DataStax Enterprise 3.0 Documentation

Installing the cqlsh security packages

To use cqlsh with a Kerberized cluster, you must install the PyKerberos and python-pure-sasl packages. The PyKerberos package is a high-level wrapper for Kerberos (GSSAPI) operations. The python-pure-sasl package is a pure Python client-side SASL (Simple Authentication and Security Layer) implementation.

Adding the required modules

The steps required for adding the necessary modules depends on the type of install:

Debian-based installs:

$ sudo apt-get install python-pure-sasl

RHEL installs:

# yum install python-pure-sasl

Binary installs:

To install from the binary tarball, you first install the PyKerberos module and then the pure-sasl module. DataStax recommends using APT or Yum because installing the dependencies can be difficult/time consuming. To install the modules:

  1. Ensure all dependencies are properly installed for:

    • Debian-based systems:

      $ apt-cache show python-kerberos
      

      Look at the Depends field.

    • RHEL-based systems:

      $ yum deplist python-kerberos
      
  2. Update your system to meet any dependancies.

  3. Download the PyKerberos tarball:

    $ curl -OL <username>:<password>@http://downloads.datastax.com/enterprise/kerberos-1.1.2+DSE1.tar.gz
    
  4. Extract the tarball:

    $ tar -xzf kerberos-1.1.2+DSE1.tar.gz
    
  5. From the directory where you untarred PyKerberos:

    $ python setup.py build
    
  6. From the install directory:

    $ python setup.py install
    
  7. Download the pure-sasl module tarball:

    $ curl -OL http://pypi.python.org/packages/source/p/pure-sasl/pure-sasl-0.1.3.tar.gz
    
  8. Extract the tarball:

    $ tar -xzf pure-sasl-0.1.3.tar.gz
    
  9. From the install directory:

    $ sudo python setup.py install
    

Running cqlsh

To run cqlsh, you need to create a .cqlshrc file in your home directory. Sample files are available in the following directories:

  • Packaged installs: /usr/share/doc/dse-libcassandra
  • Binary installs: <install_location>/resources/cassandra/conf

Kerberos example

[connection]
hostname = 192.168.1.2
port = 9160
factory = cqlshlib.kerberos.kerberos_transport_factory

[kerberos]
hostname = cassandra01.example.com
service = cassandra
principal = bill/cassandra-admin@example.com ;; Optional.
qops = auth-conf ;; Optional, see the following paragraph.
[kerberos-hostnames] ;; Optional section, overrides default hostname in [kerberos] section.
192.168.1.3 = cassandra01.example.com
192.168.1.4 = cassandra02.example.com

If qops is not specified the default (auth) is used. On the client side, the qops option is a comma-delimited list of the QOP values allowed by the client for the connection. The client (cqlsh) value list must contain at least one of the QOP values specified on the server. To clarify, the client can have multiple QOP values, while the server can have only a single QOP value (specified in the dse.yaml).

The Kerberos hostname and service are mandatory settings and must be provided either in the configuration file or as environment variables. The environment variables (KRB_HOST, KRB_SERVICE, and KRB_PRINCIPAL) override any options set in this file. For more information about these settings, see Securing DataStax Enterprise nodes. The hostname and service must match the values set in the dse.yaml.

SSL example

[connection]
hostname = 127.0.0.1
port = 9160
factory = cqlshlib.ssl.ssl_transport_factory

[ssl]
certfile = ~/keys/cassandra.cert
validate = true ;; Optional, true by default.

[certfiles] ;; Optional section, overrides the default certfile in the [ssl] section.
192.168.1.3 = ~/keys/cassandra01.cert
192.168.1.4 = ~/keys/cassandra02.cert

When validate is enabled, the host in the certificate is compared to the host of the machine that it is connected to. The SSL certificate must be provided either in the configuration file or as an environment variable. The environment variables (SSL_CERTFILE and SSL_VALIDATE) override any options set in this file.

Kerberos and SSL

For information about using Kerberos with SSL, see Using Kerberos and SSL at the same time.

The settings for using both Kerberos and SSL are a combination of the Kerberos and SSL sections in the above examples, except the factory setting:

factory = cqlshlib.kerberos_ssl.kerberos_ssl_transport_factory

The supported environmental variables are KRB_HOST, KRB_SERVICE, KRB_PRINCIPAL, SSL_CERTFILE, and SSL_VALIDATE variables.