com.datastax.dse.driver.api.core.auth

Class ProgrammaticDseGssApiAuthProvider

java.lang.Object

com.datastax.dse.driver.api.core.auth.DseGssApiAuthProviderBase

com.datastax.dse.driver.api.core.auth.ProgrammaticDseGssApiAuthProvider

All Implemented Interfaces:

AuthProvider, AutoCloseable

public class ProgrammaticDseGssApiAuthProvider
extends DseGssApiAuthProviderBase

AuthProvider that provides GSSAPI authenticator instances for clients to connect to DSE clusters secured with DseAuthenticator, in a programmatic way.

To use this provider the corresponding GssApiOptions must be passed into the provider directly, for example:

     DseGssApiAuthProviderBase.GssApiOptions.Builder builder =
         DseGssApiAuthProviderBase.GssApiOptions.builder();
     Map<String, String> loginConfig =
         ImmutableMap.of(
             "principal",
             "user principal here ex cassandra@DATASTAX.COM",
             "useKeyTab",
             "true",
             "refreshKrb5Config",
             "true",
             "keyTab",
             "Path to keytab file here");

     builder.withLoginConfiguration(loginConfig);

     CqlSession session =
         CqlSession.builder()
             .withAuthProvider(new ProgrammaticDseGssApiAuthProvider(builder.build()))
             .build();
 

or alternatively

     DseGssApiAuthProviderBase.GssApiOptions.Builder builder =
         DseGssApiAuthProviderBase.GssApiOptions.builder().withSubject(subject);
     CqlSession session =
         CqlSession.builder()
             .withAuthProvider(new ProgrammaticDseGssApiAuthProvider(builder.build()))
             .build();
 

Kerberos Authentication

Keytab and ticket cache settings are specified using a standard JAAS configuration file. The location of the file can be set using the java.security.auth.login.config system property or by adding a login.config.url.n entry in the java.security properties file. Alternatively a login-configuration, or subject can be provided to the provider via the GssApiOptions (see above).

See the following documents for further details:

1. JAAS Login Configuration File;
2. Krb5LoginModule options;
3. JAAS Authentication Tutorial for more on JAAS in general.

Authentication using ticket cache

Run kinit to obtain a ticket and populate the cache before connecting. JAAS config:

 DseClient {
   com.sun.security.auth.module.Krb5LoginModule required
     useTicketCache=true
     renewTGT=true;
 };
 

Authentication using a keytab file

To enable authentication using a keytab file, specify its location on disk. If your keytab contains more than one principal key, you should also specify which one to select. This information can also be specified in the driver config, under the login-configuration section.

 DseClient {
     com.sun.security.auth.module.Krb5LoginModule required
       useKeyTab=true
       keyTab="/path/to/file.keytab"
       principal="user@MYDOMAIN.COM";
 };
 

Specifying SASL protocol name

The SASL protocol name used by this auth provider defaults to " ".

Important: the SASL protocol name should match the username of the Kerberos service principal used by the DSE server. This information is specified in the dse.yaml file by the service_principal option under the kerberos_options section, and may vary from one DSE installation to another – especially if you installed DSE with an automated package installer.

For example, if your dse.yaml file contains the following:

 kerberos_options:
     ...
     service_principal: cassandra/my.host.com@MY.REALM.COM
 

The correct SASL protocol name to use when authenticating against this DSE server is "cassandra".

Should you need to change the SASL protocol name specify it in the GssApiOptions, use the method below:

     DseGssApiAuthProviderBase.GssApiOptions.Builder builder =
         DseGssApiAuthProviderBase.GssApiOptions.builder();
     builder.withSaslProtocol("alternate");
     DseGssApiAuthProviderBase.GssApiOptions options = builder.build();
 

Should internal sasl properties need to be set such as qop. This can also be accomplished by setting it in the GssApiOptions:

   DseGssApiAuthProviderBase.GssApiOptions.Builder builder =
         DseGssApiAuthProviderBase.GssApiOptions.builder();
     builder.addSaslProperty("javax.security.sasl.qop", "auth-conf");
     DseGssApiAuthProviderBase.GssApiOptions options = builder.build();
 

See Also:

Authenticating a DSE cluster with Kerberos

Nested Class Summary

Nested classes/interfaces inherited from class com.datastax.dse.driver.api.core.auth.DseGssApiAuthProviderBase

DseGssApiAuthProviderBase.GssApiAuthenticator, DseGssApiAuthProviderBase.GssApiOptions

Field Summary

Fields inherited from class com.datastax.dse.driver.api.core.auth.DseGssApiAuthProviderBase

DEFAULT_SASL_SERVICE_NAME, SASL_SERVICE_NAME_PROPERTY

Constructor Summary

Constructors

Constructor and Description
ProgrammaticDseGssApiAuthProvider(DseGssApiAuthProviderBase.GssApiOptions options)

Method Summary

Modifier and Type	Method and Description
protected DseGssApiAuthProviderBase.GssApiOptions	getOptions(EndPoint endPoint, String serverAuthenticator)

Methods inherited from class com.datastax.dse.driver.api.core.auth.DseGssApiAuthProviderBase

close, newAuthenticator, onMissingChallenge

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

ProgrammaticDseGssApiAuthProvider

public ProgrammaticDseGssApiAuthProvider(DseGssApiAuthProviderBase.GssApiOptions options)

Method Detail

getOptions

@NonNull
protected DseGssApiAuthProviderBase.GssApiOptions getOptions(@NonNull
                                                                      EndPoint endPoint,
                                                                      @NonNull
                                                                      String serverAuthenticator)

Specified by:

getOptions in class DseGssApiAuthProviderBase