Revision as of 15:28, November 24, 2016 by KrisMcG (talk | contribs) (Cassandra authentication)

Cassandra authentication

Web Services supports Cassandra authentication. Authentication validates incoming user connections to the Cassandra database. Implementing Cassandra authentication requires you to do some configuration in Cassandra and in Web Services.

Configure Cassandra

The user login accounts and their passwords required for authentication are managed inside the cassandra.yaml file. In this procedure, we are going to:

  • Change the authenticator option to PasswordAuthenticator. By default, the authenticator option is set to AllowAllAuthenticator.
  • Increase the replication factor for the system_auth keyspace. The default replication factor is 1, which specifies only one node. Increasing this factor prevents authentication errors if a single node fails.
  • Create a superuser account. This step is optional, but highly recommended.
  • Set up user accounts and grant permissions to Cassandra database objects.


Procedure

  1. Modify the cassandra.yaml file:
    1. Change the authenticator option in the cassandra.yaml to PasswordAuthenticator:
      authenticator: PasswordAuthenticator
    2. Increase the replication factor for the system_auth keyspace to N (number of nodes).
  2. Restart the Cassandra client:
    <client startup string> -u cassandra -p cassandra

    The default superuser name and password used to restart the client are stored in Cassandra.

  3. Start the cqlsh script using the superuser name and password:
    ./cqlsh -u cassandra -p cassandra
  4. Optional, but recommended. Configure a new superuser account:
    1. Create another superuser.

      Do not name the superuser cassandra.

    2. Log in as that new superuser.
    3. Change the Cassandra user password.

      Ensure that the password is long and complex. Once the password is set, you will not require the password again.

    4. Remove the cassandra user's superuser status.
  5. Repeat the procedure to set up user accounts and then grant permissions to access the database objects.
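
The CQL behind steps 1.2, 4 and 5, typed into cqlsh, as an added example that is not part of the original page. The account names gws_admin and gws_app, the three-node cluster and the use of SimpleStrategy are assumptions, and every password is a placeholder.

```cql
-- Added example. Account names, node count and passwords are assumptions/placeholders.
-- Uses the CREATE USER / ALTER USER statements; Cassandra 2.2 and later also
-- accept the equivalent CREATE ROLE / ALTER ROLE forms.

-- Step 1.2: replicate system_auth to every node (3-node cluster assumed).
-- With NetworkTopologyStrategy, give a replica count per datacenter instead.
ALTER KEYSPACE system_auth
  WITH REPLICATION = {'class': 'SimpleStrategy', 'replication_factor': 3};
-- Afterwards, from the OS shell on each node: nodetool repair system_auth
-- so that existing credentials are copied to the new replicas.

-- Step 4.1: while logged in as the default cassandra superuser,
-- create the replacement superuser.
CREATE USER gws_admin WITH PASSWORD '<long random password>' SUPERUSER;

-- Step 4.2: leave cqlsh and reconnect as the new superuser:
--   ./cqlsh -u gws_admin -p '<long random password>'

-- Steps 4.3 and 4.4: a superuser cannot change its own superuser status,
-- so these statements must run from the gws_admin session.
ALTER USER cassandra WITH PASSWORD '<long random password, not kept>';
ALTER USER cassandra NOSUPERUSER;

-- Step 5: create an ordinary account and grant it access to the keyspace
-- named in application.yaml (sipfs).
-- GRANT is rejected unless cassandra.yaml sets
--   authorizer: CassandraAuthorizer
-- (the default AllowAllAuthorizer does not store permissions).
CREATE USER gws_app WITH PASSWORD '<application password>' NOSUPERUSER;
GRANT ALL PERMISSIONS ON KEYSPACE sipfs TO gws_app;

-- Check the result: cassandra should show super = False.
LIST USERS;
LIST ALL PERMISSIONS OF gws_app;
```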

Web Services configuration

To support Cassandra authentication, open the application.yaml file and provide the appropriate credentials. For example:

cassandraCluster:
  thrift_port: 9160
  jmx_port: 7199
  keyspace: sipfs
  ...
  userName: <super user name>
  password: <super user password>
  ...
Important
To preserve backward-compatible behavior, when the username or password is not provided, GWS tries to connect to Cassandra anonymously.

Implementation

In the CassandraClusterHA class, inside the initCluster method, extend the ConnectionPoolConfigurationImpl object instance as follows:

// Build the connection pool from the cassandraCluster settings in application.yaml.
ConnectionPoolConfigurationImpl connectionPoolConfiguration = new ConnectionPoolConfigurationImpl("myConnection")
	.setPort(cassandraClusterSettings.getThriftPort())
	.setMaxConnsPerHost(cassandraClusterSettings.getMaxConnectionsPerHost())
	.setMaxConns(cassandraClusterSettings.getMaxConnections())
	.setMaxPendingConnectionsPerHost(cassandraClusterSettings.getMaxPendingConnectionsPerHost())
	.setMaxBlockedThreadsPerHost(cassandraClusterSettings.getMaxBlockedThreadsPerHost());

// Attach credentials only when both userName and password are set.
// If either one is blank, no credentials are sent and the connection is anonymous.
if (StringUtils.isNotBlank(cassandraClusterSettings.getUserName()) &&
	StringUtils.isNotBlank(cassandraClusterSettings.getPassword()))
{
	connectionPoolConfiguration.setAuthenticationCredentials(
		new SimpleAuthenticationCredentials(cassandraClusterSettings.getUserName(), cassandraClusterSettings.getPassword()));
}