To use cqlsh with a Kerberized cluster, you must install the PyKerberos and python-pure-sasl packages. The PyKerberos package is a high-level wrapper for Kerberos (GSSAPI) operations. The python-pure-sasl package is a pure Python client-side SASL (Simple Authentication and Security Layer) implementation.
The steps required to add the necessary modules depend on the type of install:
Debian-based installs:
$ sudo apt-get install python-pure-sasl
RHEL installs:
# yum install python-pure-sasl
Binary installs:
To install from the binary tarball, you first install the PyKerberos module and then the pure-sasl module. DataStax recommends using APT or Yum because installing the dependencies by hand can be difficult and time-consuming. To install the modules:
Ensure all dependencies are properly installed for:
Debian-based systems:
$ apt-cache show python-kerberos
Look at the Depends field.
RHEL-based systems:
$ yum deplist python-kerberos
Update your system to meet any dependencies.
Download the PyKerberos tarball:
$ curl -OL http://<username>:<password>@downloads.datastax.com/enterprise/kerberos-1.1.2+DSE1.tar.gz
Extract the tarball:
$ tar -xzf kerberos-1.1.2+DSE1.tar.gz
From the install directory:
$ python setup.py install
Download the pure-sasl module tarball:
$ curl -OL http://pypi.python.org/packages/source/p/pure-sasl/pure-sasl-0.1.3.tar.gz
Extract the tarball:
$ tar -xzf pure-sasl-0.1.3.tar.gz
From the install directory:
$ sudo python setup.py install
To run cqlsh, you need to create a .cqlshrc file in your home directory. Sample files are available in the following directories:
Kerberos example
[connection]
hostname = 192.168.1.2
port = 9160
factory = cqlshlib.kerberos.kerberos_transport_factory
[kerberos]
hostname = cassandra01.example.com ## Fully Qualified Domain Name
service = dse
principal = bill/cassandra-admin@example.com ## Optional.
qops = auth-conf ## Optional. If not specified the default (auth) is used.
[kerberos-hostnames] ## Optional section, overrides default hostname in [kerberos] section.
192.168.1.3 = cassandra01.example.com
192.168.1.4 = cassandra02.example.com
On the client side, the qops option is a comma-delimited list of the QOP values allowed by the client for the connection. The client (cqlsh) value list must contain one of the same QOP values specified on the server. To clarify, the client can have multiple QOP values, while the server can have only a single QOP value (specified in the dse.yaml).
The Kerberos hostname and service are mandatory settings and must be provided either in the configuration file or as environment variables. The environment variables (KRB_HOST, KRB_SERVICE, and KRB_PRINCIPAL) override any options set in this file.
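The precedence rules just described (environment variables over the per-host [kerberos-hostnames] override over the [kerberos] defaults, mandatory hostname and service, and the client QOP list having to contain the server's single QOP) can be checked offline. The following is an added example, not code from cqlsh or DataStax; the sample .cqlshrc text is constructed from the Kerberos example above, and the function and parameter names are the author's own.

```python
import configparser

# Constructed sample .cqlshrc mirroring the Kerberos example on this page
SAMPLE_CQLSHRC = """
[connection]
hostname = 192.168.1.2
port = 9160
factory = cqlshlib.kerberos.kerberos_transport_factory

[kerberos]
hostname = cassandra01.example.com  ## Fully Qualified Domain Name
service = dse
qops = auth-conf, auth  ## client may list several QOPs

[kerberos-hostnames]
192.168.1.3 = cassandra01.example.com
192.168.1.4 = cassandra02.example.com
"""


def resolve_kerberos_settings(cqlshrc_text, connect_host, env):
    """Return the effective (hostname, service, principal, qops) for one connection.

    Precedence: KRB_HOST/KRB_SERVICE/KRB_PRINCIPAL in `env` win over the
    [kerberos-hostnames] entry for `connect_host`, which wins over [kerberos].
    Raises ValueError if the mandatory hostname or service is missing everywhere.
    """
    cfg = configparser.ConfigParser(inline_comment_prefixes=("#",))
    cfg.read_string(cqlshrc_text)
    krb = cfg["kerberos"] if cfg.has_section("kerberos") else {}
    per_host = cfg["kerberos-hostnames"] if cfg.has_section("kerberos-hostnames") else {}

    hostname = env.get("KRB_HOST") or per_host.get(connect_host) or krb.get("hostname")
    service = env.get("KRB_SERVICE") or krb.get("service")
    principal = env.get("KRB_PRINCIPAL") or krb.get("principal")  # optional
    if not hostname or not service:
        raise ValueError("Kerberos hostname and service are mandatory (file or KRB_HOST/KRB_SERVICE)")

    # qops is comma-delimited on the client; the default when unset is "auth"
    qops = [q.strip() for q in krb.get("qops", "auth").split(",") if q.strip()]
    return hostname, service, principal, qops


def qop_compatible(client_qops, server_qop):
    """The server (dse.yaml) allows exactly one QOP; the client list must include it."""
    return server_qop in client_qops
```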
SSL example
[connection]
hostname = 127.0.0.1
port = 9160
factory = cqlshlib.ssl.ssl_transport_factory
[ssl]
certfile = ~/keys/cassandra.cert
validate = true ## Optional, true by default.
[certfiles] ## Optional section, overrides the default certfile in the [ssl] section.
192.168.1.3 = ~/keys/cassandra01.cert
192.168.1.4 = ~/keys/cassandra02.cert
When validate is enabled, the hostname in the server certificate is compared to the hostname of the machine cqlsh is connected to. The SSL certificate must be provided either in the configuration file or as an environment variable. The environment variables (SSL_CERTFILE and SSL_VALIDATE) override any options set in this file.
Kerberos and SSL
For information about using Kerberos with SSL, see Using Kerberos and SSL at the same time.
The settings for using both Kerberos and SSL are a combination of the Kerberos and SSL sections in the above examples, except the factory setting:
factory = cqlshlib.kerberos_ssl.kerberos_ssl_transport_factory
The supported environment variables are KRB_HOST, KRB_SERVICE, KRB_PRINCIPAL, SSL_CERTFILE, and SSL_VALIDATE.