Authentication

Clients that require authentication when connecting to a secured DSE cluster (using com.datastax.bdp.cassandra.auth.DseAuthenticator) should use the following functions:

  • Plain-text authentication: cass_cluster_set_dse_plaintext_authenticator()
  • GSSAPI authentication: cass_cluster_set_dse_gssapi_authenticator()

/* A DSE cluster using plain-text authentication would use: */
cass_cluster_set_dse_plaintext_authenticator(cluster, "cassandra", "cassandra");

/* A DSE cluster using GSSAPI authentication would use: */
cass_cluster_set_dse_gssapi_authenticator(cluster, "dse", "cassandra@DATASTAX.COM");

Proxy Execution

Proxy execution allows a client to connect to a node as one user but run queries as a different user.

For example, if a webapp accesses DSE as the ‘service’ user, but needs to issue some queries as end user ‘bob’, a DSE admin would first set up permissions in DSE to allow the ‘service’ user to execute queries as ‘bob’:

GRANT PROXY.EXECUTE ON ROLE bob TO service;

To run a statement as ‘bob’, the client simply sets the “execute-as” attribute on the statement and executes as usual:

CassStatement* statement; // Previously defined statement.
cass_statement_set_execute_as(statement, "bob");
CassFuture* future = cass_session_execute(session, statement);

Proxy Authentication

Proxy authentication allows a client to connect to a node as one user but declare that all actions of the client should actually run as a different user (without needing credentials of that second user).

For example, if a webapp accesses DSE as the ‘service’ user, but needs to issue all queries as end user ‘bob’, a DSE admin would first set up permissions in DSE to allow the ‘service’ user to proxy login as ‘bob’:

GRANT PROXY.LOGIN ON ROLE bob TO service;

Then the client authenticates with DSE as follows:

/* A DSE cluster using plain-text authentication would use: */
cass_cluster_set_dse_plaintext_authenticator_proxy(cluster, "service", "service-password", "bob");

/* A DSE cluster using GSSAPI authentication would use: */
cass_cluster_set_dse_gssapi_authenticator_proxy(cluster, "dse", "service@DATASTAX.COM", "bob");

Note that if DSE is set up to leverage multiple authentication systems, the authenticated user may come from one system (e.g. Kerberos) and the proxied user from another (e.g. internal).
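
The snippets above pass the service credentials as string literals. The following added example (not part of the original page or the driver's own code) reads them from the environment and refuses the stock cassandra/cassandra login before configuring proxy authentication. The helper names, result codes and environment variable names are assumptions; when dse.h is not installed the driver call is compiled out and only the checks run.

```c
#include <stdlib.h>
#include <string.h>
#ifdef __has_include
#  if __has_include(<dse.h>)
#    include <dse.h> /* DSE C/C++ driver header, used when installed */
#    define HAVE_DSE_DRIVER 1
#  endif
#endif
#ifndef HAVE_DSE_DRIVER
typedef struct CassCluster_ CassCluster; /* opaque stand-in so this file builds alone */
#endif

typedef enum {
  PROXY_AUTH_OK, PROXY_AUTH_MISSING, PROXY_AUTH_DEFAULT_ACCOUNT,
  PROXY_AUTH_NO_PROXY_USER, PROXY_AUTH_DRIVER_ERROR
} ProxyAuthResult;

/* Validation only (hypothetical helper): no driver calls, testable offline. */
ProxyAuthResult check_proxy_login(const char* user, const char* pass, const char* proxy_user) {
  if (!user || !pass || !*user || !*pass) return PROXY_AUTH_MISSING;
  /* Refuse the stock cassandra/cassandra superuser login. */
  if (!strcmp(user, "cassandra") && !strcmp(pass, "cassandra")) return PROXY_AUTH_DEFAULT_ACCOUNT;
  if (!proxy_user || !*proxy_user) return PROXY_AUTH_NO_PROXY_USER;
  return PROXY_AUTH_OK;
}

/* DSE_SERVICE_USER and DSE_SERVICE_PASSWORD are hypothetical variable names. */
ProxyAuthResult configure_proxy_login(CassCluster* cluster, const char* proxy_user) {
  const char* user = getenv("DSE_SERVICE_USER");
  const char* pass = getenv("DSE_SERVICE_PASSWORD");
  ProxyAuthResult rc = check_proxy_login(user, pass, proxy_user);
  if (rc != PROXY_AUTH_OK) return rc;
#ifdef HAVE_DSE_DRIVER
  if (cass_cluster_set_dse_plaintext_authenticator_proxy(cluster, user, pass, proxy_user) != CASS_OK)
    return PROXY_AUTH_DRIVER_ERROR;
#else
  (void)cluster; /* header not found: checks ran, nothing was configured */
#endif
  return PROXY_AUTH_OK;
}

int main(void) {
#ifdef HAVE_DSE_DRIVER
  CassCluster* cluster = cass_cluster_new();
  ProxyAuthResult rc = configure_proxy_login(cluster, "bob");
  cass_cluster_free(cluster);
  return rc == PROXY_AUTH_OK ? 0 : 1;
#else
  return configure_proxy_login(NULL, "bob") == PROXY_AUTH_OK ? 0 : 1;
#endif
}
```

Plain-text authentication hands the password to the server as-is, so use it only over a TLS-protected connection.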