com.datastax.driver.dse.auth

Class DseGSSAPIAuthProvider

java.lang.Object

com.datastax.driver.dse.auth.DseGSSAPIAuthProvider

All Implemented Interfaces:

AuthProvider

Direct Known Subclasses:

DseAuthProvider

public class DseGSSAPIAuthProvider
extends Object
implements AuthProvider

AuthProvider that provides GSSAPI authenticator instances for clients to connect to DSE clusters secured with DseAuthenticator.

To create a cluster using this auth provider, declare the following:

 Cluster cluster = Cluster.builder()
                          .addContactPoint(hostname)
                          .withAuthProvider(DseGSSAPIAuthProvider.builder().build())
                          .build();
 

Kerberos Authentication

Keytab and ticket cache settings are specified using a standard JAAS configuration file. The location of the file can be set using the java.security.auth.login.config system property or by adding a login.config.url.n entry in the java.security properties file.

Alternatively a Configuration object can be provided using DseGSSAPIAuthProvider(Configuration) to set the JAAS configuration programmatically.

See the following documents for further details:

1. JAAS Login Configuration File;
2. JAAS Authentication Tutorial for more on JAAS in general.

Authentication using ticket cache

Run kinit to obtain a ticket and populate the cache before connecting. JAAS config:

 DseClient {
   com.sun.security.auth.module.Krb5LoginModule required
     useTicketCache=true
     renewTGT=true;
 };
 

Authentication using a keytab file

To enable authentication using a keytab file, specify its location on disk. If your keytab contains more than one principal key, you should also specify which one to select.

 DseClient {
     com.sun.security.auth.module.Krb5LoginModule required
       useKeyTab=true
       keyTab="/path/to/file.keytab"
       principal="user@MYDOMAIN.COM";
 };
 

Specifying SASL protocol name

The SASL protocol name used by this auth provider defaults to " "dse"".

Important: the SASL protocol name should match the username of the Kerberos service principal used by the DSE server. This information is specified in the dse.yaml file by the service_principal option under the kerberos_options section, and may vary from one DSE installation to another – especially if you installed DSE with an automated package installer.

For example, if your dse.yaml file contains the following:

 kerberos_options:
     ...
     service_principal: cassandra/my.host.com@MY.REALM.COM
 

The correct SASL protocol name to use when authenticating against this DSE server is "cassandra".

Should you need to change the SASL protocol name, use one of the methods below:

1. Specify the protocol name via one of the following constructors: DseGSSAPIAuthProvider(String) or DseGSSAPIAuthProvider(Configuration, String);
2. Specify the protocol name with the dse.sasl.protocol system property when starting your application, e.g. -Ddse.sasl.protocol=cassandra.

If a non-null SASL protocol name is provided to the aforementioned constructors, that name takes precedence over the contents of the dse.sasl.protocol system property.

See Also:

Authenticating a DSE cluster with Kerberos

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	DseGSSAPIAuthProvider.Builder

Nested classes/interfaces inherited from interface com.datastax.driver.core.AuthProvider

AuthProvider.NoAuthProvider, AuthProvider.TransitionalModePlainTextAuthenticator

Field Summary

Fields

Modifier and Type	Field and Description
static Map<String,String>	DEFAULT_SASL_PROPERTIES The default SASL properties:
static String	DEFAULT_SASL_PROTOCOL_NAME The default SASL protocol name used by this auth provider.
static String	SASL_PROTOCOL_NAME_PROPERTY The name of the system property to use to specify the SASL protocol name.

Fields inherited from interface com.datastax.driver.core.AuthProvider

NONE

Constructor Summary

Constructors

Constructor and Description
DseGSSAPIAuthProvider() Deprecated. Use DseGSSAPIAuthProvider.Builder to create DseGSSAPIAuthProvider instead.
DseGSSAPIAuthProvider(Configuration loginConfiguration) Deprecated. Use DseGSSAPIAuthProvider.Builder to create DseGSSAPIAuthProvider instead.
DseGSSAPIAuthProvider(Configuration loginConfiguration, String saslProtocol) Deprecated. Use DseGSSAPIAuthProvider.Builder to create DseGSSAPIAuthProvider instead.
DseGSSAPIAuthProvider(String saslProtocol) Deprecated. Use DseGSSAPIAuthProvider.Builder to create DseGSSAPIAuthProvider instead.

Method Summary

Modifier and Type	Method and Description
static DseGSSAPIAuthProvider.Builder	builder()
Authenticator	newAuthenticator(InetSocketAddress host, String authenticator) The Authenticator to use when connecting to host

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

DEFAULT_SASL_PROTOCOL_NAME

public static final String DEFAULT_SASL_PROTOCOL_NAME

The default SASL protocol name used by this auth provider.

See Also:

Constant Field Values

SASL_PROTOCOL_NAME_PROPERTY

public static final String SASL_PROTOCOL_NAME_PROPERTY

The name of the system property to use to specify the SASL protocol name.

See Also:

Constant Field Values

DEFAULT_SASL_PROPERTIES

public static final Map<String,String> DEFAULT_SASL_PROPERTIES

The default SASL properties:

 javax.security.sasl.server.authentication = true
 javax.security.sasl.qop = auth
 

Constructor Detail

DseGSSAPIAuthProvider

@Deprecated
public DseGSSAPIAuthProvider()

Deprecated. Use DseGSSAPIAuthProvider.Builder to create DseGSSAPIAuthProvider instead.

Creates an instance of DseGSSAPIAuthProvider with default login configuration options and default SASL protocol name ("dse").

DseGSSAPIAuthProvider

@Deprecated
public DseGSSAPIAuthProvider(Configuration loginConfiguration)

Deprecated. Use DseGSSAPIAuthProvider.Builder to create DseGSSAPIAuthProvider instead.

Creates an instance of DseGSSAPIAuthProvider with the given login configuration and default SASL protocol name ("dse").

Parameters:

loginConfiguration - The login configuration to use to create a LoginContext.

DseGSSAPIAuthProvider

@Deprecated
public DseGSSAPIAuthProvider(String saslProtocol)

Deprecated. Use DseGSSAPIAuthProvider.Builder to create DseGSSAPIAuthProvider instead.

Creates an instance of DseGSSAPIAuthProvider with default login configuration and the given SASL protocol name.

Parameters:

saslProtocol - The SASL protocol name to use; should match the username of the Kerberos service principal used by the DSE server.

DseGSSAPIAuthProvider

@Deprecated
public DseGSSAPIAuthProvider(Configuration loginConfiguration,
                                         String saslProtocol)

Deprecated. Use DseGSSAPIAuthProvider.Builder to create DseGSSAPIAuthProvider instead.

Creates an instance of DseGSSAPIAuthProvider with the given login configuration and the given SASL protocol name.

Parameters:

loginConfiguration - The login configuration to use to create a LoginContext.

saslProtocol - The SASL protocol name to use; should match the username of the Kerberos service principal used by the DSE server.

Method Detail

builder

public static DseGSSAPIAuthProvider.Builder builder()

newAuthenticator

public Authenticator newAuthenticator(InetSocketAddress host,
                                      String authenticator)
                               throws AuthenticationException

Description copied from interface: AuthProvider

The Authenticator to use when connecting to host

Specified by:

newAuthenticator in interface AuthProvider

Parameters:

host - the Cassandra host to connect to.

authenticator - the configured authenticator on the host.

Returns:

The authentication implementation to use.

Throws:

AuthenticationException