Using cqlsh with Kerberos/SSL
Configuration steps to use cqlsh with Kerberos and SSL.
To use cqlsh with Kerberos and SSL, use the sample files as a starting point and make changes as appropriate for your environment.
Installation type | Location of dse.yaml |
Installer-Services | /etc/dse/dse.yaml |
Package installations | /etc/dse/dse.yaml |
Installer-No Services | install_location/resources/dse/conf/dse.yaml |
Tarball installations | install_location/resources/dse/conf/dse.yaml |
Password authentication
- Create a cqlshrc file in your ~/.cassandra directory to avoid having to pass credentials for every login using cqlsh. When present, the cqlshrc file passes default login information to cqlsh. Add these entries to the cqlshrc file, where username is the Cassandra role:
[authentication]
username = username
password = password
- Set the correct permissions and secure the cqlshrc file so that no unauthorized users can gain access to the database login information it contains.
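One way to create the credentials file and check that it is private, as an added example that is not part of this page or of DataStax Enterprise: the file is created mode 0600 from the start (so the password is never briefly readable by other users), and the audit flags a file or parent directory that group or others can read or write, or that another user owns. The directory, username and password are constructed for the example.

```python
"""Create and audit a cqlshrc file that holds [authentication] credentials.

Added example, not DataStax code.  Paths and credential values are
constructed; the check mirrors the page's advice that nobody but the
owning user may read the file.
"""
import os
import stat
import tempfile


def write_cqlshrc(path, username, password):
    """Write the [authentication] section, creating the file with mode 0600
    so the credentials are never world-readable, even for an instant."""
    os.makedirs(os.path.dirname(path), mode=0o700, exist_ok=True)
    body = f"[authentication]\nusername = {username}\npassword = {password}\n"
    # The mode argument applies only when the file is created; chmod below
    # also tightens a pre-existing file that had looser permissions.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(body)
    os.chmod(path, 0o600)
    return path


def audit_cqlshrc(path):
    """Return a list of findings; an empty list means the file is private."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"{path} is readable by group or others (mode {mode:o})")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path} is writable by group or others (mode {mode:o})")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        findings.append(f"{path} is owned by uid {st.st_uid}, not the current user")
    # The directory matters too: a group- or world-writable ~/.cassandra
    # lets another local user replace the file with their own.
    parent = os.path.dirname(path)
    parent_mode = stat.S_IMODE(os.stat(parent).st_mode)
    if parent_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{parent} is writable by group or others (mode {parent_mode:o})")
    return findings


def demo():
    """Round trip in a temporary directory (stands in for ~/.cassandra).

    Returns the path, the audit result for the freshly written file, and
    the audit result after loosening it to 0644."""
    root = tempfile.mkdtemp()                      # created mode 0700
    path = write_cqlshrc(os.path.join(root, ".cassandra", "cqlshrc"),
                         "alice", "s3cret")        # constructed credentials
    before = audit_cqlshrc(path)
    os.chmod(path, 0o644)
    after = audit_cqlshrc(path)
    return path, before, after


if __name__ == "__main__":
    _, ok, bad = demo()
    print("private file findings:", ok)
    print("after chmod 644:", bad)
```

Run the audit against the real ~/.cassandra/cqlshrc on each workstation that stores a password; the same check applies to any PEM file that holds an unencrypted client key.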
Example files
DataStax Enterprise provides sample files and examples to help configure authentication for Kerberos, SSL, and Kerberos and SSL. Make changes as appropriate for your environment.
Installation type | Location of the sample files |
Package installations | /etc/dse/cassandra |
Installer-Services installations | /usr/share/dse/resources/cassandra/conf |
Installer-No Services and Tarball installations | install_location/resources/cassandra/conf |
Kerberos example
DataStax Enterprise provides a sample cqlshrc.sample.kerberos file that you can use as a starting point.
Installation type | Location of cqlshrc.sample.kerberos |
Installer-Services and Package installations | /usr/share/doc/dse-libcassandra/cqlshrc.sample.kerberos |
Installer-No Services and Tarball installations | install_location/resources/cassandra/conf/cqlshrc.sample.kerberos |
Example settings for Kerberos authentication:
[connection]
hostname = 192.168.1.2
port = 9042
[kerberos]
service = dse ;; If not set, the default is dse
qops = auth ;; Optional, see the paragraph below
The [connection] hostname and [kerberos] service settings must match the values in the dse.yaml configuration file, or be set as environment variables.
- In the kerberos_options section of the dse.yaml file, set service_principal. The service_principal must be consistent everywhere: in the dse.yaml file, in the keytab, and in the cqlshrc file (where service_principal is split into the [kerberos] service and [connection] hostname settings).
- The environment variables KRB_HOST, KRB_SERVICE, and KRB_PRINCIPAL override the options that are set in dse.yaml. The environment variables KRB_SERVICE and QOPS override the options in the cqlshrc file. The loading order for settings is: environment variable, then cqlshrc setting, then default.
If qops is not specified, the default value is used. On the client side, the qops option is a comma-delimited list of the QOP values allowed by the client for the connection.
- The client (cqlsh) value list must contain at least one of the QOP values that are specified on the server.
- The client can have multiple QOP values, while the server can only have a single QOP value, which is specified in the dse.yaml file.
Set the principal option to your Kerberos user principal:
principal = username@realm
SSL example
DataStax Enterprise provides a sample cqlshrc.sample.ssl file that you can use as a starting point.
[authentication]
username = fred
password = !!bang!!$
[connection]
hostname = 127.0.0.1
port = 9042
[ssl]
certfile = ~/keys/cassandra.cert
validate = false ;; Optional, true by default. See the paragraph below.
[certfiles] ;; Optional section, overrides the default certfile in the [ssl] section.
10.209.182.160 = /etc/dse/cassandra/conf/dsenode0.cer
10.68.65.199 = /etc/dse/cassandra/conf/dsenode1.cer
Convert the Java keystore to PKCS12, then extract a PEM file from it:
keytool -importkeystore -srckeystore .keystore -destkeystore user.p12 -deststoretype PKCS12
openssl pkcs12 -in user.p12 -out user.pem -nodes
The -nodes flag writes the private key unencrypted, so protect user.pem as strictly as the cqlshrc file. This PEM file is required because the host in the certificate is compared to the host of the machine that cqlsh connects to. Leave validate at its default of true except for testing: validate = false turns that certificate check off. The SSL certificate must be provided either in the configuration file or as an environment variable. The environment variables SSL_CERTFILE and SSL_VALIDATE override any options set in this file.
Kerberos and SSL
DataStax Enterprise provides a sample cqlshrc.sample.kerberos_ssl file that you can use as a starting point.
For information about using Kerberos with SSL, see Using Kerberos and SSL at the same time.
The settings for using both Kerberos and SSL are a combination of the Kerberos and SSL sections in these examples.
The supported environment variables are KRB_SERVICE, SSL_CERTFILE, and SSL_VALIDATE.
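The Kerberos and SSL sections above describe a precedence (environment variable, then cqlshrc setting, then default), a QOP negotiation rule (the client's comma-delimited list must contain the server's single QOP value) and a consistency requirement (service_principal in dse.yaml must agree with the cqlshrc service and hostname). The following added example, which is not part of this page or of DataStax Enterprise, models those three rules so they can be checked before a connection is attempted. The sample cqlshrc text, the service_principal value, the environment variable names it honours (the ones the page lists: KRB_SERVICE, QOPS, SSL_CERTFILE, SSL_VALIDATE) and the defaults other than service = dse are assumptions made for the example.

```python
"""Resolve and sanity-check the effective cqlsh Kerberos/SSL settings.

Added example, not DataStax code.  Models the precedence the page
describes (environment variable, then cqlshrc, then default), the QOP
compatibility rule, and the service_principal consistency check.
"""
import configparser
import os

# Constructed sample cqlshrc, modelled on the page's Kerberos example.
SAMPLE_CQLSHRC = """
[connection]
hostname = cassandra01.example.com
port = 9042

[kerberos]
service = dse        ;; If not set, the default is dse
qops = auth,auth-int ;; client may list several QOP values
"""

# Defaults: the page states that service defaults to dse; the other
# defaults here are assumptions for this example.
DEFAULTS = {
    ("kerberos", "service"): "dse",
    ("kerberos", "qops"): "auth",
    ("ssl", "certfile"): None,
    ("ssl", "validate"): "true",
}

# Environment variable that overrides each cqlshrc setting (named on the page).
ENV_OVERRIDES = {
    ("kerberos", "service"): "KRB_SERVICE",
    ("kerberos", "qops"): "QOPS",
    ("ssl", "certfile"): "SSL_CERTFILE",
    ("ssl", "validate"): "SSL_VALIDATE",
}


def parse_cqlshrc(text):
    """cqlshrc is INI-style; the ';;' comments are stripped as inline comments."""
    parser = configparser.ConfigParser(inline_comment_prefixes=(";", "#"))
    parser.read_string(text)
    return parser


def resolve(section, option, cfg, env=None):
    """Loading order: environment variable, then cqlshrc setting, then default."""
    env = os.environ if env is None else env
    env_name = ENV_OVERRIDES[(section, option)]
    if env.get(env_name):
        return env[env_name]
    if cfg.has_option(section, option):
        return cfg.get(section, option)
    return DEFAULTS[(section, option)]


def effective_settings(cfg, env=None):
    """All four settings as 'section.option' -> effective value."""
    return {f"{s}.{o}": resolve(s, o, cfg, env) for (s, o) in ENV_OVERRIDES}


def qop_compatible(client_qops, server_qop):
    """The client list may hold several QOP values; the server (dse.yaml)
    has exactly one, and the negotiation fails unless the list contains it."""
    allowed = {q.strip() for q in client_qops.split(",") if q.strip()}
    return server_qop.strip() in allowed


def principal_matches(service_principal, cfg):
    """service_principal in dse.yaml has the form service/hostname@REALM;
    cqlshrc carries the same value split into [kerberos] service and
    [connection] hostname, and the keytab must hold the same principal."""
    name, _, _realm = service_principal.partition("@")
    service, _, host = name.partition("/")
    return (service == cfg.get("kerberos", "service")
            and host == cfg.get("connection", "hostname"))


if __name__ == "__main__":
    cfg = parse_cqlshrc(SAMPLE_CQLSHRC)
    print(effective_settings(cfg, {}))
    print(effective_settings(cfg, {"QOPS": "auth-conf", "SSL_VALIDATE": "false"}))
    print(qop_compatible("auth,auth-int", "auth-conf"))
    print(principal_matches("dse/cassandra01.example.com@EXAMPLE.COM", cfg))
```

Note that an SSL_VALIDATE=false in the environment silently wins over a cqlshrc that never mentions validate, which is why the resolver reports the effective value rather than the file's value; checking that output before connecting catches a disabled certificate check that would otherwise go unnoticed.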
Debugging cqlsh authentication
Use the --debug option to troubleshoot authentication problems with cqlsh. Passing --debug to cqlsh populates the debug log messages with the type of authentication that cqlsh is attempting.