Accessing cassandra without hardcoded username password

I have an existing Datastax Cassandra setup that is working. We just added authentication to the system and now we can log in with our AD accounts. This is very nice and certainly works. However, applications need to use a hard-coded username/password in order to connect.

In SQL Server we were able to set up a user to run the service as and then it would connect and work through AD. However, in Cassandra it is not the same.

If I don't want to include usernames and especially passwords in my app.config files, what are my options?

You can use authentication via LDAP with DSE (Datastax Enterprise), so the authentication stage is done with LDAP instead of the internal authentication in DSE which you're using at the moment. Note that my comments here apply to DSE 5.0 onwards, but you can use LDAP auth with earlier versions of DSE from 4.6 onwards.

The documentation (link below) covers this. The basic steps are as follows:

  1. Configure your authenticator in the cassandra.yaml to use the DSE authenticator

    authenticator: com.datastax.bdp.cassandra.auth.DseAuthenticator

  2. Create an internal role in cassandra to map to the LDAP group(s) in your LDAP server using the CREATE ROLE command

  3. Ensure all the users you need to use map to the relevant LDAP group (part of your LDAP config)

  4. Configure your dse.yaml to have the correct settings for your LDAP server

  5. Restart the DSE process for the settings to take effect

The following documentation gives some good examples and background information:

https://docs.datastax.com/en/latest-dse/datastax_enterprise/unifiedAuth/unifiedAuthConfig.html

https://docs.datastax.com/en/latest-dse/datastax_enterprise/sec/authLdapConfig.html

Note: when configuring the dse.yaml, note the comment in the docs regarding user_search_filter:

When using Active Directory, set the filter to (sAMAccountName={0})
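
The steps listed in the answer above, sketched as configuration. This is an added example, not part of the original answer or DataStax's own sample files; host names, DNs, paths, the group/role name and passwords are placeholders, and the key names are assumed to follow the DSE 5.0 `dse.yaml` layout, so check them against the documentation for your version.

```yaml
# ---- cassandra.yaml (step 1) ----
authenticator: com.datastax.bdp.cassandra.auth.DseAuthenticator
# Assumption: mapping LDAP groups to roles (step 2) also uses the DSE role manager.
role_manager: com.datastax.bdp.cassandra.auth.DseRoleManager

# ---- cqlsh, as a superuser (step 2) ----
# Assumption: the role name matches the LDAP group name; "cassandra_app_users" is a placeholder.
#   CREATE ROLE cassandra_app_users WITH LOGIN = true;

# ---- dse.yaml (step 4) ----
authentication_options:
    enabled: true
    default_scheme: ldap            # try AD/LDAP first
    other_schemes:
        - internal                  # keep only if internal accounts are still required
    plain_text_without_ssl: block   # reject passwords sent over unencrypted client connections

role_management_options:
    mode: ldap                      # role membership comes from LDAP groups (step 3)

ldap_options:
    server_host: ad.example.internal                    # placeholder
    server_port: 636
    use_ssl: true                                       # LDAPS: bind passwords are not sent in clear text
    truststore_path: /etc/dse/conf/ldap-truststore.jks  # placeholder
    truststore_password: CHANGE_ME                      # placeholder
    truststore_type: jks
    # Lookup account used to search the directory. Its password is stored in
    # this file, so restrict dse.yaml to the DSE service user and give the
    # account read-only directory rights.
    search_dn: CN=svc-dse-lookup,OU=Service Accounts,DC=example,DC=internal  # placeholder
    search_password: CHANGE_ME                          # placeholder
    user_search_base: OU=Users,DC=example,DC=internal   # placeholder
    user_search_filter: (sAMAccountName={0})            # Active Directory filter noted in the answer
    user_memberof_attribute: memberof
    group_search_type: memberof_search
    credentials_validity_in_ms: 0                       # 0 = do not cache validated credentials
```

After the restart in step 5, confirm that an AD user in the mapped group can log in with `cqlsh -u <user>` and that a user outside the group is rejected.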
