInitialization(()->config);
 
-        IAuthenticator authenticator = DatabaseDescriptor.getAuthenticator();
+        IAuthenticator authenticator = DatabaseDescriptor.getDefaultAuthenticator();
         assertNotNull(authenticator);
 
         assertThat(DatabaseDescriptor.getAuthenticator(PasswordAuthenticator.class)).isEmpty();
diff --git a/test/unit/org/apache/cassandra/auth/AuthTestUtils.java b/test/unit/org/apache/cassandra/auth/AuthTestUtils.java
index d17d39ec4e09..7ab130f3d977 100644
--- a/test/unit/org/apache/cassandra/auth/AuthTestUtils.java
+++ b/test/unit/org/apache/cassandra/auth/AuthTestUtils.java
@@ -240,6 +240,23 @@ UntypedResultSet process(String query, ConsistencyLevel cl)
         }
     }
 
+    /**
+     * Functionally identical to LocalPasswordAuthenticator, but is used to differentiate between default and
+     * negotiated authenticators in negotiation test cases.
+     */
+    public static class LocalDefaultPasswordAuthenticator extends LocalPasswordAuthenticator
+    {
+
+    }
+
+    public static class LocalMutualTLSAuthenticator extends MutualTlsAuthenticator
+    {
+        public LocalMutualTLSAuthenticator(Map<String, String> parameters)
+        {
+            super(parameters);
+        }
+    }
+
     public static class LocalMutualTlsWithPasswordFallbackAuthenticator extends MutualTlsWithPasswordFallbackAuthenticator
     {
 
diff --git a/test/unit/org/apache/cassandra/auth/AuthenticatorNegotiatorTest.java b/test/unit/org/apache/cassandra/auth/AuthenticatorNegotiatorTest.java
new file mode 100644
index 000000000000..7187476bbe4a
--- /dev/null
+++ b/test/unit/org/apache/cassandra/auth/AuthenticatorNegotiatorTest.java
@@ -0,0 +1,182 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.cassandra.auth;
+
+import java.util.Collections;
+import java.util.Set;
+
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
+import org.apache.cassandra.config.Config;
+import org.apache.cassandra.config.DatabaseDescriptor;
+
+import static org.apache.cassandra.auth.AuthCache.MBEAN_NAME_BASE;
+import static org.apache.cassandra.config.YamlConfigurationLoaderTest.load;
+import static org.junit.Assert.assertSame;
+import static org.junit.Assert.assertTrue;
+
+/**
+ * Tests the authenticator negotiation logic in {@link AuthenticatorNegotiator}.
+ */
+public class AuthenticatorNegotiatorTest
+{
+    private static final String IDENTITIES_CACHE_MBEAN = MBEAN_NAME_BASE + MutualTlsAuthenticator.CACHE_NAME;
+    private static final String CREDENTIALS_CACHE_MBEAN = MBEAN_NAME_BASE + PasswordAuthenticator.CredentialsCacheMBean.CACHE_NAME;
+
+    @Before
+    public void setup()
+    {
+        AuthConfig.reset();
+    }
+
+    @After
+    public void teardown()
+    {
+        unregisterCaches();
+    }
+
+    private void unregisterCaches()
+    {
+        try
+        {
+            org.apache.cassandra.utils.MBeanWrapper.instance.unregisterMBean(IDENTITIES_CACHE_MBEAN);
+        }
+        catch (Exception ignored) {}
+
+        try
+        {
+            org.apache.cassandra.utils.MBeanWrapper.instance.unregisterMBean(CREDENTIALS_CACHE_MBEAN);
+        }
+        catch (Exception ignored) {}
+    }
+
+    // Server will use the default authenticator if the client doesn't provide any options.
+    @Test
+    public void testEmptyClientAuthenticators()
+    {
+        Config config = load("cassandra-auth-negotiation.yaml");
+        DatabaseDescriptor.unsafeDaemonInitialization(() -> config);
+
+        IAuthenticator result = AuthenticatorNegotiator.negotiateAuthenticator(Collections.emptySet());
+
+        assertSame(DatabaseDescriptor.getDefaultAuthenticator(), result);
+    }
+
+    // Server supports MTLS, Password and AllowAll. Client supports MTLS and Password. Server should pick MTLS
+    // as the most preferred shared preference.
+    @Test
+    public void testMatchesServersPreferredAuthenticator()
+    {
+        Config config = load("cassandra-auth-negotiation.yaml");
+        DatabaseDescriptor.unsafeDaemonInitialization(() -> config);
+
+        Set<String> clientModes = Set.of("MutualTls", "Password");
+        IAuthenticator result = AuthenticatorNegotiator.negotiateAuthenticator(clientModes);
+
+        assertTrue(result instanceof MutualTlsAuthenticator);
+    }
+
+    // Server supports MTLS, Password and AllowAll. Client supports Password or no-auth. Server should choose Password
+    // auth as it's the most preferred option of the ones the client can support (even though the server would prefer
+    // MTLS).
+    @Test
+    public void testMatchesServersAcceptedAuthenticator()
+    {
+        Config config = load("cassandra-auth-negotiation.yaml");
+        DatabaseDescriptor.unsafeDaemonInitialization(() -> config);
+
+        Set<String> clientModes = Set.of("Password", "Unauthenticated");
+        IAuthenticator result = AuthenticatorNegotiator.negotiateAuthenticator(clientModes);
+
+        // Should return Password authenticator
+        assertTrue(result instanceof PasswordAuthenticator);
+    }
+
+    // Server supports MTLS, Password and AllowAll. Client supports Kerberos, JWT and OAuth. Since the server and
+    // client don't appear able to support any common authentication scheme, the server will offer its default
+    // authenticator and hope the client can work with it.
+    @Test
+    public void testNoMatchingAuthenticatorUsesDefaultAuthenticator()
+    {
+        Config config = load("cassandra-auth-negotiation.yaml");
+        DatabaseDescriptor.unsafeDaemonInitialization(() -> config);
+
+        Set<String> clientModes = Set.of("Kerberos", "JWT", "OAuth");
+        IAuthenticator result = AuthenticatorNegotiator.negotiateAuthenticator(clientModes);
+
+        assertSame(DatabaseDescriptor.getDefaultAuthenticator(), result);
+    }
+
+    // Server supports MTLS, Password and AllowAll. Client supports Password and MTLS but doesn't agree on
+    // case (for whatever reason). Server should correctly settle on MTLS regardless.
+    @Test
+    public void testCaseInsensitiveMatching()
+    {
+        Config config = load("cassandra-auth-negotiation.yaml");
+        DatabaseDescriptor.unsafeDaemonInitialization(() -> config);
+
+        Set<String> clientModes = Set.of("password", "MUTUALTLS");
+        IAuthenticator result = AuthenticatorNegotiator.negotiateAuthenticator(clientModes);
+
+        assertTrue(result instanceof MutualTlsAuthenticator);
+    }
+
+    // Server is not configured to support negotiation. Client attempts to offer authentication options anyway.
+    // Server should simplu respond with its default authenticator (password auth).
+    @Test
+    public void testNegotiationDisabled()
+    {
+        Config config = load("cassandra-passwordauth.yaml");
+        DatabaseDescriptor.unsafeDaemonInitialization(() -> config);
+
+        Set<String> clientModes = Set.of("MutualTls");
+        IAuthenticator result = AuthenticatorNegotiator.negotiateAuthenticator(clientModes);
+
+        assertSame(DatabaseDescriptor.getDefaultAuthenticator(), result);
+    }
+
+    // Server supports MTLS, Password and AllowAll. Client supports no-auth, Password and MTLS. Server should
+    // select its most preferred option (MTLS) even though it's not the first option offered by the client.
+    @Test
+    public void testPriorityOrderWithMultipleMatches()
+    {
+        Config config = load("cassandra-auth-negotiation.yaml");
+        DatabaseDescriptor.unsafeDaemonInitialization(() -> config);
+
+        Set<String> clientModes = Set.of("Unauthenticated", "Password", "MutualTls");
+        IAuthenticator result = AuthenticatorNegotiator.negotiateAuthenticator(clientModes);
+
+        assertTrue(result instanceof MutualTlsAuthenticator);
+    }
+
+    // Client sends duplicate authentication modes including case variations. Server should handle this gracefully
+    // and select based on its priority order, not be confused by the duplicates.
+    @Test
+    public void testDuplicateClientAuthenticators()
+    {
+        Config config = load("cassandra-auth-negotiation.yaml");
+        DatabaseDescriptor.unsafeDaemonInitialization(() -> config);
+
+        Set<String> clientModes = Set.of("Password", "MutualTls", "password");
+        IAuthenticator result = AuthenticatorNegotiator.negotiateAuthenticator(clientModes);
+
+        assertTrue(result instanceof MutualTlsAuthenticator);
+    }
+}

From 505d670c671474d0345a9675a8721df83ebfc406 Mon Sep 17 00:00:00 2001
From: Joel Shepherd <shepherd@amazon.com>
Date: Thu, 19 Mar 2026 00:12:04 +0000
Subject: [PATCH 09/30] Support authenticator negotiation parameters in
 OPTIONS, SUPPORTED and STARTUP messages

---
 .../transport/InitialConnectionHandler.java   |   3 +
 .../transport/messages/OptionsMessage.java    |   5 +
 .../transport/messages/StartupMessage.java    |  59 +++--
 .../org/apache/cassandra/cql3/CQLTester.java  |  52 ++--
 .../NegotiatedAuthenticationTest.java         | 225 ++++++++++++++++++
 .../NonNegotiatedAuthenticationTest.java      | 130 ++++++++++
 6 files changed, 429 insertions(+), 45 deletions(-)
 create mode 100644 test/unit/org/apache/cassandra/transport/NegotiatedAuthenticationTest.java
 create mode 100644 test/unit/org/apache/cassandra/transport/NonNegotiatedAuthenticationTest.java

diff --git a/src/java/org/apache/cassandra/transport/InitialConnectionHandler.java b/src/java/org/apache/cassandra/transport/InitialConnectionHandler.java
index 556a5607934d..bdff28a2d6f8 100644
--- a/src/java/org/apache/cassandra/transport/InitialConnectionHandler.java
+++ b/src/java/org/apache/cassandra/transport/InitialConnectionHandler.java
@@ -28,6 +28,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import org.apache.cassandra.config.DatabaseDescriptor;
 import org.apache.cassandra.cql3.QueryProcessor;
 import org.apache.cassandra.net.AsyncChannelPromise;
 import org.apache.cassandra.transport.ClientResourceLimits.Overload;
@@ -87,6 +88,8 @@ protected void decode(ChannelHandlerContext ctx, ByteBuf buffer, List<Object> li
                     compressions.add("lz4");
 
                     Map<String, List<String>> supportedOptions = new HashMap<>();
+                    if (DatabaseDescriptor.isAuthenticatorNegotiationEnabled())
+                            supportedOptions.put(StartupMessage.AUTHENTICATORS, new ArrayList<>());
                     supportedOptions.put(StartupMessage.CQL_VERSION, cqlVersions);
                     supportedOptions.put(StartupMessage.COMPRESSION, compressions);
                     supportedOptions.put(StartupMessage.PROTOCOL_VERSIONS, ProtocolVersion.supportedVersions());
diff --git a/src/java/org/apache/cassandra/transport/messages/OptionsMessage.java b/src/java/org/apache/cassandra/transport/messages/OptionsMessage.java
index 77a76e336897..829bc93b953f 100644
--- a/src/java/org/apache/cassandra/transport/messages/OptionsMessage.java
+++ b/src/java/org/apache/cassandra/transport/messages/OptionsMessage.java
@@ -61,6 +61,8 @@ public OptionsMessage()
     @Override
     protected Message.Response execute(QueryState state, Dispatcher.RequestTime requestTime, boolean traceRequest)
     {
+        // JDEBUG - This duplicates code in InitialConnectionHandler (line 78+). Why? Is this used?
+        /*
         List<String> cqlVersions = new ArrayList<String>();
         cqlVersions.add(QueryProcessor.CQL_VERSION.toString());
 
@@ -71,11 +73,14 @@ protected Message.Response execute(QueryState state, Dispatcher.RequestTime requ
         compressions.add("lz4");
 
         Map<String, List<String>> supported = new HashMap<String, List<String>>();
+
         supported.put(StartupMessage.CQL_VERSION, cqlVersions);
         supported.put(StartupMessage.COMPRESSION, compressions);
         supported.put(StartupMessage.PROTOCOL_VERSIONS, ProtocolVersion.supportedVersions());
 
         return new SupportedMessage(supported);
+         */
+        return new SupportedMessage(new HashMap<>());
     }
 
     @Override
diff --git a/src/java/org/apache/cassandra/transport/messages/StartupMessage.java b/src/java/org/apache/cassandra/transport/messages/StartupMessage.java
index 85c531c20aa6..8d8c5f20779a 100644
--- a/src/java/org/apache/cassandra/transport/messages/StartupMessage.java
+++ b/src/java/org/apache/cassandra/transport/messages/StartupMessage.java
@@ -19,9 +19,12 @@
 
 import java.util.HashMap;
 import java.util.Map;
+import java.util.Set;
 
+import org.apache.commons.lang3.StringUtils;
+
+import org.apache.cassandra.auth.AuthenticatorNegotiator;
 import org.apache.cassandra.auth.IAuthenticator;
-import org.apache.cassandra.config.DatabaseDescriptor;
 import org.apache.cassandra.service.ClientState;
 import org.apache.cassandra.service.QueryState;
 import org.apache.cassandra.transport.CBUtil;
@@ -44,6 +47,7 @@
  */
 public class StartupMessage extends Message.Request
 {
+    public static final String AUTHENTICATORS = "AUTHENTICATORS";
     public static final String CQL_VERSION = "CQL_VERSION";
     public static final String COMPRESSION = "COMPRESSION";
     public static final String PROTOCOL_VERSIONS = "PROTOCOL_VERSIONS";
@@ -130,37 +134,40 @@ else if (compression.equals("lz4"))
             clientState.setDriverVersion(options.get(DRIVER_VERSION));
         }
 
-        IAuthenticator authenticator = DatabaseDescriptor.getAuthenticator();
-        if (authenticator.requireAuthentication())
+        Set<String> clientAuthenticators = Set.of(StringUtils.defaultIfEmpty(options.get(AUTHENTICATORS), StringUtils.EMPTY).split(","));
+
+        IAuthenticator authenticator = AuthenticatorNegotiator.negotiateAuthenticator(clientAuthenticators);
+
+        if (!authenticator.requireAuthentication()) {
+            return new ReadyMessage();
+        }
+
+        // If the authenticator supports early authentication, attempt to authenticate.
+        if (authenticator.supportsEarlyAuthentication())
         {
-            // If the authenticator supports early authentication, attempt to authenticate.
-            if (authenticator.supportsEarlyAuthentication())
+            IAuthenticator.SaslNegotiator saslNegotiator = ((ServerConnection) connection).getSaslNegotiator(state);
+            // If the negotiator determines that sending an authenticate message is not necessary, attempt to authenticate here,
+            // otherwise, send an Authenticate message to begin the traditional authentication flow.
+            if (!saslNegotiator.shouldSendAuthenticateMessage())
             {
-                IAuthenticator.SaslNegotiator negotiator = ((ServerConnection) connection).getSaslNegotiator(state);
-                // If the negotiator determines that sending an authenticate message is not necessary, attempt to authenticate here,
-                // otherwise, send an Authenticate message to begin the traditional authentication flow.
-                if (!negotiator.shouldSendAuthenticateMessage())
+                // Attempt to authenticate the user.
+                return AuthUtil.handleLogin(connection, state, EMPTY_CLIENT_RESPONSE, (negotiationComplete, challenge) ->
                 {
-                    // Attempt to authenticate the user.
-                    return AuthUtil.handleLogin(connection, state, EMPTY_CLIENT_RESPONSE, (negotiationComplete, challenge) ->
+                    if (negotiationComplete)
+                    {
+                        // Authentication was successful, proceed.
+                        return new ReadyMessage();
+                    } else
                     {
-                        if (negotiationComplete)
-                        {
-                            // Authentication was successful, proceed.
-                            return new ReadyMessage();
-                        } else
-                        {
-                            // It's expected that any negotiator that requires a challenge will likely not support early
-                            // authentication, in this case we can just go through the traditional auth flow.
-                            return authenticator.getAuthenticateMessage(clientState);
-                        }
-                    });
-                }
+                        // It's expected that any negotiator that requires a challenge will likely not support early
+                        // authentication, in this case we can just go through the traditional auth flow.
+                        return authenticator.getAuthenticateMessage(clientState);
+                    }
+                });
             }
-            return authenticator.getAuthenticateMessage(clientState);
         }
-        else
-            return new ReadyMessage();
+
+        return authenticator.getAuthenticateMessage(clientState);
     }
 
     private static Map<String, String> upperCaseKeys(Map<String, String> options)
diff --git a/test/unit/org/apache/cassandra/cql3/CQLTester.java b/test/unit/org/apache/cassandra/cql3/CQLTester.java
index e4eaec08eab4..7f48910e726d 100644
--- a/test/unit/org/apache/cassandra/cql3/CQLTester.java
+++ b/test/unit/org/apache/cassandra/cql3/CQLTester.java
@@ -64,28 +64,13 @@
 import javax.management.remote.rmi.RMIConnectorServer;
 import javax.net.ssl.SSLException;
 
-import com.codahale.metrics.Gauge;
-import com.datastax.driver.core.CloseFuture;
-import com.datastax.driver.core.Cluster;
-import com.datastax.driver.core.ColumnDefinitions;
-import com.datastax.driver.core.DataType;
-import com.datastax.driver.core.NettyOptions;
-import com.datastax.driver.core.ResultSet;
-import com.datastax.driver.core.Row;
-import com.datastax.driver.core.Session;
-import com.datastax.driver.core.SimpleStatement;
-import com.datastax.driver.core.SocketOptions;
-import com.datastax.driver.core.Statement;
-import com.datastax.driver.core.TypeCodec;
-import com.datastax.driver.core.UDTValue;
-import com.datastax.driver.core.UserType;
-import com.datastax.driver.core.exceptions.UnauthorizedException;
-import com.datastax.shaded.netty.channel.EventLoopGroup;
 import com.google.common.base.Objects;
 import com.google.common.base.Strings;
+import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Iterables;
 
+import org.apache.cassandra.auth.SpiffeCertificateValidator;
 import org.apache.commons.lang3.ArrayUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.assertj.core.api.Assertions;
@@ -106,7 +91,23 @@
 import accord.utils.Gen;
 import accord.utils.Property;
 import accord.utils.RandomSource;
-
+import com.codahale.metrics.Gauge;
+import com.datastax.driver.core.CloseFuture;
+import com.datastax.driver.core.Cluster;
+import com.datastax.driver.core.ColumnDefinitions;
+import com.datastax.driver.core.DataType;
+import com.datastax.driver.core.NettyOptions;
+import com.datastax.driver.core.ResultSet;
+import com.datastax.driver.core.Row;
+import com.datastax.driver.core.Session;
+import com.datastax.driver.core.SimpleStatement;
+import com.datastax.driver.core.SocketOptions;
+import com.datastax.driver.core.Statement;
+import com.datastax.driver.core.TypeCodec;
+import com.datastax.driver.core.UDTValue;
+import com.datastax.driver.core.UserType;
+import com.datastax.driver.core.exceptions.UnauthorizedException;
+import com.datastax.shaded.netty.channel.EventLoopGroup;
 import org.apache.cassandra.SchemaLoader;
 import org.apache.cassandra.ServerTestUtils;
 import org.apache.cassandra.Util;
@@ -653,7 +654,7 @@ public void setup()
         //TODO
         //MigrationManager.announceNewKeyspace(AuthKeyspace.metadata(), true);
         DatabaseDescriptor.getRoleManager().setup();
-        DatabaseDescriptor.getAuthenticator().setup();
+        DatabaseDescriptor.getDefaultAuthenticator().setup();
         DatabaseDescriptor.getAuthorizer().setup();
         DatabaseDescriptor.getNetworkAuthorizer().setup();
         DatabaseDescriptor.getCIDRAuthorizer().setup();
@@ -662,6 +663,19 @@ public void setup()
         AuthCacheService.initializeAndRegisterCaches();
     }
 
+    protected static void requireAuthenticatorNegotiation()
+    {
+        final Map<String, String> authenticatorParams = ImmutableMap.of("validator_class_name", SpiffeCertificateValidator.class.getSimpleName());
+        requireAuthenticatorNegotiation(new AuthTestUtils.LocalPasswordAuthenticator(), new AuthTestUtils.LocalMutualTLSAuthenticator(authenticatorParams));
+    }
+
+    protected static void requireAuthenticatorNegotiation(IAuthenticator... negotiableAuthenticators)
+    {
+        DatabaseDescriptor.setAuthenticatorNegotationEnabled(true);
+        DatabaseDescriptor.setNegotiableAuthenticators(List.of(negotiableAuthenticators));
+        requireAuthentication(new AuthTestUtils.LocalDefaultPasswordAuthenticator());
+    }
+
     /**
      * @param useEncryption Whether created clients should use encryption.
      */
diff --git a/test/unit/org/apache/cassandra/transport/NegotiatedAuthenticationTest.java b/test/unit/org/apache/cassandra/transport/NegotiatedAuthenticationTest.java
new file mode 100644
index 000000000000..74ce4060a782
--- /dev/null
+++ b/test/unit/org/apache/cassandra/transport/NegotiatedAuthenticationTest.java
@@ -0,0 +1,225 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cassandra.transport;
+
+import java.io.IOException;
+import java.util.Map;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import org.apache.cassandra.auth.AuthTestUtils;
+import org.apache.cassandra.cql3.CQLTester;
+import org.apache.cassandra.cql3.QueryProcessor;
+import org.apache.cassandra.exceptions.AuthenticationException;
+import org.apache.cassandra.transport.messages.AuthResponse;
+import org.apache.cassandra.transport.messages.AuthSuccess;
+import org.apache.cassandra.transport.messages.AuthenticateMessage;
+import org.apache.cassandra.transport.messages.ErrorMessage;
+import org.apache.cassandra.transport.messages.OptionsMessage;
+import org.apache.cassandra.transport.messages.StartupMessage;
+import org.apache.cassandra.transport.messages.SupportedMessage;
+
+import static org.apache.cassandra.auth.AuthTestUtils.getToken;
+import static org.apache.cassandra.transport.messages.StartupMessage.AUTHENTICATORS;
+import static org.apache.cassandra.transport.messages.StartupMessage.CQL_VERSION;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+/**
+ * Tests the authentication negotiation protocol flow for a server that is configured to support authenticator
+ * negotiation, including compatibility scenarios defined in CEP-50. Covers the compatibility matrix for
+ * negotiating and non-negotiating clients.
+ */
+public class NegotiatedAuthenticationTest extends CQLTester
+{
+    @BeforeClass
+    public static void setup()
+    {
+        requireNetwork();
+        requireAuthenticatorNegotiation();
+    }
+
+    // Scenario 1: Negotiating client + Negotiating server - OPTIONS/SUPPORTED handshake
+    @Test
+    public void testFullNegotiationHandshake()
+    {
+        try (SimpleClient client = SimpleClient.builder(nativeAddr.getHostAddress(), nativePort).build())
+        {
+            // Negotiating client: send OPTIONS
+            client.establishConnection();
+            OptionsMessage options = new OptionsMessage();
+            Message.Response optionsResponse = client.execute(options);
+
+            assertTrue("Server should respond with SUPPORTED", optionsResponse instanceof SupportedMessage);
+
+            SupportedMessage supported = (SupportedMessage) optionsResponse;
+            assertTrue("Negotiating server should include AUTHENTICATORS in SUPPORTED",
+                       supported.supported.containsKey(AUTHENTICATORS));
+            assertNotNull("AUTHENTICATORS value should not be null",
+                          supported.supported.get(AUTHENTICATORS));
+
+            // Client sends STARTUP with AUTHENTICATORS
+            StartupMessage startup = new StartupMessage(Map.of(CQL_VERSION, QueryProcessor.CQL_VERSION.toString(),
+                                                               AUTHENTICATORS, "Password,MutualTls"));
+            Message.Response startupResponse = client.execute(startup);
+
+            assertTrue("Server should respond with AUTHENTICATE after negotiation",
+                       startupResponse instanceof AuthenticateMessage);
+            assertEquals(((AuthenticateMessage) startupResponse).authenticator,
+                         AuthTestUtils.LocalPasswordAuthenticator.class.getName());
+
+            // Complete authentication with server's preferred authenticator (Password)
+            AuthResponse authResponse = new AuthResponse(getToken("cassandra", "cassandra"));
+            Message.Response authResult = client.execute(authResponse);
+
+            assertTrue("Authentication should succeed with default authenticator",
+                       authResult instanceof AuthSuccess);
+        }
+        catch (IOException e)
+        {
+            fail("Error establishing connection: " + e.getMessage());
+        }
+    }
+
+    // Scenario 2: "Short" negotiation - client skips sending Options message and immediately sends STARTUP with
+    // a list of authenticators it can use.
+    @Test
+    public void testShortNegotiationHandshake()
+    {
+        try (SimpleClient client = SimpleClient.builder(nativeAddr.getHostAddress(), nativePort).build())
+        {
+            client.establishConnection();
+            StartupMessage startup = new StartupMessage(Map.of(CQL_VERSION, QueryProcessor.CQL_VERSION.toString(),
+                                                               AUTHENTICATORS, "Password,MutualTls,Unauthenticated"));
+            Message.Response startupResponse = client.execute(startup);
+
+            assertTrue("Server should respond with AUTHENTICATE", startupResponse instanceof AuthenticateMessage);
+            assertEquals(((AuthenticateMessage) startupResponse).authenticator,
+                         AuthTestUtils.LocalPasswordAuthenticator.class.getName());
+
+            AuthResponse authResponse = new AuthResponse(getToken("cassandra", "cassandra"));
+            Message.Response authResult = client.execute(authResponse);
+
+            assertTrue("Authentication should succeed with correct credentials",
+                       authResult instanceof AuthSuccess);
+        }
+        catch (IOException e)
+        {
+            fail("Error establishing connection: " + e.getMessage());
+        }
+    }
+
+    // Scenario 3: Non-negotiating client + Negotiating server
+    // Client sends STARTUP without AUTHENTICATORS option, server falls back to default authenticator
+    @Test
+    public void testNonNegotiatingClientWithNegotiatingServer()
+    {
+        try (SimpleClient client = SimpleClient.builder(nativeAddr.getHostAddress(), nativePort).build())
+        {
+            // Non-negotiating client: STARTUP without AUTHENTICATORS
+            client.establishConnection();
+            StartupMessage startup = new StartupMessage(Map.of(CQL_VERSION, QueryProcessor.CQL_VERSION.toString()));
+            Message.Response startupResponse = client.execute(startup);
+
+            assertTrue("Server should respond with AUTHENTICATE for non-negotiating client",
+                       startupResponse instanceof AuthenticateMessage);
+            assertEquals(((AuthenticateMessage) startupResponse).authenticator,
+                         AuthTestUtils.LocalDefaultPasswordAuthenticator.class.getName());
+
+            // Complete authentication with default authenticator (Password)
+            AuthResponse authResponse = new AuthResponse(getToken("cassandra", "cassandra"));
+            Message.Response authResult = client.execute(authResponse);
+
+            assertTrue("Authentication should succeed with default authenticator",
+                       authResult instanceof AuthSuccess);
+        }
+        catch (IOException e)
+        {
+            fail("Error establishing connection: " + e.getMessage());
+        }
+    }
+
+    // Scenario 4: Full negotiation - no matching authenticators, falls back to default
+    @Test
+    public void testFullNegotiationNoMatch()
+    {
+        try (SimpleClient client = SimpleClient.builder(nativeAddr.getHostAddress(), nativePort).build())
+        {
+            // Client offers authenticators the server doesn't support
+            client.establishConnection();
+            StartupMessage startup = new StartupMessage(Map.of(CQL_VERSION, QueryProcessor.CQL_VERSION.toString(),
+                                                               AUTHENTICATORS, "Kerberos,OAuth,JWT"));
+            Message.Response startupResponse = client.execute(startup, false);
+
+            assertTrue("Server should respond with AUTHENTICATE using default authenticator when no match",
+                      startupResponse instanceof AuthenticateMessage);
+            assertEquals(((AuthenticateMessage) startupResponse).authenticator,
+                         AuthTestUtils.LocalDefaultPasswordAuthenticator.class.getName());
+
+            // Complete authentication with default authenticator (Password)
+            AuthResponse authResponse = new AuthResponse(getToken("cassandra", "cassandra"));
+            Message.Response authResult = client.execute(authResponse);
+
+            assertTrue("Authentication should succeed with default authenticator",
+                       authResult instanceof AuthSuccess);
+        }
+        catch (IOException e)
+        {
+            fail("Error establishing connection: " + e.getMessage());
+        }
+    }
+
+    // Scenario 5: Full negotiation - failed authentication
+    @Test
+    public void testNegotiatedAuthenticationFailure()
+    {
+        try (SimpleClient client = SimpleClient.builder(nativeAddr.getHostAddress(), nativePort).build())
+        {
+            client.establishConnection();
+            StartupMessage startup = new StartupMessage(Map.of(CQL_VERSION, QueryProcessor.CQL_VERSION.toString(),
+                                                               AUTHENTICATORS, "Password,MutualTls,Unauthenticated"));
+            Message.Response startupResponse = client.execute(startup);
+
+            assertTrue("Server should respond with AUTHENTICATE", startupResponse instanceof AuthenticateMessage);
+            assertEquals(((AuthenticateMessage) startupResponse).authenticator,
+                         AuthTestUtils.LocalPasswordAuthenticator.class.getName());
+
+            AuthResponse authResponse = new AuthResponse(getToken("cassandra", "badpassword"));
+            Message.Response response = client.execute(authResponse, false);
+
+            if (response instanceof ErrorMessage)
+            {
+                ErrorMessage errorMessage = (ErrorMessage) response;
+                assertTrue("Expected AuthenticationException, got: " + errorMessage.error,
+                          errorMessage.error instanceof AuthenticationException);
+            }
+            else
+            {
+                fail("Expected ErrorMessage but got: " + response);
+            }
+        }
+        catch (IOException e)
+        {
+            fail("Error establishing connection: " + e.getMessage());
+        }
+    }
+}
diff --git a/test/unit/org/apache/cassandra/transport/NonNegotiatedAuthenticationTest.java b/test/unit/org/apache/cassandra/transport/NonNegotiatedAuthenticationTest.java
new file mode 100644
index 000000000000..cf6bf3252573
--- /dev/null
+++ b/test/unit/org/apache/cassandra/transport/NonNegotiatedAuthenticationTest.java
@@ -0,0 +1,130 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cassandra.transport;
+
+import java.io.IOException;
+import java.util.Map;
+
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import org.apache.cassandra.cql3.CQLTester;
+import org.apache.cassandra.cql3.QueryProcessor;
+import org.apache.cassandra.transport.messages.AuthResponse;
+import org.apache.cassandra.transport.messages.AuthSuccess;
+import org.apache.cassandra.transport.messages.AuthenticateMessage;
+import org.apache.cassandra.transport.messages.OptionsMessage;
+import org.apache.cassandra.transport.messages.StartupMessage;
+import org.apache.cassandra.transport.messages.SupportedMessage;
+
+import static org.apache.cassandra.auth.AuthTestUtils.getToken;
+import static org.apache.cassandra.transport.messages.StartupMessage.AUTHENTICATORS;
+import static org.apache.cassandra.transport.messages.StartupMessage.CQL_VERSION;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+/**
+ * Tests authentication protocol flow when server does NOT support negotiation.
+ * Covers scenario 3 from CEP-50: Negotiating client + Non-negotiating server.
+ */
+public class NonNegotiatedAuthenticationTest extends CQLTester
+{
+    @BeforeClass
+    public static void setup()
+    {
+        requireNetwork();
+        requireAuthentication();
+    }
+
+    // Scenario 1: Negotiating client + Non-negotiating server
+    // Client sends OPTIONS, server SUPPORTED lacks AUTHENTICATORS, client falls back
+    @Test
+    public void testNegotiatingClientWithNonNegotiatingServer()
+    {
+        try (SimpleClient client = SimpleClient.builder(nativeAddr.getHostAddress(), nativePort).build())
+        {
+            // Negotiating client: send OPTIONS first
+            client.establishConnection();
+            OptionsMessage options = new OptionsMessage();
+            Message.Response optionsResponse = client.execute(options);
+
+            assertTrue("Server should respond with SUPPORTED", optionsResponse instanceof SupportedMessage);
+
+            SupportedMessage supported = (SupportedMessage) optionsResponse;
+            assertFalse("Non-negotiating server should not include AUTHENTICATORS in SUPPORTED",
+                       supported.supported.containsKey(AUTHENTICATORS));
+
+            // Client detects no negotiation support, sends STARTUP without AUTHENTICATORS
+            StartupMessage startup = new StartupMessage(Map.of(CQL_VERSION, QueryProcessor.CQL_VERSION.toString()));
+            Message.Response startupResponse = client.execute(startup);
+
+            assertTrue("Server should respond with AUTHENTICATE", startupResponse instanceof AuthenticateMessage);
+
+            // Complete authentication
+            AuthResponse authResponse = new AuthResponse(getToken("cassandra", "cassandra"));
+            Message.Response authResult = client.execute(authResponse);
+
+            assertTrue("Authentication should succeed", authResult instanceof AuthSuccess);
+        }
+        catch (IOException e)
+        {
+            fail("Error establishing connection: " + e.getMessage());
+        }
+    }
+
+
+    // Scenario 2: Stubborn negotiating client + Non-negotiating server.
+    // Client sends OPTIONS, server SUPPORTED lacks AUTHENTICATORS, client sends authenticators with STARTUP message
+    // anyway, server ignores and executes non-negotiating auth flow.
+    @Test
+    public void testStubbornNegotiatingClientWithNonNegotiatingServer()
+    {
+        try (SimpleClient client = SimpleClient.builder(nativeAddr.getHostAddress(), nativePort).build())
+        {
+            // Negotiating client: send OPTIONS first
+            client.establishConnection();
+            OptionsMessage options = new OptionsMessage();
+            Message.Response optionsResponse = client.execute(options);
+
+            assertTrue("Server should respond with SUPPORTED", optionsResponse instanceof SupportedMessage);
+
+            SupportedMessage supported = (SupportedMessage) optionsResponse;
+            assertFalse("Non-negotiating server should not include AUTHENTICATORS in SUPPORTED",
+                        supported.supported.containsKey(AUTHENTICATORS));
+
+            // Client ignores signal that server lacks negotiation support, sends STARTUP with AUTHENTICATORS
+            StartupMessage startup = new StartupMessage(Map.of(CQL_VERSION, QueryProcessor.CQL_VERSION.toString(),
+                                                               AUTHENTICATORS, "Password,MutualTls,Unauthenticated"));
+            Message.Response startupResponse = client.execute(startup);
+
+            assertTrue("Server should respond with AUTHENTICATE", startupResponse instanceof AuthenticateMessage);
+
+            // Complete authentication
+            AuthResponse authResponse = new AuthResponse(getToken("cassandra", "cassandra"));
+            Message.Response authResult = client.execute(authResponse);
+
+            assertTrue("Authentication should succeed", authResult instanceof AuthSuccess);
+        }
+        catch (IOException e)
+        {
+            fail("Error establishing connection: " + e.getMessage());
+        }
+    }
+}

From 893692a3055a5b5c26b3d3c2232c3eeeb190f680 Mon Sep 17 00:00:00 2001
From: Joel Shepherd <shepherd@amazon.com>
Date: Thu, 19 Mar 2026 17:40:13 +0000
Subject: [PATCH 10/30] Correcting test configuration to specify the default
 authenticator as an object, not a list, and adding notes on why it matters.
 Still a sharp edge ...

---
 .../org/apache/cassandra/auth/AuthConfig.java | 34 ++++++++++++-------
 test/conf/cassandra-auth-negotiation.yaml     |  2 +-
 .../apache/cassandra/auth/AuthConfigTest.java |  2 +-
 3 files changed, 23 insertions(+), 15 deletions(-)

diff --git a/src/java/org/apache/cassandra/auth/AuthConfig.java b/src/java/org/apache/cassandra/auth/AuthConfig.java
index 78509204c679..f59b24a0285a 100644
--- a/src/java/org/apache/cassandra/auth/AuthConfig.java
+++ b/src/java/org/apache/cassandra/auth/AuthConfig.java
@@ -126,19 +126,27 @@ public static void applyAuth()
                     // that we have.
                     // TODO - This comparison is potentially broken because depending on how the authenticator
                     //  is configured in YAML, this equals() may or may not work. The parameterized class created
-                    //  from 'default_authenticator: PasswordAuthenticator' is different from that created from
-                    //  'default_authenticator:\n\t- class_name: PasswordAuthenticator'. The ParameterizedClass
-                    //  instance created by SnakeYAML will have an _empty_ parameters member with the first form,
-                    //  and a _null_ parameters member with the second form. This causes ParameterizedClass.equals()
-                    //  to return 'false' when those two ParameterizedClass objects are compared ... which is probably
-                    //  incorrect. I'm not sure how to resolve this right now. For now the unit tests pass but this
-                    //  does introduce the risk of trying to instantiate the same authenticator twice, and not all
-                    //  authenticators can tolerate that.
-                    //if (clazz.equals(conf.authenticator_negotiation.default_authenticator))
-                    //{
-                    //    negotiableAuthenticators.add(defaultAuthenticator);
-                    //    continue;
-                    //}
+                    //  from 'default_authenticator: PasswordAuthenticator' or
+                    //  'default_authenticator:\n\tclass_name: PasswordAuthenticator'
+                    //  is different from that created from
+                    //  'default_authenticator:\n\t- class_name: PasswordAuthenticator'.
+                    //  The latter, inadvertantly, attempts to set default_authenticator to a list (indicated by the '-').
+                    //  Since default_authenticator isn't a list, SnakeYAML grabs the first list element and constructs
+                    //  the ParameterizedClass instance using the default constructor and reflection, which results in
+                    //  'parameters' being null instead of being an empty map which is what the first two forms will
+                    //  create. This causes ParameterizedClass.equals() to return 'false' when a ParameterizedClass
+                    //  generated from the 'authenticators' list is compared to the default_authenticator if the default
+                    //  authenticator was specified using that third form (list style). This results in the default
+                    //  authenticator being placed at the end of the authenticators list instead of in its
+                    //  configured order, which can lead to the negotiator picking a weaker authenticator than the order
+                    //  of authenticators in the configuration indicates. I'm not sure how to resolve this right now.
+                    //  One possibility is to 'fix' the equals() and hashCode() methods in ParameterizedClass to treat
+                    //  null and empty 'parameters' the same (by coercing null to empty).
+                    if (clazz.equals(conf.authenticator_negotiation.default_authenticator))
+                    {
+                        negotiableAuthenticators.add(defaultAuthenticator);
+                        continue;
+                    }
 
                     Optional<IAuthenticator> authenticator = authInstantiate(clazz);
 
diff --git a/test/conf/cassandra-auth-negotiation.yaml b/test/conf/cassandra-auth-negotiation.yaml
index a5736a83166d..3d2db9b7ed27 100644
--- a/test/conf/cassandra-auth-negotiation.yaml
+++ b/test/conf/cassandra-auth-negotiation.yaml
@@ -89,7 +89,7 @@ authenticator_negotiation:
   enabled: true
   require_authentication: true
   default_authenticator:
-    - class_name: PasswordAuthenticator
+    class_name: PasswordAuthenticator
   authenticators:
     - class_name: MutualTlsAuthenticator
       parameters:
diff --git a/test/unit/org/apache/cassandra/auth/AuthConfigTest.java b/test/unit/org/apache/cassandra/auth/AuthConfigTest.java
index 08cbd2f059f2..74d49765dc3d 100644
--- a/test/unit/org/apache/cassandra/auth/AuthConfigTest.java
+++ b/test/unit/org/apache/cassandra/auth/AuthConfigTest.java
@@ -80,7 +80,7 @@ public void testConfigureAuthenticatorNegotiation()
         List<IAuthenticator> negotiableAuthenticators = DatabaseDescriptor.getNegotiableAuthenticators();
         assertNotNull(negotiableAuthenticators);
         // TODO - See TODO in AuthConfig. Right now we're adding the PasswordAuthenticator twice.
-        assertEquals(4, negotiableAuthenticators.size());
+        assertEquals(3, negotiableAuthenticators.size());
         assertTrue(DatabaseDescriptor.getAuthenticator(PasswordAuthenticator.class).isPresent());
         assertTrue(DatabaseDescriptor.getAuthenticator(MutualTlsAuthenticator.class).isPresent());
         assertTrue(DatabaseDescriptor.getAuthenticator(AllowAllAuthenticator.class).isPresent());

From 10e02f10ac7561068915e14feae7fb4d327f16f2 Mon Sep 17 00:00:00 2001
From: Joel Shepherd <shepherd@amazon.com>
Date: Thu, 19 Mar 2026 17:44:47 +0000
Subject: [PATCH 11/30] Correct default_authenticator specification from
 list-style toobject-style

---
 conf/cassandra.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/conf/cassandra.yaml b/conf/cassandra.yaml
index 1c4594805899..0807c1fef90d 100644
--- a/conf/cassandra.yaml
+++ b/conf/cassandra.yaml
@@ -222,7 +222,7 @@ authenticator_negotiation:
   # The authenticator to be used for clients that don't support negotiation, or clients that support none of
   # the authenticators listed in the 'authenticators' section.
   default_authenticator:
-    - class_name: PasswordAuthenticator
+    class_name: PasswordAuthenticator
   # The authenticators that this node supports for negotiation. These are configured as documented for the
   # 'authenticator' section. List authenticators in order from most- to least-preferred. For negotiating
   # clients, the server will select the first authenticator in this list that the client indicates it can

From 08215cd3f35f9b5af37171bed8f2060fd8eec148 Mon Sep 17 00:00:00 2001
From: Joel Shepherd <shepherd@amazon.com>
Date: Wed, 25 Mar 2026 23:56:58 +0000
Subject: [PATCH 12/30] ClientState.isOrdinaryUser() avoids checks on
 authentication being enabled during node initialization, when all clients are
 system/internal

---
 src/java/org/apache/cassandra/service/ClientState.java | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/java/org/apache/cassandra/service/ClientState.java b/src/java/org/apache/cassandra/service/ClientState.java
index c119d5f4c333..8fd2865c731c 100644
--- a/src/java/org/apache/cassandra/service/ClientState.java
+++ b/src/java/org/apache/cassandra/service/ClientState.java
@@ -620,7 +620,9 @@ public void ensureNotAnonymous()
      */
     public boolean isOrdinaryUser()
     {
-        return !isSuper() && !isSystem();
+        // isSuper() depends on auth setup being complete. Prior to that, all clients are system only,
+        // so check that first to avoid warnings during node startup.
+        return !isSystem() && !isSuper();
     }
 
     /**

From b8ed818a51cd9d395d1d065c31c412e0ff35d619 Mon Sep 17 00:00:00 2001
From: Joel Shepherd <shepherd@amazon.com>
Date: Thu, 26 Mar 2026 00:03:34 +0000
Subject: [PATCH 13/30] ServerConnection uses per-client authenticator for the
 authentication handshake, client super- and anonymous-user determination is
 made based on the authenticator used by the client, not the node's default
 authenticator

---
 .../apache/cassandra/service/ClientState.java | 46 +++++++++++++++++--
 .../cassandra/transport/ServerConnection.java | 15 +++---
 .../transport/messages/StartupMessage.java    |  3 ++
 3 files changed, 53 insertions(+), 11 deletions(-)

diff --git a/src/java/org/apache/cassandra/service/ClientState.java b/src/java/org/apache/cassandra/service/ClientState.java
index 8fd2865c731c..30649597f087 100644
--- a/src/java/org/apache/cassandra/service/ClientState.java
+++ b/src/java/org/apache/cassandra/service/ClientState.java
@@ -39,6 +39,7 @@
 import org.apache.cassandra.auth.AuthenticatedUser;
 import org.apache.cassandra.auth.DataResource;
 import org.apache.cassandra.auth.FunctionResource;
+import org.apache.cassandra.auth.IAuthenticator;
 import org.apache.cassandra.auth.IResource;
 import org.apache.cassandra.auth.Permission;
 import org.apache.cassandra.auth.Resources;
@@ -115,6 +116,9 @@ public class ClientState
     private volatile boolean issuedPreparedStatementsUseWarning;
     private volatile boolean issuedWarningForUneligiblePreparedStatements;
 
+    // The authenticator used for this connection (set after negotiation/selection)
+    private volatile IAuthenticator authenticator;
+
     private static final QueryHandler cqlQueryHandler;
     static
     {
@@ -199,8 +203,6 @@ protected ClientState(InetSocketAddress remoteAddress)
     {
         this.isInternal = false;
         this.remoteAddress = remoteAddress;
-        if (!DatabaseDescriptor.isAuthenticationRequired())
-            this.user = AuthenticatedUser.ANONYMOUS_USER;
     }
 
     protected ClientState(ClientState source)
@@ -212,6 +214,7 @@ protected ClientState(ClientState source)
         this.driverName = source.driverName;
         this.driverVersion = source.driverVersion;
         this.clientOptions = source.clientOptions;
+        this.authenticator = source.authenticator;
     }
 
     /**
@@ -409,6 +412,31 @@ public void login(AuthenticatedUser user)
             throw new AuthenticationException(String.format("%s is not permitted to log in", user.getName()));
     }
 
+    /**
+     * Sets the authenticator used for this connection.
+     * Should be called after authenticator negotiation/selection completes.
+     * If the authenticator doesn't require authentication, sets the user to anonymous.
+     *
+     * @throws IllegalStateException if authenticator has already been set
+     */
+    public void setAuthenticator(IAuthenticator authenticator)
+    {
+        if (this.authenticator != null)
+            throw new IllegalStateException("Authenticator already set for this connection");
+
+        this.authenticator = authenticator;
+        if (!authenticator.requireAuthentication())
+            this.user = AuthenticatedUser.ANONYMOUS_USER;
+    }
+
+    /**
+     * Returns the authenticator used for this connection, or null if not yet set.
+     */
+    public IAuthenticator getAuthenticator()
+    {
+        return authenticator;
+    }
+
     private boolean canLogin(AuthenticatedUser user)
     {
         try
@@ -630,7 +658,19 @@ public boolean isOrdinaryUser()
      */
     public boolean isSuper()
     {
-        return !DatabaseDescriptor.isAuthenticationRequired() || (user != null && user.isSuper());
+        // TODO: If AllowAllAuthenticator is used as a fallback in negotiation, should clients
+        // who didn't authenticate have superuser privileges while authenticated clients need
+        // explicit grants? This may need policy consideration.
+
+        // Authenticator should always be set before this is called in normal operation.
+        // If not set (e.g., internal clients or test code), fall back to global check.
+        if (authenticator == null)
+        {
+            logger.warn("isSuper() called before authenticator was set - this should not happen in normal operation");
+            return !DatabaseDescriptor.isAuthenticationRequired() || (user != null && user.isSuper());
+        }
+
+        return !authenticator.requireAuthentication() || (user != null && user.isSuper());
     }
 
     /**
diff --git a/src/java/org/apache/cassandra/transport/ServerConnection.java b/src/java/org/apache/cassandra/transport/ServerConnection.java
index 50986d1b27e6..0cb80d75c6fb 100644
--- a/src/java/org/apache/cassandra/transport/ServerConnection.java
+++ b/src/java/org/apache/cassandra/transport/ServerConnection.java
@@ -27,7 +27,6 @@
 import org.slf4j.LoggerFactory;
 
 import org.apache.cassandra.auth.IAuthenticator;
-import org.apache.cassandra.config.DatabaseDescriptor;
 import org.apache.cassandra.service.ClientState;
 import org.apache.cassandra.service.QueryState;
 
@@ -38,7 +37,6 @@ public class ServerConnection extends Connection
 {
     private static final Logger logger = LoggerFactory.getLogger(ServerConnection.class);
 
-    private volatile IAuthenticator.SaslNegotiator saslNegotiator;
     private final ClientState clientState;
     private volatile ConnectionStage stage;
     public final Counter requests = new Counter();
@@ -105,8 +103,6 @@ else if (responseType == Message.Type.READY)
                 if (responseType == Message.Type.READY || responseType == Message.Type.AUTH_SUCCESS)
                 {
                     stage = ConnectionStage.READY;
-                    // we won't use the authenticator again, null it so that it can be GC'd
-                    saslNegotiator = null;
                 }
                 break;
             case READY:
@@ -118,10 +114,13 @@ else if (responseType == Message.Type.READY)
 
     public IAuthenticator.SaslNegotiator getSaslNegotiator(QueryState queryState)
     {
-        if (saslNegotiator == null)
-            saslNegotiator = DatabaseDescriptor.getAuthenticator()
-                                               .newSaslNegotiator(queryState.getClientAddress(), certificates());
-        return saslNegotiator;
+        // Get the authenticator that was negotiated/selected for this connection
+        IAuthenticator authenticator = queryState.getClientState().getAuthenticator();
+        
+        if (authenticator == null)
+            throw new IllegalStateException("Authenticator must be set in ClientState before creating SASL negotiator");
+        
+        return authenticator.newSaslNegotiator(queryState.getClientAddress(), certificates());
     }
 
     private Certificate[] certificates()
diff --git a/src/java/org/apache/cassandra/transport/messages/StartupMessage.java b/src/java/org/apache/cassandra/transport/messages/StartupMessage.java
index 8d8c5f20779a..a2f5ebab7292 100644
--- a/src/java/org/apache/cassandra/transport/messages/StartupMessage.java
+++ b/src/java/org/apache/cassandra/transport/messages/StartupMessage.java
@@ -137,6 +137,9 @@ else if (compression.equals("lz4"))
         Set<String> clientAuthenticators = Set.of(StringUtils.defaultIfEmpty(options.get(AUTHENTICATORS), StringUtils.EMPTY).split(","));
 
         IAuthenticator authenticator = AuthenticatorNegotiator.negotiateAuthenticator(clientAuthenticators);
+        
+        // Set the authenticator for this connection
+        clientState.setAuthenticator(authenticator);
 
         if (!authenticator.requireAuthentication()) {
             return new ReadyMessage();

From 7331da2be0eac15e185a5162138132a57ef76f66 Mon Sep 17 00:00:00 2001
From: Joel Shepherd <shepherd@amazon.com>
Date: Thu, 26 Mar 2026 00:08:38 +0000
Subject: [PATCH 14/30] Grrr ... Whitespace cleanup on the previous commit

---
 src/java/org/apache/cassandra/transport/ServerConnection.java | 4 ++--
 .../apache/cassandra/transport/messages/StartupMessage.java   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/java/org/apache/cassandra/transport/ServerConnection.java b/src/java/org/apache/cassandra/transport/ServerConnection.java
index 0cb80d75c6fb..c55d33ddca2c 100644
--- a/src/java/org/apache/cassandra/transport/ServerConnection.java
+++ b/src/java/org/apache/cassandra/transport/ServerConnection.java
@@ -116,10 +116,10 @@ public IAuthenticator.SaslNegotiator getSaslNegotiator(QueryState queryState)
     {
         // Get the authenticator that was negotiated/selected for this connection
         IAuthenticator authenticator = queryState.getClientState().getAuthenticator();
-        
+
         if (authenticator == null)
             throw new IllegalStateException("Authenticator must be set in ClientState before creating SASL negotiator");
-        
+
         return authenticator.newSaslNegotiator(queryState.getClientAddress(), certificates());
     }
 
diff --git a/src/java/org/apache/cassandra/transport/messages/StartupMessage.java b/src/java/org/apache/cassandra/transport/messages/StartupMessage.java
index a2f5ebab7292..82e7781c55ee 100644
--- a/src/java/org/apache/cassandra/transport/messages/StartupMessage.java
+++ b/src/java/org/apache/cassandra/transport/messages/StartupMessage.java
@@ -137,7 +137,7 @@ else if (compression.equals("lz4"))
         Set<String> clientAuthenticators = Set.of(StringUtils.defaultIfEmpty(options.get(AUTHENTICATORS), StringUtils.EMPTY).split(","));
 
         IAuthenticator authenticator = AuthenticatorNegotiator.negotiateAuthenticator(clientAuthenticators);
-        
+
         // Set the authenticator for this connection
         clientState.setAuthenticator(authenticator);
 

From f1b9315280e5eb290085762ae5e066382c3e399b Mon Sep 17 00:00:00 2001
From: Joel Shepherd <shepherd@amazon.com>
Date: Thu, 26 Mar 2026 00:28:09 +0000
Subject: [PATCH 15/30] CassandraDaemon handles auth setup during node
 initialization, instead of StorageService. Auth setup includes ensuring all
 negotiable authenticators are initialized.

---
 .../cassandra/auth/CassandraLoginModule.java  |  4 +-
 .../cassandra/service/CassandraDaemon.java    | 74 +++++++++++++++++-
 .../cassandra/service/StorageService.java     | 37 ---------
 .../cassandra/distributed/impl/Instance.java  |  2 +-
 .../org/apache/cassandra/cql3/CQLTester.java  | 78 +++++++++++++------
 5 files changed, 131 insertions(+), 64 deletions(-)

diff --git a/src/java/org/apache/cassandra/auth/CassandraLoginModule.java b/src/java/org/apache/cassandra/auth/CassandraLoginModule.java
index 6579d381ff5c..f703000905a3 100644
--- a/src/java/org/apache/cassandra/auth/CassandraLoginModule.java
+++ b/src/java/org/apache/cassandra/auth/CassandraLoginModule.java
@@ -36,7 +36,7 @@
 
 import org.apache.cassandra.config.DatabaseDescriptor;
 import org.apache.cassandra.exceptions.AuthenticationException;
-import org.apache.cassandra.service.StorageService;
+import org.apache.cassandra.service.CassandraDaemon;
 
 /**
  * LoginModule which authenticates a user towards the Cassandra database using the default authentication
@@ -140,7 +140,7 @@ public boolean login() throws LoginException
 
     private void authenticate()
     {
-        if (!StorageService.instance.isAuthSetupComplete())
+        if (!CassandraDaemon.isAuthSetupComplete())
             throw new AuthenticationException("Cannot login as server authentication setup is not yet completed");
 
         IAuthenticator authenticator = DatabaseDescriptor.getDefaultAuthenticator();
diff --git a/src/java/org/apache/cassandra/service/CassandraDaemon.java b/src/java/org/apache/cassandra/service/CassandraDaemon.java
index 8c8c53ad3ec1..7a87d064f1b2 100644
--- a/src/java/org/apache/cassandra/service/CassandraDaemon.java
+++ b/src/java/org/apache/cassandra/service/CassandraDaemon.java
@@ -35,6 +35,7 @@
 import java.util.Set;
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.TimeUnit;
+import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.function.Predicate;
 import java.util.stream.Stream;
 
@@ -53,7 +54,9 @@
 
 import org.apache.cassandra.audit.AuditLogManager;
 import org.apache.cassandra.auth.AuthCacheService;
+import org.apache.cassandra.auth.AuthSchemaChangeListener;
 import org.apache.cassandra.auth.AuthenticatedUser;
+import org.apache.cassandra.auth.IAuthenticator;
 import org.apache.cassandra.concurrent.ScheduledExecutors;
 import org.apache.cassandra.config.CassandraRelevantProperties;
 import org.apache.cassandra.config.DatabaseDescriptor;
@@ -419,7 +422,7 @@ protected void setup()
         };
 
         ScheduledExecutors.optionalTasks.schedule(viewRebuild, StorageService.RING_DELAY_MILLIS, TimeUnit.MILLISECONDS);
-        StorageService.instance.doAuthSetup();
+        doAuthSetup();
 
         // Apply overrides before re-enabling auto-compaction
         setCompactionStrategyOverrides(Schema.instance.getKeyspaces());
@@ -634,6 +637,75 @@ else if (ksTable.length == 2)
         return entitiesToChangeCompaction;
     }
 
+    // Auth setup state - static so it can be accessed from anywhere
+    private static final AtomicBoolean authSetupCalled = new AtomicBoolean(CassandraRelevantProperties.SKIP_AUTH_SETUP.getBoolean());
+    private static volatile boolean authSetupComplete = false;
+
+    /**
+     * Initialize authentication and authorization subsystems.
+     * This should be called after storage initialization since auth data is stored in system tables.
+     */
+    public static void doAuthSetup()
+    {
+        doAuthSetup(true);
+    }
+
+    /**
+     * Initialize authentication and authorization subsystems.
+     *
+     * @param async if true, initialize the role manager asynchronously
+     */
+    @VisibleForTesting
+    public static void doAuthSetup(boolean async)
+    {
+        if (!authSetupCalled.getAndSet(true))
+        {
+            DatabaseDescriptor.getRoleManager().setup(async);
+
+            // Call setup() on all negotiable authenticators (includes default authenticator)
+            List<IAuthenticator> authenticators = DatabaseDescriptor.getNegotiableAuthenticators();
+            if (authenticators.isEmpty())
+            {
+                // Fallback: if negotiation not configured, setup default authenticator
+                DatabaseDescriptor.getDefaultAuthenticator().setup();
+            }
+            else
+            {
+                for (IAuthenticator authenticator : authenticators)
+                    authenticator.setup();
+            }
+
+            DatabaseDescriptor.getAuthorizer().setup();
+            DatabaseDescriptor.getNetworkAuthorizer().setup();
+            DatabaseDescriptor.getCIDRAuthorizer().setup();
+            AuthCacheService.initializeAndRegisterCaches();
+            Schema.instance.registerListener(new AuthSchemaChangeListener());
+            authSetupComplete = true;
+        }
+    }
+
+    public static boolean isAuthSetupComplete()
+    {
+        return authSetupComplete;
+    }
+
+    @VisibleForTesting
+    public static boolean authSetupCalled()
+    {
+        return authSetupCalled.get();
+    }
+
+    /**
+     * Reset auth setup state for testing purposes.
+     * This allows tests to re-run auth setup in the same JVM.
+     */
+    @VisibleForTesting
+    public static void resetAuthSetup()
+    {
+        authSetupCalled.set(false);
+        authSetupComplete = false;
+    }
+
     public void setupVirtualKeyspaces()
     {
         VirtualKeyspaceRegistry.instance.register(VirtualSchemaKeyspace.instance);
diff --git a/src/java/org/apache/cassandra/service/StorageService.java b/src/java/org/apache/cassandra/service/StorageService.java
index 424df75b97d3..9882ef041352 100644
--- a/src/java/org/apache/cassandra/service/StorageService.java
+++ b/src/java/org/apache/cassandra/service/StorageService.java
@@ -44,7 +44,6 @@
 import java.util.concurrent.ThreadLocalRandom;
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.TimeoutException;
-import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.concurrent.atomic.AtomicInteger;
 import java.util.concurrent.atomic.AtomicReference;
 import java.util.function.Supplier;
@@ -81,8 +80,6 @@
 
 import org.apache.cassandra.audit.AuditLogManager;
 import org.apache.cassandra.audit.AuditLogOptions;
-import org.apache.cassandra.auth.AuthCacheService;
-import org.apache.cassandra.auth.AuthSchemaChangeListener;
 import org.apache.cassandra.batchlog.BatchlogManager;
 import org.apache.cassandra.concurrent.ExecutorLocals;
 import org.apache.cassandra.concurrent.FutureTask;
@@ -473,8 +470,6 @@ public static List<Range<Token>> getAllRanges(List<Token> sortedTokens)
     private boolean isSurveyMode = TEST_WRITE_SURVEY.getBoolean(false);
     /* true if node is rebuilding and receiving data */
     private volatile boolean initialized = false;
-    private final AtomicBoolean authSetupCalled = new AtomicBoolean(CassandraRelevantProperties.SKIP_AUTH_SETUP.getBoolean());
-    private volatile boolean authSetupComplete = false;
 
     /* the probability for tracing any particular request, 0 disables tracing and 1 enables for all */
     private double traceProbability = 0.0;
@@ -1123,27 +1118,6 @@ private void exitWriteSurveyMode()
         InProgressSequences.finishInProgressSequences(id);
     }
 
-    void doAuthSetup()
-    {
-        doAuthSetup(true);
-    }
-
-    @VisibleForTesting
-    public void doAuthSetup(boolean async)
-    {
-        if (!authSetupCalled.getAndSet(true))
-        {
-            DatabaseDescriptor.getRoleManager().setup(async);
-            DatabaseDescriptor.getAuthenticator().setup();
-            DatabaseDescriptor.getAuthorizer().setup();
-            DatabaseDescriptor.getNetworkAuthorizer().setup();
-            DatabaseDescriptor.getCIDRAuthorizer().setup();
-            AuthCacheService.initializeAndRegisterCaches();
-            Schema.instance.registerListener(new AuthSchemaChangeListener());
-            authSetupComplete = true;
-        }
-    }
-
     public void doAutoRepairSetup()
     {
         AutoRepairService.setup();
@@ -1155,17 +1129,6 @@ public void doAutoRepairSetup()
         }
     }
 
-    public boolean isAuthSetupComplete()
-    {
-        return authSetupComplete;
-    }
-
-    @VisibleForTesting
-    public boolean authSetupCalled()
-    {
-        return authSetupCalled.get();
-    }
-
     public boolean isJoined()
     {
         return ClusterMetadata.current().myNodeState() == JOINED && !isSurveyMode;
diff --git a/test/distributed/org/apache/cassandra/distributed/impl/Instance.java b/test/distributed/org/apache/cassandra/distributed/impl/Instance.java
index 791465eb60f8..c63b70765b81 100644
--- a/test/distributed/org/apache/cassandra/distributed/impl/Instance.java
+++ b/test/distributed/org/apache/cassandra/distributed/impl/Instance.java
@@ -933,7 +933,7 @@ else if (cluster instanceof Cluster)
     public void postStartup()
     {
         sync(() ->
-            StorageService.instance.doAuthSetup(false)
+             CassandraDaemon.doAuthSetup(false)
         ).run();
     }
 
diff --git a/test/unit/org/apache/cassandra/cql3/CQLTester.java b/test/unit/org/apache/cassandra/cql3/CQLTester.java
index 7f48910e726d..98d4059daffa 100644
--- a/test/unit/org/apache/cassandra/cql3/CQLTester.java
+++ b/test/unit/org/apache/cassandra/cql3/CQLTester.java
@@ -111,8 +111,6 @@
 import org.apache.cassandra.SchemaLoader;
 import org.apache.cassandra.ServerTestUtils;
 import org.apache.cassandra.Util;
-import org.apache.cassandra.auth.AuthCacheService;
-import org.apache.cassandra.auth.AuthSchemaChangeListener;
 import org.apache.cassandra.auth.AuthTestUtils;
 import org.apache.cassandra.auth.IAuthenticator;
 import org.apache.cassandra.auth.IRoleManager;
@@ -185,6 +183,7 @@
 import org.apache.cassandra.schema.SchemaKeyspace;
 import org.apache.cassandra.schema.TableMetadata;
 import org.apache.cassandra.serializers.TypeSerializer;
+import org.apache.cassandra.service.CassandraDaemon;
 import org.apache.cassandra.service.ClientState;
 import org.apache.cassandra.service.ClientWarn;
 import org.apache.cassandra.service.QueryState;
@@ -633,7 +632,57 @@ protected static void requireAuthentication()
 
     protected static void requireAuthentication(final IAuthenticator authenticator)
     {
-        DatabaseDescriptor.setAuthenticator(authenticator);
+        // Setup for single authenticator mode (no negotiation)
+        DatabaseDescriptor.setDefaultAuthenticator(authenticator);
+        DatabaseDescriptor.setAuthenticatorNegotationEnabled(false);
+        DatabaseDescriptor.setNegotiableAuthenticators(List.of());
+
+        commonAuthSetup();
+    }
+
+    protected static void requireAuthenticatorNegotiation()
+    {
+        final Map<String, String> authenticatorParams = ImmutableMap.of("validator_class_name", SpiffeCertificateValidator.class.getSimpleName());
+        requireAuthenticatorNegotiation(new AuthTestUtils.LocalPasswordAuthenticator(), new AuthTestUtils.LocalMutualTLSAuthenticator(authenticatorParams));
+    }
+
+    protected static void requireAuthenticatorNegotiation(IAuthenticator... negotiableAuthenticators)
+    {
+        // Setup for negotiation mode with multiple authenticators
+        // Find or create the LocalPasswordAuthenticator instance that will be shared
+        AuthTestUtils.LocalPasswordAuthenticator passwordAuth = null;
+        for (IAuthenticator auth : negotiableAuthenticators)
+        {
+            if (auth instanceof AuthTestUtils.LocalPasswordAuthenticator)
+            {
+                passwordAuth = (AuthTestUtils.LocalPasswordAuthenticator) auth;
+                break;
+            }
+        }
+        if (passwordAuth == null)
+            passwordAuth = new AuthTestUtils.LocalPasswordAuthenticator();
+
+        // Create default authenticator that delegates to the shared instance
+        IAuthenticator defaultAuthenticator = new AuthTestUtils.LocalDefaultPasswordAuthenticator(passwordAuth);
+        DatabaseDescriptor.setDefaultAuthenticator(defaultAuthenticator);
+        DatabaseDescriptor.setAuthenticatorNegotationEnabled(true);
+
+        // Build negotiable list and ensure the shared password authenticator is included
+        List<IAuthenticator> negotiableList = new ArrayList<>(List.of(negotiableAuthenticators));
+        if (!negotiableList.contains(passwordAuth))
+            negotiableList.add(passwordAuth);
+
+        DatabaseDescriptor.setNegotiableAuthenticators(negotiableList);
+
+        commonAuthSetup();
+    }
+
+    /**
+     * Common auth setup for both single and negotiation modes.
+     * Sets up authorizers, role manager, and calls doAuthSetup().
+     */
+    private static void commonAuthSetup()
+    {
         DatabaseDescriptor.setAuthorizer(new AuthTestUtils.LocalCassandraAuthorizer());
         DatabaseDescriptor.setNetworkAuthorizer(new AuthTestUtils.LocalCassandraNetworkAuthorizer());
         DatabaseDescriptor.setCIDRAuthorizer(new AuthTestUtils.LocalCassandraCIDRAuthorizer());
@@ -653,27 +702,10 @@ public void setup()
         DatabaseDescriptor.setRoleManager(roleManager);
         //TODO
         //MigrationManager.announceNewKeyspace(AuthKeyspace.metadata(), true);
-        DatabaseDescriptor.getRoleManager().setup();
-        DatabaseDescriptor.getDefaultAuthenticator().setup();
-        DatabaseDescriptor.getAuthorizer().setup();
-        DatabaseDescriptor.getNetworkAuthorizer().setup();
-        DatabaseDescriptor.getCIDRAuthorizer().setup();
-        Schema.instance.registerListener(new AuthSchemaChangeListener());
-
-        AuthCacheService.initializeAndRegisterCaches();
-    }
 
-    protected static void requireAuthenticatorNegotiation()
-    {
-        final Map<String, String> authenticatorParams = ImmutableMap.of("validator_class_name", SpiffeCertificateValidator.class.getSimpleName());
-        requireAuthenticatorNegotiation(new AuthTestUtils.LocalPasswordAuthenticator(), new AuthTestUtils.LocalMutualTLSAuthenticator(authenticatorParams));
-    }
-
-    protected static void requireAuthenticatorNegotiation(IAuthenticator... negotiableAuthenticators)
-    {
-        DatabaseDescriptor.setAuthenticatorNegotationEnabled(true);
-        DatabaseDescriptor.setNegotiableAuthenticators(List.of(negotiableAuthenticators));
-        requireAuthentication(new AuthTestUtils.LocalDefaultPasswordAuthenticator());
+        // Use centralized auth setup - use sync mode for tests
+        CassandraDaemon.resetAuthSetup();
+        CassandraDaemon.doAuthSetup(false);  // false = synchronous setup for tests
     }
 
     /**

From 2fd1dfebfb8134dcb4d710ee20e42010cd6199e6 Mon Sep 17 00:00:00 2001
From: Joel Shepherd <shepherd@amazon.com>
Date: Thu, 26 Mar 2026 00:29:57 +0000
Subject: [PATCH 16/30] Missed from previous commit: JMX AuthorizationProxy
 calls CassandraDaemon to set up auth

---
 .../org/apache/cassandra/auth/jmx/AuthorizationProxy.java   | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/java/org/apache/cassandra/auth/jmx/AuthorizationProxy.java b/src/java/org/apache/cassandra/auth/jmx/AuthorizationProxy.java
index 183050b4c467..50c07447eb99 100644
--- a/src/java/org/apache/cassandra/auth/jmx/AuthorizationProxy.java
+++ b/src/java/org/apache/cassandra/auth/jmx/AuthorizationProxy.java
@@ -53,7 +53,7 @@
 import org.apache.cassandra.auth.RoleResource;
 import org.apache.cassandra.auth.Roles;
 import org.apache.cassandra.config.DatabaseDescriptor;
-import org.apache.cassandra.service.StorageService;
+import org.apache.cassandra.service.CassandraDaemon;
 import org.apache.cassandra.utils.JmxInvocationListener;
 import org.apache.cassandra.utils.MBeanWrapper;
 
@@ -148,10 +148,10 @@ public class AuthorizationProxy implements InvocationHandler
     protected Function<ObjectName, Set<ObjectName>> queryNames = (name) -> mbs.queryNames(name, null);
 
     /*
-     Used to determine whether auth setup has completed so we know whether the expect the IAuthorizer
+     Used to determine whether auth setup has completed so we know whether to expect the IAuthorizer
      to be ready. Can be overridden for testing.
      */
-    protected BooleanSupplier isAuthSetupComplete = () -> StorageService.instance.isAuthSetupComplete();
+    protected BooleanSupplier isAuthSetupComplete = () -> CassandraDaemon.isAuthSetupComplete();
 
     protected JmxInvocationListener listener = AuditLogManager.instance;
 

From aff2f725ba4246ee067c483359b772c0480f7e18 Mon Sep 17 00:00:00 2001
From: Joel Shepherd <shepherd@amazon.com>
Date: Thu, 26 Mar 2026 00:32:06 +0000
Subject: [PATCH 17/30] Missed from previous commit: d-test AuthTest calls
 CassandraDaemon to set up auth

---
 .../org/apache/cassandra/distributed/test/AuthTest.java       | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/test/distributed/org/apache/cassandra/distributed/test/AuthTest.java b/test/distributed/org/apache/cassandra/distributed/test/AuthTest.java
index 6e66921ad8ed..44ed777c93e3 100644
--- a/test/distributed/org/apache/cassandra/distributed/test/AuthTest.java
+++ b/test/distributed/org/apache/cassandra/distributed/test/AuthTest.java
@@ -37,7 +37,7 @@
 import org.apache.cassandra.distributed.api.TokenSupplier;
 import org.apache.cassandra.locator.SimpleSeedProvider;
 import org.apache.cassandra.net.Verb;
-import org.apache.cassandra.service.StorageService;
+import org.apache.cassandra.service.CassandraDaemon;
 
 import static java.util.concurrent.TimeUnit.SECONDS;
 import static org.apache.cassandra.distributed.api.Feature.GOSSIP;
@@ -64,7 +64,7 @@ public void authSetupIsCalledAfterStartup() throws IOException
             await().pollDelay(1, SECONDS)
                    .pollInterval(1, SECONDS)
                    .atMost(10, SECONDS)
-                   .until(() -> instance.callOnInstance(() -> StorageService.instance.authSetupCalled()));
+                   .until(() -> instance.callOnInstance(() -> CassandraDaemon.authSetupCalled()));
         }
     }
 

From c7b3ce26a6d091d9b09c68aadc6c37deff7272b1 Mon Sep 17 00:00:00 2001
From: Joel Shepherd <shepherd@amazon.com>
Date: Thu, 26 Mar 2026 00:34:28 +0000
Subject: [PATCH 18/30] DatabaseDescriptor's global authenticator now called
 defaultAuthenticator. Test updates to initialize client state and use a
 marker class to distinguish between authenticator returned by default vs by
 negotiation

---
 .../cassandra/config/DatabaseDescriptor.java  |  2 +-
 .../apache/cassandra/auth/AuthTestUtils.java  | 26 ++++++++++++++++++-
 .../transport/ConnectionTrackerTest.java      |  9 +++++--
 3 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/src/java/org/apache/cassandra/config/DatabaseDescriptor.java b/src/java/org/apache/cassandra/config/DatabaseDescriptor.java
index 569113220262..268f7fb78adf 100644
--- a/src/java/org/apache/cassandra/config/DatabaseDescriptor.java
+++ b/src/java/org/apache/cassandra/config/DatabaseDescriptor.java
@@ -2110,7 +2110,7 @@ public static void setDefaultAuthenticator(IAuthenticator authenticator)
      */
     public static boolean isAuthenticationRequired()
     {
-        return authenticator.requireAuthentication();
+        return defaultAuthenticator.requireAuthentication();
     }
 
     /**
diff --git a/test/unit/org/apache/cassandra/auth/AuthTestUtils.java b/test/unit/org/apache/cassandra/auth/AuthTestUtils.java
index 7ab130f3d977..2edd62c3d288 100644
--- a/test/unit/org/apache/cassandra/auth/AuthTestUtils.java
+++ b/test/unit/org/apache/cassandra/auth/AuthTestUtils.java
@@ -242,11 +242,35 @@ UntypedResultSet process(String query, ConsistencyLevel cl)
 
     /**
      * Functionally identical to LocalPasswordAuthenticator, but is used to differentiate between default and
-     * negotiated authenticators in negotiation test cases.
+     * negotiated authenticators in negotiation test cases. Delegates to a shared LocalPasswordAuthenticator
+     * instance to avoid duplicate cache initialization.
      */
     public static class LocalDefaultPasswordAuthenticator extends LocalPasswordAuthenticator
     {
+        private final LocalPasswordAuthenticator delegate;
 
+        public LocalDefaultPasswordAuthenticator(LocalPasswordAuthenticator delegate)
+        {
+            this.delegate = delegate;
+        }
+
+        @Override
+        public void setup()
+        {
+            // Delegate handles setup
+        }
+
+        @Override
+        public SaslNegotiator newSaslNegotiator(InetAddress clientAddress)
+        {
+            return delegate.newSaslNegotiator(clientAddress);
+        }
+
+        @Override
+        public AuthenticatedUser legacyAuthenticate(Map<String, String> credentials)
+        {
+            return delegate.legacyAuthenticate(credentials);
+        }
     }
 
     public static class LocalMutualTLSAuthenticator extends MutualTlsAuthenticator
diff --git a/test/unit/org/apache/cassandra/transport/ConnectionTrackerTest.java b/test/unit/org/apache/cassandra/transport/ConnectionTrackerTest.java
index 0664f6d6944b..f0783e1a7cdc 100644
--- a/test/unit/org/apache/cassandra/transport/ConnectionTrackerTest.java
+++ b/test/unit/org/apache/cassandra/transport/ConnectionTrackerTest.java
@@ -188,13 +188,18 @@ public boolean isRunning()
             }
         });
 
+        ClientState state = connection.getClientState();
+
+        // Set authenticator so ClientState behaves correctly
+        state.setAuthenticator(DatabaseDescriptor.getDefaultAuthenticator());
+
         if (user == null)
         {
+            // For anonymous connections, the authenticator should have already set ANONYMOUS_USER
+            // if authentication is not required
             return connection;
         }
 
-        ClientState state = connection.getClientState();
-
         ClientState spyState = Mockito.spy(state);
         Mockito.when(spyState.getUser()).thenReturn(user);
 

From a817da7b1ba6dbe7a72e9cb9bbddeec414e1df49 Mon Sep 17 00:00:00 2001
From: Joel Shepherd <shepherd@amazon.com>
Date: Thu, 26 Mar 2026 22:58:07 +0000
Subject: [PATCH 19/30] DatabaseDescriptor.isAuthenticationRequired() indicates
 if any configured authenticator requires authentication. ClientState
 disallows anonymous (unauthenticated) users from assuming super user
 privileges if any configured authenticator requires authentication.

---
 .../cassandra/config/DatabaseDescriptor.java  | 39 +++++++++++++++++--
 .../apache/cassandra/service/ClientState.java | 32 +++++++++++----
 2 files changed, 61 insertions(+), 10 deletions(-)

diff --git a/src/java/org/apache/cassandra/config/DatabaseDescriptor.java b/src/java/org/apache/cassandra/config/DatabaseDescriptor.java
index 268f7fb78adf..0e08be94824a 100644
--- a/src/java/org/apache/cassandra/config/DatabaseDescriptor.java
+++ b/src/java/org/apache/cassandra/config/DatabaseDescriptor.java
@@ -224,8 +224,12 @@ public class DatabaseDescriptor
     private static DiskAccessMode compactionReadDiskAccessMode;
 
     private static AbstractCryptoProvider cryptoProvider;
-    private static List<IAuthenticator> negotiableAuthenticators;
+
+    // Cached value: true if any authenticator requires authentication
+    private static boolean authenticationRequired;
+    private static List<IAuthenticator> negotiableAuthenticators = List.of();
     private static IAuthenticator defaultAuthenticator;
+
     private static IAuthorizer authorizer;
     private static INetworkAuthorizer networkAuthorizer;
     private static ICIDRAuthorizer cidrAuthorizer;
@@ -2057,6 +2061,7 @@ public static List<IAuthenticator> getNegotiableAuthenticators()
     public static void setNegotiableAuthenticators(List<IAuthenticator> authenticators)
     {
         DatabaseDescriptor.negotiableAuthenticators = new ArrayList<>(authenticators);
+        updateAuthenticationRequired();
     }
 
     /**
@@ -2103,14 +2108,42 @@ public static void setAuthenticator(IAuthenticator authenticator)
     public static void setDefaultAuthenticator(IAuthenticator authenticator)
     {
         DatabaseDescriptor.defaultAuthenticator = authenticator;
+        updateAuthenticationRequired();
+    }
+
+    /**
+     * Recomputes and caches whether authentication is required.
+     * Called when authenticators are set/updated.
+     */
+    private static void updateAuthenticationRequired()
+    {
+        if (isAuthenticatorNegotiationEnabled())
+        {
+            // Check if ANY negotiable authenticator requires authentication
+            authenticationRequired = negotiableAuthenticators.stream()
+                .anyMatch(IAuthenticator::requireAuthentication);
+        }
+        else if (defaultAuthenticator != null)
+        {
+            // Fallback to default authenticator for non-negotiation mode
+            authenticationRequired = defaultAuthenticator.requireAuthentication();
+        }
+        else
+        {
+            // Not yet initialized
+            authenticationRequired = false;
+        }
     }
 
     /**
-     * Indicates if this node uses an authenticator that requires authentication.
+     * Indicates if this node uses an authenticator that requires authentication. With authenticator negotiation,
+     * returns true if ANY negotiable authenticator requires authentication. This determines whether authentication
+     * infrastructure (caches, role management) should be enabled, as well as to determine whether anonymous (i.e.
+     * unauthenticated) users can elevate permissions to perform CREATE/DROP TRIGGER and other operations.
      */
     public static boolean isAuthenticationRequired()
     {
-        return defaultAuthenticator.requireAuthentication();
+        return authenticationRequired;
     }
 
     /**
diff --git a/src/java/org/apache/cassandra/service/ClientState.java b/src/java/org/apache/cassandra/service/ClientState.java
index 30649597f087..d64a1d3fe5bd 100644
--- a/src/java/org/apache/cassandra/service/ClientState.java
+++ b/src/java/org/apache/cassandra/service/ClientState.java
@@ -655,22 +655,40 @@ public boolean isOrdinaryUser()
 
     /**
      * Checks if this user is a super user.
+     * <p/>
+     * Returns true if:
+     * 1. This is an internal/system client, OR
+     * 2. No authenticators in the system require authentication (backward compat for AllowAllAuthenticator), OR
+     * 3. The user is authenticated and has been granted superuser role
+     * During migration with mixed authentication (some authenticators require auth, some don't),
+     * unauthenticated clients will NOT get the bypass - they'll be checked against the "anonymous" role.
      */
     public boolean isSuper()
     {
-        // TODO: If AllowAllAuthenticator is used as a fallback in negotiation, should clients
-        // who didn't authenticate have superuser privileges while authenticated clients need
-        // explicit grants? This may need policy consideration.
+        // Internal/system clients are always super
+        if (isInternal)
+        {
+            return true;
+        }
 
-        // Authenticator should always be set before this is called in normal operation.
-        // If not set (e.g., internal clients or test code), fall back to global check.
+        // If authenticator not set yet (shouldn't happen in normal operation), fall back to global check
         if (authenticator == null)
         {
             logger.warn("isSuper() called before authenticator was set - this should not happen in normal operation");
-            return !DatabaseDescriptor.isAuthenticationRequired() || (user != null && user.isSuper());
         }
 
-        return !authenticator.requireAuthentication() || (user != null && user.isSuper());
+        // Check global authentication requirement, not this connection's specific authenticator.
+        //
+        // If NO authenticators in the system require authentication (e.g., only AllowAllAuthenticator configured):
+        //   - Returns true (bypass) for backward compatibility with auth-disabled clusters
+        //   - Short-circuits before checking user.isSuper()
+        //
+        // If ANY authenticator in the system requires authentication (e.g., PasswordAuthenticator in negotiable list):
+        //   - Evaluates user.isSuper() to check actual role grants
+        //   - For authenticated users: returns true if they have superuser role
+        //   - For ANONYMOUS_USER: returns false (AuthenticatedUser.isSuper() always returns false for anonymous)
+        //   - This ensures unauthenticated clients during migration get no bypass
+        return !DatabaseDescriptor.isAuthenticationRequired() || (user != null && user.isSuper());
     }
 
     /**

From f78b6209ac9e60f188fafe197862f2bded594c7a Mon Sep 17 00:00:00 2001
From: Joel Shepherd <shepherd@amazon.com>
Date: Tue, 31 Mar 2026 17:31:19 +0000
Subject: [PATCH 20/30] AuthConfig enforces the require_authentication flag for
 negotiated authentication, and validates authorizer compatibility with the
 authentication configuration

---
 .../org/apache/cassandra/auth/AuthConfig.java | 140 +++++++++++++++++-
 ...assandra-auth-negotiation-permissive.yaml} |   8 +-
 .../apache/cassandra/auth/AuthConfigTest.java |  43 +++++-
 .../auth/AuthenticatorNegotiatorTest.java     |  80 ++++++----
 4 files changed, 231 insertions(+), 40 deletions(-)
 rename test/conf/{cassandra-auth-negotiation.yaml => cassandra-auth-negotiation-permissive.yaml} (94%)

diff --git a/src/java/org/apache/cassandra/auth/AuthConfig.java b/src/java/org/apache/cassandra/auth/AuthConfig.java
index f59b24a0285a..c645608d6e1a 100644
--- a/src/java/org/apache/cassandra/auth/AuthConfig.java
+++ b/src/java/org/apache/cassandra/auth/AuthConfig.java
@@ -175,11 +175,30 @@ public static void applyAuth()
 
         DatabaseDescriptor.setNegotiableAuthenticators(negotiableAuthenticators);
 
+        // Defensive check: Verify default authenticator is in negotiable list
+        // This is critical for security - many code paths assume default is always available
+        // TODO - This will probably need to be removed before the PR ... at least we should try.
+        if (negotiationConfigured && !DatabaseDescriptor.getNegotiableAuthenticators().contains(defaultAuthenticator))
+        {
+            throw new ConfigurationException("Default authenticator must be in negotiable authenticators list. " +
+                                           "This indicates a bug in authenticator initialization.", false);
+        }
+
+        // Validate require_authentication setting if negotiation is configured
+        if (negotiationConfigured)
+        {
+            validateRequireAuthentication(conf, defaultAuthenticator, negotiableAuthenticators);
+        }
+
         // authorizer
 
         IAuthorizer authorizer = authInstantiate(conf.authorizer, AllowAllAuthorizer.class);
 
-        if (!defaultAuthenticator.requireAuthentication() && authorizer.requireAuthorization())
+        if (negotiationConfigured)
+        {
+            validateAuthenticatorAuthorizerCompatibility(conf, authorizer, negotiableAuthenticators);
+        }
+        else if (!defaultAuthenticator.requireAuthentication() && authorizer.requireAuthorization())
         {
             throw new ConfigurationException(authorizer.getClass().getName() + " has authorization enabled which requires " +
                                              defaultAuthenticator.getClass().getName() + " to enable authentication", false);
@@ -206,7 +225,11 @@ public static void applyAuth()
 
         INetworkAuthorizer networkAuthorizer = authInstantiate(conf.network_authorizer, AllowAllNetworkAuthorizer.class);
 
-        if (networkAuthorizer.requireAuthorization() && !defaultAuthenticator.requireAuthentication())
+        if (negotiationConfigured)
+        {
+            validateAuthenticatorNetworkAuthorizerCompatibility(conf, networkAuthorizer, negotiableAuthenticators);
+        }
+        else if (networkAuthorizer.requireAuthorization() && !defaultAuthenticator.requireAuthentication())
         {
             throw new ConfigurationException(conf.network_authorizer + " can't be used with " + conf.authenticator.class_name, false);
         }
@@ -217,7 +240,11 @@ public static void applyAuth()
 
         ICIDRAuthorizer cidrAuthorizer = authInstantiate(conf.cidr_authorizer, AllowAllCIDRAuthorizer.class);
 
-        if (cidrAuthorizer.requireAuthorization() && !defaultAuthenticator.requireAuthentication())
+        if (negotiationConfigured)
+        {
+            validateAuthenticatorCIDRAuthorizerCompatibility(conf, cidrAuthorizer, negotiableAuthenticators);
+        }
+        else if (cidrAuthorizer.requireAuthorization() && !defaultAuthenticator.requireAuthentication())
         {
             throw new ConfigurationException(conf.cidr_authorizer + " can't be used with " + conf.authenticator, false);
         }
@@ -260,4 +287,111 @@ private static <T> T defaultAuthInstantiate(Class<T> defaultCls) {
             throw new ConfigurationException("Failed to instantiate " + defaultCls.getName(), e);
         }
     }
+
+    /**
+     * Validates the require_authentication setting when authenticator negotiation is configured.
+     * If require_authentication is true, all authenticators must require authentication.
+     * If require_authentication is false and non-authenticating authenticators are present, logs a warning.
+     */
+    private static void validateRequireAuthentication(Config conf,
+                                                      IAuthenticator defaultAuthenticator,
+                                                      List<IAuthenticator> negotiableAuthenticators)
+    {
+        boolean requireAuthentication = conf.authenticator_negotiation.require_authentication;
+        
+        // Check all negotiable authenticators (includes default)
+        for (IAuthenticator auth : negotiableAuthenticators)
+        {
+            if (!auth.requireAuthentication())
+            {
+                if (requireAuthentication)
+                {
+                    throw new ConfigurationException(
+                        "require_authentication is true but authenticator doesn't require authentication: " 
+                        + auth.getClass().getName(), false);
+                }
+                else
+                {
+                    logger.warn("require_authentication is false and authenticator doesn't require authentication: {}. " +
+                               "This allows unauthenticated access. Set require_authentication: true to enforce authentication.",
+                               auth.getClass().getName());
+                }
+            }
+        }
+    }
+
+    /**
+     * Validates compatibility between authenticators and authorizer when negotiation is configured.
+     * If any authenticator doesn't require authentication and authorizer requires authorization:
+     * - require_authentication: true -> fail (strict mode)
+     * - require_authentication: false -> warn (permissive mode for migration)
+     */
+    private static void validateAuthenticatorAuthorizerCompatibility(Config conf,
+                                                                     IAuthorizer authorizer,
+                                                                     List<IAuthenticator> negotiableAuthenticators)
+    {
+        if (!authorizer.requireAuthorization())
+            return;
+        
+        validateAuthorizerCompatibility(conf, authorizer.getClass().getName(), 
+                                       negotiableAuthenticators, "limited access based on 'anonymous' role permissions");
+    }
+
+    /**
+     * Validates compatibility between authenticators and network authorizer when negotiation is configured.
+     */
+    private static void validateAuthenticatorNetworkAuthorizerCompatibility(Config conf,
+                                                                            INetworkAuthorizer networkAuthorizer,
+                                                                            List<IAuthenticator> negotiableAuthenticators)
+    {
+        if (!networkAuthorizer.requireAuthorization())
+            return;
+        
+        validateAuthorizerCompatibility(conf, networkAuthorizer.getClass().getName(), 
+                                       negotiableAuthenticators, "limited network access");
+    }
+
+    /**
+     * Validates compatibility between authenticators and CIDR authorizer when negotiation is configured.
+     */
+    private static void validateAuthenticatorCIDRAuthorizerCompatibility(Config conf,
+                                                                         ICIDRAuthorizer cidrAuthorizer,
+                                                                         List<IAuthenticator> negotiableAuthenticators)
+    {
+        if (!cidrAuthorizer.requireAuthorization())
+            return;
+        
+        validateAuthorizerCompatibility(conf, cidrAuthorizer.getClass().getName(), 
+                                       negotiableAuthenticators, "limited CIDR-based access");
+    }
+
+    /**
+     * Common validation logic for authorizer compatibility.
+     * Checks if any authenticator doesn't require authentication when an authorizer requires authorization.
+     */
+    private static void validateAuthorizerCompatibility(Config conf,
+                                                        String authorizerName,
+                                                        List<IAuthenticator> negotiableAuthenticators,
+                                                        String accessDescription)
+    {
+        boolean hasNonAuthenticating = negotiableAuthenticators.stream()
+            .anyMatch(auth -> !auth.requireAuthentication());
+        
+        if (hasNonAuthenticating)
+        {
+            if (conf.authenticator_negotiation.require_authentication)
+            {
+                throw new ConfigurationException(
+                    "require_authentication is true but some negotiable authenticators don't require authentication. " +
+                    "This is incompatible with " + authorizerName + " which requires authorization.", false);
+            }
+            else
+            {
+                logger.warn("{} requires authorization but some negotiable authenticators don't require authentication. " +
+                           "Unauthenticated clients will have {}. " +
+                           "Set require_authentication: true to enforce authentication.",
+                           authorizerName, accessDescription);
+            }
+        }
+    }
 }
diff --git a/test/conf/cassandra-auth-negotiation.yaml b/test/conf/cassandra-auth-negotiation-permissive.yaml
similarity index 94%
rename from test/conf/cassandra-auth-negotiation.yaml
rename to test/conf/cassandra-auth-negotiation-permissive.yaml
index 3d2db9b7ed27..531dbaf48a30 100644
--- a/test/conf/cassandra-auth-negotiation.yaml
+++ b/test/conf/cassandra-auth-negotiation-permissive.yaml
@@ -17,7 +17,8 @@
 #
 
 #
-# Minimal cassandra.yaml for testing authenticator negotiation.
+# Minimal cassandra.yaml for testing permissive authenticator negotiation (some authenticators don't
+# require authentication).
 #
 cluster_name: Test Cluster
 memtable_allocation_type: offheap_objects
@@ -87,15 +88,14 @@ authenticator:
   class_name : org.apache.cassandra.auth.PasswordAuthenticator
 authenticator_negotiation:
   enabled: true
-  require_authentication: true
+  require_authentication: false
   default_authenticator:
-    class_name: PasswordAuthenticator
+    class_name: AllowAllAuthenticator
   authenticators:
     - class_name: MutualTlsAuthenticator
       parameters:
         validator_class_name: org.apache.cassandra.auth.SpiffeCertificateValidator
     - class_name: PasswordAuthenticator
-    - class_name: AllowAllAuthenticator
 role_manager:
   class_name: CassandraRoleManager
   parameters:
diff --git a/test/unit/org/apache/cassandra/auth/AuthConfigTest.java b/test/unit/org/apache/cassandra/auth/AuthConfigTest.java
index 74d49765dc3d..72315a2ff42b 100644
--- a/test/unit/org/apache/cassandra/auth/AuthConfigTest.java
+++ b/test/unit/org/apache/cassandra/auth/AuthConfigTest.java
@@ -27,11 +27,14 @@
 
 import org.junit.After;
 import org.junit.Before;
+import org.junit.Rule;
 import org.junit.Test;
+import org.junit.rules.ExpectedException;
 
 import org.apache.cassandra.config.Config;
 import org.apache.cassandra.config.DatabaseDescriptor;
 import org.apache.cassandra.config.ParameterizedClass;
+import org.apache.cassandra.exceptions.ConfigurationException;
 import org.apache.cassandra.locator.InetAddressAndPort;
 import org.apache.cassandra.utils.MBeanWrapper;
 
@@ -55,6 +58,9 @@ public class AuthConfigTest
 
     private static final String CREDENTIALS_CACHE_MBEAN = MBEAN_NAME_BASE + PasswordAuthenticator.CredentialsCacheMBean.CACHE_NAME;
 
+    @Rule
+    public ExpectedException expectedException = ExpectedException.none();
+
     @Before
     public void setup()
     {
@@ -70,22 +76,52 @@ public void teardown()
     @Test
     public void testConfigureAuthenticatorNegotiation()
     {
-        Config config = load("cassandra-auth-negotiation.yaml");
+        Config config = load("cassandra-auth-negotiation-permissive.yaml");
         DatabaseDescriptor.unsafeDaemonInitialization(()->config);
 
         IAuthenticator authenticator = DatabaseDescriptor.getDefaultAuthenticator();
         assertThat(authenticator instanceof PasswordAuthenticator);
         assertNotNull(authenticator);
         assertTrue(DatabaseDescriptor.isAuthenticatorNegotiationEnabled());
+        assertTrue(DatabaseDescriptor.isAuthenticationRequired());
         List<IAuthenticator> negotiableAuthenticators = DatabaseDescriptor.getNegotiableAuthenticators();
         assertNotNull(negotiableAuthenticators);
-        // TODO - See TODO in AuthConfig. Right now we're adding the PasswordAuthenticator twice.
         assertEquals(3, negotiableAuthenticators.size());
         assertTrue(DatabaseDescriptor.getAuthenticator(PasswordAuthenticator.class).isPresent());
         assertTrue(DatabaseDescriptor.getAuthenticator(MutualTlsAuthenticator.class).isPresent());
         assertTrue(DatabaseDescriptor.getAuthenticator(AllowAllAuthenticator.class).isPresent());
     }
 
+    @Test
+    public void testConfigureAuthenticatorNegotiationStrict()
+    {
+        Config config = load("cassandra-auth-negotiation-strict.yaml");
+        DatabaseDescriptor.unsafeDaemonInitialization(() -> config);
+
+        IAuthenticator authenticator = DatabaseDescriptor.getDefaultAuthenticator();
+        assertThat(authenticator instanceof PasswordAuthenticator);
+        assertNotNull(authenticator);
+        assertTrue(DatabaseDescriptor.isAuthenticatorNegotiationEnabled());
+        assertTrue(DatabaseDescriptor.isAuthenticationRequired());
+        List<IAuthenticator> negotiableAuthenticators = DatabaseDescriptor.getNegotiableAuthenticators();
+        assertNotNull(negotiableAuthenticators);
+        assertEquals(2, negotiableAuthenticators.size());
+        assertTrue(DatabaseDescriptor.getAuthenticator(PasswordAuthenticator.class).isPresent());
+        assertTrue(DatabaseDescriptor.getAuthenticator(MutualTlsAuthenticator.class).isPresent());
+        assertFalse(DatabaseDescriptor.getAuthenticator(AllowAllAuthenticator.class).isPresent());
+    }
+
+    @Test
+    public void testRequireAuthenticationRejectsAllowAll()
+    {
+        expectedException.expect(ConfigurationException.class);
+        expectedException.expectMessage("require_authentication");
+        expectedException.expectMessage("AllowAllAuthenticator");
+        
+        Config config = load("cassandra-auth-negotiation-invalid.yaml");
+        DatabaseDescriptor.unsafeDaemonInitialization(() -> config);
+    }
+
     @Test
     public void testNewInstanceForMutualTlsInternodeAuthenticator() throws IOException, CertificateException
     {
@@ -117,6 +153,9 @@ public void testNewInstanceForPasswordAuthenticator()
         IAuthenticator authenticator = DatabaseDescriptor.getDefaultAuthenticator();
         assertNotNull(authenticator);
 
+        // Verify negotiation is NOT enabled for legacy config
+        assertFalse(DatabaseDescriptor.isAuthenticatorNegotiationEnabled());
+
         assertThat(DatabaseDescriptor.getAuthenticator(PasswordAuthenticator.class))
             .isPresent()
             .get()
diff --git a/test/unit/org/apache/cassandra/auth/AuthenticatorNegotiatorTest.java b/test/unit/org/apache/cassandra/auth/AuthenticatorNegotiatorTest.java
index 7187476bbe4a..18004292b7ac 100644
--- a/test/unit/org/apache/cassandra/auth/AuthenticatorNegotiatorTest.java
+++ b/test/unit/org/apache/cassandra/auth/AuthenticatorNegotiatorTest.java
@@ -17,12 +17,15 @@
  */
 package org.apache.cassandra.auth;
 
-import java.util.Collections;
+import java.util.Arrays;
+import java.util.Collection;
 import java.util.Set;
 
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
 
 import org.apache.cassandra.config.Config;
 import org.apache.cassandra.config.DatabaseDescriptor;
@@ -34,12 +37,27 @@
 
 /**
  * Tests the authenticator negotiation logic in {@link AuthenticatorNegotiator}.
+ * Runs the same tests with both permissive (allows AllowAllAuthenticator) and strict
+ * (requires authentication) configurations.
  */
+@RunWith(Parameterized.class)
 public class AuthenticatorNegotiatorTest
 {
     private static final String IDENTITIES_CACHE_MBEAN = MBEAN_NAME_BASE + MutualTlsAuthenticator.CACHE_NAME;
     private static final String CREDENTIALS_CACHE_MBEAN = MBEAN_NAME_BASE + PasswordAuthenticator.CredentialsCacheMBean.CACHE_NAME;
 
+    @Parameterized.Parameter
+    public String configFile;
+
+    @Parameterized.Parameters(name = "{0}")
+    public static Collection<String> configs()
+    {
+        return Arrays.asList(
+            "test/conf/cassandra-auth-negotiation-permissive.yaml",
+            "test/conf/cassandra-auth-negotiation-strict.yaml"
+        );
+    }
+
     @Before
     public void setup()
     {
@@ -67,14 +85,20 @@ private void unregisterCaches()
         catch (Exception ignored) {}
     }
 
+    private void initializeWithConfig()
+    {
+        Config config = load(configFile);
+        DatabaseDescriptor.unsafeDaemonInitialization(() -> config);
+    }
+
     // Server will use the default authenticator if the client doesn't provide any options.
     @Test
     public void testEmptyClientAuthenticators()
     {
-        Config config = load("cassandra-auth-negotiation.yaml");
-        DatabaseDescriptor.unsafeDaemonInitialization(() -> config);
+        initializeWithConfig();
 
-        IAuthenticator result = AuthenticatorNegotiator.negotiateAuthenticator(Collections.emptySet());
+        Set<String> clientModes = Set.of();
+        IAuthenticator result = AuthenticatorNegotiator.negotiateAuthenticator(clientModes);
 
         assertSame(DatabaseDescriptor.getDefaultAuthenticator(), result);
     }
@@ -84,8 +108,7 @@ public void testEmptyClientAuthenticators()
     @Test
     public void testMatchesServersPreferredAuthenticator()
     {
-        Config config = load("cassandra-auth-negotiation.yaml");
-        DatabaseDescriptor.unsafeDaemonInitialization(() -> config);
+        initializeWithConfig();
 
         Set<String> clientModes = Set.of("MutualTls", "Password");
         IAuthenticator result = AuthenticatorNegotiator.negotiateAuthenticator(clientModes);
@@ -99,8 +122,7 @@ public void testMatchesServersPreferredAuthenticator()
     @Test
     public void testMatchesServersAcceptedAuthenticator()
     {
-        Config config = load("cassandra-auth-negotiation.yaml");
-        DatabaseDescriptor.unsafeDaemonInitialization(() -> config);
+        initializeWithConfig();
 
         Set<String> clientModes = Set.of("Password", "Unauthenticated");
         IAuthenticator result = AuthenticatorNegotiator.negotiateAuthenticator(clientModes);
@@ -115,8 +137,7 @@ public void testMatchesServersAcceptedAuthenticator()
     @Test
     public void testNoMatchingAuthenticatorUsesDefaultAuthenticator()
     {
-        Config config = load("cassandra-auth-negotiation.yaml");
-        DatabaseDescriptor.unsafeDaemonInitialization(() -> config);
+        initializeWithConfig();
 
         Set<String> clientModes = Set.of("Kerberos", "JWT", "OAuth");
         IAuthenticator result = AuthenticatorNegotiator.negotiateAuthenticator(clientModes);
@@ -129,8 +150,7 @@ public void testNoMatchingAuthenticatorUsesDefaultAuthenticator()
     @Test
     public void testCaseInsensitiveMatching()
     {
-        Config config = load("cassandra-auth-negotiation.yaml");
-        DatabaseDescriptor.unsafeDaemonInitialization(() -> config);
+        initializeWithConfig();
 
         Set<String> clientModes = Set.of("password", "MUTUALTLS");
         IAuthenticator result = AuthenticatorNegotiator.negotiateAuthenticator(clientModes);
@@ -138,27 +158,12 @@ public void testCaseInsensitiveMatching()
         assertTrue(result instanceof MutualTlsAuthenticator);
     }
 
-    // Server is not configured to support negotiation. Client attempts to offer authentication options anyway.
-    // Server should simplu respond with its default authenticator (password auth).
-    @Test
-    public void testNegotiationDisabled()
-    {
-        Config config = load("cassandra-passwordauth.yaml");
-        DatabaseDescriptor.unsafeDaemonInitialization(() -> config);
-
-        Set<String> clientModes = Set.of("MutualTls");
-        IAuthenticator result = AuthenticatorNegotiator.negotiateAuthenticator(clientModes);
-
-        assertSame(DatabaseDescriptor.getDefaultAuthenticator(), result);
-    }
-
-    // Server supports MTLS, Password and AllowAll. Client supports no-auth, Password and MTLS. Server should
+    // Server supports MTLS, Password and AllowAll. Client supports AllowAll, Password and MTLS. Server should
     // select its most preferred option (MTLS) even though it's not the first option offered by the client.
     @Test
     public void testPriorityOrderWithMultipleMatches()
     {
-        Config config = load("cassandra-auth-negotiation.yaml");
-        DatabaseDescriptor.unsafeDaemonInitialization(() -> config);
+        initializeWithConfig();
 
         Set<String> clientModes = Set.of("Unauthenticated", "Password", "MutualTls");
         IAuthenticator result = AuthenticatorNegotiator.negotiateAuthenticator(clientModes);
@@ -171,12 +176,25 @@ public void testPriorityOrderWithMultipleMatches()
     @Test
     public void testDuplicateClientAuthenticators()
     {
-        Config config = load("cassandra-auth-negotiation.yaml");
-        DatabaseDescriptor.unsafeDaemonInitialization(() -> config);
+        initializeWithConfig();
 
         Set<String> clientModes = Set.of("Password", "MutualTls", "password");
         IAuthenticator result = AuthenticatorNegotiator.negotiateAuthenticator(clientModes);
 
         assertTrue(result instanceof MutualTlsAuthenticator);
     }
+
+    // Server is not configured for negotiation. Client attempts to offer authentication options anyway.
+    // Server should simply respond with its default authenticator (password auth).
+    @Test
+    public void testNegotiationDisabled()
+    {
+        Config config = load("cassandra-passwordauth.yaml");
+        DatabaseDescriptor.unsafeDaemonInitialization(() -> config);
+
+        Set<String> clientModes = Set.of("MutualTls");
+        IAuthenticator result = AuthenticatorNegotiator.negotiateAuthenticator(clientModes);
+
+        assertSame(DatabaseDescriptor.getDefaultAuthenticator(), result);
+    }
 }

From 2a5d57f224d3ba63ca51a5608a6488db796e7883 Mon Sep 17 00:00:00 2001
From: Joel Shepherd <shepherd@amazon.com>
Date: Tue, 31 Mar 2026 17:33:21 +0000
Subject: [PATCH 21/30] Additional test configuration files for AuthConfigTest

---
 .../cassandra-auth-negotiation-invalid.yaml   | 103 ++++++++++++++++++
 .../cassandra-auth-negotiation-strict.yaml    | 102 +++++++++++++++++
 2 files changed, 205 insertions(+)
 create mode 100644 test/conf/cassandra-auth-negotiation-invalid.yaml
 create mode 100644 test/conf/cassandra-auth-negotiation-strict.yaml

diff --git a/test/conf/cassandra-auth-negotiation-invalid.yaml b/test/conf/cassandra-auth-negotiation-invalid.yaml
new file mode 100644
index 000000000000..ebf750470d32
--- /dev/null
+++ b/test/conf/cassandra-auth-negotiation-invalid.yaml
@@ -0,0 +1,103 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+#
+# Minimal cassandra.yaml for testing invalid authenticator negotiation (configured to require authentication
+# but defaults to AllowAllAuthenticator).
+#
+cluster_name: Test Cluster
+memtable_allocation_type: offheap_objects
+commitlog_sync: periodic
+commitlog_sync_period: 10s
+commitlog_segment_size: 5MiB
+commitlog_directory: build/test/cassandra/commitlog
+cdc_raw_directory: build/test/cassandra/cdc_raw
+cdc_enabled: false
+hints_directory: build/test/cassandra/hints
+partitioner: org.apache.cassandra.dht.ByteOrderedPartitioner
+listen_address: 127.0.0.1
+storage_port: 7012
+ssl_storage_port: 17012
+start_native_transport: true
+native_transport_port: 9042
+column_index_size: 4KiB
+saved_caches_directory: build/test/cassandra/saved_caches
+data_file_directories:
+  - build/test/cassandra/data
+disk_access_mode: mmap_index_only
+seed_provider:
+  - class_name: org.apache.cassandra.locator.SimpleSeedProvider
+    parameters:
+      - seeds: "127.0.0.1:7012"
+endpoint_snitch: org.apache.cassandra.locator.SimpleSnitch
+dynamic_snitch: true
+incremental_backups: true
+concurrent_compactors: 4
+compaction_throughput: 0MiB/s
+row_cache_class_name: org.apache.cassandra.cache.OHCProvider
+row_cache_size: 16MiB
+prepared_statements_cache_size: 1MiB
+corrupted_tombstone_strategy: exception
+stream_entire_sstables: true
+stream_throughput_outbound: 23841858MiB/s
+sasi_indexes_enabled: true
+materialized_views_enabled: true
+drop_compact_storage_enabled: true
+file_cache_enabled: true
+auto_hints_cleanup_enabled: true
+default_keyspace_rf: 1
+
+client_encryption_options:
+  enabled: true
+  require_client_auth: true
+  keystore: test/conf/cassandra_ssl_test.keystore
+  keystore_password: cassandra
+  truststore: test/conf/cassandra_ssl_test.truststore
+  truststore_password: cassandra
+
+server_encryption_options:
+  internode_encryption: all
+  enabled: true
+  keystore: test/conf/cassandra_ssl_test.keystore
+  keystore_password: cassandra
+  outbound_keystore: test/conf/cassandra_ssl_test_outbound.keystore
+  outbound_keystore_password: cassandra
+  truststore: test/conf/cassandra_ssl_test.truststore
+  truststore_password: cassandra
+  require_client_auth: true
+internode_authenticator:
+  class_name : org.apache.cassandra.auth.MutualTlsInternodeAuthenticator
+  parameters :
+    validator_class_name: org.apache.cassandra.auth.SpiffeCertificateValidator
+authenticator:
+  class_name : org.apache.cassandra.auth.PasswordAuthenticator
+authenticator_negotiation:
+  enabled: true
+  require_authentication: true
+  default_authenticator:
+    class_name: AllowAllAuthenticator
+  authenticators:
+    - class_name: MutualTlsAuthenticator
+      parameters:
+        validator_class_name: org.apache.cassandra.auth.SpiffeCertificateValidator
+    - class_name: PasswordAuthenticator
+role_manager:
+  class_name: CassandraRoleManager
+  parameters:
+accord:
+  journal_directory: build/test/cassandra/accord_journal
diff --git a/test/conf/cassandra-auth-negotiation-strict.yaml b/test/conf/cassandra-auth-negotiation-strict.yaml
new file mode 100644
index 000000000000..13a71b6642a1
--- /dev/null
+++ b/test/conf/cassandra-auth-negotiation-strict.yaml
@@ -0,0 +1,102 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+#
+# Minimal cassandra.yaml for testing strict authenticator negotiation (all authenticators must enforce authentication).
+#
+cluster_name: Test Cluster
+memtable_allocation_type: offheap_objects
+commitlog_sync: periodic
+commitlog_sync_period: 10s
+commitlog_segment_size: 5MiB
+commitlog_directory: build/test/cassandra/commitlog
+cdc_raw_directory: build/test/cassandra/cdc_raw
+cdc_enabled: false
+hints_directory: build/test/cassandra/hints
+partitioner: org.apache.cassandra.dht.ByteOrderedPartitioner
+listen_address: 127.0.0.1
+storage_port: 7012
+ssl_storage_port: 17012
+start_native_transport: true
+native_transport_port: 9042
+column_index_size: 4KiB
+saved_caches_directory: build/test/cassandra/saved_caches
+data_file_directories:
+  - build/test/cassandra/data
+disk_access_mode: mmap_index_only
+seed_provider:
+  - class_name: org.apache.cassandra.locator.SimpleSeedProvider
+    parameters:
+      - seeds: "127.0.0.1:7012"
+endpoint_snitch: org.apache.cassandra.locator.SimpleSnitch
+dynamic_snitch: true
+incremental_backups: true
+concurrent_compactors: 4
+compaction_throughput: 0MiB/s
+row_cache_class_name: org.apache.cassandra.cache.OHCProvider
+row_cache_size: 16MiB
+prepared_statements_cache_size: 1MiB
+corrupted_tombstone_strategy: exception
+stream_entire_sstables: true
+stream_throughput_outbound: 23841858MiB/s
+sasi_indexes_enabled: true
+materialized_views_enabled: true
+drop_compact_storage_enabled: true
+file_cache_enabled: true
+auto_hints_cleanup_enabled: true
+default_keyspace_rf: 1
+
+client_encryption_options:
+  enabled: true
+  require_client_auth: true
+  keystore: test/conf/cassandra_ssl_test.keystore
+  keystore_password: cassandra
+  truststore: test/conf/cassandra_ssl_test.truststore
+  truststore_password: cassandra
+
+server_encryption_options:
+  internode_encryption: all
+  enabled: true
+  keystore: test/conf/cassandra_ssl_test.keystore
+  keystore_password: cassandra
+  outbound_keystore: test/conf/cassandra_ssl_test_outbound.keystore
+  outbound_keystore_password: cassandra
+  truststore: test/conf/cassandra_ssl_test.truststore
+  truststore_password: cassandra
+  require_client_auth: true
+internode_authenticator:
+  class_name : org.apache.cassandra.auth.MutualTlsInternodeAuthenticator
+  parameters :
+    validator_class_name: org.apache.cassandra.auth.SpiffeCertificateValidator
+authenticator:
+  class_name : org.apache.cassandra.auth.PasswordAuthenticator
+authenticator_negotiation:
+  enabled: true
+  require_authentication: true
+  default_authenticator:
+    class_name: PasswordAuthenticator
+  authenticators:
+    - class_name: MutualTlsAuthenticator
+      parameters:
+        validator_class_name: org.apache.cassandra.auth.SpiffeCertificateValidator
+    - class_name: PasswordAuthenticator
+role_manager:
+  class_name: CassandraRoleManager
+  parameters:
+accord:
+  journal_directory: build/test/cassandra/accord_journal

From 88fbb8bc47a4c6a6499f52752cae7c43374de2d7 Mon Sep 17 00:00:00 2001
From: Joel Shepherd <shepherd@amazon.com>
Date: Wed, 1 Apr 2026 21:00:38 +0000
Subject: [PATCH 22/30] Correcting test description

---
 .../org/apache/cassandra/distributed/test/AuthTest.java        | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/test/distributed/org/apache/cassandra/distributed/test/AuthTest.java b/test/distributed/org/apache/cassandra/distributed/test/AuthTest.java
index 44ed777c93e3..9e08ebbd45d9 100644
--- a/test/distributed/org/apache/cassandra/distributed/test/AuthTest.java
+++ b/test/distributed/org/apache/cassandra/distributed/test/AuthTest.java
@@ -52,8 +52,7 @@ public class AuthTest extends TestBaseImpl
 {
     /**
      * Simply tests that initialisation of a test Instance results in
-     * StorageService.instance.doAuthSetup being called as the regular
-     * startup does in CassandraDaemon.setup
+     * CassandraDaemon.doAuthSetup being called just as the regular startup does.
      */
     @Test
     public void authSetupIsCalledAfterStartup() throws IOException

From e02565e90d81fd93a54314f174557576fe3a2a0b Mon Sep 17 00:00:00 2001
From: Joel Shepherd <shepherd@amazon.com>
Date: Wed, 1 Apr 2026 21:01:44 +0000
Subject: [PATCH 23/30] Adding dtests that exercise a non-negotiating client
 against a server with and without auth negotiation enabled

---
 .../auth/AuthenticatorNegotiationTest.java    | 381 ++++++++++++++++++
 .../test/auth/LegacyAuthenticationTest.java   | 175 ++++++++
 2 files changed, 556 insertions(+)
 create mode 100644 test/distributed/org/apache/cassandra/distributed/test/auth/AuthenticatorNegotiationTest.java
 create mode 100644 test/distributed/org/apache/cassandra/distributed/test/auth/LegacyAuthenticationTest.java

diff --git a/test/distributed/org/apache/cassandra/distributed/test/auth/AuthenticatorNegotiationTest.java b/test/distributed/org/apache/cassandra/distributed/test/auth/AuthenticatorNegotiationTest.java
new file mode 100644
index 000000000000..7cba687df62f
--- /dev/null
+++ b/test/distributed/org/apache/cassandra/distributed/test/auth/AuthenticatorNegotiationTest.java
@@ -0,0 +1,381 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cassandra.distributed.test.auth;
+
+import java.io.IOException;
+
+import com.datastax.driver.core.PlainTextAuthProvider;
+import com.datastax.driver.core.Session;
+
+import org.junit.Test;
+
+import org.apache.cassandra.distributed.Cluster;
+import org.apache.cassandra.distributed.test.TestBaseImpl;
+
+import static org.apache.cassandra.distributed.api.Feature.GOSSIP;
+import static org.apache.cassandra.distributed.api.Feature.NATIVE_PROTOCOL;
+import static org.apache.cassandra.distributed.api.Feature.NETWORK;
+import static org.apache.cassandra.distributed.util.Auth.waitForExistingRoles;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
+
+/**
+ * Exercises authenticator negotation for non-negotiating clients. When negotiation is enabled, non-negotiating
+ * clients should always get the configured default authenticator. In addition, clients authenticating through
+ * the AllowAllAuthenticator should authenticate as 'anonymous' and, because negotiation is enabled with at least
+ * authenticator that requires authentication, should not have elevated super-user privileges (required to, for
+ * example, create, drop or list roles, or create or drop triggers.
+ * <p/>
+ * This is in contrast to 'anonymous' behavior when negotiation is not enabled. In that case, all clients use the
+ * same authenticator, and if that authenticator does not require authentication the 'anonymous' user will default
+ * to having super-user privileges.
+ */
+public class AuthenticatorNegotiationTest extends TestBaseImpl
+{
+    /**
+     * Tests that unauthenticated clients get the anonymous role (not superuser bypass) when
+     * authentication is required globally. This validates the security fix in ClientState.isSuper()
+     * where it checks DatabaseDescriptor.isAuthenticationRequired() instead of per-connection
+     * authenticator.requireAuthentication().
+     * 
+     * Configuration: negotiation enabled with PasswordAuthenticator in negotiable list,
+     * but default=AllowAllAuthenticator so non-negotiating clients connect unauthenticated.
+     * Since ANY negotiable authenticator requires auth, unauthenticated clients should NOT
+     * get superuser bypass.
+     */
+    @Test
+    public void testUnauthenticatedClientsGetAnonymousRole() throws IOException
+    {
+        try (Cluster cluster = builder().withNodes(1)
+                                        .withConfig(config -> {
+                                            config.with(NETWORK, GOSSIP, NATIVE_PROTOCOL)
+                                                  .set("authenticator", "AllowAllAuthenticator")
+                                                  .set("authorizer", "CassandraAuthorizer");
+                                            
+                                            // Configure negotiation: default allows all, but negotiable includes PasswordAuthenticator
+                                            // This means isAuthenticationRequired() returns true (PasswordAuthenticator requires auth)
+                                            config.set("authenticator_negotiation", 
+                                                      new java.util.HashMap<String, Object>() {{
+                                                          put("enabled", true);
+                                                          put("require_authentication", false); // permissive mode
+                                                          put("default_authenticator", new java.util.HashMap<String, String>() {{
+                                                              put("class_name", "AllowAllAuthenticator");
+                                                          }});
+                                                          put("authenticators", java.util.Arrays.asList(
+                                                              new java.util.HashMap<String, String>() {{
+                                                                  put("class_name", "AllowAllAuthenticator");
+                                                              }},
+                                                              new java.util.HashMap<String, String>() {{
+                                                                  put("class_name", "PasswordAuthenticator");
+                                                              }}
+                                                          ));
+                                                      }});
+                                        })
+                                        .start())
+        {
+            // Non-negotiating client connects without credentials, falls back to AllowAllAuthenticator
+            // Gets anonymous user, but should NOT get superuser bypass because isAuthenticationRequired() is true
+            com.datastax.driver.core.Cluster.Builder builder = 
+                com.datastax.driver.core.Cluster.builder()
+                    .addContactPoint("127.0.0.1");
+            /*
+                    .withSocketOptions(new com.datastax.driver.core.SocketOptions()
+                        .setConnectTimeoutMillis(60000)  // 60 seconds
+                        .setReadTimeoutMillis(60000));   // 60 seconds
+             */
+
+            try (com.datastax.driver.core.Cluster c = builder.build(); 
+                 Session session = c.connect())
+            {
+                assertNotNull("Session should be established", session);
+                
+                // Verify we're logged in as anonymous
+                assertCurrentRole(session, "anonymous");
+                
+                // Positive test: Anonymous user SHOULD be able to read from system tables
+                com.datastax.driver.core.ResultSet rs = session.execute("SELECT * FROM system.local");
+                assertNotNull("Anonymous user should be able to read system.local", rs);
+                assertTrue("Should get at least one row", rs.iterator().hasNext());
+                
+                // Negative test: Anonymous user should NOT be able to create roles (requires superuser)
+                // This verifies no superuser bypass is granted
+                try
+                {
+                    session.execute("CREATE ROLE test_role");
+                    org.junit.Assert.fail("Anonymous user should not be able to create roles (no superuser bypass)");
+                }
+                catch (com.datastax.driver.core.exceptions.UnauthorizedException e)
+                {
+                    // Expected - anonymous user doesn't have permission
+                    assertTrue("Should get permission denied",
+                              e.getMessage().contains("User anonymous does not have sufficient privileges to perform the requested operation"));
+                }
+            }
+        }
+    }
+
+    /**
+     * Tests that the ClientState.isSuper() bypass is disabled when authentication is required globally.
+     * This directly tests the security fix where isSuper() checks DatabaseDescriptor.isAuthenticationRequired()
+     * instead of the per-connection authenticator.requireAuthentication().
+     * 
+     * CREATE TRIGGER calls ClientState.ensureIsSuperuser() which delegates to isSuper(), making it
+     * the perfect test for the bypass logic.
+     * 
+     * Configuration: negotiation enabled with PasswordAuthenticator in negotiable list,
+     * but default=AllowAllAuthenticator so non-negotiating clients connect unauthenticated.
+     * Since ANY negotiable authenticator requires auth, isSuper() should return false for anonymous.
+     */
+    @Test
+    public void testSuperuserBypassDisabledWithAuthenticationRequired() throws IOException
+    {
+        try (Cluster cluster = builder().withNodes(1)
+                                        .withConfig(config -> {
+                                            config.with(NETWORK, GOSSIP, NATIVE_PROTOCOL)
+                                                  .set("authenticator", "AllowAllAuthenticator");
+                                            
+                                            // Configure negotiation: default allows all, but negotiable includes PasswordAuthenticator
+                                            config.set("authenticator_negotiation", 
+                                                      new java.util.HashMap<String, Object>() {{
+                                                          put("enabled", true);
+                                                          put("require_authentication", false); // permissive mode
+                                                          put("default_authenticator", new java.util.HashMap<String, String>() {{
+                                                              put("class_name", "AllowAllAuthenticator");
+                                                          }});
+                                                          put("authenticators", java.util.Arrays.asList(
+                                                              new java.util.HashMap<String, String>() {{
+                                                                  put("class_name", "AllowAllAuthenticator");
+                                                              }},
+                                                              new java.util.HashMap<String, String>() {{
+                                                                  put("class_name", "PasswordAuthenticator");
+                                                              }}
+                                                          ));
+                                                      }});
+                                        })
+                                        .start())
+        {
+            // Create a test table first (as authenticated user)
+            waitForExistingRoles(cluster.get(1));
+            
+            com.datastax.driver.core.Cluster.Builder authBuilder = 
+                com.datastax.driver.core.Cluster.builder()
+                    .addContactPoint("127.0.0.1")
+                    .withAuthProvider(new PlainTextAuthProvider("cassandra", "cassandra"))
+                    .withSocketOptions(new com.datastax.driver.core.SocketOptions()
+                        .setConnectTimeoutMillis(60000)
+                        .setReadTimeoutMillis(60000));
+            
+            try (com.datastax.driver.core.Cluster c = authBuilder.build(); 
+                 Session session = c.connect())
+            {
+                session.execute("CREATE KEYSPACE IF NOT EXISTS test_ks WITH replication = {'class': 'SimpleStrategy', 'replication_factor': 1}");
+                session.execute("CREATE TABLE IF NOT EXISTS test_ks.test_table (id int PRIMARY KEY, value text)");
+            }
+            
+            // Non-negotiating client connects without credentials, falls back to AllowAllAuthenticator
+            com.datastax.driver.core.Cluster.Builder anonBuilder = 
+                com.datastax.driver.core.Cluster.builder()
+                    .addContactPoint("127.0.0.1")
+                    .withSocketOptions(new com.datastax.driver.core.SocketOptions()
+                        .setConnectTimeoutMillis(60000)
+                        .setReadTimeoutMillis(60000));
+
+            try (com.datastax.driver.core.Cluster c = anonBuilder.build(); 
+                 Session session = c.connect())
+            {
+                // Verify we're logged in as anonymous
+                assertCurrentRole(session, "anonymous");
+                
+                // CREATE TRIGGER calls ensureIsSuperuser() which checks isSuper()
+                // With the fix, isSuper() returns false because isAuthenticationRequired() is true
+                try
+                {
+                    session.execute("CREATE TRIGGER test_trigger ON test_ks.test_table USING 'org.apache.cassandra.triggers.AuditTrigger'");
+                    org.junit.Assert.fail("Anonymous user should not be able to create triggers (superuser bypass disabled)");
+                }
+                catch (com.datastax.driver.core.exceptions.UnauthorizedException e)
+                {
+                    // Expected - isSuper() returned false, no bypass granted
+                    assertTrue("Should get superuser required message",
+                              e.getMessage().contains("Only superusers are allowed to perform CREATE TRIGGER queries"));
+                }
+            }
+            
+            // Cleanup
+            try (com.datastax.driver.core.Cluster c = authBuilder.build(); 
+                 Session session = c.connect())
+            {
+                session.execute("DROP KEYSPACE IF EXISTS test_ks");
+            }
+        }
+    }
+
+    /**
+     * Tests that authenticated superusers retain their privileges when authenticator negotiation
+     * is enabled. This is a positive control test to ensure the permission system works correctly
+     * and isn't just blocking everything.
+     * 
+     * Configuration: default=PasswordAuthenticator, negotiable=[PasswordAuthenticator, AllowAllAuthenticator]
+     * Non-negotiating client falls back to PasswordAuthenticator and must authenticate.
+     */
+    @Test
+    public void testAuthenticatedSuperuserHasPrivileges() throws IOException
+    {
+        try (Cluster cluster = builder().withNodes(1)
+                                        .withConfig(config -> {
+                                            config.with(NETWORK, GOSSIP, NATIVE_PROTOCOL)
+                                                  .set("authenticator", "PasswordAuthenticator")
+                                                  .set("authorizer", "CassandraAuthorizer");
+                                            
+                                            // Configure negotiation with PasswordAuthenticator as default
+                                            config.set("authenticator_negotiation", 
+                                                      new java.util.HashMap<String, Object>() {{
+                                                          put("enabled", true);
+                                                          put("require_authentication", false); // permissive mode
+                                                          put("default_authenticator", new java.util.HashMap<String, String>() {{
+                                                              put("class_name", "PasswordAuthenticator");
+                                                          }});
+                                                          put("authenticators", java.util.Arrays.asList(
+                                                              new java.util.HashMap<String, String>() {{
+                                                                  put("class_name", "PasswordAuthenticator");
+                                                              }},
+                                                              new java.util.HashMap<String, String>() {{
+                                                                  put("class_name", "AllowAllAuthenticator");
+                                                              }}
+                                                          ));
+                                                      }});
+                                        })
+                                        .start())
+        {
+            waitForExistingRoles(cluster.get(1));
+            
+            // Non-negotiating client with credentials falls back to PasswordAuthenticator
+            com.datastax.driver.core.Cluster.Builder authBuilder = 
+                com.datastax.driver.core.Cluster.builder()
+                    .addContactPoint("127.0.0.1")
+                    .withAuthProvider(new PlainTextAuthProvider("cassandra", "cassandra"))
+                    .withSocketOptions(new com.datastax.driver.core.SocketOptions()
+                        .setConnectTimeoutMillis(60000)
+                        .setReadTimeoutMillis(60000));
+            
+            try (com.datastax.driver.core.Cluster c = authBuilder.build(); 
+                 Session session = c.connect())
+            {
+                assertNotNull("Authenticated session should be established", session);
+                
+                // Verify we're logged in as cassandra
+                assertCurrentRole(session, "cassandra");
+                
+                // Authenticated superuser should be able to create roles
+                session.execute("CREATE ROLE IF NOT EXISTS test_role");
+                
+                // Verify the role was created
+                com.datastax.driver.core.ResultSet rs = session.execute("LIST ROLES");
+                assertNotNull("Should be able to list roles", rs);
+                
+                // Clean up
+                session.execute("DROP ROLE IF EXISTS test_role");
+            }
+        }
+    }
+
+    /**
+     * Tests that when authenticator negotiation is enabled with a mix of authenticators, a client that doesn't
+     * support negotiation can still connect by falling back to the default authenticator (PasswordAuthenticator).
+     * 
+     * Configuration: default=PasswordAuthenticator, negotiable=[PasswordAuthenticator, AllowAllAuthenticator]
+     * This ensures we can verify the server actually picked the default, not just any authenticator.
+     */
+    @Test
+    public void testFallbackToDefaultAuthenticator() throws IOException
+    {
+        try (Cluster cluster = builder().withNodes(1)
+                                        .withConfig(config -> {
+                                            config.with(NETWORK, GOSSIP, NATIVE_PROTOCOL)
+                                                  .set("authenticator", "PasswordAuthenticator");
+                                            
+                                            // Configure authenticator negotiation with nested config
+                                            config.set("authenticator_negotiation", 
+                                                      new java.util.HashMap<String, Object>() {{
+                                                          put("enabled", true);
+                                                          put("require_authentication", false); // permissive mode
+                                                          put("default_authenticator", new java.util.HashMap<String, String>() {{
+                                                              put("class_name", "PasswordAuthenticator");
+                                                          }});
+                                                          put("authenticators", java.util.Arrays.asList(
+                                                              new java.util.HashMap<String, String>() {{
+                                                                  put("class_name", "PasswordAuthenticator");
+                                                              }},
+                                                              new java.util.HashMap<String, String>() {{
+                                                                  put("class_name", "AllowAllAuthenticator");
+                                                              }}
+                                                          ));
+                                                      }});
+                                        })
+                                        .start())
+        {
+            waitForExistingRoles(cluster.get(1));
+            
+            // Use DataStax driver which doesn't support negotiation protocol
+            // It should fall back to default (PasswordAuthenticator) and require credentials
+            com.datastax.driver.core.Cluster.Builder builder =
+                com.datastax.driver.core.Cluster.builder().addContactPoint("127.0.0.1")
+                                                          .withAuthProvider(new PlainTextAuthProvider("cassandra", "cassandra"));
+
+
+            try (com.datastax.driver.core.Cluster c = builder.build(); 
+                 Session session = c.connect())
+            {
+                // Verify we're logged in as cassandra (authenticated via PasswordAuthenticator)
+                assertCurrentRole(session, "cassandra");
+                
+                // If we successfully connected with credentials, the server fell back to PasswordAuthenticator
+                // (If it had picked AllowAllAuthenticator, credentials wouldn't be required)
+                assertNotNull("Session should be established via default authenticator fallback", session);
+
+                // Execute a query to verify the connection is fully functional
+                session.execute("SELECT * FROM system.local");
+            }
+        }
+    }
+
+    /**
+     * Helper method to verify the current authenticated user identity by executing LIST ROLES.
+     * 
+     * @param session the session to execute the query on
+     * @param expectedRole the expected role name (e.g., "anonymous", "cassandra")
+     */
+    private void assertCurrentRole(Session session, String expectedRole)
+    {
+        String actualRole;
+        try
+        {
+            com.datastax.driver.core.ResultSet rs = session.execute("LIST ROLES");
+            actualRole = rs.one().getString("role");
+        }
+        catch (com.datastax.driver.core.exceptions.UnauthorizedException e)
+        {
+            // LIST ROLES calls ensureNotAnonymous(), so exception probably means we're anonymous
+            actualRole = e.getMessage().contains("not anonymous") ? "anonymous" : null;
+        }
+        
+        assertEquals("Current authenticated role", expectedRole, actualRole);
+    }
+}
diff --git a/test/distributed/org/apache/cassandra/distributed/test/auth/LegacyAuthenticationTest.java b/test/distributed/org/apache/cassandra/distributed/test/auth/LegacyAuthenticationTest.java
new file mode 100644
index 000000000000..a447edf6d1c0
--- /dev/null
+++ b/test/distributed/org/apache/cassandra/distributed/test/auth/LegacyAuthenticationTest.java
@@ -0,0 +1,175 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cassandra.distributed.test.auth;
+
+import java.io.IOException;
+
+import com.datastax.driver.core.PlainTextAuthProvider;
+import com.datastax.driver.core.Session;
+import com.datastax.driver.core.exceptions.AuthenticationException;
+
+import org.junit.Test;
+
+import org.apache.cassandra.distributed.Cluster;
+import org.apache.cassandra.distributed.test.TestBaseImpl;
+
+import static org.apache.cassandra.distributed.api.Feature.GOSSIP;
+import static org.apache.cassandra.distributed.api.Feature.NATIVE_PROTOCOL;
+import static org.apache.cassandra.distributed.api.Feature.NETWORK;
+import static org.apache.cassandra.distributed.util.Auth.waitForExistingRoles;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+
+/**
+ * Tests for legacy (pre-negotiation) authentication behavior.
+ * These tests verify authentication works correctly when:
+ * 1. No authenticator_negotiation config is present (legacy single authenticator)
+ * 2. authenticator_negotiation.enabled is explicitly set to false
+ */
+public class LegacyAuthenticationTest extends TestBaseImpl
+{
+    /**
+     * Tests legacy PasswordAuthenticator configuration (no negotiation config).
+     * Verifies that authentication is required and works correctly.
+     */
+    @Test
+    public void testLegacyPasswordAuthenticator() throws IOException
+    {
+        try (Cluster cluster = builder().withNodes(1)
+                                        .withConfig(config -> config.with(NETWORK, GOSSIP, NATIVE_PROTOCOL)
+                                                                    .set("authenticator", "PasswordAuthenticator"))
+                                        .start())
+        {
+            waitForExistingRoles(cluster.get(1));
+            
+            // Should be able to connect with valid credentials
+            com.datastax.driver.core.Cluster.Builder authBuilder = 
+                com.datastax.driver.core.Cluster.builder()
+                    .addContactPoint("127.0.0.1")
+                    .withAuthProvider(new PlainTextAuthProvider("cassandra", "cassandra"));
+
+            try (com.datastax.driver.core.Cluster c = authBuilder.build(); 
+                 Session session = c.connect())
+            {
+                assertNotNull("Should connect with valid credentials", session);
+                assertCurrentRole(session, "cassandra");
+                session.execute("SELECT * FROM system.local");
+            }
+            
+            // Should NOT be able to connect without credentials
+            com.datastax.driver.core.Cluster.Builder noAuthBuilder = 
+                com.datastax.driver.core.Cluster.builder()
+                    .addContactPoint("127.0.0.1");
+
+            try (com.datastax.driver.core.Cluster c = noAuthBuilder.build())
+            {
+                c.connect();
+                org.junit.Assert.fail("Should not be able to connect without credentials");
+            }
+            catch (AuthenticationException e)
+            {
+                // Expected - authentication required
+            }
+        }
+    }
+
+    /**
+     * Tests legacy AllowAllAuthenticator configuration (no negotiation config).
+     * Verifies that no authentication is required.
+     */
+    @Test
+    public void testLegacyAllowAllAuthenticator() throws IOException
+    {
+        try (Cluster cluster = builder().withNodes(1)
+                                        .withConfig(config -> config.with(NETWORK, GOSSIP, NATIVE_PROTOCOL)
+                                                                    .set("authenticator", "AllowAllAuthenticator"))
+                                        .start())
+        {
+            // Should be able to connect without credentials
+            com.datastax.driver.core.Cluster.Builder builder = 
+                com.datastax.driver.core.Cluster.builder()
+                    .addContactPoint("127.0.0.1");
+
+            try (com.datastax.driver.core.Cluster c = builder.build(); 
+                 Session session = c.connect())
+            {
+                assertNotNull("Should connect without credentials", session);
+                assertCurrentRole(session, "anonymous");
+                session.execute("SELECT * FROM system.local");
+            }
+        }
+    }
+
+    /**
+     * Tests that when authenticator_negotiation.enabled is explicitly set to false,
+     * the system behaves like legacy mode (uses the single authenticator config).
+     */
+    @Test
+    public void testNegotiationExplicitlyDisabled() throws IOException
+    {
+        try (Cluster cluster = builder().withNodes(1)
+                                        .withConfig(config -> {
+                                            config.with(NETWORK, GOSSIP, NATIVE_PROTOCOL)
+                                                  .set("authenticator", "PasswordAuthenticator");
+                                            
+                                            // Explicitly disable negotiation
+                                            config.set("authenticator_negotiation", 
+                                                      new java.util.HashMap<String, Object>() {{
+                                                          put("enabled", false);
+                                                      }});
+                                        })
+                                        .start())
+        {
+            waitForExistingRoles(cluster.get(1));
+            
+            // Should behave exactly like legacy PasswordAuthenticator
+            com.datastax.driver.core.Cluster.Builder authBuilder = 
+                com.datastax.driver.core.Cluster.builder()
+                    .addContactPoint("127.0.0.1")
+                    .withAuthProvider(new PlainTextAuthProvider("cassandra", "cassandra"));
+
+            try (com.datastax.driver.core.Cluster c = authBuilder.build(); 
+                 Session session = c.connect())
+            {
+                assertNotNull("Should connect with valid credentials", session);
+                assertCurrentRole(session, "cassandra");
+                session.execute("SELECT * FROM system.local");
+            }
+        }
+    }
+
+    /**
+     * Helper method to verify the current authenticated user identity.
+     */
+    private void assertCurrentRole(Session session, String expectedRole)
+    {
+        String actualRole;
+        try
+        {
+            com.datastax.driver.core.ResultSet rs = session.execute("LIST ROLES");
+            actualRole = rs.one().getString("role");
+        }
+        catch (com.datastax.driver.core.exceptions.UnauthorizedException e)
+        {
+            actualRole = e.getMessage().contains("not anonymous") ? "anonymous" : null;
+        }
+        
+        assertEquals("Current authenticated role", expectedRole, actualRole);
+    }
+}

From 84e4c4a7e30109cc32e9b4b8e8ce9b38868b692e Mon Sep 17 00:00:00 2001
From: Joel Shepherd <shepherd@amazon.com>
Date: Wed, 1 Apr 2026 21:36:56 +0000
Subject: [PATCH 24/30] Removing duplicate, unused code in OptionsMessage -
 currently handled in InitConnectionHandler

---
 .../transport/messages/OptionsMessage.java    | 25 +------------------
 1 file changed, 1 insertion(+), 24 deletions(-)

diff --git a/src/java/org/apache/cassandra/transport/messages/OptionsMessage.java b/src/java/org/apache/cassandra/transport/messages/OptionsMessage.java
index 829bc93b953f..43b87218985f 100644
--- a/src/java/org/apache/cassandra/transport/messages/OptionsMessage.java
+++ b/src/java/org/apache/cassandra/transport/messages/OptionsMessage.java
@@ -17,14 +17,9 @@
  */
 package org.apache.cassandra.transport.messages;
 
-import java.util.ArrayList;
 import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
 
-import org.apache.cassandra.cql3.QueryProcessor;
 import org.apache.cassandra.service.QueryState;
-import org.apache.cassandra.transport.Compressor;
 import org.apache.cassandra.transport.Dispatcher;
 import org.apache.cassandra.transport.Message;
 import org.apache.cassandra.transport.ProtocolVersion;
@@ -61,25 +56,7 @@ public OptionsMessage()
     @Override
     protected Message.Response execute(QueryState state, Dispatcher.RequestTime requestTime, boolean traceRequest)
     {
-        // JDEBUG - This duplicates code in InitialConnectionHandler (line 78+). Why? Is this used?
-        /*
-        List<String> cqlVersions = new ArrayList<String>();
-        cqlVersions.add(QueryProcessor.CQL_VERSION.toString());
-
-        List<String> compressions = new ArrayList<String>();
-        if (Compressor.SnappyCompressor.instance != null)
-            compressions.add("snappy");
-        // LZ4 is always available since worst case scenario it default to a pure JAVA implem.
-        compressions.add("lz4");
-
-        Map<String, List<String>> supported = new HashMap<String, List<String>>();
-
-        supported.put(StartupMessage.CQL_VERSION, cqlVersions);
-        supported.put(StartupMessage.COMPRESSION, compressions);
-        supported.put(StartupMessage.PROTOCOL_VERSIONS, ProtocolVersion.supportedVersions());
-
-        return new SupportedMessage(supported);
-         */
+        // Execute is handled in InitialConnectionHandler.decode().
         return new SupportedMessage(new HashMap<>());
     }
 

From dc36093f1b9c898d2a6d51dd72cfea2c1c600d0b Mon Sep 17 00:00:00 2001
From: Joel Shepherd <shepherd@amazon.com>
Date: Mon, 6 Apr 2026 23:24:22 +0000
Subject: [PATCH 25/30] Addressing checkstyle complaints

---
 src/java/org/apache/cassandra/auth/CassandraRoleManager.java | 3 ++-
 src/java/org/apache/cassandra/auth/IAuthenticator.java       | 5 +++--
 src/java/org/apache/cassandra/config/DatabaseDescriptor.java | 1 +
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/java/org/apache/cassandra/auth/CassandraRoleManager.java b/src/java/org/apache/cassandra/auth/CassandraRoleManager.java
index de37bbf10072..d46526a71d22 100644
--- a/src/java/org/apache/cassandra/auth/CassandraRoleManager.java
+++ b/src/java/org/apache/cassandra/auth/CassandraRoleManager.java
@@ -42,7 +42,9 @@
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Strings;
 import com.google.common.collect.ImmutableSet;
+
 import org.apache.commons.lang3.StringUtils;
+import org.mindrot.jbcrypt.BCrypt;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -78,7 +80,6 @@
 import org.apache.cassandra.utils.FBUtilities;
 import org.apache.cassandra.utils.MBeanWrapper;
 import org.apache.cassandra.utils.NoSpamLogger;
-import org.mindrot.jbcrypt.BCrypt;
 
 import static org.apache.cassandra.service.QueryState.forInternalCalls;
 import static org.apache.cassandra.utils.ByteBufferUtil.bytes;
diff --git a/src/java/org/apache/cassandra/auth/IAuthenticator.java b/src/java/org/apache/cassandra/auth/IAuthenticator.java
index 7e683a9b0a9e..cdaa12d03f8b 100644
--- a/src/java/org/apache/cassandra/auth/IAuthenticator.java
+++ b/src/java/org/apache/cassandra/auth/IAuthenticator.java
@@ -20,7 +20,6 @@
 import java.net.InetAddress;
 import java.security.cert.Certificate;
 import java.util.Collections;
-import java.util.Locale;
 import java.util.Map;
 import java.util.Objects;
 import java.util.Set;
@@ -32,6 +31,8 @@
 import org.apache.cassandra.service.ClientState;
 import org.apache.cassandra.transport.messages.AuthenticateMessage;
 
+import static org.apache.cassandra.utils.LocalizeString.toLowerCaseLocalized;
+
 public interface IAuthenticator
 {
     /**
@@ -258,7 +259,7 @@ abstract class AuthenticationMode
         public AuthenticationMode(@Nonnull String displayName)
         {
             this.displayName = displayName;
-            this.normalizedDisplayName = displayName.toLowerCase(Locale.ROOT);
+            this.normalizedDisplayName = toLowerCaseLocalized(displayName);
         }
 
         /**
diff --git a/src/java/org/apache/cassandra/config/DatabaseDescriptor.java b/src/java/org/apache/cassandra/config/DatabaseDescriptor.java
index 0e08be94824a..dc06fabe84e7 100644
--- a/src/java/org/apache/cassandra/config/DatabaseDescriptor.java
+++ b/src/java/org/apache/cassandra/config/DatabaseDescriptor.java
@@ -2066,6 +2066,7 @@ public static void setNegotiableAuthenticators(List<IAuthenticator> authenticato
 
     /**
      * Returns the default authenticator configured for this node.
+     * @deprecated Use {@link #getDefaultAuthenticator()} instead.
      */
     @Deprecated(since = "6.0.0")
     public static IAuthenticator getAuthenticator()

From 9fe133f3ca99f14add7bca8f52e0d92fd61dae48 Mon Sep 17 00:00:00 2001
From: Joel Shepherd <shepherd@amazon.com>
Date: Fri, 24 Apr 2026 20:00:05 +0000
Subject: [PATCH 26/30] Deleting duplicate methods introduced by merge error

---
 .../cassandra/auth/PasswordAuthenticator.java  | 18 ------------------
 1 file changed, 18 deletions(-)

diff --git a/src/java/org/apache/cassandra/auth/PasswordAuthenticator.java b/src/java/org/apache/cassandra/auth/PasswordAuthenticator.java
index 389a7c45acf6..27a1692e5eba 100644
--- a/src/java/org/apache/cassandra/auth/PasswordAuthenticator.java
+++ b/src/java/org/apache/cassandra/auth/PasswordAuthenticator.java
@@ -111,24 +111,6 @@ public Set<IRoleManager.Option> getAlterableRoleOptions()
         return ALTERABLE_ROLE_OPTIONS;
     }
 
-    /**
-     * {@inheritDoc}
-     */
-    @Override
-    public Set<IRoleManager.Option> getSupportedRoleOptions()
-    {
-        return SUPPORTED_ROLE_OPTIONS;
-    }
-
-    /**
-     * {@inheritDoc}
-     */
-    @Override
-    public Set<IRoleManager.Option> getAlterableRoleOptions()
-    {
-        return ALTERABLE_ROLE_OPTIONS;
-    }
-
     // No anonymous access.
     @Override
     public boolean requireAuthentication()

From 94bd99a7aa7193ac954ee7251780d9887fbe75c3 Mon Sep 17 00:00:00 2001
From: Joel Shepherd <shepherd@amazon.com>
Date: Mon, 27 Apr 2026 22:18:04 +0000
Subject: [PATCH 27/30] Commenting out new authentication_negotiation
 configuration and provided reasonable default values

---
 conf/cassandra.yaml | 21 +++++++++------------
 1 file changed, 9 insertions(+), 12 deletions(-)

diff --git a/conf/cassandra.yaml b/conf/cassandra.yaml
index fdf1ea2367dc..0b0187011f4b 100644
--- a/conf/cassandra.yaml
+++ b/conf/cassandra.yaml
@@ -198,7 +198,7 @@ batchlog_replay_throttle: 1024KiB
 # - MutualTlsAuthenticator is certificate-based authentication, using the same certificates used to establish
 #     connection security.
 authenticator:
-  class_name: PasswordAuthenticator
+  class_name: AllowAllAuthenticator
 # MutualTlsAuthenticator can be configured using the following configuration. One can add their own validator
 # which implements MutualTlsCertificateValidator class and provide logic for extracting identity out of certificates
 # and validating certificates.
@@ -209,30 +209,27 @@ authenticator:
 # Configure authenticator negotiation, to allow nodes to support multiple authentication mechanisms and
 # negotiate (resolve) a specific mechanism with a client at connection time. When this configuration is present,
 # it supersedes the 'authenticator' configuration entirely.
-authenticator_negotiation:
+# authenticator_negotiation:
   # If true, client connections will go through authn negotiation. If false, they will use the authenticator
   # configured by the default_authenticator key.
-  enabled: true
+  # enabled: false
   # If true, all configured authenticators, including the default authenticator, must 'require authenticiation':
   # i.e., 'AllowAllAuthenticator' and other authenticators that don't require authentication cannot be used and
   # will cause the node to fail at starttup. This prevents 'fail-open' negotiation. If false, AllowAllAuthenticator
   # and other non-authenticating authenticators are allowed. This is discouraged but may make migrating to
   # negotiated authentication easier for deployments that do not enforce authentication today.
-  require_authentication: false
+  # require_authentication: true
   # The authenticator to be used for clients that don't support negotiation, or clients that support none of
   # the authenticators listed in the 'authenticators' section.
-  default_authenticator:
-    class_name: PasswordAuthenticator
+  # default_authenticator:
+    # class_name: PasswordAuthenticator
   # The authenticators that this node supports for negotiation. These are configured as documented for the
   # 'authenticator' section. List authenticators in order from most- to least-preferred. For negotiating
   # clients, the server will select the first authenticator in this list that the client indicates it can
   # support.
-  authenticators:
-    - class_name: MutualTlsAuthenticator
-      parameters:
-        validator_class_name: org.apache.cassandra.auth.SpiffeCertificateValidator
-    - class_name: PasswordAuthenticator
-    - class_name: AllowAllAuthenticator
+  # authenticators:
+    # - class_name: PasswordAuthenticator
+    # - class_name: AllowAllAuthenticator
 
 # Authorization backend, implementing IAuthorizer; used to limit access/provide permissions
 # Out of the box, Cassandra provides org.apache.cassandra.auth.{AllowAllAuthorizer,

From 8dff90b90dc169d5346cf3165c6ac6b135677718 Mon Sep 17 00:00:00 2001
From: Joel Shepherd <shepherd@amazon.com>
Date: Mon, 27 Apr 2026 22:19:24 +0000
Subject: [PATCH 28/30] Self-review corrections: simplifying AuthConfig,
 implementing password cache in PasswordAuthenticator as a singleton, minor
 code and comment clean-up elsewhere

---
 .../org/apache/cassandra/auth/AuthConfig.java | 383 ++++++++++--------
 .../auth/AuthenticatorNegotiator.java         |  23 +-
 .../cassandra/auth/PasswordAuthenticator.java |  14 +-
 .../cassandra/config/DatabaseDescriptor.java  |  33 +-
 .../cassandra/service/CassandraDaemon.java    |   2 +-
 .../apache/cassandra/service/ClientState.java |  33 +-
 .../transport/InitialConnectionHandler.java   |   2 +-
 .../cassandra/distributed/test/AuthTest.java  |   2 +-
 .../auth/AuthenticatorNegotiationTest.java    |  76 ++--
 9 files changed, 276 insertions(+), 292 deletions(-)

diff --git a/src/java/org/apache/cassandra/auth/AuthConfig.java b/src/java/org/apache/cassandra/auth/AuthConfig.java
index f33eafeda9fc..6cd7fc4362e8 100644
--- a/src/java/org/apache/cassandra/auth/AuthConfig.java
+++ b/src/java/org/apache/cassandra/auth/AuthConfig.java
@@ -24,8 +24,6 @@
 
 import com.google.common.annotations.VisibleForTesting;
 
-import com.google.common.annotations.VisibleForTesting;
-
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -46,6 +44,29 @@ public final class AuthConfig
 
     private static boolean initialized;
 
+    /**
+     * Normalized authenticator configuration that abstracts away the difference between
+     * legacy single-authenticator config and negotiated multi-authenticator config.
+     */
+    private static class AuthenticatorConfig
+    {
+        final IAuthenticator defaultAuthenticator;
+        final List<IAuthenticator> negotiableAuthenticators;
+        final boolean requireAuthentication;
+        final boolean isNegotiationEnabled;
+
+        AuthenticatorConfig(IAuthenticator defaultAuthenticator,
+                           List<IAuthenticator> negotiableAuthenticators,
+                           boolean requireAuthentication,
+                           boolean isNegotiationEnabled)
+        {
+            this.defaultAuthenticator = defaultAuthenticator;
+            this.negotiableAuthenticators = negotiableAuthenticators;
+            this.requireAuthentication = requireAuthentication;
+            this.isNegotiationEnabled = isNegotiationEnabled;
+        }
+    }
+
     /**
      * Resets the initialized flag, enabling AuthConfig to be reconfigured multiple times within a single
      * test case.
@@ -66,158 +87,52 @@ public static void applyAuth()
 
         Config conf = DatabaseDescriptor.getRawConfig();
 
-        /* Authentication, authorization and role management backend, implementing IAuthenticator, I*Authorizer & IRoleManager */
-
-        // Determine if authenticator_negotiation section was configured
-        boolean negotiationConfigured = conf.authenticator_negotiation.default_authenticator != null
-                                        || conf.authenticator_negotiation.enabled
-                                        || !conf.authenticator_negotiation.authenticators.isEmpty();
-
-        // Determine default authenticator based on configuration precedence
-        IAuthenticator defaultAuthenticator;
-
-        if (negotiationConfigured)
-        {
-            ParameterizedClass defaultAuthConfig = conf.authenticator_negotiation.default_authenticator;
-
-            if (defaultAuthConfig == null)
-                // authenticator_negotiation is configured but default_authenticator is missing - fail to start
-                throw new ConfigurationException(
-                    "authenticator_negotiation section requires default_authenticator to be specified", false);
-
-            defaultAuthenticator = (IAuthenticator) authInstantiate(defaultAuthConfig)
-                                                    .orElseThrow(() -> new ConfigurationException(
-                                                    "Unable to load default_authenticator from authenticator_negotiation section: "
-                                                    + conf.authenticator_negotiation.default_authenticator.class_name, false
-                                                    ));
-        }
-        else
-        {
-            // Fall back to legacy authenticator config
-            defaultAuthenticator = authInstantiate(conf.authenticator, AllowAllAuthenticator.class);
-        }
+        // Load and normalize authenticator configuration
+        AuthenticatorConfig authConfig = loadAuthenticatorConfig(conf);
 
         // the configuration options regarding credentials caching are only guaranteed to
         // work with PasswordAuthenticator, so log a message if some other authenticator
         // is in use and non-default values are detected
-        if (!(defaultAuthenticator instanceof PasswordAuthenticator || defaultAuthenticator instanceof MutualTlsAuthenticator)
+        if (!(authConfig.defaultAuthenticator instanceof PasswordAuthenticator || authConfig.defaultAuthenticator instanceof MutualTlsAuthenticator)
             && (conf.credentials_update_interval != null
                 || conf.credentials_validity.toMilliseconds() != 2000
                 || conf.credentials_cache_max_entries != 1000))
         {
             logger.info("Configuration options credentials_update_interval, credentials_validity and " +
                         "credentials_cache_max_entries may not be applicable for the configured authenticator ({})",
-                        defaultAuthenticator.getClass().getName());
+                        authConfig.defaultAuthenticator.getClass().getName());
         }
 
-        DatabaseDescriptor.setDefaultAuthenticator(defaultAuthenticator);
-
-        List<IAuthenticator> negotiableAuthenticators = new ArrayList<>();
-
-        if (negotiationConfigured)
-        {
-            logger.info("Authentication negotiation enabled: initializing authenticators");
-            List<ParameterizedClass> authenticators = conf.authenticator_negotiation.authenticators;
-
-            if (authenticators != null)
-            {
-                for (ParameterizedClass clazz: authenticators)
-                {
-                    // We generally can't instantiate multiple instances of an authenticator, so if the
-                    // default is also in the list of negotiaable authenticators, just re-use the instance
-                    // that we have.
-                    // TODO - This comparison is potentially broken because depending on how the authenticator
-                    //  is configured in YAML, this equals() may or may not work. The parameterized class created
-                    //  from 'default_authenticator: PasswordAuthenticator' or
-                    //  'default_authenticator:\n\tclass_name: PasswordAuthenticator'
-                    //  is different from that created from
-                    //  'default_authenticator:\n\t- class_name: PasswordAuthenticator'.
-                    //  The latter, inadvertantly, attempts to set default_authenticator to a list (indicated by the '-').
-                    //  Since default_authenticator isn't a list, SnakeYAML grabs the first list element and constructs
-                    //  the ParameterizedClass instance using the default constructor and reflection, which results in
-                    //  'parameters' being null instead of being an empty map which is what the first two forms will
-                    //  create. This causes ParameterizedClass.equals() to return 'false' when a ParameterizedClass
-                    //  generated from the 'authenticators' list is compared to the default_authenticator if the default
-                    //  authenticator was specified using that third form (list style). This results in the default
-                    //  authenticator being placed at the end of the authenticators list instead of in its
-                    //  configured order, which can lead to the negotiator picking a weaker authenticator than the order
-                    //  of authenticators in the configuration indicates. I'm not sure how to resolve this right now.
-                    //  One possibility is to 'fix' the equals() and hashCode() methods in ParameterizedClass to treat
-                    //  null and empty 'parameters' the same (by coercing null to empty).
-                    if (clazz.equals(conf.authenticator_negotiation.default_authenticator))
-                    {
-                        negotiableAuthenticators.add(defaultAuthenticator);
-                        continue;
-                    }
-
-                    Optional<IAuthenticator> authenticator = authInstantiate(clazz);
-
-                    if (authenticator.isEmpty())
-                    {
-                        logger.warn("Unable to instantiate configured authenticator {}", clazz.class_name);
-                    }
-                    else
-                    {
-                        negotiableAuthenticators.add(authenticator.get());
-                    }
-                }
-            }
-
-            logger.info("Configured negotiable authenticators {}", negotiableAuthenticators);
-        }
-
-        // Ensure default authenticator is available for negotiation (as lowest priority) so clients can
-        // explicitly signal support for it, rather than falling back to it blindly when negotiation fails.
-        if (!negotiableAuthenticators.contains(defaultAuthenticator))
-        {
-            logger.info("Adding default authenticator as least-preferred for negotiation: {}",
-                        defaultAuthenticator.getClass().getName());
-            negotiableAuthenticators.add(defaultAuthenticator);
-        }
-
-        DatabaseDescriptor.setNegotiableAuthenticators(negotiableAuthenticators);
-
-        // Defensive check: Verify default authenticator is in negotiable list
-        // This is critical for security - many code paths assume default is always available
-        // TODO - This will probably need to be removed before the PR ... at least we should try.
-        if (negotiationConfigured && !DatabaseDescriptor.getNegotiableAuthenticators().contains(defaultAuthenticator))
-        {
-            throw new ConfigurationException("Default authenticator must be in negotiable authenticators list. " +
-                                           "This indicates a bug in authenticator initialization.", false);
-        }
+        DatabaseDescriptor.setDefaultAuthenticator(authConfig.defaultAuthenticator);
+        DatabaseDescriptor.setNegotiableAuthenticators(authConfig.negotiableAuthenticators);
 
         // Validate require_authentication setting if negotiation is configured
-        if (negotiationConfigured)
+        if (authConfig.isNegotiationEnabled)
         {
-            validateRequireAuthentication(conf, defaultAuthenticator, negotiableAuthenticators);
+            validateRequireAuthentication(authConfig);
         }
 
         // authorizer
 
         IAuthorizer authorizer = authInstantiate(conf.authorizer, AllowAllAuthorizer.class);
-
-        if (negotiationConfigured)
-        {
-            validateAuthenticatorAuthorizerCompatibility(conf, authorizer, negotiableAuthenticators);
-        }
-        else if (!defaultAuthenticator.requireAuthentication() && authorizer.requireAuthorization())
-        {
-            throw new ConfigurationException(authorizer.getClass().getName() + " has authorization enabled which requires " +
-                                             defaultAuthenticator.getClass().getName() + " to enable authentication", false);
-        }
-
+        validateAuthenticatorAuthorizerCompatibility(authConfig, authorizer);
         DatabaseDescriptor.setAuthorizer(authorizer);
 
         // role manager
 
         IRoleManager roleManager = authInstantiate(conf.role_manager, CassandraRoleManager.class);
 
-        if (defaultAuthenticator instanceof PasswordAuthenticator && !(roleManager instanceof CassandraRoleManager))
-            throw new ConfigurationException(defaultAuthenticator.getClass().getName() + " requires " + CassandraRoleManager.class.getName(), false);
+        // PasswordAuthenticator requires CassandraRoleManager. Check if any negotiable authenticator is
+        // a PasswordAuthenticator.
+        boolean hasPasswordAuth = authConfig.negotiableAuthenticators.stream()
+            .anyMatch(auth -> auth instanceof PasswordAuthenticator);
+
+        if (hasPasswordAuth && !(roleManager instanceof CassandraRoleManager))
+            throw new ConfigurationException("PasswordAuthenticator requires " + CassandraRoleManager.class.getName(), false);
 
         DatabaseDescriptor.setRoleManager(roleManager);
 
-        // authenticator
+        // internode authenticator
 
         IInternodeAuthenticator internodeAuthenticator = authInstantiate(conf.internode_authenticator,
                                                                          AllowAllInternodeAuthenticator.class);
@@ -226,37 +141,19 @@ else if (!defaultAuthenticator.requireAuthentication() && authorizer.requireAuth
         // network authorizer
 
         INetworkAuthorizer networkAuthorizer = authInstantiate(conf.network_authorizer, AllowAllNetworkAuthorizer.class);
-
-        if (negotiationConfigured)
-        {
-            validateAuthenticatorNetworkAuthorizerCompatibility(conf, networkAuthorizer, negotiableAuthenticators);
-        }
-        else if (networkAuthorizer.requireAuthorization() && !defaultAuthenticator.requireAuthentication())
-        {
-            throw new ConfigurationException(conf.network_authorizer + " can't be used with " + conf.authenticator.class_name, false);
-        }
-
+        validateAuthenticatorNetworkAuthorizerCompatibility(authConfig, networkAuthorizer);
         DatabaseDescriptor.setNetworkAuthorizer(networkAuthorizer);
 
         // cidr authorizer
 
         ICIDRAuthorizer cidrAuthorizer = authInstantiate(conf.cidr_authorizer, AllowAllCIDRAuthorizer.class);
-
-        if (negotiationConfigured)
-        {
-            validateAuthenticatorCIDRAuthorizerCompatibility(conf, cidrAuthorizer, negotiableAuthenticators);
-        }
-        else if (cidrAuthorizer.requireAuthorization() && !defaultAuthenticator.requireAuthentication())
-        {
-            throw new ConfigurationException(conf.cidr_authorizer + " can't be used with " + conf.authenticator, false);
-        }
-
+        validateAuthenticatorCIDRAuthorizerCompatibility(authConfig, cidrAuthorizer);
         DatabaseDescriptor.setCIDRAuthorizer(cidrAuthorizer);
 
         // Validate at last to have authenticator, authorizer, role-manager and internode-auth setup
         // in case these rely on each other.
 
-        defaultAuthenticator.validateConfiguration();
+        authConfig.defaultAuthenticator.validateConfiguration();
         authorizer.validateConfiguration();
         roleManager.validateConfiguration();
         networkAuthorizer.validateConfiguration();
@@ -291,22 +188,18 @@ private static <T> T defaultAuthInstantiate(Class<T> defaultCls) {
     }
 
     /**
-     * Validates the require_authentication setting when authenticator negotiation is configured.
-     * If require_authentication is true, all authenticators must require authentication.
-     * If require_authentication is false and non-authenticating authenticators are present, logs a warning.
+     * Validates the require_authentication setting when authenticator negotiation is configured. If
+     * require_authentication is true, all authenticators must require authentication. If require_authentication is
+     * false and non-authenticating authenticators are present, logs a warning and continues.
      */
-    private static void validateRequireAuthentication(Config conf,
-                                                      IAuthenticator defaultAuthenticator,
-                                                      List<IAuthenticator> negotiableAuthenticators)
+    private static void validateRequireAuthentication(AuthenticatorConfig authConfig)
     {
-        boolean requireAuthentication = conf.authenticator_negotiation.require_authentication;
-        
         // Check all negotiable authenticators (includes default)
-        for (IAuthenticator auth : negotiableAuthenticators)
+        for (IAuthenticator auth : authConfig.negotiableAuthenticators)
         {
             if (!auth.requireAuthentication())
             {
-                if (requireAuthentication)
+                if (authConfig.requireAuthentication)
                 {
                     throw new ConfigurationException(
                         "require_authentication is true but authenticator doesn't require authentication: " 
@@ -324,64 +217,96 @@ private static void validateRequireAuthentication(Config conf,
 
     /**
      * Validates compatibility between authenticators and authorizer when negotiation is configured.
-     * If any authenticator doesn't require authentication and authorizer requires authorization:
+     * If any authenticator doesn't require authentication and the authorizer requires authorization:
      * - require_authentication: true -> fail (strict mode)
      * - require_authentication: false -> warn (permissive mode for migration)
      */
-    private static void validateAuthenticatorAuthorizerCompatibility(Config conf,
-                                                                     IAuthorizer authorizer,
-                                                                     List<IAuthenticator> negotiableAuthenticators)
+    private static void validateAuthenticatorAuthorizerCompatibility(AuthenticatorConfig authConfig,
+                                                                     IAuthorizer authorizer)
     {
         if (!authorizer.requireAuthorization())
             return;
+
+        // Legacy mode: simple check
+        if (!authConfig.isNegotiationEnabled)
+        {
+            if (!authConfig.defaultAuthenticator.requireAuthentication())
+            {
+                throw new ConfigurationException(authorizer.getClass().getName() + " has authorization enabled which requires " +
+                                               authConfig.defaultAuthenticator.getClass().getName() + " to enable authentication", false);
+            }
+            return;
+        }
         
-        validateAuthorizerCompatibility(conf, authorizer.getClass().getName(), 
-                                       negotiableAuthenticators, "limited access based on 'anonymous' role permissions");
+        // Negotiation mode: check all authenticators
+        validateAuthorizerCompatibility(authConfig, authorizer.getClass().getName(), 
+                                       "limited access based on 'anonymous' role permissions");
     }
 
     /**
      * Validates compatibility between authenticators and network authorizer when negotiation is configured.
      */
-    private static void validateAuthenticatorNetworkAuthorizerCompatibility(Config conf,
-                                                                            INetworkAuthorizer networkAuthorizer,
-                                                                            List<IAuthenticator> negotiableAuthenticators)
+    private static void validateAuthenticatorNetworkAuthorizerCompatibility(AuthenticatorConfig authConfig,
+                                                                            INetworkAuthorizer networkAuthorizer)
     {
         if (!networkAuthorizer.requireAuthorization())
             return;
+
+        // Legacy mode: simple check
+        if (!authConfig.isNegotiationEnabled)
+        {
+            if (!authConfig.defaultAuthenticator.requireAuthentication())
+            {
+                throw new ConfigurationException(networkAuthorizer.getClass().getName() + " can't be used with " + 
+                                               authConfig.defaultAuthenticator.getClass().getName(), false);
+            }
+            return;
+        }
         
-        validateAuthorizerCompatibility(conf, networkAuthorizer.getClass().getName(), 
-                                       negotiableAuthenticators, "limited network access");
+        // Negotiation mode: check all authenticators
+        validateAuthorizerCompatibility(authConfig, networkAuthorizer.getClass().getName(), 
+                                       "limited network access");
     }
 
     /**
      * Validates compatibility between authenticators and CIDR authorizer when negotiation is configured.
      */
-    private static void validateAuthenticatorCIDRAuthorizerCompatibility(Config conf,
-                                                                         ICIDRAuthorizer cidrAuthorizer,
-                                                                         List<IAuthenticator> negotiableAuthenticators)
+    private static void validateAuthenticatorCIDRAuthorizerCompatibility(AuthenticatorConfig authConfig,
+                                                                         ICIDRAuthorizer cidrAuthorizer)
     {
         if (!cidrAuthorizer.requireAuthorization())
             return;
+
+        // Legacy mode: simple check
+        if (!authConfig.isNegotiationEnabled)
+        {
+            if (!authConfig.defaultAuthenticator.requireAuthentication())
+            {
+                throw new ConfigurationException(cidrAuthorizer.getClass().getName() + " can't be used with " + 
+                                               authConfig.defaultAuthenticator.getClass().getName(), false);
+            }
+            return;
+        }
         
-        validateAuthorizerCompatibility(conf, cidrAuthorizer.getClass().getName(), 
-                                       negotiableAuthenticators, "limited CIDR-based access");
+        // Negotiation mode: check all authenticators
+        validateAuthorizerCompatibility(authConfig, cidrAuthorizer.getClass().getName(), 
+                                       "limited CIDR-based access");
     }
 
     /**
      * Common validation logic for authorizer compatibility.
      * Checks if any authenticator doesn't require authentication when an authorizer requires authorization.
      */
-    private static void validateAuthorizerCompatibility(Config conf,
+    private static void validateAuthorizerCompatibility(AuthenticatorConfig authConfig,
                                                         String authorizerName,
-                                                        List<IAuthenticator> negotiableAuthenticators,
                                                         String accessDescription)
     {
-        boolean hasNonAuthenticating = negotiableAuthenticators.stream()
+        boolean hasNonAuthenticating = authConfig.negotiableAuthenticators.stream()
             .anyMatch(auth -> !auth.requireAuthentication());
         
         if (hasNonAuthenticating)
         {
-            if (conf.authenticator_negotiation.require_authentication)
+            if (authConfig.requireAuthentication)
             {
                 throw new ConfigurationException(
                     "require_authentication is true but some negotiable authenticators don't require authentication. " +
@@ -396,4 +321,110 @@ private static void validateAuthorizerCompatibility(Config conf,
             }
         }
     }
+
+    /**
+     * Loads and normalizes authenticator configuration from either legacy or negotiation config.
+     * Returns a normalized structure containing default authenticator, negotiable authenticators list,
+     * and configuration flags.
+     */
+    private static AuthenticatorConfig loadAuthenticatorConfig(Config conf)
+    {
+        // Determine if authenticator_negotiation was configured
+        boolean negotiationConfigured = conf.authenticator_negotiation.enabled;
+
+        // Determine default authenticator based on configuration precedence
+        IAuthenticator defaultAuthenticator;
+
+        if (negotiationConfigured)
+        {
+            ParameterizedClass defaultAuthenticatorConfig = conf.authenticator_negotiation.default_authenticator;
+
+            if (defaultAuthenticatorConfig == null)
+                // authenticator_negotiation is configured but default_authenticator is missing - fail to start
+                throw new ConfigurationException(
+                    "authenticator_negotiation section requires default_authenticator to be specified", false);
+
+            defaultAuthenticator = (IAuthenticator) authInstantiate(defaultAuthenticatorConfig)
+                                                    .orElseThrow(() -> new ConfigurationException(
+                                                    "Unable to load default_authenticator from authenticator_negotiation section: "
+                                                    + conf.authenticator_negotiation.default_authenticator.class_name, false
+                                                    ));
+        }
+        else
+        {
+            // Fall back to legacy authenticator config
+            defaultAuthenticator = authInstantiate(conf.authenticator, AllowAllAuthenticator.class);
+        }
+
+        List<IAuthenticator> negotiableAuthenticators = new ArrayList<>();
+
+        if (negotiationConfigured)
+        {
+            logger.info("Authentication negotiation enabled: initializing authenticators");
+            List<ParameterizedClass> authenticators = conf.authenticator_negotiation.authenticators;
+
+            if (authenticators != null)
+            {
+                for (ParameterizedClass clazz: authenticators)
+                {
+                    // We generally can't instantiate multiple instances of an authenticator, so if the
+                    // default is also in the list of negotiable authenticators, just re-use the instance
+                    // that we have.
+                    // TODO - This comparison is potentially broken because depending on how the authenticator
+                    //  is configured in YAML, this equals() may or may not work. The parameterized class created
+                    //  from 'default_authenticator: PasswordAuthenticator' or
+                    //  'default_authenticator:\n\tclass_name: PasswordAuthenticator'
+                    //  is different from that created from
+                    //  'default_authenticator:\n\t- class_name: PasswordAuthenticator'.
+                    //  The latter, inadvertantly, attempts to set default_authenticator to a list (indicated by the '-').
+                    //  Since default_authenticator isn't a list, SnakeYAML grabs the first list element and constructs
+                    //  the ParameterizedClass instance using the default constructor and reflection, which results in
+                    //  'parameters' being null instead of being an empty map which is what the first two forms will
+                    //  create. This causes ParameterizedClass.equals() to return 'false' when a ParameterizedClass
+                    //  generated from the 'authenticators' list is compared to the default_authenticator if the default
+                    //  authenticator was specified using that third form (list style). This results in the default
+                    //  authenticator being placed at the end of the authenticators list instead of in its
+                    //  configured order, which can lead to the negotiator picking a weaker authenticator than the order
+                    //  of authenticators in the configuration indicates. I'm not sure how to resolve this right now.
+                    //  One possibility is to 'fix' the equals() and hashCode() methods in ParameterizedClass to treat
+                    //  null and empty 'parameters' the same (by coercing null to empty).
+                    //  https://issues.apache.org/jira/browse/CASSANDRA-21238
+                    if (clazz.equals(conf.authenticator_negotiation.default_authenticator))
+                    {
+                        negotiableAuthenticators.add(defaultAuthenticator);
+                        continue;
+                    }
+
+                    Optional<IAuthenticator> authenticator = authInstantiate(clazz);
+
+                    if (authenticator.isEmpty())
+                    {
+                        logger.warn("Unable to instantiate configured authenticator {}", clazz.class_name);
+                    }
+                    else
+                    {
+                        negotiableAuthenticators.add(authenticator.get());
+                    }
+                }
+            }
+
+            logger.info("Configured negotiable authenticators {}", negotiableAuthenticators);
+        }
+
+        // Ensure default authenticator is available for negotiation (as lowest priority) so clients can
+        // explicitly signal support for it, rather than falling back to it blindly when negotiation fails.
+        if (!negotiableAuthenticators.contains(defaultAuthenticator))
+        {
+            logger.info("Adding default authenticator as least-preferred for negotiation: {}",
+                        defaultAuthenticator.getClass().getName());
+            negotiableAuthenticators.add(defaultAuthenticator);
+        }
+
+        return new AuthenticatorConfig(
+            defaultAuthenticator,
+            negotiableAuthenticators,
+            conf.authenticator_negotiation.require_authentication,
+            negotiationConfigured
+        );
+    }
 }
diff --git a/src/java/org/apache/cassandra/auth/AuthenticatorNegotiator.java b/src/java/org/apache/cassandra/auth/AuthenticatorNegotiator.java
index c1dd8660c77b..b8e7328179e9 100644
--- a/src/java/org/apache/cassandra/auth/AuthenticatorNegotiator.java
+++ b/src/java/org/apache/cassandra/auth/AuthenticatorNegotiator.java
@@ -48,21 +48,18 @@ public class AuthenticatorNegotiator
      */
     public static IAuthenticator negotiateAuthenticator(@Nonnull Set<String> clientAuthenticators)
     {
-        if (DatabaseDescriptor.isAuthenticatorNegotiationEnabled())
-        {
-            Set<IAuthenticator.AuthenticationMode> clientAuthenticationModes =
-                clientAuthenticators.stream()
-                                    .map(name -> new IAuthenticator.AuthenticationMode(name) {})
-                                    .collect(Collectors.toSet());
+        Set<IAuthenticator.AuthenticationMode> clientAuthenticationModes =
+            clientAuthenticators.stream()
+                                .map(name -> new IAuthenticator.AuthenticationMode(name) {})
+                                .collect(Collectors.toSet());
 
-            for (IAuthenticator authenticator : DatabaseDescriptor.getNegotiableAuthenticators())
+        for (IAuthenticator authenticator : DatabaseDescriptor.getNegotiableAuthenticators())
+        {
+            if (!Collections.disjoint(clientAuthenticationModes, authenticator.getSupportedAuthenticationModes()))
             {
-                if (!Collections.disjoint(clientAuthenticationModes, authenticator.getSupportedAuthenticationModes()))
-                {
-                    logger.info("Negotiated authenticator with client with options {}: selected {}",
-                                clientAuthenticationModes, authenticator.getClass().getName());
-                    return authenticator;
-                }
+                logger.info("Negotiated authenticator with client with options {}: selected {}",
+                            clientAuthenticationModes, authenticator.getClass().getName());
+                return authenticator;
             }
         }
 
diff --git a/src/java/org/apache/cassandra/auth/PasswordAuthenticator.java b/src/java/org/apache/cassandra/auth/PasswordAuthenticator.java
index 27a1692e5eba..236749d6269e 100644
--- a/src/java/org/apache/cassandra/auth/PasswordAuthenticator.java
+++ b/src/java/org/apache/cassandra/auth/PasswordAuthenticator.java
@@ -75,6 +75,7 @@ public class PasswordAuthenticator implements IAuthenticator, AuthCache.BulkLoad
     public static final String USERNAME_KEY = "username";
     public static final String PASSWORD_KEY = "password";
     private static final Set<AuthenticationMode> AUTHENTICATION_MODES = Collections.singleton(AuthenticationMode.PASSWORD);
+    static final byte NUL = 0;
 
     @VisibleForTesting
     static final Set<IRoleManager.Option> SUPPORTED_ROLE_OPTIONS =
@@ -89,9 +90,8 @@ public class PasswordAuthenticator implements IAuthenticator, AuthCache.BulkLoad
                        IRoleManager.Option.HASHED_PASSWORD,
                        IRoleManager.Option.GENERATED_PASSWORD);
 
-    static final byte NUL = 0;
+    private static CredentialsCache cache;
     private SelectStatement authenticateStatement;
-    private CredentialsCache cache;
 
     /**
      * {@inheritDoc}
@@ -243,8 +243,14 @@ public void setup()
     {
         // Cache initialization is deferred to setup() to avoid duplicate cache registration when subclasses
         // of PasswordAuthenticator (e.g., MutualTlsWithPasswordFallbackAuthenticator) are also instantiated.
-        cache = new CredentialsCache(this);
-        AuthCacheService.instance.register(cache);
+        synchronized (PasswordAuthenticator.class)
+        {
+            if (cache == null)
+            {
+                cache = new CredentialsCache(this);
+                AuthCacheService.instance.register(cache);
+            }
+        }
 
         String query = String.format("SELECT %s FROM %s.%s WHERE role = ?",
                                      SALTED_HASH,
diff --git a/src/java/org/apache/cassandra/config/DatabaseDescriptor.java b/src/java/org/apache/cassandra/config/DatabaseDescriptor.java
index b414a85e8005..ba79a6624859 100644
--- a/src/java/org/apache/cassandra/config/DatabaseDescriptor.java
+++ b/src/java/org/apache/cassandra/config/DatabaseDescriptor.java
@@ -2043,7 +2043,8 @@ public static void setCryptoProvider(AbstractCryptoProvider cryptoProvider)
     }
 
     @VisibleForTesting /* Only for testing */
-    public static void setAuthenticatorNegotationEnabled(boolean isEnabled) {
+    public static void setAuthenticatorNegotationEnabled(boolean isEnabled)
+    {
         conf.authenticator_negotiation.enabled = isEnabled;
     }
 
@@ -2055,12 +2056,12 @@ public static boolean isAuthenticatorNegotiationEnabled()
 
     public static List<IAuthenticator> getNegotiableAuthenticators()
     {
-        return DatabaseDescriptor.negotiableAuthenticators;
+        return negotiableAuthenticators;
     }
 
     public static void setNegotiableAuthenticators(List<IAuthenticator> authenticators)
     {
-        DatabaseDescriptor.negotiableAuthenticators = new ArrayList<>(authenticators);
+        negotiableAuthenticators = new ArrayList<>(authenticators);
         updateAuthenticationRequired();
     }
 
@@ -2108,7 +2109,7 @@ public static void setAuthenticator(IAuthenticator authenticator)
 
     public static void setDefaultAuthenticator(IAuthenticator authenticator)
     {
-        DatabaseDescriptor.defaultAuthenticator = authenticator;
+        defaultAuthenticator = authenticator;
         updateAuthenticationRequired();
     }
 
@@ -2124,40 +2125,24 @@ private static void updateAuthenticationRequired()
             authenticationRequired = negotiableAuthenticators.stream()
                 .anyMatch(IAuthenticator::requireAuthentication);
         }
-        else if (defaultAuthenticator != null)
-        {
-            // Fallback to default authenticator for non-negotiation mode
-            authenticationRequired = defaultAuthenticator.requireAuthentication();
-        }
         else
         {
-            // Not yet initialized
-            authenticationRequired = false;
+            // Fallback to default authenticator for non-negotiation mode
+            authenticationRequired = defaultAuthenticator != null && defaultAuthenticator.requireAuthentication();
         }
     }
 
     /**
      * Indicates if this node uses an authenticator that requires authentication. With authenticator negotiation,
      * returns true if ANY negotiable authenticator requires authentication. This determines whether authentication
-     * infrastructure (caches, role management) should be enabled, as well as to determine whether anonymous (i.e.
-     * unauthenticated) users can elevate permissions to perform CREATE/DROP TRIGGER and other operations.
+     * infrastructure (caches, role management) should be enabled, and whether anonymous (i.e. unauthenticated)
+     * users can elevate permissions to perform CREATE/DROP TRIGGER and other operations.
      */
     public static boolean isAuthenticationRequired()
     {
         return authenticationRequired;
     }
 
-    /**
-     * Indicates if this node is configured with an authenticator of the specified type.
-     * @param clazz The class of the authenticator.
-     * @return True if this node has an authenticator of the specified type, false otherwise.
-     */
-    private static boolean hasAuthenticator(Class<? extends IAuthenticator> clazz)
-    {
-        return negotiableAuthenticators.stream()
-                                       .anyMatch(auth -> clazz.isAssignableFrom(auth.getClass()));
-    }
-
     public static IAuthorizer getAuthorizer()
     {
         return authorizer;
diff --git a/src/java/org/apache/cassandra/service/CassandraDaemon.java b/src/java/org/apache/cassandra/service/CassandraDaemon.java
index c74b08ab1f46..2cee8e164f66 100644
--- a/src/java/org/apache/cassandra/service/CassandraDaemon.java
+++ b/src/java/org/apache/cassandra/service/CassandraDaemon.java
@@ -693,7 +693,7 @@ public static boolean isAuthSetupComplete()
     }
 
     @VisibleForTesting
-    public static boolean authSetupCalled()
+    public static boolean isAuthSetupCalled()
     {
         return authSetupCalled.get();
     }
diff --git a/src/java/org/apache/cassandra/service/ClientState.java b/src/java/org/apache/cassandra/service/ClientState.java
index d64a1d3fe5bd..6a267d0eda94 100644
--- a/src/java/org/apache/cassandra/service/ClientState.java
+++ b/src/java/org/apache/cassandra/service/ClientState.java
@@ -655,39 +655,20 @@ public boolean isOrdinaryUser()
 
     /**
      * Checks if this user is a super user.
-     * <p/>
-     * Returns true if:
-     * 1. This is an internal/system client, OR
-     * 2. No authenticators in the system require authentication (backward compat for AllowAllAuthenticator), OR
-     * 3. The user is authenticated and has been granted superuser role
-     * During migration with mixed authentication (some authenticators require auth, some don't),
-     * unauthenticated clients will NOT get the bypass - they'll be checked against the "anonymous" role.
+     * <p>
+     * Returns true if either no authenticators require authentication (for backward compatibility with
+     * AllowAllAuthenticator), or if the user has been granted superuser role. With mixed authentication (some
+     * authenticators require authentication, some don't), unauthenticated clients are checked against the "anonymous"
+     * role and do not receive superuser privileges.
      */
     public boolean isSuper()
     {
-        // Internal/system clients are always super
-        if (isInternal)
-        {
-            return true;
-        }
-
-        // If authenticator not set yet (shouldn't happen in normal operation), fall back to global check
+        // Warn if no authenticator is configured for this client (shouldn't happen in normal operation).
         if (authenticator == null)
         {
-            logger.warn("isSuper() called before authenticator was set - this should not happen in normal operation");
+            logger.warn("isSuper() called before client state authenticator was set");
         }
 
-        // Check global authentication requirement, not this connection's specific authenticator.
-        //
-        // If NO authenticators in the system require authentication (e.g., only AllowAllAuthenticator configured):
-        //   - Returns true (bypass) for backward compatibility with auth-disabled clusters
-        //   - Short-circuits before checking user.isSuper()
-        //
-        // If ANY authenticator in the system requires authentication (e.g., PasswordAuthenticator in negotiable list):
-        //   - Evaluates user.isSuper() to check actual role grants
-        //   - For authenticated users: returns true if they have superuser role
-        //   - For ANONYMOUS_USER: returns false (AuthenticatedUser.isSuper() always returns false for anonymous)
-        //   - This ensures unauthenticated clients during migration get no bypass
         return !DatabaseDescriptor.isAuthenticationRequired() || (user != null && user.isSuper());
     }
 
diff --git a/src/java/org/apache/cassandra/transport/InitialConnectionHandler.java b/src/java/org/apache/cassandra/transport/InitialConnectionHandler.java
index bdff28a2d6f8..511708d89a98 100644
--- a/src/java/org/apache/cassandra/transport/InitialConnectionHandler.java
+++ b/src/java/org/apache/cassandra/transport/InitialConnectionHandler.java
@@ -89,7 +89,7 @@ protected void decode(ChannelHandlerContext ctx, ByteBuf buffer, List<Object> li
 
                     Map<String, List<String>> supportedOptions = new HashMap<>();
                     if (DatabaseDescriptor.isAuthenticatorNegotiationEnabled())
-                            supportedOptions.put(StartupMessage.AUTHENTICATORS, new ArrayList<>());
+                        supportedOptions.put(StartupMessage.AUTHENTICATORS, List.of());
                     supportedOptions.put(StartupMessage.CQL_VERSION, cqlVersions);
                     supportedOptions.put(StartupMessage.COMPRESSION, compressions);
                     supportedOptions.put(StartupMessage.PROTOCOL_VERSIONS, ProtocolVersion.supportedVersions());
diff --git a/test/distributed/org/apache/cassandra/distributed/test/AuthTest.java b/test/distributed/org/apache/cassandra/distributed/test/AuthTest.java
index 9e08ebbd45d9..68ce76aff725 100644
--- a/test/distributed/org/apache/cassandra/distributed/test/AuthTest.java
+++ b/test/distributed/org/apache/cassandra/distributed/test/AuthTest.java
@@ -63,7 +63,7 @@ public void authSetupIsCalledAfterStartup() throws IOException
             await().pollDelay(1, SECONDS)
                    .pollInterval(1, SECONDS)
                    .atMost(10, SECONDS)
-                   .until(() -> instance.callOnInstance(() -> CassandraDaemon.authSetupCalled()));
+                   .until(() -> instance.callOnInstance(() -> CassandraDaemon.isAuthSetupCalled()));
         }
     }
 
diff --git a/test/distributed/org/apache/cassandra/distributed/test/auth/AuthenticatorNegotiationTest.java b/test/distributed/org/apache/cassandra/distributed/test/auth/AuthenticatorNegotiationTest.java
index 7cba687df62f..59aebae0b43e 100644
--- a/test/distributed/org/apache/cassandra/distributed/test/auth/AuthenticatorNegotiationTest.java
+++ b/test/distributed/org/apache/cassandra/distributed/test/auth/AuthenticatorNegotiationTest.java
@@ -38,10 +38,10 @@
 
 /**
  * Exercises authenticator negotation for non-negotiating clients. When negotiation is enabled, non-negotiating
- * clients should always get the configured default authenticator. In addition, clients authenticating through
- * the AllowAllAuthenticator should authenticate as 'anonymous' and, because negotiation is enabled with at least
- * authenticator that requires authentication, should not have elevated super-user privileges (required to, for
- * example, create, drop or list roles, or create or drop triggers.
+ * clients should always get the configured default authenticator. In addition, when negotiation is enabled with at
+ * least one authenticator that requires authentication, clients authenticating through the AllowAllAuthenticator (or
+ * any other authenticator that does not require authentication) should authenticate as 'anonymous' and should not be
+ * granted super-user privileges by default.
  * <p/>
  * This is in contrast to 'anonymous' behavior when negotiation is not enabled. In that case, all clients use the
  * same authenticator, and if that authenticator does not require authentication the 'anonymous' user will default
@@ -50,15 +50,14 @@
 public class AuthenticatorNegotiationTest extends TestBaseImpl
 {
     /**
-     * Tests that unauthenticated clients get the anonymous role (not superuser bypass) when
-     * authentication is required globally. This validates the security fix in ClientState.isSuper()
-     * where it checks DatabaseDescriptor.isAuthenticationRequired() instead of per-connection
-     * authenticator.requireAuthentication().
+     * Tests that unauthenticated clients do not receive automatic superuser privileges when authentication is
+     * required globally. This validates the security fix in ClientState.isSuper() where it checks
+     * DatabaseDescriptor.isAuthenticationRequired() instead of per-connection authenticator.requireAuthentication().
      * 
      * Configuration: negotiation enabled with PasswordAuthenticator in negotiable list,
      * but default=AllowAllAuthenticator so non-negotiating clients connect unauthenticated.
      * Since ANY negotiable authenticator requires auth, unauthenticated clients should NOT
-     * get superuser bypass.
+     * receive automatic superuser privileges.
      */
     @Test
     public void testUnauthenticatedClientsGetAnonymousRole() throws IOException
@@ -90,16 +89,12 @@ public void testUnauthenticatedClientsGetAnonymousRole() throws IOException
                                         })
                                         .start())
         {
-            // Non-negotiating client connects without credentials, falls back to AllowAllAuthenticator
-            // Gets anonymous user, but should NOT get superuser bypass because isAuthenticationRequired() is true
+            // Non-negotiating client connects without credentials, falls back to AllowAllAuthenticator. Gets
+            // anonymous user, but should NOT receive automatic superuser privileges because isAuthenticationRequired()
+            // is true.
             com.datastax.driver.core.Cluster.Builder builder = 
                 com.datastax.driver.core.Cluster.builder()
                     .addContactPoint("127.0.0.1");
-            /*
-                    .withSocketOptions(new com.datastax.driver.core.SocketOptions()
-                        .setConnectTimeoutMillis(60000)  // 60 seconds
-                        .setReadTimeoutMillis(60000));   // 60 seconds
-             */
 
             try (com.datastax.driver.core.Cluster c = builder.build(); 
                  Session session = c.connect())
@@ -115,11 +110,11 @@ public void testUnauthenticatedClientsGetAnonymousRole() throws IOException
                 assertTrue("Should get at least one row", rs.iterator().hasNext());
                 
                 // Negative test: Anonymous user should NOT be able to create roles (requires superuser)
-                // This verifies no superuser bypass is granted
+                // This verifies no automatic superuser privileges are granted
                 try
                 {
                     session.execute("CREATE ROLE test_role");
-                    org.junit.Assert.fail("Anonymous user should not be able to create roles (no superuser bypass)");
+                    org.junit.Assert.fail("Anonymous user should not be able to create roles (no automatic superuser privileges)");
                 }
                 catch (com.datastax.driver.core.exceptions.UnauthorizedException e)
                 {
@@ -132,13 +127,10 @@ public void testUnauthenticatedClientsGetAnonymousRole() throws IOException
     }
 
     /**
-     * Tests that the ClientState.isSuper() bypass is disabled when authentication is required globally.
-     * This directly tests the security fix where isSuper() checks DatabaseDescriptor.isAuthenticationRequired()
-     * instead of the per-connection authenticator.requireAuthentication().
-     * 
-     * CREATE TRIGGER calls ClientState.ensureIsSuperuser() which delegates to isSuper(), making it
-     * the perfect test for the bypass logic.
-     * 
+     * Tests that automatic superuser privileges are not granted to unauthenticated clients when authentication
+     * is required globally. This directly tests the security fix where isSuper() checks
+     * DatabaseDescriptor.isAuthenticationRequired() instead of the per-connection authenticator.requireAuthentication().
+     *
      * Configuration: negotiation enabled with PasswordAuthenticator in negotiable list,
      * but default=AllowAllAuthenticator so non-negotiating clients connect unauthenticated.
      * Since ANY negotiable authenticator requires auth, isSuper() should return false for anonymous.
@@ -177,11 +169,8 @@ public void testSuperuserBypassDisabledWithAuthenticationRequired() throws IOExc
             com.datastax.driver.core.Cluster.Builder authBuilder = 
                 com.datastax.driver.core.Cluster.builder()
                     .addContactPoint("127.0.0.1")
-                    .withAuthProvider(new PlainTextAuthProvider("cassandra", "cassandra"))
-                    .withSocketOptions(new com.datastax.driver.core.SocketOptions()
-                        .setConnectTimeoutMillis(60000)
-                        .setReadTimeoutMillis(60000));
-            
+                    .withAuthProvider(new PlainTextAuthProvider("cassandra", "cassandra"));
+
             try (com.datastax.driver.core.Cluster c = authBuilder.build(); 
                  Session session = c.connect())
             {
@@ -192,10 +181,7 @@ public void testSuperuserBypassDisabledWithAuthenticationRequired() throws IOExc
             // Non-negotiating client connects without credentials, falls back to AllowAllAuthenticator
             com.datastax.driver.core.Cluster.Builder anonBuilder = 
                 com.datastax.driver.core.Cluster.builder()
-                    .addContactPoint("127.0.0.1")
-                    .withSocketOptions(new com.datastax.driver.core.SocketOptions()
-                        .setConnectTimeoutMillis(60000)
-                        .setReadTimeoutMillis(60000));
+                    .addContactPoint("127.0.0.1");
 
             try (com.datastax.driver.core.Cluster c = anonBuilder.build(); 
                  Session session = c.connect())
@@ -208,11 +194,11 @@ public void testSuperuserBypassDisabledWithAuthenticationRequired() throws IOExc
                 try
                 {
                     session.execute("CREATE TRIGGER test_trigger ON test_ks.test_table USING 'org.apache.cassandra.triggers.AuditTrigger'");
-                    org.junit.Assert.fail("Anonymous user should not be able to create triggers (superuser bypass disabled)");
+                    org.junit.Assert.fail("Anonymous user should not be able to create triggers (no automatic superuser privileges)");
                 }
                 catch (com.datastax.driver.core.exceptions.UnauthorizedException e)
                 {
-                    // Expected - isSuper() returned false, no bypass granted
+                    // Expected - isSuper() returned false, no automatic superuser privileges granted
                     assertTrue("Should get superuser required message",
                               e.getMessage().contains("Only superusers are allowed to perform CREATE TRIGGER queries"));
                 }
@@ -228,9 +214,9 @@ public void testSuperuserBypassDisabledWithAuthenticationRequired() throws IOExc
     }
 
     /**
-     * Tests that authenticated superusers retain their privileges when authenticator negotiation
-     * is enabled. This is a positive control test to ensure the permission system works correctly
-     * and isn't just blocking everything.
+     * Tests that authenticated superusers retain their privileges when authenticator negotiation is enabled.
+     * This is a positive control test to ensure the permission system works correctly and isn't just blocking
+     * all privileged access.
      * 
      * Configuration: default=PasswordAuthenticator, negotiable=[PasswordAuthenticator, AllowAllAuthenticator]
      * Non-negotiating client falls back to PasswordAuthenticator and must authenticate.
@@ -270,11 +256,8 @@ public void testAuthenticatedSuperuserHasPrivileges() throws IOException
             com.datastax.driver.core.Cluster.Builder authBuilder = 
                 com.datastax.driver.core.Cluster.builder()
                     .addContactPoint("127.0.0.1")
-                    .withAuthProvider(new PlainTextAuthProvider("cassandra", "cassandra"))
-                    .withSocketOptions(new com.datastax.driver.core.SocketOptions()
-                        .setConnectTimeoutMillis(60000)
-                        .setReadTimeoutMillis(60000));
-            
+                    .withAuthProvider(new PlainTextAuthProvider("cassandra", "cassandra"));
+
             try (com.datastax.driver.core.Cluster c = authBuilder.build(); 
                  Session session = c.connect())
             {
@@ -336,8 +319,9 @@ public void testFallbackToDefaultAuthenticator() throws IOException
             // Use DataStax driver which doesn't support negotiation protocol
             // It should fall back to default (PasswordAuthenticator) and require credentials
             com.datastax.driver.core.Cluster.Builder builder =
-                com.datastax.driver.core.Cluster.builder().addContactPoint("127.0.0.1")
-                                                          .withAuthProvider(new PlainTextAuthProvider("cassandra", "cassandra"));
+                com.datastax.driver.core.Cluster.builder()
+                                                .addContactPoint("127.0.0.1")
+                                                .withAuthProvider(new PlainTextAuthProvider("cassandra", "cassandra"));
 
 
             try (com.datastax.driver.core.Cluster c = builder.build(); 

From 2c6a870576e8950239307fb1d4d01cbf97f4ef78 Mon Sep 17 00:00:00 2001
From: Joel Shepherd <shepherd@amazon.com>
Date: Mon, 27 Apr 2026 22:38:43 +0000
Subject: [PATCH 29/30] Making checkstyle happy again

---
 .../org/apache/cassandra/cql3/CQLTester.java  | 37 ++++++++++---------
 1 file changed, 19 insertions(+), 18 deletions(-)

diff --git a/test/unit/org/apache/cassandra/cql3/CQLTester.java b/test/unit/org/apache/cassandra/cql3/CQLTester.java
index 98d4059daffa..c24f36336b58 100644
--- a/test/unit/org/apache/cassandra/cql3/CQLTester.java
+++ b/test/unit/org/apache/cassandra/cql3/CQLTester.java
@@ -64,13 +64,29 @@
 import javax.management.remote.rmi.RMIConnectorServer;
 import javax.net.ssl.SSLException;
 
+import com.codahale.metrics.Gauge;
+import com.datastax.driver.core.CloseFuture;
+import com.datastax.driver.core.Cluster;
+import com.datastax.driver.core.ColumnDefinitions;
+import com.datastax.driver.core.DataType;
+import com.datastax.driver.core.NettyOptions;
+import com.datastax.driver.core.ResultSet;
+import com.datastax.driver.core.Row;
+import com.datastax.driver.core.Session;
+import com.datastax.driver.core.SimpleStatement;
+import com.datastax.driver.core.SocketOptions;
+import com.datastax.driver.core.Statement;
+import com.datastax.driver.core.TypeCodec;
+import com.datastax.driver.core.UDTValue;
+import com.datastax.driver.core.UserType;
+import com.datastax.driver.core.exceptions.UnauthorizedException;
+import com.datastax.shaded.netty.channel.EventLoopGroup;
 import com.google.common.base.Objects;
 import com.google.common.base.Strings;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
 import com.google.common.collect.Iterables;
 
-import org.apache.cassandra.auth.SpiffeCertificateValidator;
 import org.apache.commons.lang3.ArrayUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.assertj.core.api.Assertions;
@@ -91,29 +107,14 @@
 import accord.utils.Gen;
 import accord.utils.Property;
 import accord.utils.RandomSource;
-import com.codahale.metrics.Gauge;
-import com.datastax.driver.core.CloseFuture;
-import com.datastax.driver.core.Cluster;
-import com.datastax.driver.core.ColumnDefinitions;
-import com.datastax.driver.core.DataType;
-import com.datastax.driver.core.NettyOptions;
-import com.datastax.driver.core.ResultSet;
-import com.datastax.driver.core.Row;
-import com.datastax.driver.core.Session;
-import com.datastax.driver.core.SimpleStatement;
-import com.datastax.driver.core.SocketOptions;
-import com.datastax.driver.core.Statement;
-import com.datastax.driver.core.TypeCodec;
-import com.datastax.driver.core.UDTValue;
-import com.datastax.driver.core.UserType;
-import com.datastax.driver.core.exceptions.UnauthorizedException;
-import com.datastax.shaded.netty.channel.EventLoopGroup;
+
 import org.apache.cassandra.SchemaLoader;
 import org.apache.cassandra.ServerTestUtils;
 import org.apache.cassandra.Util;
 import org.apache.cassandra.auth.AuthTestUtils;
 import org.apache.cassandra.auth.IAuthenticator;
 import org.apache.cassandra.auth.IRoleManager;
+import org.apache.cassandra.auth.SpiffeCertificateValidator;
 import org.apache.cassandra.concurrent.Stage;
 import org.apache.cassandra.config.CassandraRelevantProperties;
 import org.apache.cassandra.config.Config;

From ca72b2e79cec8424450340c31dc65ceb0b492fab Mon Sep 17 00:00:00 2001
From: Joel Shepherd <shepherd@amazon.com>
Date: Tue, 28 Apr 2026 23:49:32 +0000
Subject: [PATCH 30/30] Further self-review: changes mostly for readability and
 a bit moore conciseness

---
 .../org/apache/cassandra/auth/AuthConfig.java | 118 ++++++++----------
 .../apache/cassandra/auth/IAuthenticator.java |   2 +-
 .../cassandra/config/DatabaseDescriptor.java  |  33 +++--
 ...java => AuthenticatorNegotiationTest.java} |  14 ++-
 ... AuthenticatorWithoutNegotiationTest.java} |   3 +-
 5 files changed, 75 insertions(+), 95 deletions(-)
 rename test/unit/org/apache/cassandra/transport/{NegotiatedAuthenticationTest.java => AuthenticatorNegotiationTest.java} (94%)
 rename test/unit/org/apache/cassandra/transport/{NonNegotiatedAuthenticationTest.java => AuthenticatorWithoutNegotiationTest.java} (98%)

diff --git a/src/java/org/apache/cassandra/auth/AuthConfig.java b/src/java/org/apache/cassandra/auth/AuthConfig.java
index 6cd7fc4362e8..9e3b73fa7601 100644
--- a/src/java/org/apache/cassandra/auth/AuthConfig.java
+++ b/src/java/org/apache/cassandra/auth/AuthConfig.java
@@ -91,16 +91,18 @@ public static void applyAuth()
         AuthenticatorConfig authConfig = loadAuthenticatorConfig(conf);
 
         // the configuration options regarding credentials caching are only guaranteed to
-        // work with PasswordAuthenticator, so log a message if some other authenticator
-        // is in use and non-default values are detected
-        if (!(authConfig.defaultAuthenticator instanceof PasswordAuthenticator || authConfig.defaultAuthenticator instanceof MutualTlsAuthenticator)
+        // work with PasswordAuthenticator and MutualTlsAuthenticator, so log a message if none of the
+        // configured authenticators use credentials caching and non-default values are detected
+        boolean hasCredentialsCaching = authConfig.negotiableAuthenticators.stream()
+            .anyMatch(auth -> auth instanceof PasswordAuthenticator || auth instanceof MutualTlsAuthenticator);
+
+        if (!hasCredentialsCaching
             && (conf.credentials_update_interval != null
                 || conf.credentials_validity.toMilliseconds() != 2000
                 || conf.credentials_cache_max_entries != 1000))
         {
             logger.info("Configuration options credentials_update_interval, credentials_validity and " +
-                        "credentials_cache_max_entries may not be applicable for the configured authenticator ({})",
-                        authConfig.defaultAuthenticator.getClass().getName());
+                        "credentials_cache_max_entries may not be applicable for the configured authenticators");
         }
 
         DatabaseDescriptor.setDefaultAuthenticator(authConfig.defaultAuthenticator);
@@ -153,7 +155,7 @@ public static void applyAuth()
         // Validate at last to have authenticator, authorizer, role-manager and internode-auth setup
         // in case these rely on each other.
 
-        authConfig.defaultAuthenticator.validateConfiguration();
+        authConfig.negotiableAuthenticators.forEach(IAuthenticator::validateConfiguration);
         authorizer.validateConfiguration();
         roleManager.validateConfiguration();
         networkAuthorizer.validateConfiguration();
@@ -195,21 +197,21 @@ private static <T> T defaultAuthInstantiate(Class<T> defaultCls) {
     private static void validateRequireAuthentication(AuthenticatorConfig authConfig)
     {
         // Check all negotiable authenticators (includes default)
-        for (IAuthenticator auth : authConfig.negotiableAuthenticators)
+        for (IAuthenticator authenticator : authConfig.negotiableAuthenticators)
         {
-            if (!auth.requireAuthentication())
+            if (!authenticator.requireAuthentication())
             {
                 if (authConfig.requireAuthentication)
                 {
                     throw new ConfigurationException(
                         "require_authentication is true but authenticator doesn't require authentication: " 
-                        + auth.getClass().getName(), false);
+                        + authenticator.getClass().getName(), false);
                 }
                 else
                 {
                     logger.warn("require_authentication is false and authenticator doesn't require authentication: {}. " +
-                               "This allows unauthenticated access. Set require_authentication: true to enforce authentication.",
-                               auth.getClass().getName());
+                               "This may allow unauthenticated access.",
+                               authenticator.getClass().getName());
                 }
             }
         }
@@ -227,20 +229,18 @@ private static void validateAuthenticatorAuthorizerCompatibility(AuthenticatorCo
         if (!authorizer.requireAuthorization())
             return;
 
-        // Legacy mode: simple check
-        if (!authConfig.isNegotiationEnabled)
+        // If negotiating, all authenticators have to work with the authorizer (require authentication).
+        if (authConfig.isNegotiationEnabled)
         {
-            if (!authConfig.defaultAuthenticator.requireAuthentication())
-            {
-                throw new ConfigurationException(authorizer.getClass().getName() + " has authorization enabled which requires " +
-                                               authConfig.defaultAuthenticator.getClass().getName() + " to enable authentication", false);
-            }
+            validateAuthorizerCompatibility(authConfig, authorizer.getClass().getName(),
+                                            "limited access based on 'anonymous' role permissions");
             return;
         }
-        
-        // Negotiation mode: check all authenticators
-        validateAuthorizerCompatibility(authConfig, authorizer.getClass().getName(), 
-                                       "limited access based on 'anonymous' role permissions");
+
+        // Otherwise, just the default authenticator has to work with the authorizer.
+        if (!authConfig.defaultAuthenticator.requireAuthentication())
+            throw new ConfigurationException(authorizer.getClass().getName() + " has authorization enabled which requires " +
+                                             authConfig.defaultAuthenticator.getClass().getName() + " to enable authentication", false);
     }
 
     /**
@@ -252,20 +252,18 @@ private static void validateAuthenticatorNetworkAuthorizerCompatibility(Authenti
         if (!networkAuthorizer.requireAuthorization())
             return;
 
-        // Legacy mode: simple check
-        if (!authConfig.isNegotiationEnabled)
+        // If negotiating, all authenticators have to work with the authorizer (require authentication).
+        if (authConfig.isNegotiationEnabled)
         {
-            if (!authConfig.defaultAuthenticator.requireAuthentication())
-            {
-                throw new ConfigurationException(networkAuthorizer.getClass().getName() + " can't be used with " + 
-                                               authConfig.defaultAuthenticator.getClass().getName(), false);
-            }
+            validateAuthorizerCompatibility(authConfig, networkAuthorizer.getClass().getName(),
+                                            "limited network access");
             return;
         }
-        
-        // Negotiation mode: check all authenticators
-        validateAuthorizerCompatibility(authConfig, networkAuthorizer.getClass().getName(), 
-                                       "limited network access");
+
+        // Otherwise, just the default authenticator has to work with the authorizer.
+        if (!authConfig.defaultAuthenticator.requireAuthentication())
+            throw new ConfigurationException(networkAuthorizer.getClass().getName() + " can't be used with " +
+                                             authConfig.defaultAuthenticator.getClass().getName(), false);
     }
 
     /**
@@ -277,20 +275,18 @@ private static void validateAuthenticatorCIDRAuthorizerCompatibility(Authenticat
         if (!cidrAuthorizer.requireAuthorization())
             return;
 
-        // Legacy mode: simple check
-        if (!authConfig.isNegotiationEnabled)
+        // If negotiating, all authenticators have to work with the authorizer (require authentication).
+        if (authConfig.isNegotiationEnabled)
         {
-            if (!authConfig.defaultAuthenticator.requireAuthentication())
-            {
-                throw new ConfigurationException(cidrAuthorizer.getClass().getName() + " can't be used with " + 
-                                               authConfig.defaultAuthenticator.getClass().getName(), false);
-            }
+            validateAuthorizerCompatibility(authConfig, cidrAuthorizer.getClass().getName(),
+                                            "limited CIDR-based access");
             return;
         }
-        
-        // Negotiation mode: check all authenticators
-        validateAuthorizerCompatibility(authConfig, cidrAuthorizer.getClass().getName(), 
-                                       "limited CIDR-based access");
+
+        // Otherwise, just the default authenticator has to work with the authorizer.
+        if (!authConfig.defaultAuthenticator.requireAuthentication())
+            throw new ConfigurationException(cidrAuthorizer.getClass().getName() + " can't be used with " +
+                                             authConfig.defaultAuthenticator.getClass().getName(), false);
     }
 
     /**
@@ -302,7 +298,7 @@ private static void validateAuthorizerCompatibility(AuthenticatorConfig authConf
                                                         String accessDescription)
     {
         boolean hasNonAuthenticating = authConfig.negotiableAuthenticators.stream()
-            .anyMatch(auth -> !auth.requireAuthentication());
+            .anyMatch(authenticator -> !authenticator.requireAuthentication());
         
         if (hasNonAuthenticating)
         {
@@ -329,13 +325,13 @@ private static void validateAuthorizerCompatibility(AuthenticatorConfig authConf
      */
     private static AuthenticatorConfig loadAuthenticatorConfig(Config conf)
     {
-        // Determine if authenticator_negotiation was configured
-        boolean negotiationConfigured = conf.authenticator_negotiation.enabled;
+        // Determine if authenticator_negotiation was enabled
+        boolean negotiationEnabled = conf.authenticator_negotiation.enabled;
 
         // Determine default authenticator based on configuration precedence
         IAuthenticator defaultAuthenticator;
 
-        if (negotiationConfigured)
+        if (negotiationEnabled)
         {
             ParameterizedClass defaultAuthenticatorConfig = conf.authenticator_negotiation.default_authenticator;
 
@@ -358,7 +354,7 @@ private static AuthenticatorConfig loadAuthenticatorConfig(Config conf)
 
         List<IAuthenticator> negotiableAuthenticators = new ArrayList<>();
 
-        if (negotiationConfigured)
+        if (negotiationEnabled)
         {
             logger.info("Authentication negotiation enabled: initializing authenticators");
             List<ParameterizedClass> authenticators = conf.authenticator_negotiation.authenticators;
@@ -370,24 +366,10 @@ private static AuthenticatorConfig loadAuthenticatorConfig(Config conf)
                     // We generally can't instantiate multiple instances of an authenticator, so if the
                     // default is also in the list of negotiable authenticators, just re-use the instance
                     // that we have.
-                    // TODO - This comparison is potentially broken because depending on how the authenticator
-                    //  is configured in YAML, this equals() may or may not work. The parameterized class created
-                    //  from 'default_authenticator: PasswordAuthenticator' or
-                    //  'default_authenticator:\n\tclass_name: PasswordAuthenticator'
-                    //  is different from that created from
-                    //  'default_authenticator:\n\t- class_name: PasswordAuthenticator'.
-                    //  The latter, inadvertantly, attempts to set default_authenticator to a list (indicated by the '-').
-                    //  Since default_authenticator isn't a list, SnakeYAML grabs the first list element and constructs
-                    //  the ParameterizedClass instance using the default constructor and reflection, which results in
-                    //  'parameters' being null instead of being an empty map which is what the first two forms will
-                    //  create. This causes ParameterizedClass.equals() to return 'false' when a ParameterizedClass
-                    //  generated from the 'authenticators' list is compared to the default_authenticator if the default
-                    //  authenticator was specified using that third form (list style). This results in the default
-                    //  authenticator being placed at the end of the authenticators list instead of in its
-                    //  configured order, which can lead to the negotiator picking a weaker authenticator than the order
-                    //  of authenticators in the configuration indicates. I'm not sure how to resolve this right now.
-                    //  One possibility is to 'fix' the equals() and hashCode() methods in ParameterizedClass to treat
-                    //  null and empty 'parameters' the same (by coercing null to empty).
+                    // TODO - ParameterizedClass.equals() fails when comparing configs with null vs empty parameters
+                    //  (e.g., 'default_authenticator: PasswordAuthenticator' vs 'default_authenticator:\n\t- class_name: PasswordAuthenticator').
+                    //  This causes duplicate authenticator instances and incorrect negotiation order.
+                    //  Fix: Normalize null to empty map in ParameterizedClass.equals()/hashCode().
                     //  https://issues.apache.org/jira/browse/CASSANDRA-21238
                     if (clazz.equals(conf.authenticator_negotiation.default_authenticator))
                     {
@@ -424,7 +406,7 @@ private static AuthenticatorConfig loadAuthenticatorConfig(Config conf)
             defaultAuthenticator,
             negotiableAuthenticators,
             conf.authenticator_negotiation.require_authentication,
-            negotiationConfigured
+            negotiationEnabled
         );
     }
 }
diff --git a/src/java/org/apache/cassandra/auth/IAuthenticator.java b/src/java/org/apache/cassandra/auth/IAuthenticator.java
index cdaa12d03f8b..7f2667329fcb 100644
--- a/src/java/org/apache/cassandra/auth/IAuthenticator.java
+++ b/src/java/org/apache/cassandra/auth/IAuthenticator.java
@@ -289,7 +289,7 @@ public boolean equals(Object o)
             if (this == o) return true;
             if (!(o instanceof AuthenticationMode)) return false;
             AuthenticationMode that = (AuthenticationMode) o;
-            return normalizedDisplayName.equalsIgnoreCase(that.normalizedDisplayName);
+            return normalizedDisplayName.equals(that.normalizedDisplayName);
         }
 
         @Override
diff --git a/src/java/org/apache/cassandra/config/DatabaseDescriptor.java b/src/java/org/apache/cassandra/config/DatabaseDescriptor.java
index ba79a6624859..c742fc13731d 100644
--- a/src/java/org/apache/cassandra/config/DatabaseDescriptor.java
+++ b/src/java/org/apache/cassandra/config/DatabaseDescriptor.java
@@ -226,7 +226,7 @@ public class DatabaseDescriptor
     private static AbstractCryptoProvider cryptoProvider;
 
     // Cached value: true if any authenticator requires authentication
-    private static boolean authenticationRequired;
+    private static boolean isAuthenticationRequired;
     private static List<IAuthenticator> negotiableAuthenticators = List.of();
     private static IAuthenticator defaultAuthenticator;
 
@@ -2062,7 +2062,7 @@ public static List<IAuthenticator> getNegotiableAuthenticators()
     public static void setNegotiableAuthenticators(List<IAuthenticator> authenticators)
     {
         negotiableAuthenticators = new ArrayList<>(authenticators);
-        updateAuthenticationRequired();
+        isAuthenticationRequired = computeAuthenticationRequired();
     }
 
     /**
@@ -2110,26 +2110,23 @@ public static void setAuthenticator(IAuthenticator authenticator)
     public static void setDefaultAuthenticator(IAuthenticator authenticator)
     {
         defaultAuthenticator = authenticator;
-        updateAuthenticationRequired();
+        isAuthenticationRequired = computeAuthenticationRequired();
     }
 
     /**
-     * Recomputes and caches whether authentication is required.
-     * Called when authenticators are set/updated.
+     * Computes whether authentication is required based on current authenticator configuration.
+     * Checks both the default authenticator and any negotiable authenticators.
+     * Returns true if ANY authenticator requires authentication, false otherwise.
      */
-    private static void updateAuthenticationRequired()
+    private static boolean computeAuthenticationRequired()
     {
-        if (isAuthenticatorNegotiationEnabled())
-        {
-            // Check if ANY negotiable authenticator requires authentication
-            authenticationRequired = negotiableAuthenticators.stream()
-                .anyMatch(IAuthenticator::requireAuthentication);
-        }
-        else
-        {
-            // Fallback to default authenticator for non-negotiation mode
-            authenticationRequired = defaultAuthenticator != null && defaultAuthenticator.requireAuthentication();
-        }
+        // Check default authenticator first (handles legacy setAuthenticator() calls)
+        if (defaultAuthenticator != null && defaultAuthenticator.requireAuthentication())
+            return true;
+
+        // Also check negotiable authenticators list
+        return negotiableAuthenticators.stream()
+                                       .anyMatch(IAuthenticator::requireAuthentication);
     }
 
     /**
@@ -2140,7 +2137,7 @@ private static void updateAuthenticationRequired()
      */
     public static boolean isAuthenticationRequired()
     {
-        return authenticationRequired;
+        return isAuthenticationRequired;
     }
 
     public static IAuthorizer getAuthorizer()
diff --git a/test/unit/org/apache/cassandra/transport/NegotiatedAuthenticationTest.java b/test/unit/org/apache/cassandra/transport/AuthenticatorNegotiationTest.java
similarity index 94%
rename from test/unit/org/apache/cassandra/transport/NegotiatedAuthenticationTest.java
rename to test/unit/org/apache/cassandra/transport/AuthenticatorNegotiationTest.java
index 74ce4060a782..928448c2622d 100644
--- a/test/unit/org/apache/cassandra/transport/NegotiatedAuthenticationTest.java
+++ b/test/unit/org/apache/cassandra/transport/AuthenticatorNegotiationTest.java
@@ -45,11 +45,11 @@
 import static org.junit.Assert.fail;
 
 /**
- * Tests the authentication negotiation protocol flow for a server that is configured to support authenticator
- * negotiation, including compatibility scenarios defined in CEP-50. Covers the compatibility matrix for
- * negotiating and non-negotiating clients.
+ * Tests the protocol flow for a server that is configured to support authenticator negotiation, including
+ * compatibility scenarios defined in CEP-50. Covers the compatibility matrix for negotiating and non-negotiating
+ * clients.
  */
-public class NegotiatedAuthenticationTest extends CQLTester
+public class AuthenticatorNegotiationTest extends CQLTester
 {
     @BeforeClass
     public static void setup()
@@ -158,7 +158,8 @@ public void testNonNegotiatingClientWithNegotiatingServer()
         }
     }
 
-    // Scenario 4: Full negotiation - no matching authenticators, falls back to default
+    // Scenario 4: Negotating client + Negotiating server
+    // Full negotiation but no matching authenticators: falls back to default authenticator
     @Test
     public void testFullNegotiationNoMatch()
     {
@@ -188,7 +189,8 @@ public void testFullNegotiationNoMatch()
         }
     }
 
-    // Scenario 5: Full negotiation - failed authentication
+    // Scenario 5: Negotating client + Negotiating server
+    // Successful negotiation but failed authentication should result in ERROR to client
     @Test
     public void testNegotiatedAuthenticationFailure()
     {
diff --git a/test/unit/org/apache/cassandra/transport/NonNegotiatedAuthenticationTest.java b/test/unit/org/apache/cassandra/transport/AuthenticatorWithoutNegotiationTest.java
similarity index 98%
rename from test/unit/org/apache/cassandra/transport/NonNegotiatedAuthenticationTest.java
rename to test/unit/org/apache/cassandra/transport/AuthenticatorWithoutNegotiationTest.java
index cf6bf3252573..5c1e1d54c6cf 100644
--- a/test/unit/org/apache/cassandra/transport/NonNegotiatedAuthenticationTest.java
+++ b/test/unit/org/apache/cassandra/transport/AuthenticatorWithoutNegotiationTest.java
@@ -44,7 +44,7 @@
  * Tests authentication protocol flow when server does NOT support negotiation.
  * Covers scenario 3 from CEP-50: Negotiating client + Non-negotiating server.
  */
-public class NonNegotiatedAuthenticationTest extends CQLTester
+public class AuthenticatorWithoutNegotiationTest extends CQLTester
 {
     @BeforeClass
     public static void setup()
@@ -89,7 +89,6 @@ public void testNegotiatingClientWithNonNegotiatingServer()
         }
     }
 
-
     // Scenario 2: Stubborn negotiating client + Non-negotiating server.
     // Client sends OPTIONS, server SUPPORTED lacks AUTHENTICATORS, client sends authenticators with STARTUP message
     // anyway, server ignores and executes non-negotiating auth flow.