DSE Authentication
The driver includes three authentication providers:
-
PlainTextAuthProvider
: Plain-text authentication for Apache Cassandra and DSE. -
DsePlainTextAuthProvider
: Plain-text authentication for DSE unified auth. -
DseGssapiAuthProvider
: GSSAPI authentication.
In case you are using plain-text authentication on the server, you can set the credentials
when creating the
Client
instance.
const dse = require('dse-driver');
const client = new dse.Client({
contactPoints,
localDataCenter,
credentials: { username: 'my_username', password: 'my_p@ssword1!' }
});
Setting the authentication provider
For other authentication methods, you can configure the provider in the Client
options:
const dse = require('dse-driver');
const client = new dse.Client({
contactPoints,
localDataCenter,
authProvider: new dse.auth.DseGssapiAuthProvider()
});
Note that to use the DseGssapiAuthProvider
you need to add the dependency to kerberos
version ~1.0.0
in your
application.
DSE Unified Authentication
With DSE 5.1+, unified Authentication allows you to:
- Proxy Login: Authenticate using a fixed set of authentication credentials but allow authorization of resources based on another user id.
- Proxy Execute: Authenticate using a fixed set of authentication credentials but execute requests based on another user id.
Proxy Login
Proxy login allows you to authenticate with a user but act as another one. You need to ensure the authenticated user has the permission to use the authorization of resources of the other user.
In the following example, we allow user “ben” to authenticate but use the authorization of “alice”.
We grant login permission to “ben” by using a GRANT
CQL query:
GRANT PROXY.LOGIN ON ROLE 'alice' TO 'ben'
Once “ben” is granted proxy login as “alice”:
const dse = require('dse-driver');
const client = new dse.Client({
contactPoints: [ 'host1', 'host2' ],
authProvider: new dse.auth.DsePlainTextAuthProvider('ben', 'ben', 'alice')
});
// All requests will be executed using the authorizationId 'alice'
client.execute(query, params, { prepare: true });
Proxy Execute
Proxy execute allows you to execute requests as another user than the authenticated one. You need to ensure the authenticated user has the permission to use the authorization of resources of the specified user.
In the following example will allow the user “ben” to execute requests as “alice”:
We grant execute permission to “ben” by using a GRANT
CQL query:
GRANT PROXY.EXECUTE on role user1 to server
Once “ben” is granted permission to execute queries as “alice”:
const dse = require('dse-driver');
const client = new dse.Client({
contactPoints: [ 'host1', 'host2' ],
authProvider: new dse.auth.DsePlainTextAuthProvider('ben', 'ben')
});
// The following requests will be executed as 'alice'
client.execute(query, params, { prepare: true, executeAs: 'alice' });
Please see the official documentation for more details.