示例#1
0
    def test_proxy_login_with_kerberos_forbidden(self):
        """
        Test that the proxy login fail when proxy role is not granted
        """
        # Set up users for proxy login test
        self._setup_for_proxy(False)
        query = "select * from testkrbproxy.testproxy"

        # Try normal login with Charlie
        self.refresh_kerberos_tickets(self.bob_keytab, "*****@*****.**",
                                      self.krb_conf)
        auth_provider = DSEGSSAPIAuthProvider(
            service='dse',
            qops=["auth"],
            principal="*****@*****.**",
            authorization_id='*****@*****.**')
        self.assertRaises(NoHostAvailable,
                          self.connect_and_query,
                          auth_provider,
                          query=query)

        self.refresh_kerberos_tickets(self.bob_keytab, "*****@*****.**",
                                      self.krb_conf)
        auth_provider = DSEGSSAPIAuthProvider(service='dse',
                                              qops=["auth"],
                                              principal="*****@*****.**")
        self.assertRaises(Unauthorized,
                          self.connect_and_query,
                          auth_provider,
                          query=query)

        self._remove_proxy_setup()
示例#2
0
    def test_connect_with_explicit_principal(self):
        """
        This tests will attempt to authenticate using valid and invalid user principals
        @since 3.20
        @jira_ticket PYTHON-574
        @test_category dse auth
        @expected_result Client principals should be used by the underlying mechanism

        """

        # Connect with valid principal
        self.refresh_kerberos_tickets(self.cassandra_keytab,
                                      "*****@*****.**", self.krb_conf)
        auth_provider = DSEGSSAPIAuthProvider(
            service='dse', qops=["auth"], principal="*****@*****.**")
        self.connect_and_query(auth_provider)
        connections = [
            c for holders in self.cluster.get_connection_holders()
            for c in holders.get_connections()
        ]

        # Check to make sure our server_authenticator class is being set appropriate
        for connection in connections:
            self.assertTrue('DseAuthenticator' in connection.authenticator.
                            server_authenticator_class)

        # Use invalid principal
        auth_provider = DSEGSSAPIAuthProvider(
            service='dse', qops=["auth"], principal="*****@*****.**")
        self.assertRaises(NoHostAvailable, self.connect_and_query,
                          auth_provider)
示例#3
0
    def _setup_for_proxy(self, grant=True):
        os.environ['KRB5_CONFIG'] = self.krb_conf
        self.refresh_kerberos_tickets(self.cassandra_keytab,
                                      "*****@*****.**", self.krb_conf)
        auth_provider = DSEGSSAPIAuthProvider(
            service='dse', qops=["auth"], principal='*****@*****.**')
        cluster = Cluster(auth_provider=auth_provider)
        session = cluster.connect()

        stmts = [
            "CREATE ROLE IF NOT EXISTS '{0}' WITH LOGIN = TRUE;".format(
                '*****@*****.**'),
            "CREATE ROLE IF NOT EXISTS '{0}' WITH LOGIN = TRUE;".format(
                '*****@*****.**'),
            "GRANT EXECUTE ON ALL AUTHENTICATION SCHEMES to '*****@*****.**'",
            "CREATE ROLE IF NOT EXISTS '{0}' WITH LOGIN = TRUE;".format(
                '*****@*****.**'),
            "GRANT EXECUTE ON ALL AUTHENTICATION SCHEMES to '*****@*****.**'",
            # Create a keyspace and allow only charlie to query it.
            "CREATE KEYSPACE testkrbproxy WITH replication = {'class': 'SimpleStrategy', 'replication_factor': 1}",
            "CREATE TABLE testkrbproxy.testproxy (id int PRIMARY KEY, value text)",
            "GRANT ALL PERMISSIONS ON KEYSPACE testkrbproxy to '{0}'".format(
                '*****@*****.**'),
        ]

        if grant:
            stmts.append("GRANT PROXY.LOGIN ON ROLE '{0}' to '{1}'".format(
                '*****@*****.**', '*****@*****.**'))

        wait_role_manager_setup_then_execute(session, stmts)

        cluster.shutdown()
示例#4
0
    def test_should_not_athenticate_without_ticket(self):
        """
        This tests will attempt to authenticate with a user that is valid but has no ticket
        @since 3.20
        @jira_ticket PYTHON-457
        @test_category dse auth
        @expected_result NoHostAvailable exception should be thrown

        """
        auth_provider = DSEGSSAPIAuthProvider(service='dse', qops=["auth"])
        self.assertRaises(NoHostAvailable, self.connect_and_query,
                          auth_provider)
示例#5
0
    def test_proxy_login_with_kerberos(self):
        """
        Test that the proxy login works with kerberos.
        """
        # Set up users for proxy login test
        self._setup_for_proxy()

        query = "select * from testkrbproxy.testproxy"

        # Try normal login with Charlie
        self.refresh_kerberos_tickets(self.charlie_keytab,
                                      "*****@*****.**", self.krb_conf)
        auth_provider = DSEGSSAPIAuthProvider(service='dse',
                                              qops=["auth"],
                                              principal="*****@*****.**")
        self.connect_and_query(auth_provider, query=query)

        # Try proxy login with bob
        self.refresh_kerberos_tickets(self.bob_keytab, "*****@*****.**",
                                      self.krb_conf)
        auth_provider = DSEGSSAPIAuthProvider(
            service='dse',
            qops=["auth"],
            principal="*****@*****.**",
            authorization_id='*****@*****.**')
        self.connect_and_query(auth_provider, query=query)

        # Try logging with bob without mentioning charlie
        self.refresh_kerberos_tickets(self.bob_keytab, "*****@*****.**",
                                      self.krb_conf)
        auth_provider = DSEGSSAPIAuthProvider(service='dse',
                                              qops=["auth"],
                                              principal="*****@*****.**")
        self.assertRaises(Unauthorized,
                          self.connect_and_query,
                          auth_provider,
                          query=query)

        self._remove_proxy_setup()
示例#6
0
    def test_should_not_authenticate_with_bad_user_ticket(self):
        """
        This tests will attempt to authenticate with a user that has a valid ticket, but is not a valid dse user.
        @since 3.20
        @jira_ticket PYTHON-457
        @test_category dse auth
        @expected_result NoHostAvailable exception should be thrown

        """
        self.refresh_kerberos_tickets(self.dseuser_keytab,
                                      "*****@*****.**", self.krb_conf)
        auth_provider = DSEGSSAPIAuthProvider(service='dse', qops=["auth"])
        self.assertRaises(NoHostAvailable, self.connect_and_query,
                          auth_provider)
示例#7
0
    def test_connect_with_kerberos_host_not_resolved(self):
        """
        This tests will attempt to authenticate with IP, this will fail on osx.
        The success or failure of this test is dependent on a reverse dns lookup which can be impacted by your environment
        if it fails don't panic.
        @since 3.20
        @jira_ticket PYTHON-566
        @test_category dse auth
        @expected_result Client should error when ip is used

        """
        self.refresh_kerberos_tickets(self.cassandra_keytab,
                                      "*****@*****.**", self.krb_conf)
        DSEGSSAPIAuthProvider(service='dse',
                              qops=["auth"],
                              resolve_host_name=False)
示例#8
0
    def test_host_resolution(self):
        # resolves by default
        provider = DSEGSSAPIAuthProvider(service='test', qops=QOP.all)
        authenticator = provider.new_authenticator('127.0.0.1')
        self.assertEqual(authenticator.sasl.host, 'localhost')

        # numeric fallback okay
        authenticator = provider.new_authenticator('192.0.2.1')
        self.assertEqual(authenticator.sasl.host, '192.0.2.1')

        # disable explicitly
        provider = DSEGSSAPIAuthProvider(service='test',
                                         qops=QOP.all,
                                         resolve_host_name=False)
        authenticator = provider.new_authenticator('127.0.0.1')
        self.assertEqual(authenticator.sasl.host, '127.0.0.1')
示例#9
0
def get_auth_provider(config_file, env, username=None, password=None, options=None):
    def print_debug(message):
        if options and hasattr(options, "debug") and options.debug:
            sys.stderr.write(message)

    if username:
        print_debug("Using DSEPlainTextAuthProvider\n")
        return DSEPlainTextAuthProvider(username=username, password=password)

    """
    Kerberos auth provider can be configured in the cqlshrc file [kerberos] section
    or with environment variables:

    Config option      Environment Variable      Description
    -------------      --------------------      -----------
    service            KRB_SERVICE               Service to authenticate with
    qops               QOPS                      Comma separated list of QOP values (default: auth)
    """
    configs = configparser.SafeConfigParser() if sys.version_info < (3, 2) else configparser.ConfigParser()
    configs.read(config_file)

    def get_option(section, option, env_variable, default=None):
        value = env.get(env_variable)
        if value is None:
            try:
                value = configs.get(section, option)
            except configparser.Error:
                value = default
        return value

    krb_service = get_option('kerberos', 'service', 'KRB_SERVICE', 'dse')
    krb_qop_value = get_option('kerberos', 'qops', 'QOPS', 'auth')

    try:
        provider = DSEGSSAPIAuthProvider(service=krb_service, qops=krb_qop_value.split(','))
        print_debug("Using DSEGSSAPIAuthProvider(service=%s, qops=%s)\n" % (krb_service, krb_qop_value))
        print_debug("    This will only be used if the server requests kerberos authentication\n")
        return provider
    except ImportError as e:
        print_debug("Attempted to use DSEGSSAPIAuthProvider(service=%s, qops=%s)\n" % (krb_service, krb_qop_value))
        print_debug("    Attempt failed because: %s\n" % str(e))
        return None
示例#10
0
    def _remove_proxy_setup(self):
        os.environ['KRB5_CONFIG'] = self.krb_conf
        self.refresh_kerberos_tickets(self.cassandra_keytab,
                                      "*****@*****.**", self.krb_conf)
        auth_provider = DSEGSSAPIAuthProvider(
            service='dse', qops=["auth"], principal='*****@*****.**')
        cluster = Cluster(auth_provider=auth_provider)
        session = cluster.connect()

        session.execute("REVOKE PROXY.LOGIN ON ROLE '{0}' FROM '{1}'".format(
            '*****@*****.**', '*****@*****.**'))

        session.execute(
            "DROP ROLE IF EXISTS '{0}';".format('*****@*****.**'))
        session.execute(
            "DROP ROLE IF EXISTS '{0}';".format('*****@*****.**'))

        # Create a keyspace and allow only charlie to query it.

        session.execute("DROP KEYSPACE testkrbproxy")

        cluster.shutdown()
示例#11
0
    def test_connect_with_kerberos(self):
        """
        This tests will attempt to authenticate with a user that is valid and has a ticket
        @since 3.20
        @jira_ticket PYTHON-457
        @test_category dse auth
        @expected_result Client should be able to connect and run a basic query

        """
        self.refresh_kerberos_tickets(self.cassandra_keytab,
                                      "*****@*****.**", self.krb_conf)
        auth_provider = DSEGSSAPIAuthProvider()
        rs = self.connect_and_query(auth_provider)
        self.assertIsNotNone(rs)
        connections = [
            c for holders in self.cluster.get_connection_holders()
            for c in holders.get_connections()
        ]
        # Check to make sure our server_authenticator class is being set appropriate
        for connection in connections:
            self.assertTrue('DseAuthenticator' in connection.authenticator.
                            server_authenticator_class)
示例#12
0
    def test_connect_with_kerberos_and_graph(self):
        """
        This tests will attempt to authenticate with a user and execute a graph query
        @since 3.20
        @jira_ticket PYTHON-457
        @test_category dse auth
        @expected_result Client should be able to connect and run a basic graph query with authentication

        """
        self.refresh_kerberos_tickets(self.cassandra_keytab,
                                      "*****@*****.**", self.krb_conf)

        auth_provider = DSEGSSAPIAuthProvider(service='dse', qops=["auth"])
        rs = self.connect_and_query(auth_provider)
        self.assertIsNotNone(rs)
        reset_graph(self.session, self._testMethodName.lower())
        profiles = self.cluster.profile_manager.profiles
        profiles[
            EXEC_PROFILE_GRAPH_DEFAULT].graph_options.graph_name = self._testMethodName.lower(
            )
        self.session.execute_graph(ClassicGraphFixtures.classic())

        rs = self.session.execute_graph('g.V()')
        self.assertIsNotNone(rs)