dse.auth - Authentication

class AuthProvider

An abstract class that defines the interface that will be used for creating Authenticator instances when opening new connections to Cassandra.

Methods

new_authenticator(host)

Implementations of this class should return a new instance of Authenticator or one of its subclasses.

class Authenticator

An abstract class that handles SASL authentication with Cassandra servers.

Each time a new connection is created and the server requires authentication, a new instance of this class will be created by the corresponding AuthProvider to handle that authentication. The lifecycle of the new Authenticator will then be:

1) The initial_response() method will be called. The return value will be sent to the server to initiate the handshake.

2) The server will respond to each client response by either issuing a challenge or indicating that the authentication is complete (successful or not). If a new challenge is issued, evaluate_challenge() will be called to produce a response that will be sent to the server. This challenge/response negotiation will continue until the server responds that authentication is successful (or an AuthenticationFailed is raised).

3) When the server indicates that authentication is successful, on_authentication_success() will be called with a token string that the server may optionally have sent.

The exact nature of the negotiation between the client and server is specific to the authentication mechanism configured server-side.
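The three lifecycle steps above, modelled as a stand-alone added example (not code from the dse driver; it imports nothing from dse). PlainAuthenticator, ConstructedServer, run_handshake, the local AuthenticationFailed, the challenge bytes and the credentials are all hypothetical names and constructed values; the response uses the SASL PLAIN layout from RFC 4616.

```python
import hmac

class AuthenticationFailed(Exception):
    """Raised by the driver loop when the constructed server rejects the client."""

class PlainAuthenticator:
    """Hypothetical stand-in with the three lifecycle methods (not a dse class)."""
    def __init__(self, username, password):
        self.username, self.password = username, password
        self.succeeded, self.token = False, None

    def initial_response(self):
        return None  # None means: open the handshake with an empty message

    def evaluate_challenge(self, challenge):
        # SASL PLAIN (RFC 4616): authzid NUL authcid NUL passwd, password unencrypted
        return b"\x00" + self.username.encode() + b"\x00" + self.password.encode()

    def on_authentication_success(self, token):
        self.succeeded, self.token = True, token

class ConstructedServer:
    """Constructed server side: challenges once, then checks the PLAIN message."""
    def __init__(self, users):
        self.users, self.wire = users, []  # wire records every client message

    def handle(self, message):
        self.wire.append(message)
        if not message:
            return "challenge", b"send-credentials"  # constructed challenge bytes
        parts = message.split(b"\x00")
        if len(parts) != 3:
            return "failed", None
        expected = self.users.get(parts[1].decode())
        if expected is None or not hmac.compare_digest(expected.encode(), parts[2]):
            return "failed", None
        return "success", None  # this mechanism sends no token

def run_handshake(authenticator, server, max_rounds=8):
    response = authenticator.initial_response()                   # step 1
    for _ in range(max_rounds):                                   # bound the negotiation
        kind, payload = server.handle(response or b"")
        if kind == "challenge":                                   # step 2
            response = authenticator.evaluate_challenge(payload)
        elif kind == "success":                                   # step 3
            authenticator.on_authentication_success(payload)
            return server.wire
        else:
            raise AuthenticationFailed("server rejected the credentials")
    raise AuthenticationFailed("handshake did not complete")
```

The recorded wire messages show the password verbatim in the client response, so a PLAIN-style mechanism protects credentials only when the connection itself is encrypted.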

Attributes

server_authenticator_class = None

Set during the connection AUTHENTICATE phase.

Methods

initial_response()

Returns a message to send to the server to initiate the SASL handshake. None may be returned to send an empty message.

evaluate_challenge(challenge)

Called when the server sends a challenge message. Generally, this method should return None when authentication is complete from a client perspective. Otherwise, a string should be returned.

on_authentication_success(token)

Called when the server indicates that authentication was successful. Depending on the authentication mechanism, token may be None or a string.

class PlainTextAuthProvider

An AuthProvider that works with Cassandra’s PasswordAuthenticator.

Example usage:

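from dse.cluster import Cluster
from dse.auth import PlainTextAuthProvider

# 'cassandra'/'cassandra' is Cassandra's default superuser login, shown here
# only as sample values; pass the credentials of a dedicated account instead.
auth_provider = PlainTextAuthProvider(
    username='cassandra', password='cassandra')
cluster = Cluster(auth_provider=auth_provider)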

Methods

new_authenticator(host)

Implementations of this class should return a new instance of Authenticator or one of its subclasses.

class PlainTextAuthenticator

Methods

evaluate_challenge(challenge)

Called when the server sends a challenge message. Generally, this method should return None when authentication is complete from a client perspective. Otherwise, a string should be returned.

class SaslAuthProvider

An AuthProvider supporting general SASL auth mechanisms.

Suitable for GSSAPI or other SASL mechanisms.

Example usage:

from dse.cluster import Cluster
from dse.auth import SaslAuthProvider

sasl_kwargs = {'service': 'something',
               'mechanism': 'GSSAPI',
               'qops': 'auth'.split(',')}
auth_provider = SaslAuthProvider(**sasl_kwargs)
cluster = Cluster(auth_provider=auth_provider)

Methods

new_authenticator(host)

Implementations of this class should return a new instance of Authenticator or one of its subclasses.

class SaslAuthenticator

A pass-through Authenticator using the third party package ‘pure-sasl’ for authentication.

Methods

initial_response()

Returns a message to send to the server to initiate the SASL handshake. None may be returned to send an empty message.

evaluate_challenge(challenge)

Called when the server sends a challenge message. Generally, this method should return None when authentication is complete from a client perspective. Otherwise, a string should be returned.

Attributes

dse.auth.DSEPlainTextAuthProvider

class DSEGSSAPIAuthProvider

Auth provider for GSS API authentication. Works with legacy KerberosAuthenticator or DseAuthenticator if kerberos scheme is enabled.

Parameters
  • service – name of the service

  • qops – iterable of “Quality of Protection” allowed; see puresasl.QOP

  • resolve_host_name – boolean flag indicating whether the authenticator should reverse-lookup an FQDN when creating a new authenticator. Default is True, which will resolve, or return the numeric address if there is no PTR record. Setting it to False creates the authenticator with the numeric address known by Cassandra.

  • properties – additional keyword properties to pass to the puresasl.mechanisms.GSSAPIMechanism class. Presently, ‘principal’ (user) is the only one referenced in the pure-sasl implementation.

Methods

new_authenticator(host)

Implementations of this class should return a new instance of Authenticator or one of its subclasses.