def setUpClass(self):
"""
This will setup the necessary infrastructure to run unified authentication tests.
"""
if not DSE_VERSION or DSE_VERSION < Version('5.1'):
return
self.cluster = None
ccm_cluster = get_cluster()
# Stop cluster if running and configure it with the correct options
ccm_cluster.stop()
if isinstance(ccm_cluster, DseCluster):
# Setup dse options in dse.yaml
config_options = {
'authentication_options': {
'enabled': 'true',
'default_scheme': 'internal',
'scheme_permissions': 'true',
'transitional_mode': 'normal'
},
'authorization_options': {
'enabled': 'true'
}
}
# Setup dse authenticator in cassandra.yaml
ccm_cluster.set_configuration_options({
'authenticator':
'com.datastax.bdp.cassandra.auth.DseAuthenticator',
'authorizer':
'com.datastax.bdp.cassandra.auth.DseAuthorizer'
})
ccm_cluster.set_dse_configuration_options(config_options)
ccm_cluster.start(wait_for_binary_proto=True,
wait_other_notice=True)
else:
log.error("Cluster is not dse cluster test will fail")
# Create users and test keyspace
self.user_role = 'user1'
self.server_role = 'server'
self.root_cluster = Cluster(
auth_provider=DSEPlainTextAuthProvider('cassandra', 'cassandra'))
self.root_session = self.root_cluster.connect()
stmts = [
"CREATE USER {0} WITH PASSWORD '{1}'".format(
self.server_role, self.server_role),
"CREATE USER {0} WITH PASSWORD '{1}'".format(
self.user_role, self.user_role),
"CREATE KEYSPACE testproxy WITH replication = {'class': 'SimpleStrategy', 'replication_factor': 1}",
"CREATE TABLE testproxy.testproxy (id int PRIMARY KEY, value text)",
"GRANT ALL PERMISSIONS ON KEYSPACE testproxy to {0}".format(
self.user_role)
]
wait_role_manager_setup_then_execute(self.root_session, stmts)
def test_proxy_execute_allowed(self):
"""
Test that a proxy execute is allowed with proper permissions.
@since 3.20
@jira_ticket PYTHON-662
@test_category dse auth
@expected_result connect and query should be allowed
"""
auth_provider = DSEPlainTextAuthProvider(self.server_role,
self.server_role)
self.grant_proxy_execute()
self.connect_and_query(auth_provider, execute_as=self.user_role)
def test_proxy_execute_forbidden(self):
"""
Test that a proxy execute is forbidden by default for a user.
@since 3.20
@jira_ticket PYTHON-662
@test_category dse auth
@expected_result connect and query should not be allowed
"""
auth_provider = DSEPlainTextAuthProvider(self.server_role,
self.server_role)
with self.assertRaises(Unauthorized):
self.connect_and_query(auth_provider, execute_as=self.user_role)
def get_auth_provider(config_file, env, username=None, password=None, options=None):
def print_debug(message):
if options and hasattr(options, "debug") and options.debug:
sys.stderr.write(message)
if username:
print_debug("Using DSEPlainTextAuthProvider\n")
return DSEPlainTextAuthProvider(username=username, password=password)
"""
Kerberos auth provider can be configured in the cqlshrc file [kerberos] section
or with environment variables:
Config option Environment Variable Description
------------- -------------------- -----------
service KRB_SERVICE Service to authenticate with
qops QOPS Comma separated list of QOP values (default: auth)
"""
configs = configparser.SafeConfigParser() if sys.version_info < (3, 2) else configparser.ConfigParser()
configs.read(config_file)
def get_option(section, option, env_variable, default=None):
value = env.get(env_variable)
if value is None:
try:
value = configs.get(section, option)
except configparser.Error:
value = default
return value
krb_service = get_option('kerberos', 'service', 'KRB_SERVICE', 'dse')
krb_qop_value = get_option('kerberos', 'qops', 'QOPS', 'auth')
try:
provider = DSEGSSAPIAuthProvider(service=krb_service, qops=krb_qop_value.split(','))
print_debug("Using DSEGSSAPIAuthProvider(service=%s, qops=%s)\n" % (krb_service, krb_qop_value))
print_debug(" This will only be used if the server requests kerberos authentication\n")
return provider
except ImportError as e:
print_debug("Attempted to use DSEGSSAPIAuthProvider(service=%s, qops=%s)\n" % (krb_service, krb_qop_value))
print_debug(" Attempt failed because: %s\n" % str(e))
return None