2011-11-04

Tags: cassandra, programming languages

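Cassandra can be configured to require login and authorization, but this feature is disabled by default. In other words, with the default settings, if the host sits on the Internet, anyone who knows the IP and port of your Cassandra host can connect and wander around inside...囧rz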

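The memo below covers the configuration for version 1.0; for technical details, see this document. In version 1.0, authentication currently works correctly, but authorization is broken: enabling it causes "no access permission" exceptions when accessing data.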

=================================================================================
Configuration on Linux

1. Version 1.0 does not include org.apache.cassandra.auth.SimpleAuthority, org.apache.cassandra.auth.SimpleAuthenticator, or org.apache.cassandra.utils.Hex, so first fetch these source files from GitHub, compile them, package them as apache-cassandra-auth.jar, and place the jar in the cassandra_folder/lib directory.

2. Edit cassandra_folder/conf/cassandra-env.sh and add the following setting as the last line

JVM_OPTS="$JVM_OPTS -Dpasswd.properties=/cassandra_folder/conf/passwd.properties -Daccess.properties=/cassandra_folder/conf/access.properties"


3. Edit the settings in cassandra_folder/conf/cassandra.yaml
# authentication backend, implementing IAuthenticator; used to identify users
authenticator: org.apache.cassandra.auth.SimpleAuthenticator

# authorization backend, implementing IAuthority; used to limit access/provide permissions
# SimpleAuthority is broken in 1.0, so for now only AllowAllAuthority can be used; anyone who can log in therefore has all permissions
#authority: org.apache.cassandra.auth.SimpleAuthority
authority: org.apache.cassandra.auth.AllowAllAuthority

4. Create the cassandra_folder/conf/passwd.properties configuration file yourself and add the following settings

# This is a sample password file for SimpleAuthenticator. The format of
# this file is username=password. If -Dpasswd.mode=MD5 then the password
# is represented as an md5 digest, otherwise it is cleartext (keep this
# in mind when setting file mode and ownership).
admin=adminpwd
user1=user1pwd
user2=user2pwd

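5. Create the cassandra_folder/conf/access.properties configuration file yourself and add the following settings (Note: because SimpleAuthority is broken in 1.0, I set the authority to AllowAllAuthority rather than SimpleAuthority, so this configuration file does not actually take effect)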

# The magical '<modify-keyspaces>' property lists users who can modify the
# list of keyspaces: all users will be able to view the list of keyspaces.
<modify-keyspaces>=admin

# Access to Keyspace1 (add/remove column families, etc).
# system and testks are keyspace names; <rw> means read & write, <ro> means read only
system.<rw>=admin
testks.<rw>=admin
testks.<ro>=user1,user2

6. Start Cassandra, then connect and log in with Cassandra-CLI. If a message like the following appears, the configuration succeeded.
[default@unknown] connect 127.0.0.1/9160 admin 'adminpwd';
Connected to: "Test Cluster" on 127.0.0.1/9160
If the login fails, a message like the following appears instead
[default@unknown] connect 127.0.0.1/9160 admin 'wrongpwd';
Exception during authentication to the cassandra node, Verify the keyspace exists, and that you are using the correct credentials.
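
An added example (not from the original post or the Cassandra project): a small Python audit of the passwd.properties file from step 4, flagging file modes that let other local users read it and entries still stored as cleartext. The function names are hypothetical, and the hex encoding of the MD5 value is an assumption based on the file's own comment about -Dpasswd.mode=MD5.

```python
import hashlib
import os
import re
import stat
import tempfile

# Assumption: in passwd.mode=MD5 a value is the 32-character hex MD5 digest.
MD5_HEX = re.compile(r"[0-9a-fA-F]{32}")

def parse_passwd(text):
    """Return {username: value} from username=value lines, skipping comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        user, value = line.split("=", 1)
        entries[user.strip()] = value.strip()
    return entries

def md5_entry(password):
    """Hex MD5 of the password (assumed passwd.mode=MD5 value format)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def audit(path):
    """Return findings for one passwd.properties file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other permission bit set
        findings.append("mode %04o: readable or writable beyond the owner" % mode)
    with open(path, encoding="utf-8") as fh:
        for user, value in sorted(parse_passwd(fh.read()).items()):
            if not MD5_HEX.fullmatch(value):  # heuristic: not digest-shaped
                findings.append("%s: cleartext password" % user)
    return findings

def demo():
    """Audit a constructed sample file at mode 0644, then again at 0600."""
    sample = "# constructed sample\nadmin=adminpwd\nuser1=%s\n" % md5_entry("user1pwd")
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "passwd.properties")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)
        before = audit(path)
        os.chmod(path, 0o600)
        return before, audit(path)

if __name__ == "__main__":
    for label, result in zip(("0644", "0600"), demo()):
        print(label, result)
```

An unsalted MD5 digest is only weak protection for a password, so the file mode check matters in both modes.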

=================================================================================
Configuration on Windows

Feeling lazy right now; I'll fill this in later when I have time...XD

=================================================================================
To log in through the Hector API to a Cassandra system that requires authentication and authorization, refer to the following code sample
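import java.util.HashMap;
import java.util.Map;
import me.prettyprint.cassandra.service.CassandraHostConfigurator;
import me.prettyprint.hector.api.Cluster;
import me.prettyprint.hector.api.factory.HFactory;

CassandraHostConfigurator cassandraHostConfigurator = new CassandraHostConfigurator("127.0.0.1:9160");

// use authentication and authorization: pass the credentials as a map
Map<String, String> loginUser = new HashMap<String, String>();
loginUser.put("username", "admin");
loginUser.put("password", "adminpwd");
Cluster cluster = HFactory.createCluster("TestCluster", cassandraHostConfigurator, loginUser);

// do something else...etc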