DSE Authentication

The driver includes three authentication providers:

  • PlainTextAuthProvider: Plain-text authentication for Apache Cassandra and DSE.
  • DsePlainTextAuthProvider: Plain-text authentication for DSE unified auth.
  • DseGssapiAuthProvider: GSSAPI authentication.

In case you are using plain-text authentication on the server, you can set the credentials when creating the Client instance.

const dse = require('dse-driver');

const client = new dse.Client({
  contactPoints,
  localDataCenter,
  credentials: { username: 'my_username', password: 'my_p@ssword1!' }
});

Setting the authentication provider

For other authentication methods, you can configure the provider in the Client options:

const dse = require('dse-driver');
const client = new dse.Client({
  contactPoints,
  localDataCenter,
  authProvider: new dse.auth.DseGssapiAuthProvider()
});

Note that to use the DseGssapiAuthProvider you need to add the dependency to kerberos version ~1.0.0 in your application.

DSE Unified Authentication

With DSE 5.1+, unified Authentication allows you to:

  • Proxy Login: Authenticate using a fixed set of authentication credentials but allow authorization of resources based on another user id.
  • Proxy Execute: Authenticate using a fixed set of authentication credentials but execute requests based on another user id.

Proxy Login

Proxy login allows you to authenticate with a user but act as another one. You need to ensure the authenticated user has the permission to use the authorization of resources of the other user.

In the following example, we allow user “ben” to authenticate but use the authorization of “alice”.

We grant login permission to “ben” by using a GRANT CQL query:

GRANT PROXY.LOGIN ON ROLE 'alice' TO 'ben'

Once “ben” is granted proxy login as “alice”:

const dse = require('dse-driver');
const client = new dse.Client({
  contactPoints: [ 'host1', 'host2' ],
  authProvider: new dse.auth.DsePlainTextAuthProvider('ben', 'ben', 'alice')
});

// All requests will be executed using the authorizationId 'alice'
client.execute(query, params, { prepare: true });

Proxy Execute

Proxy execute allows you to execute requests as another user than the authenticated one. You need to ensure the authenticated user has the permission to use the authorization of resources of the specified user.

In the following example will allow the user “ben” to execute requests as “alice”:

We grant execute permission to “ben” by using a GRANT CQL query:

GRANT PROXY.EXECUTE on role user1 to server

Once “ben” is granted permission to execute queries as “alice”:

const dse = require('dse-driver');
const client = new dse.Client({
  contactPoints: [ 'host1', 'host2' ],
  authProvider: new dse.auth.DsePlainTextAuthProvider('ben', 'ben')
});

// The following requests will be executed as 'alice'
client.execute(query, params, { prepare: true, executeAs: 'alice' });

Please see the official documentation for more details.