Test Kerberos authentication with cqlsh

Confirm that Kerberos authentication is working correctly by configuring and using cqlsh.

Use the cqlsh tool to authenticate to DataStax Enterprise using a Kerberos principal. To use Kerberos authentication with cqlsh, create a cqlshrc file and configure the options for your Kerberos realm.

Procedure

  1. On the KDC server, add the user principals in kadmin using the addprinc command.
    $ kadmin
    addprinc jane

    In Kerberos, there's a difference between a service principal and a user principal. Typically, user principals have the form username@Kerberos realm name, while service principals have the form servicename/hostname@Kerberos realm name. For example, a user principal is jane@EXAMPLE.COM, while a service principal is cassandra/node1.example.com@EXAMPLE.COM.

    Do not confuse the default cassandra database superuser with the cassandra Unix user that corresponds with the cassandra Kerberos service principals (for example cassandra/node1.example.com@EXAMPLE.COM) used in this tutorial.

  2. On the DataStax Enterprise node where you will run cqlsh, add the user principals to the system_auth.users table.
    1. Temporarily disable Kerberos authentication in cassandra.yaml and restart the node.

      In cassandra.yaml:

      # authenticator: com.datastax.bdp.cassandra.auth.KerberosAuthenticator
      authenticator: PasswordAuthenticator
      authorizer: CassandraAuthorizer

      Restart the node:

      $ sudo service dse restart
    2. Create a new superuser with the same name as the user principal.
      $ cqlsh
      cqlsh> create user 'jane@EXAMPLE.COM' SUPERUSER;
      The Cassandra username must match the full user principal name, including the Kerberos realm.
    3. Re-enable the Kerberos authenticator in cassandra.yaml.
      authenticator: com.datastax.bdp.cassandra.auth.KerberosAuthenticator
      
    4. Restart the node.
      $ sudo service dse restart
  3. On the DataStax Enterprise node where you will run cqlsh, install the Python dependencies for cqlsh Kerberos authentication.

    RedHat and CentOS

    $ sudo yum install python-pip
    $ sudo pip install pure-sasl
    $ sudo yum install python27-kerberos
    Note: You must use the python27-kerberos package from the DataStax RPM repository. The python-kerberos package from the main RPM repositories will not work with cqlsh.

    Debian and Ubuntu

    $ sudo apt-get install python-pip
    $ sudo pip install pure-sasl
    $ sudo apt-get install python-kerberos
  4. Create a cqlshrc file based on the sample file included with DataStax Enterprise.

    Package installs

    $ mkdir ~/.cassandra
    $ cp /usr/share/doc/dse-libcassandra-4.8.3/cqlshrc.sample.kerberos ~/.cassandra/cqlshrc

    Tarball installs

    $ mkdir ~/.cassandra
    $ cp DSE_HOME/resources/cassandra/conf/cqlshrc.sample.kerberos ~/.cassandra/cqlshrc
  5. Edit cqlshrc and set the options according to your cluster and Kerberos realm.

    Set the hostname option in the [connection] section to the hostname of the node. In the [kerberos] section, set the hostname option to the hostname of the node, and set the principal option to the full name of the user principal you created.

    [connection]
    hostname = node1.example.com
    port = 9042
    
    [kerberos]
    hostname = node1.example.com
    service = cassandra
    ; optional
    principal = jane@EXAMPLE.COM
  6. Get a Kerberos ticket for your user principal.
    $ kinit jane
    Password for jane@EXAMPLE.COM: 
    $ klist
    Ticket cache: FILE:/tmp/krb5cc_1000
    Default principal: jane@EXAMPLE.COM
    
    Valid starting       Expires              Service principal
    12/14/2015 19:18:36  12/15/2015 05:18:36  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    	renew until 12/21/2015 19:18:34
  7. Start cqlsh.
    $ cqlsh
    Connected to Test Cluster at node1.example.com:9042.
    [cqlsh 5.0.1 | Cassandra 2.1.11.969 | DSE 4.8.3 | CQL spec 3.2.1 | Native protocol v3]
    Use HELP for help.
    cqlsh>
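
A pre-flight check for steps 5 and 6, added here as an example and not part of the DataStax documentation or tooling: it compares the [kerberos] settings in cqlshrc with the klist output and reports mismatches before cqlsh is started. The function name check_kerberos_setup, the embedded sample inputs (constructed from the values used on this page) and the MM/DD/YYYY klist date format are assumptions.

```python
import configparser
import re
from datetime import datetime

# Constructed sample inputs, built from the values used in this procedure.
SAMPLE_CQLSHRC = """\
[connection]
hostname = node1.example.com
port = 9042

[kerberos]
hostname = node1.example.com
service = cassandra
; optional
principal = jane@EXAMPLE.COM
"""
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jane@EXAMPLE.COM

Valid starting       Expires              Service principal
12/14/2015 19:18:36  12/15/2015 05:18:36  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 12/21/2015 19:18:34
"""
STAMP = r"(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)"
TICKET = re.compile(r"^" + STAMP + r"\s+" + STAMP + r"\s+(\S+)$", re.M)
FMT = "%m/%d/%Y %H:%M:%S"  # assumption: klist prints MM/DD/YYYY as shown above


def check_kerberos_setup(cqlshrc_text, klist_text, now):
    """Return (expected service principal, list of problems found)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cqlshrc_text)
    krb = cfg["kerberos"]
    problems = []
    if cfg.get("connection", "hostname", fallback=None) != krb.get("hostname"):
        problems.append("[connection] and [kerberos] hostname differ")
    m = re.search(r"^Default principal: (\S+)$", klist_text, re.M)
    cached = m.group(1) if m else None
    if cached is None:
        problems.append("no ticket cache; run kinit")
    principal = krb.get("principal", cached)  # principal is optional in cqlshrc
    if principal and "@" not in principal:
        problems.append("principal lacks the Kerberos realm")
    if cached and principal != cached:
        problems.append("ticket is for %s, cqlshrc expects %s" % (cached, principal))
    realm = (principal or "").partition("@")[2]
    tgt = "krbtgt/%s@%s" % (realm, realm)
    expiries = [datetime.strptime(e, FMT) for _, e, s in TICKET.findall(klist_text) if s == tgt]
    if not any(e > now for e in expiries):
        problems.append("no unexpired %s ticket" % tgt)
    return "%s/%s@%s" % (krb.get("service"), krb.get("hostname"), realm), problems
```

In practice, pass the contents of ~/.cassandra/cqlshrc, the captured output of klist, and datetime.now(); an empty problem list means the cqlshrc settings and the ticket cache agree.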