instaclustr / cassandra-kerberos
GSS-API authenticator plugin for Apache Cassandra
Home Page: https://instaclustr.com
License: Apache License 2.0
I am trying out your cassandra-kerberos authenticator against Cassandra 3.11.4-1.
I am using RedHat's IDM (aka FreeIPA), and I do have the IDM server and client set up correctly.
I can create and obtain a ticket for the user I'm trying to connect with:
# kinit [email protected]
Password for [email protected]:
[root@jlermdev228 cloud_install]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]
Valid starting Expires Service principal
03/02/2019 16:06:24 03/03/2019 16:06:20 krbtgt/[email protected]
renew until 03/09/2019 16:06:20
I have a Cassandra 3.11 cluster with three nodes as follows
Owns (effective) Host ID Rack
UN 10.176.113.228 193.66 KiB 256 60.4% b111f147-02c2-4942-8b17-82f92fa720af rack1
UN 10.176.113.229 345.28 KiB 256 65.9% 4c666f99-653c-4263-bfe2-0c6ee6b12156 rack1
UN 10.176.113.230 360.59 KiB 256 73.7% 5bfab6fc-bc40-4bbb-bcd2-db556d8c4e18 rack1
I set up all servers with SSL.
Built the cassandra kerberos jar and placed it under /usr/share/cassandra/lib/cassandra-3-11-kerberos-1.0.0.jar.
I created a user '[email protected]' via cqlsh before switching the authenticator in cassandra.yaml:
CREATE ROLE '[email protected]' WITH SUPERUSER = true AND LOGIN = true AND PASSWORD = 'password42';
I created this file:
# cat /etc/cassandra/conf/cassandra-krb5.properties
service_principal=cassandra/[email protected]
keytab=/etc/cassandra/jlermdev228.keytab
qop=auth
And created the keytab for the cassandra service on node jlermdev228:
# ls -l /etc/cassandra/jlermdev228.keytab
-r-------- 1 cassandra cassandra 186 Mar 2 16:02 /etc/cassandra/jlermdev228.keytab
I created a cqlshrc:
# cat ~/.cassandra/cqlshrc
[connection]
hostname = jlermdev228.jlerm.com
port = 9042
factory = cqlshlib.kerberos.kerberos_transport_factory
[kerberos]
hostname = jlermdev228.jlerm.com
;;service = cassandra/[email protected]
service = cassandra
principal = [email protected]
qops = auth-conf
[kerberos_options]
service_principal=cassandra/[email protected]
keytab=/etc/cassandra/jlermdev228.keytab
[ssl]
certfile = /opt/cloud_install/CA_CLUSTER.pem
validate = false
I get the ticket for user [email protected] as pointed out above.
Then I restart cassandra.
However, when I try to connect, it still prompts for a password:
# cqlsh 10.176.113.228 -u [email protected] --ssl
Password:
I type the password, but get this error:
Connection error: ('Unable to connect to any servers', {'10.176.113.228': AuthenticationFailed('Failed to authenticate to 10.176.113.228: Error from server: code=0100 [Bad credentials] message="The SASL server could not evaluate the response sent by the client. The server may not be configured correctly, or the response may be invalid."',)})
I tried different variations in the cqlshrc file, with no luck.
Any ideas or help you can provide?
Thanks,
Julius
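An added example, not part of the original post or the project's code: a small Python lint over the two configuration files quoted above, flagging settings that differ between client and server or that weaken the connection. The principal, realm and host names in the sample inputs are constructed placeholders, and treating `qop`/`qops` as single values that must match literally is an assumption.

```python
import configparser
import ipaddress

# Constructed sample inputs modelled on the two files in the post; the
# principal, realm and host names are placeholders, not values from the page.
SERVER_PROPS = """\
service_principal=cassandra/node1.example.com@EXAMPLE.COM
keytab=/etc/cassandra/node1.keytab
qop=auth
"""
CQLSHRC = """\
[kerberos]
hostname = node1.example.com
service = cassandra
qops = auth-conf
[ssl]
validate = false
"""

def parse_props(text):
    """Parse simple key=value lines, skipping blanks and # comments."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def lint(server_props, cqlshrc, connect_target):
    """Return findings where client and server settings disagree or weaken auth."""
    srv = parse_props(server_props)
    cli = configparser.ConfigParser()
    cli.read_string(cqlshrc)
    findings = []
    # Assumption: qop (server) and qops (client) are single values compared literally.
    srv_qop, cli_qop = srv.get("qop", ""), cli.get("kerberos", "qops", fallback="")
    if srv_qop != cli_qop:
        findings.append(f"qop mismatch: server={srv_qop} client={cli_qop}")
    host = srv.get("service_principal", "").partition("/")[2].partition("@")[0]
    if is_ip(connect_target) or connect_target != host:
        findings.append(f"target {connect_target} does not match principal host {host}")
    if not cli.getboolean("ssl", "validate", fallback=True):
        findings.append("ssl validate=false: server certificate is not verified")
    return findings

print(lint(SERVER_PROPS, CQLSHRC, "10.176.113.228"))
```

The findings are points to check, not a diagnosis of the error reported above.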
Ideally release artefacts should be built automatically by CircleCI (see #4)