Hands-on: Cassandra account and permission management


 

Password authenticator

The default authenticator is org.apache.cassandra.auth.AllowAllAuthenticator, which accepts every connection without credentials. To require clients to present credentials, Cassandra offers the alternative org.apache.cassandra.auth.PasswordAuthenticator, which checks a username and password against bcrypt hashes stored in the system_auth keyspace.

 

Configuring the authenticator

By default cqlsh logs in without a password. Edit cassandra.yaml on every node and restart it:

# authenticator: AllowAllAuthenticator
authenticator: PasswordAuthenticator

In Cassandra 2.2 and later, PasswordAuthenticator must be used together with CassandraRoleManager (role_manager: CassandraRoleManager in cassandra.yaml, the default since 2.2), which is part of Cassandra's authorization subsystem.

 

 

Adding users

After the change, logging in prompts for credentials. The default username and password are both cassandra; this is a published default, so it must be changed immediately, as shown below.

[cassandra@node2 bin]$ ./cqlsh node2
Connection error: ('Unable to connect to any servers', {'192.168.56.12': AuthenticationFailed('Remote end requires authentication.',)})
[cassandra@node2 bin]$ ./cqlsh node2 -u cassandra -p cassandra
Connected to Cluster01 at node2:9042.
[cqlsh 5.0.1 | Cassandra 3.11.5 | CQL spec 3.4.4 | Native protocol v4]
Use HELP for help.
cassandra@cqlsh> 

Change the password of the cassandra account (the old password stops working at once):

cassandra@cqlsh> alter user cassandra with password 'cass@123';
cassandra@cqlsh> quit
[cassandra@node2 bin]$ ./cqlsh node2 -u cassandra -p cassandra
Connection error: ('Unable to connect to any servers', {'192.168.56.12': AuthenticationFailed('Failed to authenticate to 192.168.56.12: Error from server: code=0100 [Bad credentials] message="Provided username cassandra and/or password are incorrect"',)})
[cassandra@node2 bin]$ ./cqlsh node2 -u cassandra -p cass@123
Connected to Cluster01 at node2:9042.
[cqlsh 5.0.1 | Cassandra 3.11.5 | CQL spec 3.4.4 | Native protocol v4]
Use HELP for help.
cassandra@cqlsh> 

Create an account (a normal, non-superuser account):

[cassandra@node2 bin]$ ./cqlsh node2 -u cassandra -p cass@123
Connected to Cluster01 at node2:9042.
[cqlsh 5.0.1 | Cassandra 3.11.5 | CQL spec 3.4.4 | Native protocol v4]
Use HELP for help.
cassandra@cqlsh> 
cassandra@cqlsh> list users;

 name      | super
-----------+-------
 cassandra |  True

(1 rows)
cassandra@cqlsh> create user cass with password 'cass@111';
cassandra@cqlsh> 
cassandra@cqlsh> list users;

 name      | super
-----------+-------
      cass | False
 cassandra |  True

(2 rows)
cassandra@cqlsh> 

 

Configuring automatic login: to avoid typing the username and password every time cqlsh starts, create a .cqlshrc file in the home directory with an [authentication] section. Two things to note in the session below: cqlsh with no host argument tries 127.0.0.1, which this node does not listen on, so the hostname is passed explicitly; and on first use cqlsh moves ~/.cqlshrc to ~/.cassandra/cqlshrc, which is why the file appears under .cassandra in the second listing. The file holds the superuser password in cleartext and was created here with mode 0664 (group- and world-readable); restrict it to mode 0600, because anyone who can read it gets the superuser credentials.

[cassandra@node2 ~]$ ls -al
total 24
drwx------. 3 cassandra cassandra  117 Feb 11 04:59 .
drwxr-xr-x. 3 root      root        23 Feb  4 03:24 ..
-rw-------. 1 cassandra cassandra 8074 Feb 11 01:17 .bash_history
-rw-r--r--. 1 cassandra cassandra   18 Aug  8  2019 .bash_logout
-rw-r--r--. 1 cassandra cassandra  193 Aug  8  2019 .bash_profile
-rw-r--r--. 1 cassandra cassandra  231 Aug  8  2019 .bashrc
drwxrwxr-x. 2 cassandra cassandra   51 Feb 11 04:59 .cassandra
-rw-rw-r--. 1 cassandra cassandra   58 Feb 11 04:57 .cqlshrc
[cassandra@node2 ~]$ cat .cqlshrc 
[authentication]
username = cassandra
password = cass@123
[cassandra@node2 ~]$ cd /data/cass/bin
[cassandra@node2 bin]$ ./cqlsh
Connection error: ('Unable to connect to any servers', {'127.0.0.1': error(111, "Tried connecting to [('127.0.0.1', 9042)]. Last error: Connection refused")})
[cassandra@node2 bin]$ ./cqlsh node2
Connected to Cluster01 at node2:9042.
[cqlsh 5.0.1 | Cassandra 3.11.5 | CQL spec 3.4.4 | Native protocol v4]
Use HELP for help.
cassandra@cqlsh>quit
[cassandra@node2 bin]$ cd
[cassandra@node2 ~]$ ls -al
total 20
drwx------. 3 cassandra cassandra  101 Feb 11 04:59 .
drwxr-xr-x. 3 root      root        23 Feb  4 03:24 ..
-rw-------. 1 cassandra cassandra 8074 Feb 11 01:17 .bash_history
-rw-r--r--. 1 cassandra cassandra   18 Aug  8  2019 .bash_logout
-rw-r--r--. 1 cassandra cassandra  193 Aug  8  2019 .bash_profile
-rw-r--r--. 1 cassandra cassandra  231 Aug  8  2019 .bashrc
drwxrwxr-x. 2 cassandra cassandra   66 Feb 11 04:59 .cassandra
[cassandra@node2 ~]$ cd .cassandra/
[cassandra@node2 .cassandra]$ ll
total 16
-rw-------. 1 cassandra cassandra 3978 Feb 11 04:59 cqlsh_history
-rw-rw-r--. 1 cassandra cassandra   58 Feb 11 04:57 cqlshrc
-rw-rw-r--. 1 cassandra cassandra 5833 Feb 10 22:00 nodetool.history
[cassandra@node2 .cassandra]$ cat cqlshrc 
[authentication]
username = cassandra
password = cass@123

You can switch accounts without quitting and logging in again by using the LOGIN command. The password may be omitted from the command and entered at the prompt instead, and that is the better habit: ~/.cassandra/cqlsh_history records everything typed at the cqlsh prompt, so a LOGIN with the password inline (as in the session below) or a CREATE/ALTER USER ... WITH PASSWORD statement leaves the cleartext password in that file. Treat the history file as sensitive and remove such entries after use.

[cassandra@node2 bin]$ ./cqlsh node3
Connected to Cluster01 at node3:9042.
[cqlsh 5.0.1 | Cassandra 3.11.5 | CQL spec 3.4.4 | Native protocol v4]
Use HELP for help.
cassandra@cqlsh> 
cassandra@cqlsh> list users;

 name      | super
-----------+-------
      cass | False
 cassandra |  True

(2 rows)
cassandra@cqlsh> login cass 'cass@111';
cass@cqlsh> 

Changing an account's password and dropping an account:

cassandra@cqlsh> alter user cass with password 'cass@222';
cassandra@cqlsh> login cass 'cass@222';
cass@cqlsh> login cassandra 'cass@123';
cassandra@cqlsh> drop user cass;
cassandra@cqlsh> list users;

 name      | super
-----------+-------
 cassandra |  True

(1 rows)
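The built-in cassandra superuser is public knowledge, and it is also special: Cassandra authenticates that particular role against system_auth at QUORUM consistency, while every other role uses LOCAL_ONE. A common hardening step, beyond changing its password, is to create a separate superuser and then strip the built-in account of its privileges. The block below is an added example and is not part of the original post; the role name admin and both passwords are illustrative assumptions.

```cql
-- Added example, not from the original post. Start logged in as the default
-- 'cassandra' superuser (after changing its password, as shown above).

-- 1. Create a replacement superuser. Role name and password are assumptions.
CREATE ROLE admin WITH PASSWORD = 'Adm1n-Str0ng-P@ss' AND SUPERUSER = true AND LOGIN = true;

-- 2. Switch to it inside cqlsh (cqlsh LOGIN command; you are prompted for the password).
--    Cassandra refuses to change the superuser flag of the role you are logged in as,
--    so this step must happen before touching the 'cassandra' role.
LOGIN admin;

-- 3. Neutralise the built-in account: unguessable password, no superuser flag, no login.
--    Keeping the role instead of dropping it avoids surprises in tooling that references it.
ALTER ROLE cassandra WITH PASSWORD = 'c9f1b2e4-7b5a-4d6e-9f0c-2a3b4c5d6e7f'
                     AND SUPERUSER = false
                     AND LOGIN = false;

-- 4. Verify: only admin should now show super = True together with login = True.
LIST ROLES;
```

After this, a client presenting the well-known cassandra/cassandra pair fails with the same "Bad credentials" error shown above, and even a leaked password for that role cannot be used to log in because LOGIN is false.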

 

 

Using CassandraAuthorizer

The authorizer controls which roles may access which keyspaces and tables in the cluster. The default is org.apache.cassandra.auth.AllowAllAuthorizer, which permits everything. CassandraAuthorizer stores permissions in the system_auth keyspace and keys them to the authenticated role, so it is only meaningful together with PasswordAuthenticator.

Shut down the cluster. The stop script used here, bin/stop-server:

#!/bin/sh
echo "Cassandra is shutting down"

# Kill every process of the current user whose command line mentions "cassandra".
# Caveat: kill -9 (SIGKILL) bypasses Cassandra's shutdown hook, so memtables are not
# flushed and the commitlog is not drained; on a production node run "nodetool drain"
# first, or send SIGTERM (plain kill) and let the daemon stop cleanly.
user=$(whoami)
pgrep -u "$user" -f cassandra | xargs kill -9

# Report whether a Cassandra JVM is still running.
if ps -ef | grep cassandra | grep -v grep | grep java; then
    echo "Cassandra shutdown failed"
else
    echo "Cassandra closed"
fi

Edit cassandra.yaml on every node, then start the cluster again:

# authorizer: AllowAllAuthorizer
authorizer: CassandraAuthorizer

A normal user can still log in and describe keyspaces and tables (schema metadata is visible to every authenticated role), but has no permission to read the data:

[cassandra@node2 bin]$ ./cqlsh node2
Connected to Cluster01 at node2:9042.
[cqlsh 5.0.1 | Cassandra 3.11.5 | CQL spec 3.4.4 | Native protocol v4]
Use HELP for help.
cassandra@cqlsh> desc keyspaces;

system_schema  system     system_distributed  test01
system_auth    keyspace1  system_traces     

cassandra@cqlsh> list users;

 name      | super
-----------+-------
      cass | False
 cassandra |  True

(2 rows)
cassandra@cqlsh> login cass;
Password: 
cass@cqlsh> desc keyspaces;

system_schema  system     system_distributed  test01
system_auth    keyspace1  system_traces     

cass@cqlsh> use test01;
cass@cqlsh:test01> desc tables;

test01

cass@cqlsh:test01> select * from test01;
Unauthorized: Error from server: code=2100 [Unauthorized] message="User cass has no SELECT permission on <table test01.test01> or any of its parents"
cass@cqlsh:test01> 

 

Grant the permission to the user with the GRANT command (run as the superuser), then verify as the user:

cassandra@cqlsh> grant select on test01.test01 to cass;
cassandra@cqlsh> login cass;
Password: 
cass@cqlsh> use test01;
cass@cqlsh:test01> select * from test01;

 key | C0 | C1 | C2 | C3 | C4
-----+----+----+----+----+----

(0 rows)

 

 

Role-based access control

Cassandra provides role-based access control (RBAC): create a role, grant permissions to the role, and then grant the role to users, who inherit its permissions.

cassandra@cqlsh:test01> list roles;

 role      | super | login | options
-----------+-------+-------+---------
      cass | False |  True |        {}
 cassandra |  True |  True |        {}

(2 rows)
cassandra@cqlsh:test01> create role dev;
cassandra@cqlsh:test01> grant all on keyspace test to dev;
InvalidRequest: Error from server: code=2200 [Invalid query] message="Resource <keyspace test> doesn't exist"
cassandra@cqlsh:test01> grant all on keyspace test01 to dev;
cassandra@cqlsh:test01> 
cassandra@cqlsh:test01> drop user cass;
cassandra@cqlsh:test01> create user cass with password 'cass@111';
cassandra@cqlsh:test01> login cass
Password: 
cass@cqlsh:test01> select * from test01.test01;
Unauthorized: Error from server: code=2100 [Unauthorized] message="User cass has no SELECT permission on <table test01.test01> or any of its parents"
cass@cqlsh:test01> login cassandra
Password: 
cassandra@cqlsh:test01> grant dev to cass;
cassandra@cqlsh:test01> login cass
Password: 
cass@cqlsh:test01> select * from test01.test01;

 key | C0 | C1 | C2 | C3 | C4
-----+----+----+----+----+----

(0 rows)
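The grants on this page give a user SELECT on one table and give a role ALL on a whole keyspace. The block below is an added example (not the page's own session) that uses the same mechanism for a least-privilege layout: one non-login role per duty, scoped to exactly the objects it needs; a login role that owns nothing directly and only collects duty roles; and LIST ALL PERMISSIONS to verify the effective, additive result. The role names test01_reader, test01_writer and app_user and the password are assumptions; keyspace test01 and table test01.test01 are the ones from the page.

```cql
-- Added example, not from the original post. Run as a superuser.

-- Non-login roles carry the permissions, one per duty, on exactly the objects needed.
CREATE ROLE test01_reader;
GRANT SELECT ON TABLE test01.test01 TO test01_reader;

CREATE ROLE test01_writer;
-- MODIFY covers INSERT/UPDATE/DELETE/TRUNCATE on the table, but no schema changes.
GRANT MODIFY ON TABLE test01.test01 TO test01_writer;

-- The login role holds no direct grants; it only inherits from the duty roles.
-- Password is an assumption for this example.
CREATE ROLE app_user WITH PASSWORD = 'App-Us3r-P@ss' AND LOGIN = true;
GRANT test01_reader TO app_user;
GRANT test01_writer TO app_user;

-- Effective permissions are the union over all granted roles (roles are additive);
-- the listing shows one row per permission together with the role it comes from.
LIST ALL PERMISSIONS OF app_user;
LIST ROLES OF app_user;

-- Removing a duty means revoking the role, not editing the login role.
REVOKE test01_writer FROM app_user;
LIST ALL PERMISSIONS OF app_user;

-- For contrast, the page's "GRANT ALL ON KEYSPACE test01 TO dev" also hands out
-- CREATE, DROP, ALTER and AUTHORIZE on the keyspace, so a compromised application
-- credential could alter the schema or grant itself more access. Prefer the
-- table-scoped grants above for application roles.
```

Permissions granted on a keyspace apply to every table in it, and permissions on ALL KEYSPACES apply cluster-wide, which is why the error messages on this page speak of a resource "or any of its parents"; the narrower the resource in the GRANT, the smaller the blast radius of a leaked credential.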

 

Roles in Cassandra are additive: if any one of the roles granted to a user carries a given permission, the user has that permission.

Behind the scenes, Cassandra stores users and roles in the system_auth keyspace. Once authorization is configured for the cluster, only superusers can read this keyspace, so log in to cqlsh as a superuser to inspect its contents:

cassandra@cqlsh:system> use system_auth;
cassandra@cqlsh:system_auth> desc tables;

resource_role_permissons_index  role_permissions  role_members  roles

cassandra@cqlsh:system_auth> 
cassandra@cqlsh:system_auth> select * from role_members;

 role | member
------+--------
  dev |   cass

(1 rows)
cassandra@cqlsh:system_auth> select * from role_permissions;

 role | resource    | permissions
------+-------------+--------------------------------------------------------------
  dev | data/test01 | {'ALTER', 'AUTHORIZE', 'CREATE', 'DROP', 'MODIFY', 'SELECT'}

(1 rows)
cassandra@cqlsh:system_auth> select * from resource_role_permissons_index;

 resource  | role
-----------+-----------
 roles/dev | cassandra

(1 rows)
cassandra@cqlsh:system_auth> select * from roles;

 role      | can_login | is_superuser | member_of | salted_hash
-----------+-----------+--------------+-----------+--------------------------------------------------------------
 cassandra |      True |         True |      null | $2a$10$6q2SqzrdcARz6qGcLj7DreKWAnQjJT653r4acBAJlHWzQW/e/4SQm
      cass |      True |        False |   {'dev'} | $2a$10$Z/KpRFIkmhQ6uEn45eDa4eyymaj/sty6LN1MDBfZdrxZwHnMI8ow2
       dev |     False |        False |      null |                                                         null

(3 rows)

 

In fact there is no separate database-level notion of a user: Cassandra tracks both users and roles as roles, and a "user" is simply a role with can_login = True, as the roles table above shows (note the bcrypt salted_hash column, which is why this keyspace must stay superuser-only).

Changing the system_auth replication factor

An important point: the system_auth keyspace is configured by default to use SimpleStrategy with a replication factor of 1.

This means that, by default, each user, role and permission we configure is stored on exactly one node of the cluster. If that node is down, the roles it holds cannot authenticate; if its disk is lost, those credentials and grants are gone. The replication strategy of system_auth therefore has to be changed to match the cluster topology.
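The following is an added example (not part of the original post) of that change on a single-datacenter cluster. The datacenter name datacenter1 and the replication factor 3 are assumptions; take the real name from nodetool status, and never set the factor higher than the number of nodes in that datacenter.

```cql
-- Added example, not from the original post. Run as a superuser.

-- Inspect the current replication settings of system_auth
-- (default: SimpleStrategy with replication_factor 1).
SELECT keyspace_name, replication
FROM system_schema.keyspaces
WHERE keyspace_name = 'system_auth';

-- Replicate credentials and permissions across the datacenter.
-- 'datacenter1' and the factor 3 are assumptions for this example: use the
-- datacenter name reported by "nodetool status" and a factor no larger than
-- the number of nodes in it (3 is usual; on a smaller cluster use the node count).
ALTER KEYSPACE system_auth
WITH replication = {'class': 'NetworkTopologyStrategy', 'datacenter1': 3};

-- Confirm the change took effect.
SELECT keyspace_name, replication
FROM system_schema.keyspaces
WHERE keyspace_name = 'system_auth';
```

ALTER KEYSPACE only changes the schema; it does not copy existing rows to the new replicas. Run nodetool repair system_auth on every node afterwards so that the roles already created are present on all replicas. Remember also that the built-in cassandra role authenticates at QUORUM, so with a factor of 3 it needs two replicas up to log in, whereas other roles authenticate at LOCAL_ONE; this is another reason to replace the built-in account with a dedicated superuser.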

 

 

Encryption

As of the 3.0 release, Cassandra secures data with encryption between clients and servers (nodes) and with encryption between nodes. Beyond that, in 3.0 encryption of data files (data at rest) is supported only in the DataStax Enterprise edition of Cassandra.

Roadmap for data file encryption

Several Cassandra JIRA issues target adding encryption features in the 3.x series:

Encryption of hints: https://issues.apache.org/jira/browse/CASSANDRA-11040

Encryption of the commit log: https://issues.apache.org/jira/browse/CASSANDRA-6018

Encryption of SSTables (CASSANDRA-9633, see also CASSANDRA-7922): https://issues.apache.org/jira/browse/CASSANDRA-9633

 

