cassandra-user mailing list archives

From "Coe, Robin" <robin....@bluecoat.com>
Subject RE: Re: Cassandra access control
Date Wed, 25 Nov 2009 17:05:51 GMT
If all you want to perform is a simple bind to an LDAP service, then why use either?  JPam
uses JAAS under the covers and jldap is a full API for managing a depot.  Neither solution
looks particularly optimized.

If LDAP integration is a must-have, then why not just use JNDI?  Create a singleton factory
that sets up the environment, including a connection pool, to create an initial context.
Then, use that to create a per-Thrift connection binding context, with credentials passed
in from the client?

However, I still think the simplest, fastest solution is to use a Cassandra-managed user realm,
similar to RDBMS systems.  That keeps the connection opening phase within the Cassandra engine
and isn't susceptible to the service being unavailable.  As well, if Cassandra manages the
user realm on a per-keyspace basis, then authentication and authorization can be performed
simultaneously and the keyspace argument can be dropped from the Thrift API calls.

Configuring Cassandra to handle LDAP binding will require configuring the connection url,
protocol, search scope, base DN, keystore file, etc.  And of course, if Cassandra has LDAP
integration, it should probably offer other authentication service support, like RADIUS and
TACACS+, etc.  It's a can of worms, to be sure.

While on the topic of authentication, I still like the idea of opening a connection with credentials,
as opposed to requiring a separate transaction to login.  That's an unnecessary round trip.
I don't see why an overloaded method to connect is a bad thing, especially when the anonymous
connection will eventually be deprecated.  At least, I assume it will be deprecated by the
time Cassandra has a fully fleshed out authentication realm?

Robin.

-----Original Message-----
From: news [mailto:news@ger.gmane.org] On Behalf Of Ted Zlatanov
Sent: November 24, 2009 5:24 PM
To: cassandra-user@incubator.apache.org
Subject: Re: Cassandra access control

Looks like I could use:

PAM auth: http://jpam.sourceforge.net/

LDAP/AD auth: http://www.openldap.org/jldap/

The first is definitely OK (Apache license), but I'm not sure about the
second one (OpenLDAP public license).  Looks BSDish to me.  It claims to
support Windows auth and is officially provided by the OpenLDAP project.
Has anyone used it?

Thanks
Ted

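Robin's JNDI sketch above (a singleton factory holding a pooled environment, then one bind per Thrift connection with the client's own credentials), written out as an added Java example; this is not code from the thread or from Cassandra, and the host ldap.example.com, the class name and the method name are assumptions.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/** Singleton holding the shared JNDI environment; one bind per Thrift connection. */
public final class LdapBindFactory {
    // ldap.example.com is a placeholder for the real directory host (assumed value).
    public static final LdapBindFactory INSTANCE =
            new LdapBindFactory("ldaps://ldap.example.com:636");

    private final Hashtable<String, String> baseEnv = new Hashtable<>();

    private LdapBindFactory(String url) {
        baseEnv.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        baseEnv.put(Context.PROVIDER_URL, url);
        baseEnv.put(Context.SECURITY_AUTHENTICATION, "simple");
        // JDK LDAP provider: pool connections, keyed by URL + principal + credentials.
        baseEnv.put("com.sun.jndi.ldap.connect.pool", "true");
        // Bounded timeouts so an unreachable directory fails fast instead of hanging the client.
        baseEnv.put("com.sun.jndi.ldap.connect.timeout", "5000");
        baseEnv.put("com.sun.jndi.ldap.read.timeout", "5000");
    }

    /** Returns true only if the directory accepts a simple bind as userDn with password. */
    public boolean authenticate(String userDn, char[] password) {
        // RFC 4513: a DN with an empty password is an *unauthenticated* bind, which many
        // servers accept as anonymous. Reject it before talking to the directory at all.
        if (userDn == null || userDn.isEmpty() || password == null || password.length == 0) {
            return false;
        }
        Hashtable<String, String> env = new Hashtable<>(baseEnv);
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, new String(password));
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);   // constructing the context performs the bind
            return true;
        } catch (AuthenticationException e) {
            return false;                       // bad DN or password
        } catch (NamingException e) {
            return false;                       // directory unreachable: fail closed
        } finally {
            if (ctx != null) { try { ctx.close(); } catch (NamingException ignored) { } }
        }
    }
}
```

The empty-password check is the part most often missed when wiring LDAP into a login path; without it, a blank password can bind successfully against servers that allow unauthenticated binds.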