Kerberos Authentication
DSE 5.0 introduced a DSE Unified Authenticator. The DSE Authenticator can be used for Kerberos authentication by creating a GssApi provider and configuring the cluster to use the GssApi provider as the auth_provider. DSEs earlier than 5.0 are configured similarly but use KerberosAuthenticator on the DSE cluster.
Background
- Given
- a running dse cluster with kerberos authentication enabled
- And
- the following example:
require 'dse' begin provider = Dse::Auth::Providers::GssApi.new(ENV['SERVICE'], true, ENV['PRINCIPAL'], ENV['TICKET_CACHE']) cluster = Dse.cluster(auth_provider: provider) puts 'authentication successful' rescue Cassandra::Errors::AuthenticationError, Cassandra::Errors::NoHostsAvailable => e puts "#{e.class.name}: #{e.message}" puts 'authentication failed' else cluster.close end
Authenticating with valid credentials
- And
- it is executed with a valid kerberos configuration in the environment
- Then
- its output should contain:
authentication successful
Authenticating with an invalid service provider
- When
- it is executed with an invalid service provider in the environment
- Then
- its output should match:
Server .* not found in Kerberos database.* authentication failed
Authenticating with an invalid principal
- When
- it is executed with an invalid principal in the environment
- Then
- its output should match:
(Can't find client principal baduser@DATASTAX.COM in cache collection|Unable to obtain password from user) authentication failed
Authenticating with an unauthorized principal
- When
- it is executed with an unauthorized principal in the environment
- Then
- its output should match:
(dseuser@DATASTAX.COM is not permitted to log in|User dseuser@DATASTAX.COM doesn't exist - create it with CREATE USER query first) authentication failed
Authenticating with a non-existent cache
- When
- it is executed with an invalid cache in the environment
- Then
- its output should match:
(No credentials cache found|Unable to obtain password from user) authentication failed