Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/instaclustr/cassandra-kerberos

GSS-API authenticator plugin for Apache Cassandra
https://github.com/instaclustr/cassandra-kerberos

auth authentication cassandra cassandra-kerberos driver gssapi-authentication kerberos keytab netapp-public plugin principal security service

Last synced: about 1 month ago
JSON representation

GSS-API authenticator plugin for Apache Cassandra

Host: GitHub
URL: https://github.com/instaclustr/cassandra-kerberos
Owner: instaclustr
License: apache-2.0
Created: 2018-09-24T04:24:44.000Z (about 6 years ago)
Default Branch: master
Last Pushed: 2023-07-06T23:51:48.000Z (over 1 year ago)
Last Synced: 2024-09-30T04:05:53.453Z (about 1 month ago)
Topics: auth, authentication, cassandra, cassandra-kerberos, driver, gssapi-authentication, kerberos, keytab, netapp-public, plugin, principal, security, service
Language: Java
Homepage: https://instaclustr.com
Size: 110 KB
Stars: 5
Watchers: 6
Forks: 2
Open Issues: 7
Metadata Files:
- Readme: README.adoc
- License: LICENSE

Awesome Lists containing this project

README

== Cassandra Kerberos Authenticator

_A GSSAPI authentication provider for Apache Cassandra_

image:https://circleci.com/gh/instaclustr/cassandra-kerberos.svg?style=svg["Instaclustr",link="https://circleci.com/gh/instaclustr/cassandra-kerberos"]

This authenticator plugin is intended to work with the
https://github.com/instaclustr/cassandra-java-driver-kerberos[Cassandra Java Driver Kerberos Authenticator]
plugin for the https://github.com/datastax/java-driver[Cassandra Java driver].

Supported versions:

* 2.2
* 3.0
* 3.11
* 4.0
* 4.1

NOTE: CQLSH integration works only with Cassandra 4.1 and above.

WARNING: if you install / configure this authenticator, with open source Cassandra of version less than 4.1, you will not be able to connect through CQL shell anymore as this functionality is not
implemented in CQL shell yet. This authenticator is meant to be used only in connection with Java applications
for which you need to setup your driver to use https://github.com/instaclustr/cassandra-java-driver-kerberos[Kerberos Java driver], also from Instaclustr.

=== Build

To build the project, just run `mvn clean install`.

The project is organised into modules, each module per major Cassandra version.
You will find in `target` of each module for respective Cassandra version:

* JAR
* DEB package
* RPM package

=== Environment set-up

1. Ensure that the following pre-requisite systems are configured:

- A unique DNS record is created for each node (use `hostname -f` on each node to verify that the DNS FQDN is configured)
- A reverse DNS record is created for each node, matching the `broadcast_rpc_address`
- A Kerberos 5 KDC server is available
- Kerberos client libraries are installed on each Cassandra node
- An NTP client is installed & configured on each Cassandra node. Ideally the Cassandra nodes sync
with the same time source as the KDC in order to minimise potential time-sync issues.
- If using Oracle Java, ensure that the https://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html[Java Cryptographic Extensions Unlimited Strength Jurisdiction Policy Files]
are installed (not necessary when using OpenJDK or other JRE implementations)

2. Ensure that the value of http://cassandra.apache.org/doc/latest/configuration/cassandra_config_file.html#rpc-address[rpc_address]
(and optionally http://cassandra.apache.org/doc/latest/configuration/cassandra_config_file.html#broadcast-rpc-address[broadcast_rpc_address], if using)
in the `cassandra.yaml` config file is not set to `localhost`. Reverse-DNS records must be created to match the `broadcast_rpc_address`.
This enables clients to resolve the Kerberos service principal's hostname from the IP address.

3. Configure the `/etc/krb5.conf` Kerberos config file on each node (see http://web.mit.edu/kerberos/www/krb5-latest/doc/admin/conf_files/krb5_conf.html[here] for further details). Below is an example `krb5.conf` for an `EXAMPLE.COM` Kerberos realm:

[logging]
default = FILE:/var/log/krb5libs.log
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
EXAMPLE.COM = {
kdc = kdc.example.com
admin_server = kdc.example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

4. For each cassandra node, create a new Kerberos service principal (see http://web.mit.edu/kerberos/www/krb5-latest/doc/admin/admin_commands/kadmin_local.html#add-principal[here] for further details)
Note that the service name portion of the principal (`cassandra`, in this example) must be the same for
each node in the cluster, and must *also* match the SASL protocol name specified when configuring
the https://github.com/instaclustr/cassandra-java-driver-kerberos[Cassandra Java driver Kerberos authenticator].
The hostname portion of the principal (e.g. `node1.mycluster.example.com`) must match the DNS entry for each Cassandra node.

kadmin -q "addprinc -randkey cassandra/[email protected]"
kadmin -q "addprinc -randkey cassandra/[email protected]"
kadmin -q "addprinc -randkey cassandra/[email protected]"

5. Create a keytab for each newly created service principal (see http://web.mit.edu/kerberos/www/krb5-latest/doc/admin/admin_commands/kadmin_local.html#ktadd[here] for further details)

kadmin -q "ktadd -k /node1.keytab cassandra/[email protected]"
kadmin -q "ktadd -k /node2.keytab cassandra/[email protected]"
kadmin -q "ktadd -k /node3.keytab cassandra/[email protected]"

6. Copy the corresponding keytab file to the Cassandra configuration directory on each node, and set the appropriate access controls

scp kdc.example.com:/node1.keytab /etc/cassandra/node1.keytab
chown cassandra:cassandra /etc/cassandra/node1.keytab
chmod 400 /etc/cassandra/node1.keytab

=== Install & configure the Kerberos authenticator

1. Copy the `cassandra-krb5.properties` file to the Cassandra configuration directory on each node (e.g. `/etc/cassandra/conf` or `/etc/cassandra`, based on OS).
Set `service_principal` and `keytab` to correspond to the service principals and keytabs created in the previous steps.

service_principal=cassandra/[email protected]
keytab=node1.keytab
qop=auth

2. Copy the authenicator jar to the Cassandra `lib` directory (e.g. `/usr/share/cassandra/lib/`)

3. Set the http://cassandra.apache.org/doc/latest/configuration/cassandra_config_file.html#authenticator[authenticator]
option in the `cassandra.yaml` config file.

authenticator: com.instaclustr.cassandra.auth.KerberosAuthenticator

You may control where to fetch the configuration file from by system property set upon Cassandra startup, for example `-Dcassandra.krb5.config=/path/to/conf.properties`

In case you are using packages, JAR and conf file is installed into the right place automatically.

=== CQLSH

To set up CQLSH, you need to insert and modify accordingly your `cqlshrc` file. To successfully log in, you need to
have a valid ticket. How to obtain it is outside this document, but you should see the output similar to this:

----
[auth_provider]
module=cassandra.auth
classname=SaslAuthProvider
service=cassandra
keytab=/etc/cassandra/cassandra.keytab
mechanism=GSSAPI
qop=auth
----

After successful login, you should have a ticket granted:

----
[root@node1 ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: [email protected]

Valid starting Expires Service principal
04/01/2022 15:57:59 04/02/2022 15:39:42 cassandra/[email protected]
04/01/2022 15:39:42 04/02/2022 15:39:42 krbtgt/[email protected]
----

If you are logged in as root in shell, it will try to log you in Cassandra as root as well, so you need to have
the corresponding role in Cassandra before you authenticate. Create your roles beforehand in order to log in after you switch to KerberosAuthenticator in `cassandra.yaml`.

In case you are
Please see https://www.instaclustr.com/support/documentation/announcements/instaclustr-open-source-project-status/[status] for Instaclustr support status of this project