incubator-cassandra-user mailing list archives

From "C.F.Scheidecker Antunes" <cf.antu...@gmail.com>
Subject Authentication and Authorization with Cassandra 1.2.2.
Date Tue, 26 Feb 2013 22:06:23 GMT
Hello all,

Cassandra has changed and now has a default authentication and
authorization mechanism.

The classes org.apache.cassandra.auth.PasswordAuthenticator (authenticator)
and
org.apache.cassandra.auth.CassandraAuthorizer (authorization) provide that.

They both write to a keyspace called system_auth and there are 2 column
families
that are used for it, namely credentials and permissions.

The permissions table is defined in CassandraAuthorizer as follows:

"CREATE TABLE system_auth.permissions (username text,
                                       resource text,
                                       permissions set<text>,
                                       PRIMARY KEY(username, resource)
                                       ) WITH gc_grace_seconds=(90 * 24 * 60 * 60)" // 3 months

The credentials table is created in PasswordAuthenticator as follows:

"CREATE TABLE system_auth.credentials (username text,
                                       salted_hash text, // salt + hash + number of rounds
                                       options map<text,text>, // for future extensions
                                       PRIMARY KEY(username)
                                       ) WITH gc_grace_seconds=(90 * 24 * 60 * 60)" // 3 months


The password is hashed as
BCrypt.hashpw(password, BCrypt.gensalt(GENSALT_LOG2_ROUNDS));
where GENSALT_LOG2_ROUNDS is set to 10.


Out of the box, the keyspace system_auth is there but the CFs are not
defined when one issues a describe system_auth inside the
cassandra-cli application.

The configuration file says:

PasswordAuthenticator relies on username/password pairs to authenticate
users. It keeps usernames and hashed passwords in system_auth.credentials
table.
Please increase system_auth keyspace replication factor if you use this
authenticator.

In the configuration file /etc/cassandra/cassandra.yaml I have set:

authenticator: org.apache.cassandra.auth.PasswordAuthenticator
authorizer: org.apache.cassandra.auth.CassandraAuthorizer

Therefore I have 3 questions.

1) How can I increase the replication factor if the keyspace system_auth is
already there? Can I do this?
Currently the replication factor is 1:
[cassandra@system_auth] describe;
Keyspace: system_auth:
  Replication Strategy: org.apache.cassandra.locator.SimpleStrategy
  Durable Writes: true
    Options: [replication_factor:1]
  Column Families:

2) Shall I create the CFs credentials and permissions via cassandra-cli as
well?
If I issue a select command from cqlsh I can see:

cqlsh:system_auth> SELECT * FROM credentials;

 username  | options | salted_hash
-----------+---------+--------------------------------------------------------------
 cassandra |    null |

Even though there is no credentials CF defined on the schema yet.

3) What is the process of adding more users? Shall I do it via cassandra-cli
and/or cqlsh? How shall I specify the read and write privileges as well
as the keyspaces for which it has writes?
Something like this:
OpsCenter.<rw>=carlos
system.<rw>=carlos
system_traces.<rw>=carlos
nando.<rw>=carlos
