intra-mart Accel Platform / Cassandra Administrator Guide

Version 8 2014-04-01


7. Cassandra Connection Authentication Setting

This section describes how to configure user name and password authentication for connections to Cassandra.

Warning

  • When connection authentication is configured, the authentication information must be set when intra-mart Accel Platform is set up.
  • When a cluster made up of multiple Cassandra nodes is built, the setting must be applied to every node.

7.1. Obtaining and Expanding Authentication Library

Obtain the authentication library set for Cassandra.
The authentication library can be downloaded from the URL below.
Expand the downloaded file to an arbitrary path.

7.2. Placement of Libraries and Configuration Files

The expanded authentication library set contains the following files.
  1. ./lib/cassandra_simple_auth-1.0.0.jar

    This library file includes the implementation classes of connection authentication and access control.
  2. ./conf/passwd.properties

    This configuration file states the user names and passwords that are required for connection authentication.
  3. ./conf/access.properties

    This configuration file states the control setting of access authority for each connection user.
Copy each of these files to the directory under %CASSANDRA_HOME% that corresponds to its relative path.
./lib/cassandra_simple_auth-1.0.0.jar → Copy to <%CASSANDRA_HOME%/lib/>
./conf/passwd.properties → Copy to <%CASSANDRA_HOME%/conf/>
./conf/access.properties → Copy to <%CASSANDRA_HOME%/conf/>

7.3. Changing the Authentication Class to be used

Open <%CASSANDRA_HOME%/conf/cassandra.yaml> in an editor.
In the default Cassandra configuration, the connection authentication and access control classes are set as follows.
# authentication backend, implementing IAuthenticator; used to identify users
authenticator: org.apache.cassandra.auth.AllowAllAuthenticator

# authorization backend, implementing IAuthority; used to limit access/provide permissions
authority: org.apache.cassandra.auth.AllowAllAuthority
In the default configuration, as the name “Allow All” indicates, every connection is permitted without connection authentication or access control.
Modify the settings as follows so that the classes in the downloaded authentication library are specified.
# authentication backend, implementing IAuthenticator; used to identify users
# authenticator: org.apache.cassandra.auth.AllowAllAuthenticator
authenticator: org.apache.cassandra.auth.SimpleAuthenticator

# authorization backend, implementing IAuthority; used to limit access/provide permissions
# authority: org.apache.cassandra.auth.AllowAllAuthority
authority: org.apache.cassandra.auth.SimpleAuthority
This replaces the implementation classes for connection authentication and access control.

Warning

  • SimpleAuthority in the authentication library offered by our company is a customization of the sample implementation provided by Cassandra. It allows access rights to all column families within a keyspace to be set in a batch through access.properties.

7.4. Adding Authentication Setting

The implementation classes enabled in the previous section require the paths of the authentication configuration files access.properties and passwd.properties to be specified as startup parameters.
How to set the startup parameters is described below for each OS.

7.4.1. For Windows

Open <%CASSANDRA_HOME%/bin/cassandra.bat> in an editor.
Referring to the sample below, add the access.properties property and the passwd.properties property.
Before addition
...
-XX:+UseCMSInitiatingOccupancyOnly^
-Dcom.sun.management.jmxremote.port=7199^
...
After addition
...
-XX:+UseCMSInitiatingOccupancyOnly^
-Daccess.properties=%CASSANDRA_HOME%/conf/access.properties^
-Dpasswd.properties=%CASSANDRA_HOME%/conf/passwd.properties^
-Dcom.sun.management.jmxremote.port=7199^
...

7.4.2. For Linux

Open </usr/local/cassandra/conf/cassandra-env.sh> in an editor.
Referring to the sample below, add the access.properties property and the passwd.properties property.
Before addition
...
# Prefer binding to IPv4 network intefaces (when net.ipv6.bindv6only=1). See
# http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6342561 (short version:
# comment out this entry to enable IPv6 support).
JVM_OPTS="$JVM_OPTS -Djava.net.preferIPv4Stack=true"

# jmx: metrics and administration interface
...
After addition
...
# Prefer binding to IPv4 network intefaces (when net.ipv6.bindv6only=1). See
# http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6342561 (short version:
# comment out this entry to enable IPv6 support).
JVM_OPTS="$JVM_OPTS -Djava.net.preferIPv4Stack=true"

# set authentication parameter properties path.
JVM_OPTS="$JVM_OPTS -Daccess.properties=$CASSANDRA_HOME/conf/access.properties"
JVM_OPTS="$JVM_OPTS -Dpasswd.properties=$CASSANDRA_HOME/conf/passwd.properties"

# jmx: metrics and administration interface
...

Warning

  • When you build a cluster and enable authentication on multiple Cassandra nodes, the same settings must be made on all nodes in the cluster.
  • Because authentication is enabled or disabled per cluster, all keyspaces within the same cluster are subject to the authentication setting.
  • When authentication is enabled, the connection user name and password may be changed for each keyspace.
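
The per-node settings from sections 7.3 and 7.4 can be checked mechanically before a cluster is brought up. The following Python check is an added example, not part of the original guide or the authentication library; the function names and the sample node texts are constructed for illustration.

```python
import re

REQUIRED_JVM_PROPS = ("access.properties", "passwd.properties")

def active_setting(yaml_text, key):
    """Value of the last uncommented `key:` line in cassandra.yaml, or None."""
    value = None
    for line in yaml_text.splitlines():
        m = re.match(rf"{re.escape(key)}\s*:\s*(\S+)", line)
        if m:
            value = m.group(1)
    return value

def jvm_props(startup_text):
    """-Dname=value options on uncommented lines of cassandra-env.sh / cassandra.bat."""
    props = {}
    for line in startup_text.splitlines():
        if line.lstrip().lower().startswith(("#", "rem ", "::")):
            continue
        props.update(re.findall(r'-D([\w.]+)=([^\s"^]+)', line))
    return props

def check_node(yaml_text, startup_text):
    """List the ways one node deviates from sections 7.3 and 7.4."""
    problems = []
    for key in ("authenticator", "authority"):
        cls = active_setting(yaml_text, key)
        if cls is None or "AllowAll" in cls:
            problems.append(f"{key} is {cls}")
    props = jvm_props(startup_text)
    problems += [f"-D{p} is not set" for p in REQUIRED_JVM_PROPS if p not in props]
    return problems

def check_cluster(nodes):
    """nodes maps a node name to (cassandra.yaml text, startup script text)."""
    report = {name: check_node(*texts) for name, texts in nodes.items()}
    return {name: problems for name, problems in report.items() if problems}

# Constructed sample: node1 follows the guide, node2 still has the defaults.
SECURED_YAML = ("authenticator: org.apache.cassandra.auth.SimpleAuthenticator\n"
                "authority: org.apache.cassandra.auth.SimpleAuthority\n")
DEFAULT_YAML = ("authenticator: org.apache.cassandra.auth.AllowAllAuthenticator\n"
                "authority: org.apache.cassandra.auth.AllowAllAuthority\n")
SECURED_ENV = ('JVM_OPTS="$JVM_OPTS -Daccess.properties=$CASSANDRA_HOME/conf/access.properties"\n'
               'JVM_OPTS="$JVM_OPTS -Dpasswd.properties=$CASSANDRA_HOME/conf/passwd.properties"\n')
DEFAULT_ENV = 'JVM_OPTS="$JVM_OPTS -Djava.net.preferIPv4Stack=true"\n'
SAMPLE_NODES = {"node1": (SECURED_YAML, SECURED_ENV), "node2": (DEFAULT_YAML, DEFAULT_ENV)}

if __name__ == "__main__":
    for node, problems in check_cluster(SAMPLE_NODES).items():
        print(node, problems)
```

A node that is reported here would still accept every connection, or would start without the configuration file paths that the authentication classes require.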

7.5. Configuration File Descriptions

This section describes the setting values in the configuration files.

7.5.1. Connection Authentication Setting (passwd.properties)

The standard passwd.properties defines admin, which is intended as an administrator, and user, which is intended as a read-only user.
The setting values are shown below with comment lines omitted.
admin=admin_pwd
user=user_pwd
The format of each setting value is [%connection user name%=%password%].

7.5.2. Access Authority Setting (access.properties)

The format of each setting value is [%access authority%=%connection user name%].
The following 3 types of access authority are defined.
  1. Keyspace Editing Authority

    <modify-keyspaces> : This authority allows keyspaces to be created and deleted.

    Warning

    • modify-keyspaces is not available in Apache Cassandra 1.1.12.
  2. Keyspace Access Authority

    keyspace name.<rw> : This authority allows column families in the keyspace to be viewed and changed.
    keyspace name.<ro> : This authority allows column families in the keyspace to be viewed only.
  3. Column Family in Keyspace Access Authority

    keyspace name.column family name.<rw> : This authority allows data in a specific column family in the keyspace to be viewed and changed.
    keyspace name.column family name.<ro> : This authority allows data in a specific column family in the keyspace to be viewed only.
    By specifying * as the column family name, all column families can be specified.
    Because new column families may be added in future function enhancements, the connection user stated in cassandra-config.xml should hold the change authority for all column families.
In the standard access.properties, the following authorities are granted to the users specified in passwd.properties.
admin
  • Keyspace Editing Authority
  • default Keyspace Read&Write Authority
  • default Keyspace All Column Families Read&Write Authority
user
  • default Keyspace ReadOnly Authority
  • default Keyspace All Column Families ReadOnly Authority
The setting values are shown below with some comment lines omitted.
# The magical '<modify-keyspaces>' property lists users who can modify the
# list of keyspaces: all users will be able to view the list of keyspaces.
<modify-keyspaces>=admin

# Access to Keyspace 'default'
default.<rw>=admin
default.<ro>=user

# Access to all ColumnFamily
default.*.<rw>=admin
default.*.<ro>=user

Warning

  • When |common_base_product_2014_spring| or a prior version is used

    • The connection user that is set in cassandra-config.xml must hold all change authorities.
    • If you have changed the keyspace name by editing cassandra-config.xml, or if you operate with multiple keyspaces, the access authority settings for the keyspaces and for the column families in those keyspaces must be changed accordingly.
  • When |common_base_product_2014_spring| or a later version is used

    • The authentication user name in the Cassandra Connection Information that is set during tenant environment setup must hold all change authorities.
    • If you have changed the keyspace name by editing the Cassandra Connection Information, or if you operate with multiple keyspaces, the access authority settings for the keyspaces and for the column families in those keyspaces must be changed accordingly.
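
Because passwd.properties holds passwords in plain text and access.properties refers to users by name, the two files are worth auditing together. The following Python check is an added example, not part of the original guide or the authentication library; it flags the shipped default passwords, empty passwords, authorities granted to users missing from passwd.properties, and users with no authority. It assumes plain name=value lines and that one authority line may list several users separated by commas; the function names are hypothetical.

```python
import os
import stat

# Values shown in the standard passwd.properties.
SHIPPED_DEFAULTS = {"admin": "admin_pwd", "user": "user_pwd"}

def parse_properties(text):
    """Parse name=value lines, skipping blank lines and # comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            entries[key.strip()] = value.strip()
    return entries

def audit(passwd_text, access_text):
    """Return sorted findings for a passwd.properties / access.properties pair."""
    findings = []
    users = parse_properties(passwd_text)
    for name, password in users.items():
        if not password:
            findings.append(f"empty password for '{name}'")
        elif SHIPPED_DEFAULTS.get(name) == password:
            findings.append(f"shipped default password still set for '{name}'")
    granted = set()
    for authority, value in parse_properties(access_text).items():
        # Assumption: several users may be listed on one line, separated by commas.
        for name in filter(None, (n.strip() for n in value.split(","))):
            granted.add(name)
            if name not in users:
                findings.append(f"{authority} granted to unknown user '{name}'")
    findings += [f"user '{n}' has no access authority" for n in users if n not in granted]
    return sorted(findings)

def readable_by_others(path):
    """True when the file's POSIX mode lets group or other users read it."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))

# The standard files from this section, comment lines omitted.
STANDARD_PASSWD = "admin=admin_pwd\nuser=user_pwd\n"
STANDARD_ACCESS = ("<modify-keyspaces>=admin\ndefault.<rw>=admin\ndefault.<ro>=user\n"
                   "default.*.<rw>=admin\ndefault.*.<ro>=user\n")

if __name__ == "__main__":
    for finding in audit(STANDARD_PASSWD, STANDARD_ACCESS):
        print(finding)
```

On Linux, readable_by_others can be called on the deployed <%CASSANDRA_HOME%/conf/passwd.properties> to confirm that only the account running Cassandra can read it.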

7.6. How Connection Authentication is Confirmed

This section confirms that authentication is required when a connection to Cassandra is made.
It is assumed that authentication has been configured with the standard configuration files.
  1. Start Cassandra.

  2. Confirm that Cassandra has started, then start cassandra-cli.

    • On Windows, double-click <%CASSANDRA_HOME%/bin/cassandra-cli.bat>.

    • On Linux, use the command below.

      /usr/local/cassandra/bin/cassandra-cli
      
  3. When the console appears, enter the command below.

    connect localhost/9160;
    
    Because no authentication information has been specified, the message below is displayed and the connection fails.
    Login failure. Did you specify 'keyspace', 'username' and 'password'?
    
    When the connection is made to Cassandra in a local environment, the message above is also displayed when cassandra-cli is started.
  4. Enter the command below to exit cassandra-cli for now.

    quit;
    
  5. Next, start cassandra-cli with the authentication information specified.

    • On Windows, launch the command prompt and execute the command below.

      %CASSANDRA_HOME%/bin/cassandra-cli -u admin -pw admin_pwd
      
    • On Linux, execute the command below.

      /usr/local/cassandra/bin/cassandra-cli -u admin -pw admin_pwd
      

      Note

      -u is a parameter to specify connection user name.
      -pw is a parameter to specify the password.
  6. When the console appears, enter the command below.

    connect localhost/9160;
    
    The message below is displayed, confirming that the connection has been established successfully.
    Connected to: "IMBox Cluster" on localhost/9160
    

Warning

On intra-mart Accel Platform 2014 Spring(Granada) or later versions, the keyspace must be created in advance before connection authentication is used.
For the creation and addition of keyspaces, refer to [Keyspace Creation] and [Keyspace Creation Method (with Authentication Setting)] of [Cassandra Operations].
