Test Kerberos authentication with cqlsh
Confirm that Kerberos authentication is working correctly by configuring and using cqlsh
Use the cqlsh tool to authenticate to DataStax Enterprise using a Kerberos principal. To use Kerberos authentication with cqlsh, create a cqlshrc file and configure the options for your Kerberos realm.
Procedure
-
On the KDC server, add the user principals in kadmin using the addprinc command.
$ kadmin addprinc jane
In Kerberos, there's a difference between a service principal and a user principal. Typically, user principals have the form username@Kerberos realm name, while service principals have the form servicename/hostname@Kerberos realm name. For example, a user principal is jane@EXAMPLE.COM, while a service principal is cassandra/node1.example.com@EXAMPLE.COM.
Do not confuse the default cassandra database superuser with the cassandra Unix user that corresponds with the cassandra Kerberos service principals (for example cassandra/node1.example.com@EXAMPLE.COM) used in this tutorial.
-
On the DataStax Enterprise node where you will run cqlsh, add the user principals to the system_auth.users table.
  -
  Temporarily disable Kerberos authentication in cassandra.yaml and restart the node.
  In cassandra.yaml:
  # authenticator: com.datastax.bdp.cassandra.auth.KerberosAuthenticator
  authenticator: PasswordAuthenticator
  authorizer: CassandraAuthorizer
  Restart the node:
  $ sudo service dse restart
  -
  Create a new superuser with the same name as the user principal.
  $ cqlsh
  cqlsh> create user 'jane@EXAMPLE.COM' SUPERUSER;
  The Cassandra username must match the full user principal name, including the Kerberos realm.
  -
  Re-enable the Kerberos authenticator in cassandra.yaml.
  authenticator: com.datastax.bdp.cassandra.auth.KerberosAuthenticator
  -
  Restart the node.
  $ sudo service dse restart
-
On the DataStax Enterprise node where you will run cqlsh, install the Python dependencies for cqlsh Kerberos authentication.
RedHat and CentOS
$ sudo yum install python-pip
$ sudo pip install pure-sasl
$ sudo yum install python27-kerberos
Note: You must use the python27-kerberos package from the DataStax RPM repository. The python-kerberos package from the main RPM repositories will not work with cqlsh.
Debian and Ubuntu
$ sudo apt-get install python-pip
$ sudo pip install pure-sasl
$ sudo apt-get install python-kerberos
-
Create a cqlshrc file based on the sample file included with DataStax Enterprise.
Package installs
$ mkdir ~/.cassandra
$ cp /usr/share/doc/dse-libcassandra-4.8.3/cqlshrc.sample.kerberos ~/.cassandra/cqlshrc
Tarball installs
$ mkdir ~/.cassandra
$ cp DSE_HOME/resources/cassandra/conf/cqlshrc.sample.kerberos ~/.cassandra/cqlshrc
-
Edit cqlshrc and set the options according to your cluster and Kerberos realm.
Set the hostname option in the [connection] section to the hostname of the node. In the [kerberos] section, set the hostname option to the hostname of the node and set the principal option to the name of the user principal you created.
[connection]
hostname = node1.example.com
port = 9042

[kerberos]
hostname = node1.example.com
service = cassandra ; optional
principal = jane@EXAMPLE.COM
-
Get a Kerberos ticket for your user principal.
$ kinit jane
Password for jane@EXAMPLE.COM:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jane@EXAMPLE.COM

Valid starting       Expires              Service principal
12/14/2015 19:18:36  12/15/2015 05:18:36  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 12/21/2015 19:18:34
-
Start cqlsh.
$ cqlsh
Connected to Test Cluster at node1.example.com:9042.
[cqlsh 5.0.1 | Cassandra 2.1.11.969 | DSE 4.8.3 | CQL spec 3.2.1 | Native protocol v3]
Use HELP for help.
cqlsh>
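
A consistency check for the two files this procedure edits, as an added example that is not part of the DataStax documentation: it flags a cassandra.yaml still left on the temporary PasswordAuthenticator and a cqlshrc whose principal or hostnames do not follow the steps above. The function names and sample file contents are constructed for illustration, and cassandra.yaml is scanned with a regular expression rather than parsed as YAML.

```python
import configparser
import re

KERBEROS_AUTH = "com.datastax.bdp.cassandra.auth.KerberosAuthenticator"

def active_authenticator(yaml_text):
    """Return the uncommented authenticator value (last one wins), or None."""
    found = re.findall(r"^authenticator:\s*(\S+)", yaml_text, flags=re.M)
    return found[-1] if found else None

def check_setup(cqlshrc_text, yaml_text):
    """Return a list of findings; an empty list means the files are consistent."""
    findings = []
    auth = active_authenticator(yaml_text)
    if auth != KERBEROS_AUTH:
        findings.append("cassandra.yaml authenticator is %r, expected KerberosAuthenticator" % auth)
    # cqlshrc is INI; ';' starts an inline comment ("service = cassandra ; optional").
    cfg = configparser.ConfigParser(inline_comment_prefixes=(";",), interpolation=None)
    cfg.read_string(cqlshrc_text)
    principal = cfg.get("kerberos", "principal", fallback="")
    # A user principal is username@REALM; a '/' would make it a service principal.
    if not re.fullmatch(r"[^/@\s]+@[^/@\s]+", principal):
        findings.append("principal %r is not of the form username@REALM" % principal)
    conn_host = cfg.get("connection", "hostname", fallback=None)
    krb_host = cfg.get("kerberos", "hostname", fallback=None)
    if not conn_host or conn_host != krb_host:
        findings.append("hostname mismatch: [connection]=%r [kerberos]=%r" % (conn_host, krb_host))
    return findings

# Constructed sample inputs that reuse the values shown in the procedure.
CQLSHRC = """\
[connection]
hostname = node1.example.com
port = 9042
[kerberos]
hostname = node1.example.com
service = cassandra ; optional
principal = jane@EXAMPLE.COM
"""
YAML_LEFT_DISABLED = """\
# authenticator: com.datastax.bdp.cassandra.auth.KerberosAuthenticator
authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer
"""
YAML_REENABLED = "authenticator: %s\nauthorizer: CassandraAuthorizer\n" % KERBEROS_AUTH

if __name__ == "__main__":
    for label, text in (("left disabled", YAML_LEFT_DISABLED), ("re-enabled", YAML_REENABLED)):
        print(label, "->", check_setup(CQLSHRC, text) or "OK")
```

Running the check after the final restart, before handing the node back, catches the case where the password authenticator from the temporary step is still active.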