cassandra-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ben Bromhead <...@instaclustr.com>
Subject Re: Authentication with Java driver
Date Wed, 08 Feb 2017 03:01:39 GMT
On Tue, 7 Feb 2017 at 17:52 Yuji Ito <yuji@imagine-orb.com> wrote:

Thanks Andrew, Ben,

My application creates a lot of instances connecting to Cassandra with
basically the same set of credentials.

Do you mean lots of instances of the process or lots of instances of the
cluster/session object?


After an instance connects to Cassandra with the credentials, can any
instance connect to Cassandra without credentials?

As long as you don't share the session or cluster objects. Each new
cluster/session will need to reauthenticate.


== example ==
A first = new A("database", "user", "password");  // proper credentials
r = first.get();
...
A other = new A("database", "user", "pass"); // wrong password
r = other.get();
== example ==

I want to refuse the `other` instance with improper credentials.


This looks like you are creating new cluster/session objects (filling in
the blanks for your pseudocode here). So "other" will not authenticate to
Cassandra.

This brings up a wider point of why you are doing this? Generally most
applications will create a single longed lived session object that lasts
the life of the application process.

I would not rely on Cassandra auth to authenticate downstream actors, not
because it's bad, just its generally inefficient to create lots of session
objects. The session object maintains a connection pool, pipelines
requests, is thread safe and generally pretty solid.




Yuji


On Wed, Feb 8, 2017 at 4:11 AM, Ben Bromhead <ben@instaclustr.com> wrote:

What are you specifically trying to achieve? Are you trying to authenticate
multiple Cassandra users from a single application instance? Or will your
have lot's of application instances connecting to Cassandra using the same
set of credentials? Or a combination of both? Multiple application
instances with different credentials?

On Tue, 7 Feb 2017 at 06:19 Andrew Tolbert <andrew.tolbert@datastax.com>
wrote:

Hello,

The API seems kind of not correct because credentials should be
usually set with a session but actually they are set with a cluster.


With the datastax driver, Session is what manages connection pools to each
node.  Cluster manages configuration and a separate connection ('control
connection') to subscribe to state changes (schema changes, node topology
changes, node up/down events).


So, if there are 1000 clients, then with this API it has to create
1000 cluster instances ?


I'm unsure how common it is for per-user authentication to be done when
connecting to the database.  I think an application would normally
authenticate with one set of credentials instead of multiple.  The protocol
Cassandra uses does authentication at the connection level instead of at
the request level, so that is currently a limitation to support something
like reusing Sessions for authenticating multiple users.

Thanks,
Andy


On Tue, Feb 7, 2017 at 7:19 AM Hiroyuki Yamada <mogwaing@gmail.com> wrote:

Hi,

The API seems kind of not correct because credentials should be
usually set with a session but actually they are set with a cluster.

So, if there are 1000 clients, then with this API it has to create
1000 cluster instances ?
1000 clients seems usual if there are many nodes (say 20) and each
node has some concurrency (say 50),
but 1000 cluster instances seems too many.

Is this an expected way to do this ? or
Is there any way to authenticate per session ?

Thanks,
Hiro

On Tue, Feb 7, 2017 at 11:38 AM, Yuji Ito <yuji@imagine-orb.com> wrote:
> Hi all,
>
> I want to know how to authenticate Cassandra users for multiple instances
> with Java driver.
> For instance, each thread creates a instance to access Cassandra with
> authentication.
>
> As the implementation example, only the first constructor builds a cluster
> and a session.
> Other constructors use them.
> This example is implemented according to the datastax document: "Basically
> you will want to share the same cluster and session instances across your
> application".
>
http://www.datastax.com/dev/blog/4-simple-rules-when-using-the-datastax-drivers-for-cassandra
>
> However, other constructors don't authenticate the user and the password.
> That's because they don't need to build a cluster and a session.
>
> So, should I create a cluster and a session per instance for the
> authentication?
> If yes, can I create a lot of instances(clusters and sessions) to access
C*
> concurrently?
>
> == example ==
> public class A {
>   private static Cluster cluster = null;
>   private static Map<String, Session> sessions = null;
>   private Session session;
>
>   public A (String keyspace, String user, String password) {
>     if (cluster == null) {
>         builder = Cluster.builder();
>         ...
>         builder = builder.withCredentials(user, password);
>         cluster = builder.build();
>     }
>     session = sessions.get(keyspace);
>     if (session == null) {
>         session = cluster.connection(keyspace);
>         sessions.put(keyspace, session)
>     }
>     ...
>   }
>   ...
>   public ResultSet update(...) {
>   ...
>   public ResultSet get(...) {
>   ...
> }
> == example ==
>
> Thanks,
> Yuji

-- 
Ben Bromhead
CTO | Instaclustr <https://www.instaclustr.com/>
+1 650 284 9692 <(650)%20284-9692>
Managed Cassandra / Spark on AWS, Azure and Softlayer


-- 
Ben Bromhead
CTO | Instaclustr <https://www.instaclustr.com/>
+1 650 284 9692
Managed Cassandra / Spark on AWS, Azure and Softlayer

Mime
View raw message