A GSSAPI authentication provider for Apache Cassandra.
This authenticator plugin is intended to work with the Cassandra Java Driver Kerberos Authenticator plugin for the Cassandra Java driver.
Note: This build is tested with Cassandra 3.11.x. For Cassandra 3.0.x support, switch to the cassandra-3.0.x branch
Build
To build a fully-packaged JAR, just run mvn clean package
Install
Environment set-up
-
Ensure that the following pre-requisite systems are configured:
- A unique DNS record is created for each node (use
hostname -fon each node to verify that the DNS FQDN is configured) - A reverse DNS record is created for each node, matching the
broadcast_rpc_address - A Kerberos 5 KDC server is available
- Kerberos client libraries are installed on each Cassandra node
- An NTP client is installed & configured on each Cassandra node. Ideally the Cassandra nodes sync with the same time source as the KDC in order to minimise potential time-sync issues.
- If using Oracle Java, ensure that the Java Cryptographic Extensions Unlimited Strength Jurisdiction Policy Files are installed (not necessary when using OpenJDK or other JRE implementations)
- A unique DNS record is created for each node (use
-
Ensure that the value of rpc_address (and optionally broadcast_rpc_address, if using) in the
cassandra.yamlconfig file is not set tolocalhost. Reverse-DNS records must be created to match thebroadcast_rpc_address. This enables clients to resolve the Kerberos service principal's hostname from the IP address. -
Configure the
/etc/krb5.confKerberos config file on each node (see here for further details)Below is an example
krb5.conffor anEXAMPLE.COMKerberos realm:[logging] default = FILE:/var/log/krb5libs.log [libdefaults] default_realm = EXAMPLE.COM dns_lookup_realm = false dns_lookup_kdc = false [realms] EXAMPLE.COM = { kdc = kdc.example.com admin_server = kdc.example.com } [domain_realm] .example.com = EXAMPLE.COM example.com = EXAMPLE.COM -
For each cassandra node, create a new Kerberos service principal (see here for further details)
kadmin -q "addprinc -randkey cassandra/node1.mycluster.example.com@EXAMPLE.COM" kadmin -q "addprinc -randkey cassandra/node2.mycluster.example.com@EXAMPLE.COM" kadmin -q "addprinc -randkey cassandra/node3.mycluster.example.com@EXAMPLE.COM"
Note that the service name portion of the principal (
cassandra, in this example) must be the same for each node in the cluster, and must also match the SASL protocol name specified when configuring the the Cassandra Java driver Kerberos authenticator.The hostname portion of the principal (e.g.
node1.mycluster.example.com) must match the DNS entry for each Cassandra node. -
Create a keytab for each newly created service principal (see here for further details)
kadmin -q "ktadd -k /node1.keytab cassandra/node1.mycluster.example.com@EXAMPLE.COM" kadmin -q "ktadd -k /node2.keytab cassandra/node2.mycluster.example.com@EXAMPLE.COM" kadmin -q "ktadd -k /node3.keytab cassandra/node3.mycluster.example.com@EXAMPLE.COM"
-
Copy the corresponding keytab file to the Cassandra configuration directory on each node, and set the appropriate access controls
scp kdc.example.com:/node1.keytab /etc/cassandra/node1.keytab chown cassandra:cassandra /etc/cassandra/node1.keytab chmod 400 /etc/cassandra/node1.keytab
Install & configure the Kerberos authenticator
-
Copy the
cassandra-krb5.propertiesfile to the Cassandra configuration directory on each node (e.g./etc/cassandra). Setservice_principalandkeytabto correspond to the service principals and keytabs created in the previous steps.service_principal=cassandra/node1.mycluster.example.com@EXAMPLE.COM keytab=node1.keytab qop=auth
-
Copy the authenicator jar to the Cassandra
libdirectory (e.g./usr/share/cassandra/lib/) -
Set the authenticator option in the
cassandra.yamlconfig file.authenticator: com.instaclustr.cassandra.auth.KerberosAuthenticator
Please see https://www.instaclustr.com/support/documentation/announcements/instaclustr-open-source-project-status/ for Instaclustr support status of this project
