Using cqlsh with Kerberos or user authentication

Configuration steps to use cqlsh with DataStax Unified Authentication.

dse.yaml

The location of the dse.yaml file depends on the type of installation:

Package installations
Installer-Services installations

/etc/dse/dse.yaml

Tarball installations
Installer-No Services installations

installation_location/resources/dse/conf/dse.yaml

cqlshrc.sample.kerberos

The default location of the cqlshrc.sample.kerberos file depends on the type of installation:

Package installations
Installer-Services installations

/etc/dse/cassandra/cqlshrc.sample.kerberos

Tarball installations
Installer-No Services installations

installation_location/resources/cassandra/conf/cqlshrc.sample.kerberos

cqlshrc.sample.ssl

The default location of the cqlshrc.sample.ssl file depends on the type of installation:

Package installations
Installer-Services installations

/etc/dse/cassandra/cqlshrc.sample.ssl

Tarball installations
Installer-No Services installations

installation_location/resources/cassandra/conf/cqlshrc.sample.ssl

To use cqlsh with DataStax Unified Authentication, you can configure credentials in a file to avoid having to pass them for every login. You can use the sample files as a starting point, and use the --debug option to identify and resolve authentication problems.

Example files

DataStax Enterprise provides sample files and examples to help configure authentication:

Make changes as appropriate for your environment.

Kerberos example

DataStax Enterprise provides a sample cqlshrc.sample.kerberos file as a starting point.

Required settings for Kerberos authentication:

[connection]
hostname = 192.168.1.2
port = 9042

[kerberos]
service = dse ;; If not set, the default is dse
qops = auth ;; Optional, see the paragraph below

The [connection] hostname and [kerberos] service settings must match the values in the dse.yaml configuration file, or be set as environment variables.
  • In the kerberos_options section of the dse.yaml file, set service_principal. The service_principal must be consistent everywhere: in the dse.yaml file, present in the keytab, and in the cqlshrc file (where service_principal is separated into service/hostname).
  • The environment variables (KRB_HOST, KRB_SERVICE, and KRB_PRINCIPAL) override the options that are set in dse.yaml.

    The environment variables KRB_SERVICE and QOPS override the options in the .cqlshrc file. The loading order for settings is: environment variable, .cqlshrc setting, default.

The default (auth) is used when qops is not specified. On the client side, the qops option is a comma-delimited list of the QOP values allowed by the client for the connection.
  • The client (cqlsh) value list must contain at least one of the QOP values that are specified on the server.
  • The client can have multiple QOP values, while the server can only have a single QOP value that is specified in the dse.yaml file.

SSL example

DataStax Enterprise provides a sample cqlshrc.sample.ssl file as a starting point.

[authentication]
username = fred
password = !!bang!!$

[connection]
hostname = 127.0.0.1
port = 9042
 
[ssl]
certfile = ~/keys/cassandra.cert
validate = false ;; Optional, true by default. See the paragraph below.

[certfiles] ;; Optional section, overrides the default certfile in the [ssl] section.
10.209.182.160 = /etc/dse/cassandra/conf/dsenode0.cer
10.68.65.199 = /etc/dse/cassandra/conf/dsenode1.cer

Note: When generating the certificate, be sure to set the CN to the hostname of the node.

When validate is enabled, you must create a PEM key, which is used in the cqlshrc file. For example:

keytool -importkeystore -srckeystore .keystore -destkeystore user.p12 -deststoretype PKCS12
openssl pkcs12 -in user.p12 -out user.pem -nodes

This PEM key is required because the host in the certificate is compared to the host of the machine that cqlsh connects to. The SSL certificate must be provided either in the configuration file or as an environment variable. The environment variables (SSL_CERTFILE and SSL_VALIDATE) override any options set in this file.

Kerberos and SSL

For information about using Kerberos with SSL, see Using CQL shell (cqlsh) with SSL.

The settings for using both Kerberos and SSL are a combination of the Kerberos and SSL sections in these examples.

The supported environment variables are KRB_SERVICE, SSL_CERTFILE, and SSL_VALIDATE.
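
The loading order (environment variable, cqlshrc setting, default) and the QOP rule from the Kerberos example, combined with the SSL settings, as an added example that is not DataStax code: it resolves each option and flags a client qops list that lacks the server's value, a missing certfile, and disabled certificate validation. The sample cqlshrc, the function names, the auth-int value in the sample, and treating only the literal "false" as disabling validation are assumptions.

```python
import configparser

# Constructed cqlshrc, combining the Kerberos and SSL examples on this page.
SAMPLE_CQLSHRC = """\
[connection]
hostname = 192.168.1.2
port = 9042

[kerberos]
service = dse ;; If not set, the default is dse
qops = auth,auth-int

[ssl]
certfile = ~/keys/cassandra.cert
validate = false
"""

# (environment variable, cqlshrc section, option, default) as described on the page.
SETTINGS = [
    ("KRB_SERVICE", "kerberos", "service", "dse"),
    ("QOPS", "kerberos", "qops", "auth"),
    ("SSL_CERTFILE", "ssl", "certfile", None),
    ("SSL_VALIDATE", "ssl", "validate", "true"),
]

def effective_settings(cqlshrc_text, env):
    """Resolve each option in the page's order: environment, cqlshrc, default."""
    cfg = configparser.ConfigParser(interpolation=None, inline_comment_prefixes=(";",))
    cfg.read_string(cqlshrc_text)
    resolved = {}
    for env_name, section, option, default in SETTINGS:
        if env.get(env_name):
            resolved[option] = (env[env_name], "env " + env_name)
        elif cfg.has_option(section, option):
            resolved[option] = (cfg.get(section, option), "cqlshrc")
        else:
            resolved[option] = (default, "default")
    return resolved

def audit(resolved, server_qop):
    """Return findings; server_qop is the single QOP value set in dse.yaml."""
    findings = []
    client_qops = {q.strip() for q in resolved["qops"][0].split(",")}
    if server_qop not in client_qops:
        findings.append(f"qops {sorted(client_qops)} lacks server QOP {server_qop!r}")
    if resolved["certfile"][0] is None:
        findings.append("no SSL certfile in cqlshrc or SSL_CERTFILE")
    # Assumption: only the literal value "false" disables validation.
    if resolved["validate"][0].strip().lower() == "false":
        findings.append(f"certificate validation disabled ({resolved['validate'][1]})")
    return findings
```

Call effective_settings(open(path).read(), os.environ) against a real cqlshrc and pass the qop value from dse.yaml to audit().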

Debugging cqlsh authentication

Use the --debug option to troubleshoot authentication problems with cqlsh. When --debug is passed to cqlsh, the debug log messages include the type of authentication that cqlsh is attempting.