Kerberizing Cassandra

When it comes to access control, enterprises want an uncompromising mechanism in place to protect data and services on the network. Cryptography based on both symmetric and asymmetric key algorithms is widely used for secure access and authorization. The well-known Kerberos protocol uses symmetric encryption and lets a client prove its identity to a server across an insecure network. Once client and server have proved their identities to each other, the protocol can further provide privacy and integrity for the data they exchange. With Kerberos as a centralized authenticator, an enterprise can implement single sign-on (SSO) across all of its applications without difficulty.

In this blog, we will discuss how to enable Kerberos authentication for a distributed NoSQL database system. We will implement it for DataStax Cassandra, one of the leading database platforms for big data on a cluster of nodes. DataStax Cassandra already provides authentication based on internally managed role names and passwords, authorization based on object permission management, JMX authentication and authorization based on usernames and passwords, and SSL encryption. We intend to explain the implementation of the Kerberos integration, and the blog is divided into four sections.

  • Installing Kerberos server
  • Configuring Kerberos server
  • Connection to Cassandra
  • Connection to Cassandra cqlsh

Installing Kerberos Server

The Kerberos server is the key to network security, so it is advisable to have an alternative (secondary) server available for recovery in case of failure. To set up the Kerberos server, install it as below.

$ sudo apt-get install krb5-admin-server
$ sudo apt-get install krb5-kdc
$ sudo krb5_newrealm

While installing, set the Kerberos realm together with the KDC and kadmin server. We go with KERBEROS.COM as the Kerberos realm and kserver.com as the KDC and kadmin server.

Configuring Kerberos Server:

After installing Kerberos, we need to edit the default Kerberos files to change the realm name. To do so, open krb5.conf in an editor:

$ sudo vi /etc/krb5.conf

Check the configuration for the Kerberos realm, and in the [domain_realm] section add the mapping from the domain to the realm name:

.kerberos.com = KERBEROS.COM
kerberos.com = KERBEROS.COM

Now restart the Kerberos server so that the changes take effect.

$ sudo service krb5-admin-server restart
$ sudo service krb5-kdc restart

At this stage, the Kerberos server is ready. Next we need to set up the Kerberos client so that the Cassandra nodes can be secured.

Cassandra Connection

In this section, we will connect each Cassandra node to the server by creating principals and editing a few files on the clients as well as on the server.

kdc server:

Here we will create a policy to attach to principals. To create a basic policy named admin:

$ sudo kadmin.local
kadmin: add_policy -minlength 8 -minclasses 3 admin
kadmin: quit

The policy named admin has been created and is ready to be attached. Now add the administrative principal root/admin:

$ sudo kadmin.local
kadmin: addprinc -policy admin root/admin
kadmin: quit

To grant full permissions to the admin principals, open kadm5.acl in the vi editor:

$ sudo vi /etc/krb5kdc/kadm5.acl

Uncomment the "*/admin *" line and save, so that every principal whose instance is admin (such as root/admin) gets full permissions. In /etc/hosts add your internal IP with the realm name, for example:

x.x.x.x kerberos.com

Restart the krb5-admin-server

$ sudo service krb5-admin-server restart

We need to add a service principal and an HTTP principal for each client in the KDC using the addprinc command. To do so, log in to kadmin as root/admin and add the principals:

$ sudo kadmin -p root/admin
kadmin: addprinc -policy admin -randkey cassandra/fqdn
kadmin: addprinc -policy admin -randkey HTTP/fqdn

(fqdn: the Fully Qualified Domain Name of each node. The -randkey option gives the principal a random key, since these service principals will authenticate with a keytab rather than a password.)

To find the client's fqdn:

$ hostname --fqdn

To ensure that both principals were added successfully, list the principals in the KDC with the listprincs command:

kadmin: listprincs

kerberos client:

Install krb5-user on each client:

$ sudo apt-get install krb5-user

Set the realm in the same way as on the Kerberos server, with the same servers, i.e. KERBEROS.COM as the Kerberos realm and kserver.com as the KDC and kadmin server. The krb5.conf on the client should normally be identical to the one on the server.

KDC server:

A keytab is a file containing pairs of Kerberos principals and their encrypted keys (derived from the Kerberos password). Using it, a service can authenticate to other Kerberos-enabled systems without entering a password. If the principal's key is changed, the keytab must be regenerated.

To produce a keytab for the principal names:

$ sudo kadmin.local
kadmin.local: ktadd -k dse.keytab cassandra/fqdn
kadmin.local: ktadd -k dse.keytab HTTP/fqdn

dse.keytab - the name of the keytab file. Note that ktadd assigns the principal a new random key each time it runs, so generate the keytab once and distribute that file rather than running ktadd again on every node.

This command creates the keytab in the current folder; a target path can also be given to -k. Now copy the keytab to each node using the scp command.
Kerberos client:

Open /etc/hosts and add the realm name and IP as on the server:

x.x.x.x kerberos.com

Move the keytab to the location that dse.yaml will reference (here /etc/dse/dse.keytab), then change the owner and permissions of the keytab so that only the cassandra user can read it:

$ sudo chown cassandra:cassandra dse.keytab
$ sudo chmod 600 dse.keytab
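To verify on a node that the copied keytab holds the two principals created above and carries the ownership and 0600 mode set with chown and chmod, here is an added Python example; it is not part of the original post and not DataStax code. It reads the MIT keytab binary format directly, so no krb5 tools are needed; the host name node1.kerberos.com and the key bytes in the sample keytab are constructed for this example.

```python
"""Added example (not from the post): inspect the DSE keytab without krb5 tools.
Parses MIT keytab format 0x0502; sample host name and key bytes are constructed."""
import os
import stat
import struct
import tempfile


def _put(s: bytes) -> bytes:
    """Keytab counted_octet_string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(s)) + s


def _get(data: bytes, off: int):
    (n,) = struct.unpack_from(">H", data, off)
    return data[off + 2:off + 2 + n], off + 2 + n


def _entry(components, realm, enctype, key, kvno, timestamp=0) -> bytes:
    """One length-prefixed keytab entry: num_components, realm, components,
    name_type, timestamp, 8-bit vno, keyblock, then the 32-bit vno extension."""
    body = struct.pack(">H", len(components)) + _put(realm)
    body += b"".join(_put(c) for c in components)
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # 1 = KRB5_NT_PRINCIPAL
    body += struct.pack(">H", enctype) + _put(key)
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed sample: what the two ktadd commands would leave in dse.keytab for a
# node called node1.kerberos.com, with dummy aes256-cts (enctype 18) keys.
SAMPLE_FQDN = b"node1.kerberos.com"
SAMPLE_REALM = b"KERBEROS.COM"
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + _entry([b"cassandra", SAMPLE_FQDN], SAMPLE_REALM, 18, b"\x11" * 32, 2)
    + _entry([b"HTTP", SAMPLE_FQDN], SAMPLE_REALM, 18, b"\x22" * 32, 2)
)


def parse_keytab(data: bytes):
    """Return [{'principal', 'enctype', 'kvno'}, ...] for every live entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size == 0:
            break
        if size < 0:  # a negative size marks a deleted slot; skip it
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _get(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _get(data, off)
            comps.append(comp)
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        (enctype,) = struct.unpack_from(">H", data, off + 9)
        _key, off = _get(data, off + 11)
        kvno = vno8
        if end - off >= 4:  # the optional 32-bit vno overrides the 8-bit one
            kvno = struct.unpack_from(">I", data, off)[0] or vno8
        off = end
        principal = b"/".join(comps).decode() + "@" + realm.decode()
        entries.append({"principal": principal, "enctype": enctype, "kvno": kvno})
    return entries


def check_keytab(path, expected_principals, expected_owner=None):
    """Return a list of findings; an empty list means the keytab is as expected."""
    problems = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        problems.append("mode %04o allows group/other access; chmod 600 it" % mode)
    if expected_owner is not None:  # e.g. "cassandra" on a DSE node
        import pwd
        owner = pwd.getpwuid(st.st_uid).pw_name
        if owner != expected_owner:
            problems.append("owned by %s, expected %s" % (owner, expected_owner))
    with open(path, "rb") as f:
        found = {e["principal"] for e in parse_keytab(f.read())}
    for p in expected_principals:
        if p not in found:
            problems.append("principal %s not in keytab" % p)
    return problems


def write_sample_keytab(mode=0o600) -> str:
    """Write SAMPLE_KEYTAB to a temp file with the given mode and return its path."""
    fd, path = tempfile.mkstemp(suffix=".keytab")
    with os.fdopen(fd, "wb") as f:
        f.write(SAMPLE_KEYTAB)
    os.chmod(path, mode)
    return path
```

On a real node you would call check_keytab("/etc/dse/dse.keytab", ["cassandra/<fqdn>@KERBEROS.COM", "HTTP/<fqdn>@KERBEROS.COM"], expected_owner="cassandra") after the chown and chmod above; write_sample_keytab only exists so the checks can be exercised offline against the constructed file.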

Open cassandra.yaml (/etc/dse/cassandra/cassandra.yaml) in the vi editor and change the authenticator as below:

authenticator: com.datastax.bdp.cassandra.auth.KerberosAuthenticator

Open dse.yaml (/etc/dse/dse.yaml) in the vi editor and modify the kerberos_options block as below (fqdn as on the server):

kerberos_options:
    keytab: /etc/dse/dse.keytab
    service_principal: cassandra/fqdn@KERBEROS.COM
    http_principal: HTTP/fqdn@KERBEROS.COM
    qop: auth

With this, Kerberos authentication has been set up for Cassandra.

Connection to Cassandra cqlsh:

cqlsh is the Python-based client for executing Cassandra Query Language. In this section, we are going to authenticate cqlsh with Kerberos by configuring cassandra.yaml.

In Server:

We need a user principal to authenticate from the client to the server. To create the user principal jane, do the following:

$ sudo kadmin.local
kadmin: addprinc jane

The resulting principal is jane@KERBEROS.COM.
In Client:

Now temporarily disable the Kerberos authenticator and the DSE authorizer in cassandra.yaml, and set the following instead:

authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer

Now restart the dse service and start cqlsh:

$ sudo service dse restart

Log in to cqlsh to add jane as a superuser (cassandra/cassandra is the default user name and password):

$ cqlsh hostname -u cassandra -p cassandra

Create a superuser, jane, whose name matches the Kerberos principal:

cqlsh> CREATE USER 'jane@KERBEROS.COM' SUPERUSER;

Now re-enable the Kerberos authenticator and change the authorizer in cassandra.yaml:

authenticator: com.datastax.bdp.cassandra.auth.KerberosAuthenticator
authorizer: AllowAllAuthorizer

To run cqlsh with Kerberos authentication, add the Python dependencies on the clients:

$ sudo apt-get install python-pip
$ sudo pip install pure-sasl
$ sudo apt-get install python-kerberos

Create a cqlshrc file in the .cassandra directory of the user's home (for example with vi /home/user/.cassandra/cqlshrc) and add this configuration:

[connection]
hostname = host-ip
port = 9042
[kerberos]
hostname = host-ip
service = cassandra

The service name must match the service part of the service principal (cassandra/fqdn), and it is case-sensitive.
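The three files above (dse.yaml, cassandra.yaml and cqlshrc) have to agree with each other: the cqlshrc service name must equal the service part of service_principal, and the principal's host part must be the node's FQDN. The following added Python example, which is not from the original post or from DataStax, cross-checks constructed copies of those files before cqlsh is started. Its read_flat_yaml reader is an assumption that handles only the flat one-level blocks shown in this post, not general YAML, and the finding about qop is informational rather than an error.

```python
"""Added example (not from the post): cross-check dse.yaml, cassandra.yaml and
cqlshrc so a cqlsh Kerberos login fails loudly here rather than inside GSSAPI.
File contents are constructed inline; read_flat_yaml is an assumption that
handles only the flat one-level blocks shown in the post, not general YAML."""
import configparser

DSE_YAML = """\
kerberos_options:
    keytab: /etc/dse/dse.keytab
    service_principal: cassandra/node1.kerberos.com@KERBEROS.COM
    http_principal: HTTP/node1.kerberos.com@KERBEROS.COM
    qop: auth
"""

CASSANDRA_YAML = """\
authenticator: com.datastax.bdp.cassandra.auth.KerberosAuthenticator
authorizer: AllowAllAuthorizer
"""

CQLSHRC = """\
[connection]
hostname = 10.0.0.11
port = 9042
[kerberos]
hostname = node1.kerberos.com
service = cassandra
"""


def read_flat_yaml(text):
    """Parse `key: value` lines, nesting indented lines under a bare `key:`."""
    result, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if raw[:1] in (" ", "\t") and section is not None:
            result[section][key] = value
        elif value == "":
            section = key
            result[key] = {}
        else:
            section = None
            result[key] = value
    return result


def split_principal(principal):
    """'svc/host@REALM' -> ('svc', 'host', 'REALM'); missing parts are ''."""
    name, _, realm = principal.partition("@")
    service, _, host = name.partition("/")
    return service, host, realm


def check_kerberos_config(dse_yaml, cassandra_yaml, cqlshrc, node_fqdn):
    """Return findings prefixed 'error:' (login will fail) or 'note:' (advice)."""
    findings = []
    kopts = read_flat_yaml(dse_yaml).get("kerberos_options", {})
    cass = read_flat_yaml(cassandra_yaml)
    rc = configparser.ConfigParser()
    rc.read_string(cqlshrc)

    auth = cass.get("authenticator", "")
    if not auth.endswith("KerberosAuthenticator"):
        findings.append("error: cassandra.yaml authenticator is %r" % auth)
    for key in ("service_principal", "http_principal"):
        if key not in kopts:
            findings.append("error: dse.yaml kerberos_options lacks %s" % key)
            continue
        _svc, host, realm = split_principal(kopts[key])
        if host != node_fqdn:
            findings.append("error: %s host %r is not this node's FQDN %r"
                            % (key, host, node_fqdn))
        if realm != realm.upper():
            findings.append("error: %s realm %r is not upper-case" % (key, realm))
    service = split_principal(kopts.get("service_principal", ""))[0]
    rc_service = rc.get("kerberos", "service", fallback=None)
    if rc_service != service:  # GSSAPI service names are case-sensitive
        findings.append("error: cqlshrc service %r must equal %r" % (rc_service, service))
    if kopts.get("qop", "auth") == "auth":
        findings.append("note: qop 'auth' authenticates only; the payload is not "
                        "encrypted without client-to-node SSL or a confidentiality qop")
    return findings
```

On a node, replace the three constants with the contents of the real files and pass the output of hostname --fqdn as node_fqdn; the checker does not need the krb5 libraries to run, only the files.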

Now introduce yourself to the Kerberos server with kinit:

$ kinit jane

Enter the password to get authenticated. The kinit command obtains or renews a Kerberos ticket-granting ticket. Use the command below to verify the ticket:

$ klist

Start cqlsh.

$ cqlsh

With this, cqlsh authenticates to Cassandra through Kerberos. Note that with qop: auth the Kerberos layer only authenticates the session; the CQL traffic itself is not encrypted unless client-to-node SSL (mentioned at the start) is enabled or a qop that provides confidentiality is configured.

Author Credits: Siddharth Kumar S, Senior Associate – Big data, 8KMiles Software Services.