
Caution

You're viewing documentation for a previous version of Scylla Java Driver. Switch to the latest stable version.


Authentication

Quick overview

  • advanced.auth-provider in the configuration.

  • disabled by default. Also available: plain-text credentials, GSSAPI (DSE only), or write your own.

  • can also be defined programmatically: CqlSession.builder().withAuthCredentials or CqlSession.builder().withAuthProvider.


Cassandra’s binary protocol supports SASL-based authentication. To use it, you must provide an auth provider that will authenticate with the server every time a new connection gets established.

This can be done in two ways:

In the configuration

Define an auth-provider section in the configuration:

datastax-java-driver {
  advanced.auth-provider {
    class = ...
  }
}

The auth provider must be configured before opening a session; it cannot be changed at runtime.

Plain text

PlainTextAuthProvider supports simple username/password authentication (intended to work with the server-side PasswordAuthenticator). The credentials can be changed at runtime; they will be used for new connection attempts once the configuration gets reloaded.

datastax-java-driver {
  advanced.auth-provider {
    class = PlainTextAuthProvider
    username = cassandra
    password = cassandra
  }
}

When connecting to DSE, an optional authorization-id can also be specified. It will be used for proxy authentication (logging in as another user or role). If you try to use this feature with an authenticator that doesn’t support it, the authorization id will be ignored.

datastax-java-driver {
  advanced.auth-provider {
    class = PlainTextAuthProvider
    username = user
    password = pass
    authorization-id = otherUserOrRole
  }
}

Note that, for backward compatibility with previous driver versions, you can also use the class name DsePlainTextAuthProvider to enable this provider.

GSSAPI (DSE only)

DseGssApiAuthProvider supports GSSAPI authentication against a DSE cluster secured with Kerberos:

datastax-java-driver {
  advanced.auth-provider {
      class = DseGssApiAuthProvider
      login-configuration {
          principal = "user principal here ex cassandra@DATASTAX.COM"
          useKeyTab = "true"
          refreshKrb5Config = "true"
          keyTab = "Path to keytab file here"
      }
   }
 }

See the comments in reference.conf for more details.

Custom

You can also write your own provider; it must implement AuthProvider and declare a public constructor with a DriverContext argument.

datastax-java-driver {
  advanced.auth-provider {
    class = com.mycompany.MyCustomAuthProvider
    ... // any custom options your provider might use
  }
}

Programmatically

You can also pass an auth provider instance while building the session:

CqlSession session =
    CqlSession.builder()
        .withAuthProvider(new MyCustomAuthProvider())
        .build();

For convenience, there are shortcuts that take the credentials directly. This is equivalent to using PlainTextAuthProvider in the configuration:

CqlSession session =
    CqlSession.builder()
        .withAuthCredentials("user", "pass")
        .build();

// With proxy authentication (DSE only)
CqlSession session =
    CqlSession.builder()
        .withAuthCredentials("user", "pass", "otherUserOrRole")
        .build();

One downside of withAuthCredentials is that the credentials are stored in clear text in memory; this means they are vulnerable to an attacker who is able to perform memory dumps. If this is not acceptable for you, consider writing your own AuthProvider implementation; PlainTextAuthProviderBase is a good starting point.
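
One way to follow that suggestion, as an added example that is not part of the driver or its documentation: a provider extending PlainTextAuthProviderBase that re-reads the credentials from files into char[] buffers for each new connection, so no long-lived String holds the password. The class name FileBackedAuthProvider and the two file paths are assumptions; the constructor takes a DriverContext so the class can also be named in advanced.auth-provider.class.

```java
import com.datastax.oss.driver.api.core.auth.PlainTextAuthProviderBase;
import com.datastax.oss.driver.api.core.context.DriverContext;
import com.datastax.oss.driver.api.core.metadata.EndPoint;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;

/** Hypothetical provider: reads the credentials from files on every connection attempt. */
public class FileBackedAuthProvider extends PlainTextAuthProviderBase {
  // Assumed secret locations (e.g. a mounted secrets volume); adjust to your deployment.
  private static final Path USER_FILE = Paths.get("/run/secrets/cql_username");
  private static final Path PASS_FILE = Paths.get("/run/secrets/cql_password");

  // Public constructor with a DriverContext argument, required when configured by class name.
  public FileBackedAuthProvider(DriverContext context) {
    super(context.getSessionName()); // used as the log prefix
  }

  @Override
  protected Credentials getCredentials(EndPoint endPoint, String serverAuthenticator) {
    // Fresh char[] copies per call; the secret is never turned into a String.
    return new Credentials(readSecret(USER_FILE), readSecret(PASS_FILE));
  }

  private static char[] readSecret(Path file) {
    byte[] raw;
    try {
      raw = Files.readAllBytes(file);
    } catch (IOException e) {
      throw new UncheckedIOException("Cannot read credential file " + file, e);
    }
    CharBuffer decoded = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(raw));
    Arrays.fill(raw, (byte) 0); // wipe the raw bytes once decoded
    int end = decoded.limit();
    while (end > 0 && (decoded.get(end - 1) == '\n' || decoded.get(end - 1) == '\r')) {
      end--; // drop trailing line terminators left by editors or echo
    }
    char[] secret = new char[end];
    decoded.get(secret, 0, end);
    if (decoded.hasArray()) Arrays.fill(decoded.array(), '\0'); // wipe the decode buffer too
    return secret;
  }
}
```

This shortens how long the secret sits in heap memory; it does not remove it, since the credentials still have to be encoded into the SASL response for each connection.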

Similarly, ProgrammaticDseGssApiAuthProvider lets you configure GSSAPI programmatically:

import com.datastax.dse.driver.api.core.auth.DseGssApiAuthProviderBase.GssApiOptions;

javax.security.auth.Subject subject = ...; // do your Kerberos configuration here

GssApiOptions options = GssApiOptions.builder().withSubject(subject).build();
CqlSession session = CqlSession.builder()
    .withAuthProvider(new ProgrammaticDseGssApiAuthProvider(options))
    .build();

For more complex needs (e.g. if building the options once and reusing them doesn’t work for you), you can subclass DseGssApiAuthProviderBase.

Proxy authentication

DSE allows a user to connect as another user or role:

-- Allow bob to connect as alice:
GRANT PROXY.LOGIN ON ROLE 'alice' TO 'bob';

Once connected, all authorization checks will be performed against the proxy role (alice in this example).

To use proxy authentication with the driver, you need to provide the authorization-id, in other words the name of the role you want to connect as.

Example for plain text authentication:

datastax-java-driver {
  advanced.auth-provider {
      class = PlainTextAuthProvider
      username = bob
      password = bob's password
      authorization-id = alice
   }
 }

With the GSSAPI (Kerberos) provider:

datastax-java-driver {
  advanced.auth-provider {
      class = DseGssApiAuthProvider
      authorization-id = alice
      login-configuration {
          principal = "user principal here ex bob@DATASTAX.COM"
          useKeyTab = "true"
          refreshKrb5Config = "true"
          keyTab = "Path to keytab file here"
      }
   }
 }

Proxy execution

Proxy execution is similar to proxy authentication, but it applies to a single query, not the whole session.

-- Allow bob to execute queries as alice:
GRANT PROXY.EXECUTE ON ROLE 'alice' TO 'bob';

For this scenario, you would not add the authorization-id = alice to your configuration. Instead, use ProxyAuthentication.executeAs to wrap your query with the correct authorization for the execution:

import com.datastax.dse.driver.api.core.auth.ProxyAuthentication;

SimpleStatement statement = SimpleStatement.newInstance("some query");
// executeAs returns a new instance, you need to re-assign
statement = ProxyAuthentication.executeAs("alice", statement);
session.execute(statement);
© 2022, ScyllaDB. All rights reserved.
Last updated on 25 May 2022.