Providing credentials with DSE tools
Through authentication, the database establishes the identity of the person or system that is attempting an operation. Authentication works with any combination of DSE authentication, LDAP pass-through authentication, and Kerberos authentication.
Authentication is supported for use with dse commands, dse client-tool, and the dsetool utility.
-
To use dsetool with SSL encryption, see Setting up SSL for nodetool, dsetool, and dse advrep.
-
To configure external client access to DataStax Enterprise commands, see Authorizing remote procedure calls for CQL execution.
Providing credentials
You can provide authentication credentials in several ways:
- Command line
-
Provide login credentials on the command line:
$ dse [<connection_options>] <subcommand>dse client-tool [<connection_options>] <subcommand>dsetool [<connection_options>] <subcommand>where the connection_options include:
-
-f <config_file>- the path to a configuration file that stores credentials. If not specified, then use ~/.dserc if it exists.The configuration file can contain DataStax Enterprise and JMX login credentials. For example:
username=<username> password=<password> jmx_username=<jmx_username> jmx_password=<jmx_password>The credentials in the configuration file are stored in clear text. DataStax recommends restricting access to this file only to the specific user.
-
dse
-u <username>is the user name to authenticate for database access. -
dsetool
-l <username>is the user name to authenticate for database access. -
-p <password>is the password to authenticate for database access. If you do not provide a password on the command line, you are prompted to enter one. -
-a <jmx_username>is the user name for authenticating when local JMX authentication is enabled. -
-b <jmx_password>is the password for authenticating when local JMX authentication is enabled. If you do not provide a password on the command line, you are prompted to enter one. -
<subcommand>is any dse, dse client-tool, or dsetool subcommand.
-
-
DataStax provided utilities typically have the following command line options for credentials:
dse -u <user_name> [ -p <password>] <command>Where the command line options for each supported tool are:
-
dse -u <user_name> [-p <password>] advrep <command> <subcommand> -
dse -u <username> [-p <password>] fs -
dse -u <username> [-p <password>] spark [<options>] -
dse spark-class
dse -u <username> [-p <password>] spark-class <options> -
dse -u <username> [-p <password>] spark-submit <options> -
dse -u <username> [-p <password>] spark-jobserver <options> -
dse -u <username> [-p <password>] spark-history-server <options> -
dse -u <username> [-p <password>] spark-sql-thriftserver <options> -
dse -u <username> [-p <password>] pyspark <options> -
dse -u <username> [-p <password>] spark-sql <options> -
dse -u <username> [-p <password>] sparkR <options> -
dse client-tool connection options
dse -u <username> [-p <password>] client-tool <subcommand> <options> -
dse -u <username> [-p <password>] gremlin-console
-
- ~/.dserc file
-
Create a file named .dserc in your home directory. The ~/.dserc file contains the cassandra user name and password:
username=<username> password=<password>When you launch a password-protected tool and authentication is not provided on the command line, the credentials in the ~/.dserc file are used. The ~/.dserc is ignored when a configuration file is specified with
-f. - Environment variables for dse client-tool, dse gremlin-console, and Spark commands
-
To increase security and prevent authentication credentials from appearing in log files, DataStax recommends using environment variables instead of passing credentials on the command line or in the .dserc file. Add the environment variables to your Bash .profile or .bash_profile files.
Use environment variables DSE_USERNAME and DSE_PASSWORD to specify a user name and password:
export DSE_USERNAME=<username> export DSE_PASSWORD=<password>
Use environment variable DSE_TOKEN to specify a delegation token when Kerberos is used:
export DSE_TOKEN=<delegation_token>
