Dramatically Improving Support for Role Providers in DataStax Enterprise Unified Authentication

Would you like to manage the roles of some of your users through LDAP and some through DSE's internal role management?  With this new feature, now you can! The release of the latest version of DataStax Enterprise (DSE) (6.8.9) brings a much-anticipated enhancement to the Unified Authentication connectivity suite. With this release, the DSE authorizer is able to leverage multiple role managers. This increases application flexibility and brings a design improvement in the DSE architecture.

Before this enhancement, the LDAP system would become a single point of failure if DSE was configured to use it as the role provider. This was the case even when an internal user was logging in. This is because the DSE Authorizer could only leverage a single role manager. To avoid LDAP SPOF while authenticating with both LDAP based and internal roles, only the internal role manager could be used. In this case, users always had to provide the role schema, even if an LDAP system was available for the LDAP roles.

DSE's Unified Authentication is now one integrated, advanced user authentication and authorization feature provided by DSE. It has 3 major components that work together seamlessly behind the scene. These components are: 

1. DSE Authenticator: Provides authentication using internal password authentication, LDAP pass-through authentication, and Kerberos authentication.
2. DSE Role Manager: Assigns roles by mapping user names to role names or looks up the group membership in LDAP and maps the group names to role names.
3. DSE Authorizer: Provides access to control for database objects.

The enhancement to Unified Authentication allows for the DSE Authorizer to optionally configure a role manager per authentication mechanism. This enhancement not only allows DSE to utilize multiple role providers in general but to configure how a user should be authorized based on how they were authenticated. This allows for application availability when using external systems such as LDAP as well as more granular configurations for internal and external users. The DSE Authenticator has been able to utilize multiple authenticators for many versions and this enhancement allows users to design more robust authorization paradigms for their applications.

Consider the configuration (in dse.yaml) before this enhancement for our use case. First, the DSE Authenticator is configured to use the internal mechanism for the default authentication mechanism but also configuring for LDAP authentication.

authentication_options:
    enabled: true
    default_scheme: internal
    other_schemes:
        - ldap

Next, the DSE Role Manager is updated to supply the Authorizer with a role schema from the LDAP server.

role_management_options:
    mode: ldap

This poses an immediate problem because if the LDAP server is experiencing any issues, the DSE application is not able to fetch the authorization rules at all. With the latest enhancement, the DSE Authorizer can be configured to utilize multiple role managers that are designated to the corresponding authentication mechanisms.

role_management_options:
    mode_by_authentication:
        internal: internal
        ldap: ldap

Now if the LDAP server fails, both DSE authentication and authorization can fall back to DSE internal mechanisms. This avoids a SPOF because the external group is the only group reliant on LDAP’s availability, which is more desirable. One can see why defining a role manager per authentication mechanism becomes a much more robust configuration solution.

It is important to call out that this enhancement is optional for a few reasons. First and foremost, this enhancement is introduced in a minor version which, by DataStax policy, should honor an application’s current configuration unless a change is desired. And secondly, not all Enterprises have the same security and uptime requirements. It may be acceptable for an application to be unavailable if the authentication gateway is not available.

By providing support for multiple role providers, specifically designating what role providers to use based on the authentication, users can now manage more robust access control for their DSE applications while leaving application availability intact. Let’s take a look at an example where we have:

• A corporate LDAP system for authentication and authorization of internal (application users) and external or non-application users.
• Requirements for application security will be some level of authentication and authorization for application developers and users (internal users).
• Requirements for some level of authentication and authorization for DBA operators (external users).
• A corporate LDAP system for authentication and authorization and one or more of the following:
  • Requirements to authenticate/authorize application users and non-application users<
  • Requirements to authenticate/authorize users both internal and external to LDAP organizations
  • Requirements to authenticate/authorize internal and/or external DBA operators
  <c< li=""> </c<>

Both internal and external groups need authentication and authorization and could use the LDAP server for all checks.

Download DSE today and update your security designs with the enhancement to the Unified Authentication feature to introduce even more up-time for your DSE application. This feature has also been backported to DSE 5.1.21, 6.0.15, and 6.7.13.