Authentication
For clients connecting to a DSE cluster secured with DseAuthenticator
, three authentication
providers are included:
-
PlainTextAuthProvider
: plain-text authentication usingusername
andpassword
. -
DsePlainTextAuthProvider
: SASL authentication using the PLAIN mechanism. -
DseGSSAPIAuthProvider
: GSSAPI authentication.
NOTE: The PlainTextAuthProvider
should only be used when authenticating against Apache
Cassandra® clusters, not DSE. See the OSS driver 4 manual for more on configuring that provider.
To activate a provider, you must include an auth-provider
section in the configuration. For
plain text, you can supply the username
and password
like this:
dse-java-driver {
advanced.auth-provider {
class = DsePlainTextAuthProvider
username = cassandra
password = cassandra
}
}
Example configuration for GSSAPI authentication:
dse-java-driver {
advanced.auth-provider {
class = DseGssApiAuthProvider
login-configuration {
principal = "user principal here ex cassandra@DATASTAX.COM"
useKeyTab = "true"
refreshKrb5Config = "true"
keyTab = "Path to keytab file here"
}
}
}
See the advanced.auth-provider
section in dse-reference.conf for more details.
Proxy authentication
DSE allows a user to connect as another user or role:
-- Allow bob to connect as alice:
GRANT PROXY.LOGIN ON ROLE 'alice' TO 'bob'
Once connected, all authorization checks will be performed against the proxy role (alice in this example).
To use proxy authentication with the driver, you need to provide the authorization-id, in other words the name of the role you want to connect as.
Example for plain text authentication:
dse-java-driver {
advanced.auth-provider {
class = DsePlainTextAuthProvider
username = bob
password = bob's password
authorization-id = alice
}
}
With the GSSAPI (Kerberos) provider:
dse-java-driver {
advanced.auth-provider {
class = DseGssApiAuthProvider
authorization-id = alice
login-configuration {
principal = "user principal here ex bob@DATASTAX.COM"
useKeyTab = "true"
refreshKrb5Config = "true"
keyTab = "Path to keytab file here"
}
}
}
Proxy execution
Proxy execution is similar to proxy authentication, but it applies to a single query, not the whole session.
-- Allow bob to execute queries as alice:
GRANT PROXY.EXECUTE ON ROLE 'alice' TO 'bob'
For this scenario, you would not add the authorization-id = alice
to your configuration.
Instead, use ProxyAuthentication.executeAs to wrap your query with the correct authorization for
the execution:
import com.datastax.dse.driver.api.core.auth.ProxyAuthentication;
SimpleStatement statement = SimpleStatement.newInstance("some query");
// executeAs returns a new instance, you need to re-assign
statement = ProxyAuthentication.executeAs("alice", statement);
session.execute(statement);