Running cqlsh

Sample files for Kerberos, SSL, and Kerboros and SSL.

To run cqlsh, you need to create a cqlshrc file in your ~/.cassandra directory. You cannot use cqlsh when client certificate authentication is enabled (require_client_auth=true). Sample files are available in the following directories:
  • Packaged installs: /usr/share/doc/dse-libcassandra
  • Tarball installs: install_location/resources/cassandra/conf

Kerberos example

[connection]
hostname = 192.168.1.2
port = 9160
factory = cqlshlib.kerberos.kerberos_transport_factory

[kerberos]
hostname = cassandra01.example.com
service = cassandra
principal = bill/cassandra-admin@example.com ;; Optional.
qops = auth-conf ;; Optional, see the following paragraph.
[kerberos-hostnames] ;; Optional section, overrides default hostname in [kerberos] section.
192.168.1.3 = cassandra01.example.com
192.168.1.4 = cassandra02.example.com

If qops is not specified the default (auth) is used. On the client side, the qops option is a comma-delimited list of the QOP values allowed by the client for the connection. The client (cqlsh) value list must contain at least one of the QOP values specified on the server. To clarify, the client can have multiple QOP values, while the server can have only a single QOP value (specified in the dse.yaml).

The Kerberos hostname and service are mandatory settings and must be provided either in the configuration file or as environment variables. The environment variables (KRB_HOST, KRB_SERVICE, and KRB_PRINCIPAL) override any options set in this file. For more information about these settings, see Securing DataStax Enterprise nodes. The hostname and service must match the values set in the dse.yaml.

SSL example

[connection]
hostname = 127.0.0.1
port = 9160
factory = cqlshlib.ssl.ssl_transport_factory

[ssl]
certfile = ~/keys/cassandra.cert
validate = true ;; Optional, true by default.

[certfiles] ;; Optional section, overrides the default certfile in the [ssl] section.
192.168.1.3 = ~/keys/cassandra01.cert
192.168.1.4 = ~/keys/cassandra02.cert
Note: When generating the certificate, be sure to set the CN to the hostname of the node.

You must create a pem key which is used in the cqlshrc file. 

keytool -importkeystore -srckeystore .keystore -destkeystore user.p12 -deststoretype PKCS12
openssl pkcs12 -in user.p12 -out user.pem -nodes

The pem key is required because the host in the certificate is compared to the host of the machine that it is connected to. The SSL certificate must be provided either in the configuration file or as an environment variable. The environment variables (SSL_CERTFILE and SSL_VALIDATE) override any options set in this file.

Kerberos and SSL

For information about using Kerberos with SSL, see Using Kerberos and SSL at the same time.

The settings for using both Kerberos and SSL are a combination of the Kerberos and SSL sections in the above examples, except the factory setting:

factory = cqlshlib.kerberos_ssl.kerberos_ssl_transport_factory

The supported environmental variables are KRB_HOST, KRB_SERVICE, KRB_PRINCIPAL, SSL_CERTFILE, and SSL_VALIDATE variables.