
Kerberizing Cassandra
When it comes to access control, enterprises want an uncompromising mechanism in place to protect data and services on the network. Cryptography based on both symmetric and asymmetric key algorithms is widely used for secure access and authorization. The well-known Kerberos protocol uses symmetric encryption and lets a client prove its identity to a server across an insecure network; once client and server have authenticated each other, the session key they share can also be used to protect the integrity and confidentiality of their traffic. With Kerberos as a centralized authenticator, an enterprise can implement single sign-on (SSO) across its applications without difficulty.
In this blog we discuss how to enable Kerberos authentication for a distributed NoSQL database system. We implement it for DataStax Cassandra (DataStax Enterprise, DSE), one of the leading database platforms for big data running on a cluster of nodes. DataStax Cassandra already provides authentication based on internally managed role names and passwords, authorization based on object permission management, authentication and authorization for JMX based on usernames and passwords, and SSL encryption. Here we explain the Kerberos integration; the blog is divided into four sections.
- Installing Kerberos server
- Configuring Kerberos server
- Connection to Cassandra
- Connection to Cassandra cqlsh
Installing Kerberos Server
The Kerberos server (the KDC) is the trust anchor for the network's security, so it is advisable to run a second, replica KDC to fall back on if the first one fails. To set up the Kerberos server, install the packages and create the realm (these are the Debian/Ubuntu package names; krb5_newrealm is the Debian helper that creates the realm database and starts the services):
$ sudo apt-get install krb5-admin-server
$ sudo apt-get install krb5-kdc
$ sudo krb5_newrealm
During installation, set the Kerberos realm and the host names of the KDC and admin server. Realm names are case-sensitive and by convention upper case, so we use KERBEROS.COM as the realm and kserver.com as the KDC and kadmin server.
Configuring Kerberos Server:
After installing Kerberos, edit the default Kerberos configuration so that it carries the realm name. Open krb5.conf in an editor:
$ sudo vi /etc/krb5.conf
Check that default_realm under [libdefaults] is KERBEROS.COM and, in the [domain_realm] section, add the mapping from the DNS domain to the realm:
.kerberos.com = KERBEROS.COM
kerberos.com = KERBEROS.COM
Now restart the Kerberos server so that changes will be reflected and be effective.
$ sudo service krb5-admin-server restart
$ sudo service krb5-kdc restart
At this stage the Kerberos server is ready. Next we set up the Kerberos client side so that the Cassandra nodes can be secured.
Cassandra Connection
In this section we connect each Cassandra node to the KDC by creating principals and editing a few files on the clients as well as on the server.
kdc server:
Here we create a password policy to attach to principals. To create a basic policy named admin (minimum length 8, at least 3 character classes), run kadmin.local on the KDC:
$ sudo kadmin.local
kadmin.local: add_policy -minlength 8 -minclasses 3 admin
kadmin.local: quit
The policy named admin has been created and is ready to be attached. Now add an administrative principal, root/admin, under that policy (this is an admin principal, not a service principal name; you will be prompted to choose its password):
$ sudo kadmin.local
kadmin.local: addprinc -policy admin root/admin
kadmin.local: quit
To grant that principal full administrative rights, open kadm5.acl in an editor:
$ sudo vi /etc/krb5kdc/kadm5.acl
Uncomment the */admin * line and save, so that every principal whose instance is admin (root/admin included) gets full permissions. Note that the ACL is keyed on the principal name, not on the policy. In /etc/hosts add the KDC's internal IP and host name (the example uses the realm name, lower-cased, as the host name):
x.x.x.x kerberos.com
Restart the krb5-admin-server
$ sudo service krb5-admin-server restart
We need to add a service principal and an HTTP principal for each Cassandra node in the KDC using addprinc. Log in as the admin principal and add them; -randkey gives each principal a random key instead of a password, which is what a service whose key will live in a keytab should have:
$ sudo kadmin -p root/admin
kadmin: addprinc -policy admin -randkey cassandra/fqdn
kadmin: addprinc -policy admin -randkey HTTP/fqdn
(fqdn: the fully qualified domain name of each node. The cassandra/ principal is used for the native CQL protocol; the HTTP/ principal is used by DSE's HTTP-based components such as DSE Search.)
To find client fqdn,
$ hostname --fqdn
To ensure both principals were added successfully, list the principals in the KDC with listprincs:
kadmin: listprincs
Kerberos client:
Install krb5-user on each client (every Cassandra node, and every host that will run cqlsh):
$ sudo apt-get install krb5-user
Set the realm the same way as on the Kerberos server, i.e. KERBEROS.COM as the realm and kserver.com as the KDC and admin server. The krb5.conf on the clients should be the same as the one on the server.
KDC server:
A keytab is a file containing pairs of Kerberos principals and their long-term keys (the same keys the KDC derives from a principal's password, or the random keys of -randkey principals). With it a service authenticates to Kerberos without anyone typing a password, which also means a keytab is exactly as sensitive as a password. If a principal's key changes, its keytab must be generated anew.
To produce a keytab for the node's principals:
$ sudo kadmin.local
kadmin.local: ktadd -k dse.keytab cassandra/fqdn
kadmin.local: ktadd -k dse.keytab HTTP/fqdn
dse.keytab is the name of the keytab.
This command creates the keytab in the current folder; you can also give a full path. Be aware that ktadd rotates the principal's key (its kvno increases) unless it is run with -norandkey, so any keytab previously exported for that principal stops working. Generate a separate keytab per node containing only that node's two principals, so that no node holds another node's keys, and copy each one to its node with scp.
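The KDC-side steps above (adding the two principals for a node and exporting them with ktadd), scripted as an added example that is not part of the original post or of DataStax's tooling. It assumes the realm KERBEROS.COM, a node named node1.example.com, the admin policy created earlier, and one keytab file per node; the klist -kt listing it checks is a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the original post or of DataStax's tooling.
# It generates the kadmin batch that provisions one DSE node's two principals
# and exports them to that node's own keytab, and it verifies the result from
# `klist -kt` output. Realm, host names and keytab path are assumptions.

REALM="${REALM:-KERBEROS.COM}"   # assumed realm (case-sensitive, upper case)
POLICY="${POLICY:-admin}"        # the password policy created earlier on the KDC

# Print the two principals DSE expects for a node: the service principal for
# the native CQL protocol and the HTTP principal.
node_principals() {
    fqdn="$1"; realm="$2"
    printf 'cassandra/%s@%s\n' "$fqdn" "$realm"
    printf 'HTTP/%s@%s\n' "$fqdn" "$realm"
}

# Emit the kadmin commands for one node. -randkey gives each service a random
# key (there is no password anyone could phish), and ktadd exports that key
# into the keytab. ktadd rotates the key unless run with -norandkey, so run
# this once per node and redistribute the keytab whenever it is re-run.
kadmin_batch() {
    fqdn="$1"; realm="$2"; keytab="$3"
    for princ in $(node_principals "$fqdn" "$realm"); do
        printf 'addprinc -policy %s -randkey %s\n' "$POLICY" "$princ"
    done
    for princ in $(node_principals "$fqdn" "$realm"); do
        printf 'ktadd -k %s %s\n' "$keytab" "$princ"
    done
}

# Check a `klist -kt <keytab>` listing for every principal the node needs.
# The principal is the last field of each entry line. Returns 0 when all are
# present, 1 otherwise, naming the missing ones on stderr.
verify_keytab_listing() {
    listing="$1"; fqdn="$2"; realm="$3"
    status=0
    present=$(printf '%s\n' "$listing" | awk 'NF { print $NF }')
    for princ in $(node_principals "$fqdn" "$realm"); do
        if ! printf '%s\n' "$present" | grep -Fxq "$princ"; then
            echo "missing from keytab: $princ" >&2
            status=1
        fi
    done
    return $status
}

# Constructed sample of `klist -kt node1.keytab` output for a provisioned node.
SAMPLE_LISTING='Keytab name: FILE:node1.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 03/12/18 10:22:11 cassandra/node1.example.com@KERBEROS.COM
   2 03/12/18 10:22:11 HTTP/node1.example.com@KERBEROS.COM'

# Usage on the KDC host (kadmin.local needs no password there):
#   sudo sh provision_node.sh --apply node1.example.com ./node1.keytab
# Without --apply the script only defines the functions above.
if [ "${1:-}" = "--apply" ]; then
    fqdn="$2"; keytab="$3"
    kadmin_batch "$fqdn" "$REALM" "$keytab" | kadmin.local
    chmod 600 "$keytab"
    verify_keytab_listing "$(klist -kt "$keytab")" "$fqdn" "$REALM"
fi
```

Run it on the KDC with --apply once per node, then scp the resulting keytab to that node only. The verification step reads the keytab back the way DSE will at startup, so a typo in the FQDN shows up here rather than as an authentication failure on the node.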
Kerberos client:
Open /etc/hosts and add the KDC's host name and IP as on the server:
x.x.x.x kerberos.com
Move the keytab to the location referenced from dse.yaml (we use /etc/dse/dse.keytab below) and change its owner and permissions so that only the cassandra user can read it:
$ sudo chown cassandra:cassandra /etc/dse/dse.keytab
$ sudo chmod 600 /etc/dse/dse.keytab
Open cassandra.yaml (/etc/dse/cassandra/cassandra.yaml) in an editor and change the authenticator as below:
authenticator: com.datastax.bdp.cassandra.auth.KerberosAuthenticator
Open dse.yaml (/etc/dse/dse.yaml) in an editor and set the kerberos_options section as below (fqdn is the node's own FQDN, exactly as used for its principals on the KDC):
kerberos_options:
    keytab: /etc/dse/dse.keytab
    service_principal: cassandra/fqdn@KERBEROS.COM
    http_principal: HTTP/fqdn@KERBEROS.COM
    qop: auth
qop: auth uses Kerberos for authentication only; the CQL traffic that follows is neither integrity-protected nor encrypted by Kerberos. Use auth-int for integrity, auth-conf for confidentiality, or rely on client-to-node SSL for encryption on the wire.
With this, Kerberos authentication is configured for Cassandra; restart DSE on each node for it to take effect.
Connection to Cassandra cqlsh:
cqlsh is the Python-based client for executing Cassandra Query Language statements. In this section we authenticate cqlsh with Kerberos by configuring cassandra.yaml on the server and cqlshrc on the client.
In Server:
We need a user principal to authenticate from the client to the server. To create the user principal jane, run the following and enter a password when prompted:
$ sudo kadmin.local
kadmin.local: addprinc jane
The resulting principal is jane@KERBEROS.COM.
In Client (the Cassandra node):
The Kerberos authenticator cannot log anyone in until a matching Cassandra role exists, so temporarily switch cassandra.yaml back to the password authenticator and the internal authorizer:
authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer
Now restart the DSE service and start cqlsh:
$ sudo service dse restart
Log in to cqlsh with the default superuser to add jane as a superuser:
$ cqlsh hostname -u cassandra -p cassandra (default user name and password)
Create the superuser jane, whose Cassandra role name is the full Kerberos principal:
cqlsh> CREATE USER 'jane@KERBEROS.COM' SUPERUSER;
Now re-enable the Kerberos authenticator and set the authorizer in cassandra.yaml, then restart DSE again:
authenticator: com.datastax.bdp.cassandra.auth.KerberosAuthenticator
authorizer: AllowAllAuthorizer
AllowAllAuthorizer disables object permission checks entirely, so every authenticated principal can do anything. If you need per-object permissions, keep CassandraAuthorizer here instead and grant permissions to the Kerberos roles.
To run cqlsh with Kerberos authentication, install the Python dependencies on the client hosts:
$ sudo apt-get install python-pip
$ sudo pip install pure-sasl
$ sudo apt-get install python-kerberos
Create the cqlshrc file in the user's .cassandra directory (for example /home/user/.cassandra/cqlshrc) and add the configuration below. The hostname in the [kerberos] section must be the node's FQDN as it appears in the service principal (not an IP address), and service must match the primary of that principal exactly (cassandra, lower case), because Kerberos principal names are case-sensitive:
[connection]
hostname = host-ip
port = 9042
[kerberos]
hostname = fqdn
service = cassandra
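A client-side pre-flight check for the cqlshrc and ticket cache described above, as an added example that is not part of the original post or of cqlsh. It assumes a node node1.example.com with service principal cassandra/node1.example.com@KERBEROS.COM and the user principal jane; the cqlshrc files and the klist output it checks are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the original post or of cqlsh itself. It checks
# a client's cqlshrc and ticket cache for the mistakes that most often make
# the GSSAPI login fail: the [kerberos] service must equal the primary of the
# node's service principal (cassandra/<fqdn>@REALM, case-sensitive), the
# [kerberos] hostname should be that FQDN rather than an IP, and a TGT for
# the realm must already be in the cache. Paths, host names and realm are
# assumptions.

# Read one key from an INI-style section of cqlshrc ("key = value" lines).
cqlshrc_get() {
    file="$1"; section="$2"; key="$3"
    awk -v sec="[$section]" -v key="$key" '
        $0 == sec { in_sec = 1; next }
        /^\[/     { in_sec = 0 }
        in_sec {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$file"
}

# Return 0 when the [kerberos] section matches the service principal
# "<service>/<fqdn>@<realm>" that DSE was configured with; report each
# mismatch on stderr.
check_cqlshrc() {
    file="$1"; expected_service="$2"; expected_fqdn="$3"
    service=$(cqlshrc_get "$file" kerberos service)
    host=$(cqlshrc_get "$file" kerberos hostname)
    status=0
    if [ "$service" != "$expected_service" ]; then
        echo "service '$service' must be '$expected_service' (principal names are case-sensitive)" >&2
        status=1
    fi
    case "$host" in
        "")        echo "[kerberos] hostname is missing" >&2; status=1 ;;
        *[!0-9.]*) ;;    # contains letters: a host name, as GSSAPI expects
        *)         echo "hostname '$host' is an IP address; use the FQDN from the service principal" >&2
                   status=1 ;;
    esac
    if [ "$host" != "$expected_fqdn" ]; then
        echo "hostname '$host' differs from the principal host '$expected_fqdn'" >&2
        status=1
    fi
    return $status
}

# Return 0 when a `klist` listing holds a TGT (krbtgt/REALM@REALM) for the realm.
has_tgt() {
    listing="$1"; realm="$2"
    printf '%s\n' "$listing" | grep -Fq "krbtgt/$realm@$realm"
}

# Constructed samples: a correct cqlshrc, one with the two common mistakes,
# and a `klist` listing as seen after `kinit jane`.
GOOD_CQLSHRC=$(mktemp)
cat > "$GOOD_CQLSHRC" <<'EOF'
[connection]
hostname = 10.0.0.5
port = 9042

[kerberos]
hostname = node1.example.com
service = cassandra
EOF

BAD_CQLSHRC=$(mktemp)
cat > "$BAD_CQLSHRC" <<'EOF'
[connection]
hostname = 10.0.0.5
port = 9042

[kerberos]
hostname = 10.0.0.5
service = Cassandra
EOF

SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jane@KERBEROS.COM

Valid starting       Expires              Service principal
03/12/2018 10:30:01  03/12/2018 20:30:01  krbtgt/KERBEROS.COM@KERBEROS.COM'

# Usage before running cqlsh:
#   sh cqlsh_preflight.sh --check ~/.cassandra/cqlshrc node1.example.com KERBEROS.COM
if [ "${1:-}" = "--check" ]; then
    if check_cqlshrc "$2" cassandra "$3" && has_tgt "$(klist 2>/dev/null)" "$4"; then
        echo "cqlshrc and ticket cache look good; run cqlsh"
    else
        echo "fix the problems above (and kinit if no TGT is cached), then retry" >&2
        exit 1
    fi
fi
```

Run it with --check before kinit and cqlsh. The second sample shows the two settings most often wrong, an IP address in the [kerberos] hostname and a capitalized service name; each usually ends in a "Server not found in Kerberos database" error from the KDC, because the client asks for a ticket for a principal that was never created.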
Now identify yourself to the Kerberos server by running
$ kinit jane
and entering the password to obtain a ticket.
kinit obtains or renews a Kerberos ticket-granting ticket (TGT). Verify the ticket with:
$ klist
Start cqlsh.
$ cqlsh
With this, cqlsh authenticates to Cassandra through Kerberos. Note that with qop: auth only the login is protected by Kerberos; the CQL statements themselves are not encrypted unless qop is raised to auth-conf or client-to-node SSL is enabled.
Author Credits: Siddharth Kumar S, Senior Associate – Big data, 8K Miles Software Services