/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.datastax.dse.driver.api.core.auth;
import com.datastax.oss.driver.api.core.auth.AuthProvider;
import com.datastax.oss.driver.api.core.metadata.EndPoint;
import edu.umd.cs.findbugs.annotations.NonNull;
import java.util.Objects;
/**
* {@link AuthProvider} that provides GSSAPI authenticator instances for clients to connect to DSE
* clusters secured with {@code DseAuthenticator}, in a programmatic way.
*
* To use this provider, the corresponding {@code GssApiOptions} must be passed to the provider
* directly, for example:
*
*
* DseGssApiAuthProviderBase.GssApiOptions.Builder builder =
* DseGssApiAuthProviderBase.GssApiOptions.builder();
* Map<String, String> loginConfig =
* ImmutableMap.of(
* "principal",
* "user principal here ex [email protected]",
* "useKeyTab",
* "true",
* "refreshKrb5Config",
* "true",
* "keyTab",
* "Path to keytab file here");
*
* builder.withLoginConfiguration(loginConfig);
*
* CqlSession session =
* CqlSession.builder()
* .withAuthProvider(new ProgrammaticDseGssApiAuthProvider(builder.build()))
* .build();
*
*
* or alternatively
*
*
* DseGssApiAuthProviderBase.GssApiOptions.Builder builder =
* DseGssApiAuthProviderBase.GssApiOptions.builder().withSubject(subject);
* CqlSession session =
* CqlSession.builder()
* .withAuthProvider(new ProgrammaticDseGssApiAuthProvider(builder.build()))
* .build();
*
*
* Kerberos Authentication
*
* Keytab and ticket cache settings are specified using a standard JAAS configuration file. The
* location of the file can be set using the {@code java.security.auth.login.config} system
* property or by adding a {@code login.config.url.n} entry in the {@code java.security}
* properties file. Alternatively, a login configuration or subject can be provided to the provider
* via the {@code GssApiOptions} (see above).
*
* See the following documents for further details:
*
*
* - JAAS Login Configuration File;
* - Krb5LoginModule options;
* - JAAS Authentication Tutorial, for more on JAAS in general.
*
*
* Authentication using ticket cache
*
* Run {@code kinit} to obtain a ticket and populate the cache before connecting. JAAS config:
*
*
* DseClient {
* com.sun.security.auth.module.Krb5LoginModule required
* useTicketCache=true
* renewTGT=true;
* };
*
*
* Authentication using a keytab file
*
* To enable authentication using a keytab file, specify its location on disk. If your keytab
* contains more than one principal key, you should also specify which one to select. This
* information can also be specified in the driver config, under the login-configuration section.
*
*
* DseClient {
* com.sun.security.auth.module.Krb5LoginModule required
* useKeyTab=true
* keyTab="/path/to/file.keytab"
* principal="[email protected]";
* };
*
*
* Specifying SASL protocol name
*
* The SASL protocol name used by this auth provider defaults to
* "{@value #DEFAULT_SASL_SERVICE_NAME}".
*
* Important: the SASL protocol name should match the username of the Kerberos
* service principal used by the DSE server. This information is specified in the dse.yaml file by
* the {@code service_principal} option under the kerberos_options
* section, and may vary from one DSE installation to another – especially if you installed
* DSE with an automated package installer.
*
*
* For example, if your dse.yaml file contains the following:
*
*
* {@code
* kerberos_options:
* ...
* service_principal: cassandra/[email protected]
* }
*
* The correct SASL protocol name to use when authenticating against this DSE server is "{@code
* cassandra}".
*
* Should you need to change the SASL protocol name, specify it in the {@code GssApiOptions} using
* the method below:
*
*
* DseGssApiAuthProviderBase.GssApiOptions.Builder builder =
* DseGssApiAuthProviderBase.GssApiOptions.builder();
* builder.withSaslProtocol("alternate");
* DseGssApiAuthProviderBase.GssApiOptions options = builder.build();
*
*
* Should internal SASL properties need to be set, such as {@code qop}, this can also be
* accomplished by setting them in the {@code GssApiOptions}:
*
*
* DseGssApiAuthProviderBase.GssApiOptions.Builder builder =
* DseGssApiAuthProviderBase.GssApiOptions.builder();
* builder.addSaslProperty("javax.security.sasl.qop", "auth-conf");
* DseGssApiAuthProviderBase.GssApiOptions options = builder.build();
*
*
* @see Authenticating a DSE cluster with Kerberos
*/
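public class ProgrammaticDseGssApiAuthProvider extends DseGssApiAuthProviderBase {

  /** The options handed to the constructor; returned unchanged for every endpoint. */
  private final GssApiOptions options;

  /**
   * Builds a provider that will use the given options for every connection.
   *
   * @param options the GSSAPI options (login configuration or subject, SASL protocol name, SASL
   *     properties); must not be {@code null}, since {@link #getOptions} is declared to return a
   *     non-null value.
   * @throws NullPointerException if {@code options} is {@code null}
   */
  public ProgrammaticDseGssApiAuthProvider(GssApiOptions options) {
    super("Programmatic-Kerberos");
    // Fail fast at construction time rather than at the first authentication attempt, where a
    // null would otherwise surface through the @NonNull getOptions contract.
    this.options = Objects.requireNonNull(options, "options");
  }

  /**
   * Returns the options passed to the constructor.
   *
   * <p>The same options are used regardless of the endpoint or the authenticator class name
   * reported by the server; both arguments are ignored.
   */
  @NonNull
  @Override
  protected GssApiOptions getOptions(
      @NonNull EndPoint endPoint, @NonNull String serverAuthenticator) {
    return options;
  }
}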