实战-Cassandra之账号权限管理
Posted yuxiaohao
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了实战-Cassandra之账号权限管理相关的知识,希望对你有一定的参考价值。
密码认证器
默认的认证器是 org.apache.cassandra.auth.AllowAllAuthenticator。如果想要求客户端提供凭证,Cassandra提供另一种选择 org.apache.cassandra.auth.PasswordAuthenticatot
配置认证器
默认登录cqlsh不需要密码,修改cassandra.yaml 修改
# authenticator: AllowAllAuthenticator
authenticator: PasswordAuthenticator
Cassandra2.2或以后的版本,会看到使用 PasswordAuthenticator必须使用CassandraRoleManager,是Cassandra授权功能的一部分。
增加用户
修改之后登录提示需要账号密码,默认账号密码都是 cassandra
[cassandra@node2 bin]$ ./cqlsh node2 Connection error: (‘Unable to connect to any servers‘, {‘192.168.56.12‘: AuthenticationFailed(‘Remote end requires authentication.‘,)}) [cassandra@node2 bin]$ ./cqlsh node2 -u cassandra -p cassandra Connected to Cluster01 at node2:9042. [cqlsh 5.0.1 | Cassandra 3.11.5 | CQL spec 3.4.4 | Native protocol v4] Use HELP for help. cassandra@cqlsh>
修改cassandra账号的密码:
cassandra@cqlsh> alter user cassandra with password ‘cass@123‘; cassandra@cqlsh> quit [cassandra@node2 bin]$ ./cqlsh node2 -u cassandra -p cassandra Connection error: (‘Unable to connect to any servers‘, {‘192.168.56.12‘: AuthenticationFailed(‘Failed to authenticate to 192.168.56.12: Error from server: code=0100 [Bad credentials] message="Provided username cassandra and/or password are incorrect"‘,)}) [cassandra@node2 bin]$ ./cqlsh node2 -u cassandra -p cass@123 Connected to Cluster01 at node2:9042. [cqlsh 5.0.1 | Cassandra 3.11.5 | CQL spec 3.4.4 | Native protocol v4] Use HELP for help. cassandra@cqlsh>
创建账号:
[cassandra@node2 bin]$ ./cqlsh node2 -u cassandra -p cass@123 Connected to Cluster01 at node2:9042. [cqlsh 5.0.1 | Cassandra 3.11.5 | CQL spec 3.4.4 | Native protocol v4] Use HELP for help. cassandra@cqlsh> cassandra@cqlsh> list users; name | super -----------+------- cassandra | True (1 rows) cassandra@cqlsh> create user cass with password ‘cass@111‘; cassandra@cqlsh> cassandra@cqlsh> list users; name | super -----------+------- cass | False cassandra | True (2 rows) cassandra@cqlsh>
配置自动登录,为了避免每次登录cqlsh都需要输入账号密码,可以在家目录中创建文件 .cqlshrc
[cassandra@node2 ~]$ ls -al total 24 drwx------. 3 cassandra cassandra 117 Feb 11 04:59 . drwxr-xr-x. 3 root root 23 Feb 4 03:24 .. -rw-------. 1 cassandra cassandra 8074 Feb 11 01:17 .bash_history -rw-r--r--. 1 cassandra cassandra 18 Aug 8 2019 .bash_logout -rw-r--r--. 1 cassandra cassandra 193 Aug 8 2019 .bash_profile -rw-r--r--. 1 cassandra cassandra 231 Aug 8 2019 .bashrc drwxrwxr-x. 2 cassandra cassandra 51 Feb 11 04:59 .cassandra -rw-rw-r--. 1 cassandra cassandra 58 Feb 11 04:57 .cqlshrc [cassandra@node2 ~]$ cat .cqlshrc [authentication] username = cassandra password = cass@123 [cassandra@node2 ~]$ cd /data/cass/bin [cassandra@node2 bin]$ ./cqlsh Connection error: (‘Unable to connect to any servers‘, {‘127.0.0.1‘: error(111, "Tried connecting to [(‘127.0.0.1‘, 9042)]. Last error: Connection refused")}) [cassandra@node2 bin]$ ./cqlsh node2 Connected to Cluster01 at node2:9042. [cqlsh 5.0.1 | Cassandra 3.11.5 | CQL spec 3.4.4 | Native protocol v4] Use HELP for help. cassandra@cqlsh>quit [cassandra@node2 bin]$ cd [cassandra@node2 ~]$ ls -al total 20 drwx------. 3 cassandra cassandra 101 Feb 11 04:59 . drwxr-xr-x. 3 root root 23 Feb 4 03:24 .. -rw-------. 1 cassandra cassandra 8074 Feb 11 01:17 .bash_history -rw-r--r--. 1 cassandra cassandra 18 Aug 8 2019 .bash_logout -rw-r--r--. 1 cassandra cassandra 193 Aug 8 2019 .bash_profile -rw-r--r--. 1 cassandra cassandra 231 Aug 8 2019 .bashrc drwxrwxr-x. 2 cassandra cassandra 66 Feb 11 04:59 .cassandra [cassandra@node2 ~]$ cd .cassandra/ [cassandra@node2 .cassandra]$ ll total 16 -rw-------. 1 cassandra cassandra 3978 Feb 11 04:59 cqlsh_history -rw-rw-r--. 1 cassandra cassandra 58 Feb 11 04:57 cqlshrc -rw-rw-r--. 1 cassandra cassandra 5833 Feb 10 22:00 nodetool.history [cassandra@node2 .cassandra]$ cat cqlshrc [authentication] username = cassandra password = cass@123
切换账号无需退出重新登录,执行时可以不加密码,在命令行输入。用户家目录下面 .cassandra/cqlsh_history 文件中会记录所有命令行上输入的内容
[cassandra@node2 bin]$ ./cqlsh node3 Connected to Cluster01 at node3:9042. [cqlsh 5.0.1 | Cassandra 3.11.5 | CQL spec 3.4.4 | Native protocol v4] Use HELP for help. cassandra@cqlsh> cassandra@cqlsh> list users; name | super -----------+------- cass | False cassandra | True (2 rows) cassandra@cqlsh> login cass ‘cass@111‘; cass@cqlsh>
修改账号密码,删除账号
cassandra@cqlsh> alter user cass with password ‘cass@222‘; cassandra@cqlsh> login cass ‘cass@222‘; cass@cqlsh> login cassandra ‘cass@123‘; cassandra@cqlsh> drop user cass; cassandra@cqlsh> list users; name | super -----------+------- cassandra | True (1 rows)
使用CassandraAuthorizer
通过授权器,授权用户访问集群中的键和表。 默认授权器 org.apache.cassandra.auth.AllowAllAuthorizer。
关闭集群,配置脚本 bin/stop-server
echo "Cassandra is shutting down" user=`whoami` pgrep -u $user -f cassandra | xargs kill -9 if ps -ef|grep cassandra|grep -v grep|grep java; then echo "Cassandra shutdown failed" else echo "Cassandra closed" fi
修改cassandra.yaml
# authorizer: AllowAllAuthorizer
authorizer: CassandraAuthorizer
普通用户登录查看keyspace和table没有权限
[cassandra@node2 bin]$ ./cqlsh node2 Connected to Cluster01 at node2:9042. [cqlsh 5.0.1 | Cassandra 3.11.5 | CQL spec 3.4.4 | Native protocol v4] Use HELP for help. cassandra@cqlsh> desc keyspaces; system_schema system system_distributed test01 system_auth keyspace1 system_traces cassandra@cqlsh> list users; name | super -----------+------- cass | False cassandra | True (2 rows) cassandra@cqlsh> login cass; Password: cass@cqlsh> desc keyspaces; system_schema system system_distributed test01 system_auth keyspace1 system_traces SyntaxException: line 1:0 no viable alternative at input ‘ues‘ ([ues]...) cass@cqlsh> use test01; cass@cqlsh:test01> desc tables; test01 cass@cqlsh:test01> select * from test01; Unauthorized: Error from server: code=2100 [Unauthorized] message="User cass has no SELECT permission on <table test01.test01> or any of its parents" cass@cqlsh:test01>
通过grant命令给用户赋予权限
cassandra@cqlsh> grant select on test01.test01 to cass; cassandra@cqlsh> login cass; Password: cass@cqlsh> use test01; cass@cqlsh:test01> select * from test01; key | C0 | C1 | C2 | C3 | C4 -----+----+----+----+----+---- (0 rows)
基于角色的访问控制
Cassandra提供一种基于角色的访问控制(role-based access control, RBAC)功能。创建角色,给角色赋予权限,给用户赋予角色的权限。
cassandra@cqlsh:test01> list roles; role | super | login | options -----------+-------+-------+--------- cass | False | True | {} cassandra | True | True | {} (2 rows) cassandra@cqlsh:test01> create role dev; cassandra@cqlsh:test01> grant all on keyspace test to dev; InvalidRequest: Error from server: code=2200 [Invalid query] message="Resource <keyspace test> doesn‘t exist" cassandra@cqlsh:test01> grant all on keyspace test01 to dev; cassandra@cqlsh:test01> cassandra@cqlsh:test01> drop user cass; cassandra@cqlsh:test01> create user cass with password ‘cass@111‘; cassandra@cqlsh:test01> login cass Password: cass@cqlsh:test01> select * from test01.test01; Unauthorized: Error from server: code=2100 [Unauthorized] message="User cass has no SELECT permission on <table test01.test01> or any of its parents" cass@cqlsh:test01> login cassandra Password: cassandra@cqlsh:test01> grant dev to cass; cassandra@cqlsh:test01> login cass Password: cass@cqlsh:test01> select * from test01.test01; key | C0 | C1 | C2 | C3 | C4 -----+----+----+----+----+---- (0 rows)
Cassandra中角色是可加的,这表示,如果授权一个用户的任意一个角色有某个特定的权限,那么这个用户就会授权这个权限。
在后台Cassandra把用户和角色存储在system_auth 键空间。如果为集群配置的授权,那么只有管理员用户可以访问这个键空间,所以使用管理员用户登录cqlsh来检查这个键空间内容;
cassandra@cqlsh:system> use system_auth; cassandra@cqlsh:system_auth> desc tables; resource_role_permissons_index role_permissions role_members roles cassandra@cqlsh:system_auth> cassandra@cqlsh:system_auth> select * from role_members; role | member ------+-------- dev | cass (1 rows) cassandra@cqlsh:system_auth> select * from role_permissions; role | resource | permissions ------+-------------+-------------------------------------------------------------- dev | data/test01 | {‘ALTER‘, ‘AUTHORIZE‘, ‘CREATE‘, ‘DROP‘, ‘MODIFY‘, ‘SELECT‘} (1 rows) cassandra@cqlsh:system_auth> select * from resource_role_permissons_index; resource | role -----------+----------- roles/dev | cassandra (1 rows) cassandra@cqlsh:system_auth> select * from roles; role | can_login | is_superuser | member_of | salted_hash -----------+-----------+--------------+-----------+-------------------------------------------------------------- cassandra | True | True | null | $2a$10$6q2SqzrdcARz6qGcLj7DreKWAnQjJT653r4acBAJlHWzQW/e/4SQm cass | True | False | {‘dev‘} | $2a$10$Z/KpRFIkmhQ6uEn45eDa4eyymaj/sty6LN1MDBfZdrxZwHnMI8ow2 dev | False | False | null | null (3 rows)
实际上并没有一个单独的数据库级用户的概念,Cassandra使用角色概念来耿总用户以及角色。
改变system_auth 副本因子
需要指出重要的一点,system_auth键空间默认配置为使用SimpleStrategy,副本因子为1.
这说明默认情况下,我们配置的任何用户,角色和权限不会再集群上分布存储,除非我们重新配置system_auth键空间 的复制策略,使之与我们的集群拓扑一致。
加密
从3.0版本开始,Cassandra通过客户端与服务器(节点)间的加密以及节点间的加密来保护数据的安全。Cassandra3.0以后,只有DataStax企业版的Cassandra才支持数据文件(静态数据)加密。
数据文件加密路线图
有很多Cassandra JIRA请求都说针对提供加密特性的3.x版本系列。
提示的加密: https://issues.apache.org/jira/browse/CASSANDRA-11040
提交日志的加密: https://issues.apache.org/jira/browse/CASSANDRA-6018
以上是关于实战-Cassandra之账号权限管理的主要内容,如果未能解决你的问题,请参考以下文章