instaclustr / cassandra-kerberos Goto Github PK

I am trying out your cassandra-kerberos authenticator against Cassandra 3.11.4-1.

I am using RedHat's IDM (aka FreeIPA), and I do have the IDM server and client set up correctly.
I can create and obtain a ticket for the user I'm trying to connect with:

# kinit [email protected]
Password for [email protected]:
[root@jlermdev228 cloud_install]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting Expires Service principal
03/02/2019 16:06:24 03/03/2019 16:06:20 krbtgt/[email protected]
renew until 03/09/2019 16:06:20

I have a Cassandra 3.11 cluster with three nodes as follows

Owns (effective) Host ID Rack
UN 10.176.113.228 193.66 KiB 256 60.4% b111f147-02c2-4942-8b17-82f92fa720af rack1
UN 10.176.113.229 345.28 KiB 256 65.9% 4c666f99-653c-4263-bfe2-0c6ee6b12156 rack1
UN 10.176.113.230 360.59 KiB 256 73.7% 5bfab6fc-bc40-4bbb-bcd2-db556d8c4e18 rack1

I set up all servers with SSL.
Built the cassandra kerberos jar and placed it under /usr/share/cassandra/lib/cassandra-3-11-kerberos-1.0.0.jar.
I created a user '[email protected]' via cqlsh before switching the authenticator in cassandra.yaml:

CREATE ROLE '[email protected]' WITH SUPERUSER = true AND LOGIN = true AND PASSWORD = 'password42';

I created this file:

# cat /etc/cassandra/conf/cassandra-krb5.properties
service_principal=cassandra/[email protected]
keytab=/etc/cassandra/jlermdev228.keytab
qop=auth

And created the keytab for the cassandra service on node jlermdev228:

# ls -l /etc/cassandra/jlermdev228.keytab
-r-------- 1 cassandra cassandra 186 Mar 2 16:02 /etc/cassandra/jlermdev228.keytab

I created a cqlshrc:

# cat ~/.cassandra/cqlshrc
[connection]
hostname = jlermdev228.jlerm.com
port = 9042
factory = cqlshlib.kerberos.kerberos_transport_factory

[kerberos]
hostname = jlermdev228.jlerm.com
;;service = cassandra/[email protected]
service = cassandra
principal = [email protected]
qops = auth-conf

[kerberos_options]
service_principal=cassandra/[email protected]
keytab=/etc/cassandra/jlermdev228.keytab

[ssl]
certfile = /opt/cloud_install/CA_CLUSTER.pem
validate = false

I get the ticket for user [email protected] as pointed out above.

Then I restart cassandra.
However, when I try to connect, it still prompts for a password:

# cqlsh 10.176.113.228 -u [email protected] --ssl
Password:

I type the password, but get this error:

Connection error: ('Unable to connect to any servers', {'10.176.113.228': AuthenticationFailed('Failed to authenticate to 10.176.113.228: Error from server: code=0100 [Bad credentials] message="The SASL server could not evaluate the response sent by the client. The server may not be configured correctly, or the response may be invalid."',)})

I tried different variations in the cqlshrc file, with no luck.

Any ideas or help you can provide?

Thanks,

Julius

Ideally release artefacts should be built automatically by CircleCI (see #4)