Kerberos Proxy Authentication

DSE 5.1 introduced proxy authentication. Proxy authentication allows a client to connect to a node as one user but declare that all actions of the client should actually run as a different user (without needing credentials of that second user).

Consult the DataStax Enterprise Documentation for more details.

Background

Given
a running DSE cluster with Kerberos authentication enabled
And
the following schema:
CREATE ROLE 'bob@DATASTAX.COM' WITH LOGIN = true;
CREATE ROLE end_user WITH PASSWORD = 'end_user' and LOGIN = true;
CREATE ROLE target_user WITH PASSWORD = 'target_user' and LOGIN = true;
CREATE KEYSPACE simplex WITH REPLICATION = {'class': 'SimpleStrategy', 'replication_factor': 1};
USE simplex;
CREATE TABLE gssapi_proxy_auth (f1 int PRIMARY KEY, f2 int);
INSERT INTO gssapi_proxy_auth (f1, f2) VALUES (1, 2);
GRANT ALL ON gssapi_proxy_auth TO target_user;
GRANT PROXY.LOGIN ON ROLE 'target_user' to 'bob@DATASTAX.COM';

Query the authorized table as a proxied user

Given
the following example:
// In some Kerberos configurations, hostname resolution must also be enabled
// for proper communication between the client, DSE, and the Kerberos service.
// However, if the client uses libuv 0.10.x, hostname resolution is not supported.
// It is recommended that such deployments use a newer version of libuv.

$cluster = Dse::cluster()
    ->withGssapiAuthenticator("dse", "bob@DATASTAX.COM", "target_user")
    ->withHostnameResolution(true)
    ->build();
$session = $cluster->connect("simplex");

$result = $session->execute("SELECT * from gssapi_proxy_auth");
foreach ($result as $row) {
  echo "f1: {$row['f1']}  f2: {$row['f2']}" . PHP_EOL;
}
And
it is executed with the service user Bob’s GSSAPI credentials
When
it is executed
Then
its output should contain:
f1: 1  f2: 2

Query the authorized table as the service user Bob

Given
the following example:
try {
    // In some Kerberos configurations, hostname resolution must also be enabled
    // for proper communication between the client, DSE, and the Kerberos service.
    // However, if the client uses libuv 0.10.x, hostname resolution is not supported.
    // It is recommended that such deployments use a newer version of libuv.
    $cluster = Dse::cluster()
        ->withGssapiAuthenticator("dse", "bob@DATASTAX.COM")
        ->withHostnameResolution(true)
        ->build();
    $session = $cluster->connect("simplex");

    $session->execute("SELECT * from gssapi_proxy_auth");
    echo "Request succeeded erroneously!" . PHP_EOL;
} catch (Dse\Exception\UnauthorizedException $ex) {
    echo $ex->getMessage() . PHP_EOL;
}
And
it is executed with the service user Bob’s GSSAPI credentials
When
it is executed
Then
its output should contain:
User bob@DATASTAX.COM has no SELECT permission on <table simplex.gssapi_proxy_auth> or any of its parents

Query the authorized table as a proxied user where the service user Bob does not have the PROXY.LOGIN privilege

Given
the following example:
try {
    // In some Kerberos configurations, hostname resolution must also be enabled
    // for proper communication between the client, DSE, and the Kerberos service.
    // However, if the client uses libuv 0.10.x, hostname resolution is not supported.
    // It is recommended that such deployments use a newer version of libuv.
    $cluster = Dse::cluster()
        ->withGssapiAuthenticator("dse", "bob@DATASTAX.COM", "end_user")
        ->withHostnameResolution(true)
        ->build();
    $session = $cluster->connect("simplex");
    echo "Connection succeeded erroneously!" . PHP_EOL;
} catch (Dse\Exception\AuthenticationException $ex) {
    echo $ex->getMessage() . PHP_EOL;
}
When
it is executed
Then
its output should contain:
Received error response 'Failed to login. Please re-try.' (0x02000100)