incubator-cassandra-user mailing list archives

From Jeremy Hanna <jeremy.hanna1...@gmail.com>
Subject Re: Authentication and Authorization with Cassandra 1.2.2.
Date Tue, 26 Feb 2013 22:18:12 GMT
Does this help?  Links at the bottom show the CQL statements to add/modify users:
http://www.datastax.com/docs/1.2/security/native_authentication

On Feb 26, 2013, at 4:06 PM, C.F.Scheidecker Antunes <cf.antunes@gmail.com> wrote:

> Hello all,
> 
> Cassandra has changed and now has a default authentication and authorization mechanism.
> 
> The classes org.apache.cassandra.auth.PasswordAuthenticator (authenticator) and
> org.apache.cassandra.auth.CassandraAuthorizer (authorization) provide that.
> 
> They both write to a keyspace called system_auth and there are 2 column families
> that are used for it, namely credentials and permissions.
> 
> The permissions table is defined in CassandraAuthorizer as follows:
> 
> "CREATE TABLE system_auth.permissions (username text,
>                                        resource text,
>                                        permissions set<text>,
>                                        PRIMARY KEY(username, resource)
>                                        ) WITH gc_grace_seconds=(90 * 24 * 60 * 60)" // 3 months
> 
> The credentials table is created in PasswordAuthenticator as follows:
> 
> "CREATE TABLE system_auth.credentials (username text,
>                                        salted_hash text, // salt + hash + number of rounds
>                                        options map<text,text>, // for future extensions
>                                        PRIMARY KEY(username)
>                                        ) WITH gc_grace_seconds=(90 * 24 * 60 * 60)" // 3 months
> 
> 
> The password is hashed as BCrypt.hashpw(password, BCrypt.gensalt(GENSALT_LOG2_ROUNDS)); where
> GENSALT_LOG2_ROUNDS is set to 10.
> 
> 
> Out of the box, the keyspace system_auth is there but the CFs are not defined when one
> issues a describe system_auth inside the cassandra-cli application.
> 
> The configuration file says:
> 
> PasswordAuthenticator relies on username/password pairs to authenticate
> users. It keeps usernames and hashed passwords in system_auth.credentials table.
> Please increase system_auth keyspace replication factor if you use this authenticator.
> 
> On the configuration file /etc/cassandra/cassandra.yaml I have set:
> 
> authenticator: org.apache.cassandra.auth.PasswordAuthenticator
> authorizer: org.apache.cassandra.auth.CassandraAuthorizer
> 
> Therefore I have 3 questions.
> 
> 1) How can I increase the replication factor if the keyspace system_auth is already there?
> Can I do this?
> Currently the replication factor is 1:
> [cassandra@system_auth] describe;
> Keyspace: system_auth:
>   Replication Strategy: org.apache.cassandra.locator.SimpleStrategy
>   Durable Writes: true
>     Options: [replication_factor:1]
>   Column Families:
> 
> 2) Shall I create the CFs credentials and permissions via cassandra-cli as well?
> If I issue a select command from cqlsh I can see:
> 
> cqlsh:system_auth> SELECT * FROM credentials;
> 
>  username  | options | salted_hash
> -----------+---------+--------------------------------------------------------------
>  cassandra |    null |
> 
> Even though there is no credentials CF defined on the schema yet.
> 
> 3) What is the process of adding more users? Shall I do it via cassandra-cli and/or cqlsh?
> How shall I specify the read and write privileges as well
> as the keyspaces for which it has writes?
> Something like this:
> OpsCenter.<rw>=carlos
> system.<rw>=carlos
> system_traces.<rw>=carlos
> nando.<rw>=carlos
> 
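
The CQL below works through the three questions in this thread as an added example; it is not part of either message or of the Cassandra project's own material. The replication factor of 3, the `dba` account and every password are placeholder assumptions; the keyspace and user names are taken from the question.

```cql
-- Added example; run in cqlsh (CQL 3) while logged in as a superuser.
-- Assumptions: one datacenter with at least 3 nodes; all passwords are placeholders.

-- 1) Raise the replication factor of the existing system_auth keyspace.
ALTER KEYSPACE system_auth
  WITH REPLICATION = {'class': 'SimpleStrategy', 'replication_factor': 3};
-- Afterwards run `nodetool repair system_auth` on each node so the rows that
-- already exist are copied to the new replicas. With a replication factor of 1,
-- losing the single replica of a user's row means that user cannot log in.

-- 2) The credentials and permissions tables are created by PasswordAuthenticator
--    and CassandraAuthorizer themselves (the CREATE TABLE strings quoted in the
--    question come from those classes). Manage users and grants with the
--    statements below rather than by writing to system_auth directly.

-- 3) Users and permissions.
-- The built-in "cassandra" superuser has a well-known default password.
-- Create a personal superuser (hypothetical name "dba"), log in as it,
-- then replace the default account's password.
CREATE USER dba WITH PASSWORD 'PLACEHOLDER-dba-password' SUPERUSER;
ALTER USER cassandra WITH PASSWORD 'PLACEHOLDER-long-random-value';

-- Ordinary account for the user named in the question.
CREATE USER carlos WITH PASSWORD 'PLACEHOLDER-carlos-password' NOSUPERUSER;

-- "Read" maps to SELECT; "write" maps to MODIFY
-- (INSERT, UPDATE, DELETE, TRUNCATE). Grant per keyspace, nothing broader.
GRANT SELECT ON KEYSPACE nando TO carlos;
GRANT MODIFY ON KEYSPACE nando TO carlos;

-- Mixed-case keyspace names must be double-quoted in CQL.
GRANT SELECT ON KEYSPACE "OpsCenter" TO carlos;
GRANT MODIFY ON KEYSPACE "OpsCenter" TO carlos;

-- Verify the result.
LIST USERS;
LIST ALL PERMISSIONS OF carlos;
```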

