Versions Compared

...

Status

Current state: DoneUnder Discussion

Discussion thread: Dev List

...

To make these work with the new system, we would extend the cqlshrc file with a configuration like the following:

[
AuthProvider
auth_provider]

classname=<class name>
module=<path to module>
[AuthProviderExtendedProperties] extendedparam1

classname=<MyProvider> other =
<property
value
someother
to be fed into a dict during initialization> ...
= somevalue


Cqlsh, when invoked with this configuration, would create an instance of the given class name from the given module.

...

An individual wanting to use a SaslAuthProvider in CQLSH, initialized in client code like this:

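        from cassandra.auth import SaslAuthProvider

        # Keyword arguments handed straight to the provider's constructor
        sasl_kwargs = {'service': 'something',
                       'mechanism': 'GSSAPI',
                       'qops': 'auth'}
        auth_provider = SaslAuthProvider(**sasl_kwargs)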


would merely need to provide the following cqlshrc to use a similar Auth Provider instance in cqlsh.

[AuthProvider]

classname=SaslAuthProvider
module=cassandra.auth
[AuthProviderExtendedProperties]
service = something
mechanism = GSSAPI
qops = auth


Of course, there also needs to be a server side of this implementation (or of any other implementation, for that matter), but that is outside the scope of this ticket, and server-side custom authenticators can already be implemented through the respective interfaces.

Adding additional cqlshrc properties to allow instantiation of plugin authenticator

...

The new heading for the cqlshrc would appear to be the following:

[
AuthProvider
auth_provider]

classname = <class name>
module = <path to module>
path = <path to python lib>
[AuthProviderExtendedProperties] param1

other =
<custom
value
someother
property
= 
sent to AuthProvider's constructor>
somevalue 


module and path would correspond to the arguments that are part of the built-in importlib functionality of Python. classname would correspond to the class name loaded.

To allow flexibility, all additional properties in the AuthProviderExtendedProperties section would be sent to the constructor of the class as simple named properties. This would allow a custom plugin to easily handle additional properties unique to its context (KDC, LDAP server, etc.). To support CLI operation, these could be overridden at the command line using the options --AuthProvider and --AuthProviderExtended.

These are accessible with standard period/context notation using <Section Name>.<Property>. For example, to override the authprovider class name...

...

$ cqlsh --AuthProvider.classname=SaslAuthProvider


Dynamic loading of Custom AuthProvider class in cqlsh utility

Cqlsh would use the AuthProvider auth_provider section to instantiate the AuthProvider class, through the use of importlib and getattr functions.  The constructed AuthProvider auth_provider instance would then be passed as the auth_provider property of the Cluster constructor when cqlsh created the connection.
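The loading step described above, as an added example that is not cqlsh's own code: it parses a cqlshrc, imports the named module with importlib, resolves the class with getattr, and passes the extended properties to the constructor as keyword arguments. The section names are taken from the SaslAuthProvider cqlshrc earlier on this page; the stand-in plugin `demo_auth_plugin`, the use of `sys.path` for the `path` key, and the writable-directory check are assumptions.

```python
import configparser
import importlib
import os
import sys
import tempfile

# Constructed cqlshrc; section names follow the SaslAuthProvider example above.
SAMPLE_CQLSHRC = """
[AuthProvider]
classname = DemoAuthProvider
module = demo_auth_plugin
path = {plugin_dir}

[AuthProviderExtendedProperties]
service = something
mechanism = GSSAPI
qops = auth
"""

# Constructed stand-in plugin; a real one would subclass the driver's AuthProvider.
PLUGIN_SOURCE = """
class DemoAuthProvider:
    def __init__(self, **kwargs):
        self.kwargs = kwargs
"""
EXTENDED = "AuthProviderExtendedProperties"

def load_auth_provider(cqlshrc_text):
    """Instantiate the class named in [AuthProvider] with the extended properties."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cqlshrc_text)
    section = cfg["AuthProvider"]
    if section.get("path"):
        plugin_dir = os.path.expanduser(section["path"])
        # Assumption, not in the proposal: refuse a plugin directory that other
        # users can write to, because cqlsh will execute whatever it imports from it.
        if os.stat(plugin_dir).st_mode & 0o022:
            raise PermissionError(f"{plugin_dir} is group- or world-writable")
        sys.path.insert(0, plugin_dir)  # assumed meaning of the "path" key
    module = importlib.import_module(section["module"])
    provider_cls = getattr(module, section["classname"])
    kwargs = dict(cfg[EXTENDED]) if cfg.has_section(EXTENDED) else {}
    return provider_cls(**kwargs)

def demo():
    plugin_dir = tempfile.mkdtemp()  # created with mode 0700
    with open(os.path.join(plugin_dir, "demo_auth_plugin.py"), "w") as fh:
        fh.write(PLUGIN_SOURCE)
    return load_auth_provider(SAMPLE_CQLSHRC.format(plugin_dir=plugin_dir))
```

Because the cqlshrc decides which module is imported, the file and the plugin directory carry the same trust as the cqlsh executable itself.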

...

To configure cqlsh to work I would add the following section to my cqlshrc file...

[
AuthProvider
auth_provider]
classname=SAMLAuthProvider
module=com.example.cassandra.driver.auth
path=~/samlplugin
[AuthProviderExtendedProperties]

saml_file_path=~/saml.conf

After doing so, when connecting via cqlsh it would immediately use SAML to authenticate me against the cluster.

...