public class ProgrammaticDseGssApiAuthProvider extends DseGssApiAuthProviderBase

AuthProvider that provides GSSAPI authenticator instances for clients to connect to DSE clusters secured with DseAuthenticator, in a programmatic way.
To use this provider the corresponding GssApiOptions must be passed into the provider directly, for example:

```java
DseGssApiAuthProviderBase.GssApiOptions.Builder builder =
    DseGssApiAuthProviderBase.GssApiOptions.builder();
Map<String, String> loginConfig =
    ImmutableMap.of(
        "principal", "user principal here ex cassandra@DATASTAX.COM",
        "useKeyTab", "true",
        "refreshKrb5Config", "true",
        "keyTab", "Path to keytab file here");
builder.withLoginConfiguration(loginConfig);
CqlSession session =
    CqlSession.builder()
        .withAuthProvider(new ProgrammaticDseGssApiAuthProvider(builder.build()))
        .build();
```

or alternatively

```java
DseGssApiAuthProviderBase.GssApiOptions.Builder builder =
    DseGssApiAuthProviderBase.GssApiOptions.builder().withSubject(subject);
CqlSession session =
    CqlSession.builder()
        .withAuthProvider(new ProgrammaticDseGssApiAuthProvider(builder.build()))
        .build();
```
java.security.auth.login.config system property or by adding a login.config.url.n entry in the java.security properties file. Alternatively a login configuration, or subject, can be provided to the provider via the GssApiOptions (see above).
See the following documents for further details:
kinit to obtain a ticket and populate the cache before connecting. JAAS config:

```
// Login using the ticket cache populated by kinit
DseClient {
  com.sun.security.auth.module.Krb5LoginModule required
    useTicketCache=true
    renewTGT=true;
};
```

```
// Login using a keytab for the given principal
DseClient {
  com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/path/to/file.keytab"
    principal="user@MYDOMAIN.COM";
};
```
Important: the SASL protocol name should match the username of the Kerberos service principal used by the DSE server. This information is specified in the dse.yaml file by the service_principal option under the kerberos_options section, and may vary from one DSE installation to another – especially if you installed DSE with an automated package installer.
For example, if your dse.yaml file contains the following:

```yaml
kerberos_options:
  ...
  service_principal: cassandra/my.host.com@MY.REALM.COM
```

The correct SASL protocol name to use when authenticating against this DSE server is "cassandra".
Should you need to change the SASL protocol name, specify it in the GssApiOptions using the method below:

```java
DseGssApiAuthProviderBase.GssApiOptions.Builder builder =
    DseGssApiAuthProviderBase.GssApiOptions.builder();
builder.withSaslProtocol("alternate");
DseGssApiAuthProviderBase.GssApiOptions options = builder.build();
```
Should internal SASL properties such as qop need to be set, this can also be accomplished by setting them in the GssApiOptions:

```java
DseGssApiAuthProviderBase.GssApiOptions.Builder builder =
    DseGssApiAuthProviderBase.GssApiOptions.builder();
builder.addSaslProperty("javax.security.sasl.qop", "auth-conf");
DseGssApiAuthProviderBase.GssApiOptions options = builder.build();
```
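The following is an added example, not code from the driver or its documentation, that ties the pieces above together: a keytab login configuration, a SASL protocol name derived from the server's service_principal value, and qop set to auth-conf. It assumes the classes live in com.datastax.dse.driver.api.core.auth and com.datastax.oss.driver.api.core (package names are an assumption), and uses placeholder principal and keytab values.

```java
import com.datastax.dse.driver.api.core.auth.DseGssApiAuthProviderBase;
import com.datastax.dse.driver.api.core.auth.ProgrammaticDseGssApiAuthProvider;
import com.datastax.oss.driver.api.core.CqlSession;
import java.util.HashMap;
import java.util.Map;

public class GssApiSessionFactory {

  // Derive the SASL protocol name from the dse.yaml service_principal value:
  // "cassandra/my.host.com@MY.REALM.COM" -> "cassandra". The primary component is
  // everything before the first '/' (instance separator) or '@' (realm separator).
  static String saslProtocolFromServicePrincipal(String servicePrincipal) {
    int end = servicePrincipal.length();
    for (int i = 0; i < servicePrincipal.length(); i++) {
      char c = servicePrincipal.charAt(i);
      if (c == '/' || c == '@') {
        end = i;
        break;
      }
    }
    if (end == 0) {
      throw new IllegalArgumentException(
          "service_principal has no primary component: " + servicePrincipal);
    }
    return servicePrincipal.substring(0, end);
  }

  static DseGssApiAuthProviderBase.GssApiOptions buildOptions(
      String clientPrincipal, String keytabPath, String servicePrincipal) {
    // Keytab-based login, the programmatic equivalent of the useKeyTab JAAS config above.
    Map<String, String> loginConfig = new HashMap<>();
    loginConfig.put("principal", clientPrincipal); // e.g. "app@MY.REALM.COM" (placeholder)
    loginConfig.put("useKeyTab", "true");
    loginConfig.put("refreshKrb5Config", "true");
    loginConfig.put("keyTab", keytabPath); // e.g. "/etc/app/app.keytab" (placeholder)

    DseGssApiAuthProviderBase.GssApiOptions.Builder builder =
        DseGssApiAuthProviderBase.GssApiOptions.builder();
    builder.withLoginConfiguration(loginConfig);
    // Must match the primary of the server's service principal, otherwise the GSSAPI
    // handshake targets a service the KDC cannot issue a ticket for.
    builder.withSaslProtocol(saslProtocolFromServicePrincipal(servicePrincipal));
    // auth-conf requests both integrity and confidentiality protection on the SASL layer.
    builder.addSaslProperty("javax.security.sasl.qop", "auth-conf");
    return builder.build();
  }

  public static CqlSession connect(String clientPrincipal, String keytab, String svcPrincipal) {
    DseGssApiAuthProviderBase.GssApiOptions options = buildOptions(clientPrincipal, keytab, svcPrincipal);
    return CqlSession.builder()
        .withAuthProvider(new ProgrammaticDseGssApiAuthProvider(options))
        .build();
  }
}
```

Contact points and other session settings are omitted here as they are on the page; add them to the CqlSession builder as usual.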
Nested classes inherited from class DseGssApiAuthProviderBase: DseGssApiAuthProviderBase.GssApiAuthenticator, DseGssApiAuthProviderBase.GssApiOptions

Fields inherited from class DseGssApiAuthProviderBase: DEFAULT_SASL_SERVICE_NAME, SASL_SERVICE_NAME_PROPERTY
| Constructor and Description |
|---|
| ProgrammaticDseGssApiAuthProvider(DseGssApiAuthProviderBase.GssApiOptions options) |

| Modifier and Type | Method and Description |
|---|---|
| protected DseGssApiAuthProviderBase.GssApiOptions | getOptions(EndPoint endPoint, String serverAuthenticator) |
Methods inherited from class DseGssApiAuthProviderBase: close, newAuthenticator, onMissingChallenge
public ProgrammaticDseGssApiAuthProvider(DseGssApiAuthProviderBase.GssApiOptions options)

@NonNull protected DseGssApiAuthProviderBase.GssApiOptions getOptions(@NonNull EndPoint endPoint, @NonNull String serverAuthenticator)

getOptions in class DseGssApiAuthProviderBase
Copyright © 2017–2021. All rights reserved.