Plaintext Proxy Authentication

DSE 5.1 introduced proxy authentication. Proxy authentication allows a client to connect to a node as one user but declare that all actions of the client should actually run as a different user (without needing credentials of that second user).

Consult the DataStax Enterprise Documentation for more details.

Background

Given
a running DSE cluster with DSE plaintext authentication enabled
And
the following schema:
CREATE ROLE end_user WITH PASSWORD = 'end_user' and LOGIN = true;
CREATE ROLE target_user WITH PASSWORD = 'target_user' and LOGIN = true;
CREATE ROLE service_user WITH PASSWORD = 'service_user' and LOGIN = true;
CREATE KEYSPACE simplex WITH REPLICATION = {'class': 'SimpleStrategy', 'replication_factor': 1};
USE simplex;
CREATE TABLE plaintext_proxy_auth (f1 int PRIMARY KEY, f2 int);
INSERT INTO plaintext_proxy_auth (f1, f2) VALUES (1, 2);
GRANT ALL ON plaintext_proxy_auth TO target_user;
GRANT PROXY.LOGIN ON ROLE 'target_user' to 'service_user';

Query the authorized table as a proxied user

Given
the following example:
$cluster = Dse::cluster()
    ->withPlaintextAuthenticator("service_user", "service_user", "target_user")
    ->build();
$session = $cluster->connect("simplex");

$result = $session->execute("SELECT * from plaintext_proxy_auth");
foreach ($result as $row) {
  echo "f1: {$row['f1']}  f2: {$row['f2']}" . PHP_EOL;
}
When
it is executed
Then
its output should contain:
f1: 1  f2: 2

Query the authorized table as the service user

Given
the following example:
try {
    $cluster = Dse::cluster()
        ->withPlaintextAuthenticator("service_user", "service_user")
        ->build();
    $session = $cluster->connect("simplex");

    $session->execute("SELECT * from plaintext_proxy_auth");
    echo "Request succeeded erroneously!" . PHP_EOL;
} catch (Dse\Exception\UnauthorizedException $ex) {
    echo $ex->getMessage() . PHP_EOL;
}
When
it is executed
Then
its output should contain:
User service_user has no SELECT permission on <table simplex.plaintext_proxy_auth> or any of its parents

Query the authorized table as a proxied user where the service user does not have the PROXY.LOGIN privilege

Given
the following example:
try {
    $cluster = Dse::cluster()
        ->withPlaintextAuthenticator("service_user", "service_user", "end_user")
        ->build();
    $session = $cluster->connect("simplex");
    echo "Connection succeeded erroneously!" . PHP_EOL;
} catch (Dse\Exception\AuthenticationException $ex) {
    echo $ex->getMessage() . PHP_EOL;
}
When
it is executed
Then
its output should contain:
Received error response 'Failed to login. Please re-try.' (0x02000100)