Table of Contents |
---|
...
Status
Current state: DoneUnder Discussion
Discussion thread: hereDev List
JIRA: CASSANDRA-16456
Released: 4.x
...
Modify cqlsh.py code to be able to dynamically load a class extending AuthProvider for use as the authentication mechanism when making a connection. Extension details (class and module) should be specified via cqlshrc (current mechanism for configuration).
Timeline
todo11/30 - Complete work and submit
Mailing list / Slack channels
...
To make these work with the new system we would extend the cqlshrc file to have a configuration as the following:
|
|
|
|
|
|
Cqlsh, when invoked with this configuration, would create an instance of the given class name from the given module.
...
An individual wanting to use a SaslAuthProvider in CQLSH, initialized in client code like this:
|
would merely need to provide the following cqlshrc, to use a similar Auth Provider instance in cqlsh.
|
|
Of course, there needs to be also server side of this implementation (or any other implementation, for that matter) but this is outside of the scope of this ticket and server-side custom authenticators are already possible to implement by implementing respective interfaces.
Adding additional cqlshrc properties to allow instantiation of plugin authenticator
...
The new heading for the cqlshrc would appear to be the following:
|
|
|
|
|
|
module and path would correspond to the arguments that are part of the built-in importlib functionality of Python. classname would correspond to the class name loaded.
To allow flexibility, all additional properties in AuthProviderExtendedProperties section would be sent to the constructor of the class as simple named properties. This would allow a custom plugin to easily handle additional properties unique to its context (KDC, LDAP server, etc).
To support CLI operation, these could be overloaded at the command line using the options --AuthProvider and --AuthProviderExtended
These are accessible with standard period/context notation using <section Name>.<Property>. For example to override the authprovider class name...
...
$ cqlsh --AuthProvider.classname=SaslAuthProvider
Dynamic loading of Custom AuthProvider class in cqlsh utility
Cqlsh would use the AuthProvider auth_provider section to instantiate the AuthProvider class, through the use of importlib and getattr functions. The constructed AuthProvider auth_provider instance would then be passed as the auth_provider property of the Cluster constructor when cqlsh created the connection.
...
To configure cqlsh to work I would add the following section to my cqlshrc file...
|
|
|
|
After doing so, when connecting via cqlsh it would immediately use SAML to authenticate me against the cluster.
...