dse.auth
- Authentication
class AuthProvider
An abstract class that defines the interface that will be used for
creating Authenticator
instances when opening new
connections to Cassandra.
Methods
new_authenticator
(host)Implementations of this class should return a new instance
of Authenticator
or one of its subclasses.
class Authenticator
An abstract class that handles SASL authentication with Cassandra servers.
Each time a new connection is created and the server requires authentication,
a new instance of this class will be created by the corresponding
AuthProvider
to handler that authentication. The lifecycle of the
new Authenticator
will the be:
1) The initial_response()
method will be called. The return
value will be sent to the server to initiate the handshake.
2) The server will respond to each client response by either issuing a
challenge or indicating that the authentication is complete (successful or not).
If a new challenge is issued, evaluate_challenge()
will be called to produce a response that will be sent to the
server. This challenge/response negotiation will continue until the server
responds that authentication is successful (or an AuthenticationFailed
is raised).
3) When the server indicates that authentication is successful,
on_authentication_success()
will be called a token string that
that the server may optionally have sent.
The exact nature of the negotiation between the client and server is specific to the authentication mechanism configured server-side.
Attributes
server_authenticator_class
= NoneSet during the connection AUTHENTICATE phase
Methods
initial_response
()Returns an message to send to the server to initiate the SASL handshake.
None
may be returned to send an empty message.
evaluate_challenge
(challenge)Called when the server sends a challenge message. Generally, this method
should return None
when authentication is complete from a
client perspective. Otherwise, a string should be returned.
on_authentication_success
(token)Called when the server indicates that authentication was successful.
Depending on the authentication mechanism, token may be None
or a string.
class PlainTextAuthProvider
An AuthProvider
that works with Cassandra’s PasswordAuthenticator.
Example usage:
from dse.cluster import Cluster
from dse.auth import PlainTextAuthProvider
auth_provider = PlainTextAuthProvider(
username='cassandra', password='cassandra')
cluster = Cluster(auth_provider=auth_provider)
Methods
new_authenticator
(host)Implementations of this class should return a new instance
of Authenticator
or one of its subclasses.
class PlainTextAuthenticator
Methods
evaluate_challenge
(challenge)Called when the server sends a challenge message. Generally, this method
should return None
when authentication is complete from a
client perspective. Otherwise, a string should be returned.
class SaslAuthProvider
An AuthProvider
supporting general SASL auth mechanisms
Suitable for GSSAPI or other SASL mechanisms
Example usage:
from dse.cluster import Cluster
from dse.auth import SaslAuthProvider
sasl_kwargs = {'service': 'something',
'mechanism': 'GSSAPI',
'qops': 'auth'.split(',')}
auth_provider = SaslAuthProvider(**sasl_kwargs)
cluster = Cluster(auth_provider=auth_provider)
Methods
new_authenticator
(host)Implementations of this class should return a new instance
of Authenticator
or one of its subclasses.
class SaslAuthenticator
A pass-through Authenticator
using the third party package
‘pure-sasl’ for authentication
Methods
initial_response
()Returns an message to send to the server to initiate the SASL handshake.
None
may be returned to send an empty message.
evaluate_challenge
(challenge)Called when the server sends a challenge message. Generally, this method
should return None
when authentication is complete from a
client perspective. Otherwise, a string should be returned.
Attributes
DSEPlainTextAuthProvider
alias of dse.auth.PlainTextAuthProvider
class DSEGSSAPIAuthProvider
Auth provider for GSS API authentication. Works with legacy KerberosAuthenticator or DseAuthenticator if kerberos scheme is enabled.
- Parameters
-
-
service – name of the service
-
qops – iterable of “Quality of Protection” allowed; see
puresasl.QOP
-
resolve_host_name – boolean flag indicating whether the authenticator should reverse-lookup an FQDN when creating a new authenticator. Default is
True
, which will resolve, or return the numeric address if there is no PTR record. SettingFalse
creates the authenticator with the numeric address known by Cassandra -
properties – additional keyword properties to pass for the
puresasl.mechanisms.GSSAPIMechanism
class. Presently, ‘principal’ (user) is the only one referenced in thepure-sasl
implementation
-
Methods
new_authenticator
(host)Implementations of this class should return a new instance
of Authenticator
or one of its subclasses.
class TransitionalModePlainTextAuthProvider
An AuthProvider
that works with DSE TransitionalModePlainTextAuthenticator.
Example usage:
from dse.cluster import Cluster
from dse.auth import TransitionalModePlainTextAuthProvider
auth_provider = TransitionalModePlainTextAuthProvider()
cluster = Cluster(auth_provider=auth_provider)
TransitionalModePlainTextAuthProvider will be removed in dse-driver 3.0. The transitional mode will be handled internally without the need of any auth provider.
class TransitionalModePlainTextAuthenticator
Authenticator that accounts for DSE authentication is configured with transitional mode.