实战-Cassandra之账号权限管理

密码认证器

默认的认证器是 org.apache.cassandra.auth.AllowAllAuthenticator。如果想要求客户端提供凭证，Cassandra提供另一种选择  org.apache.cassandra.auth.PasswordAuthenticatot

配置认证器

默认登录cqlsh不需要密码，修改cassandra.yaml 修改 

# authenticator: AllowAllAuthenticator
authenticator: PasswordAuthenticator

Cassandra2.2或以后的版本，会看到使用 PasswordAuthenticator必须使用CassandraRoleManager，是Cassandra授权功能的一部分。

增加用户

修改之后登录提示需要账号密码，默认账号密码都是 cassandra

[cassandra@node2 bin]$ ./cqlsh node2
Connection error: ('Unable to connect to any servers', {'192.168.56.12': AuthenticationFailed('Remote end requires authentication.',)})
[cassandra@node2 bin]$ ./cqlsh node2 -u cassandra -p cassandra
Connected to Cluster01 at node2:9042.
[cqlsh 5.0.1 | Cassandra 3.11.5 | CQL spec 3.4.4 | Native protocol v4]
Use HELP for help.
cassandra@cqlsh> 

修改cassandra账号的密码：

cassandra@cqlsh> alter user cassandra with password 'cass@123';
cassandra@cqlsh> quit
[cassandra@node2 bin]$ ./cqlsh node2 -u cassandra -p cassandra
Connection error: ('Unable to connect to any servers', {'192.168.56.12': AuthenticationFailed('Failed to authenticate to 192.168.56.12: Error from server: code=0100 [Bad credentials] message="Provided username cassandra and/or password are incorrect"',)})
[cassandra@node2 bin]$ ./cqlsh node2 -u cassandra -p cass@123
Connected to Cluster01 at node2:9042.
[cqlsh 5.0.1 | Cassandra 3.11.5 | CQL spec 3.4.4 | Native protocol v4]
Use HELP for help.
cassandra@cqlsh> 

创建账号：

[cassandra@node2 bin]$ ./cqlsh node2 -u cassandra -p cass@123
Connected to Cluster01 at node2:9042.
[cqlsh 5.0.1 | Cassandra 3.11.5 | CQL spec 3.4.4 | Native protocol v4]
Use HELP for help.
cassandra@cqlsh> 
cassandra@cqlsh> list users;

 name      | super
-----------+-------
 cassandra |  True

(1 rows)
cassandra@cqlsh> create user cass with password 'cass@111';
cassandra@cqlsh> 
cassandra@cqlsh> list users;

 name      | super
-----------+-------
      cass | False
 cassandra |  True

(2 rows)
cassandra@cqlsh> 

配置自动登录，为了避免每次登录cqlsh都需要输入账号密码，可以在家目录中创建文件 .cqlshrc

[cassandra@node2 ~]$ ls -al
total 24
drwx------. 3 cassandra cassandra  117 Feb 11 04:59 .
drwxr-xr-x. 3 root      root        23 Feb  4 03:24 ..
-rw-------. 1 cassandra cassandra 8074 Feb 11 01:17 .bash_history
-rw-r--r--. 1 cassandra cassandra   18 Aug  8  2019 .bash_logout
-rw-r--r--. 1 cassandra cassandra  193 Aug  8  2019 .bash_profile
-rw-r--r--. 1 cassandra cassandra  231 Aug  8  2019 .bashrc
drwxrwxr-x. 2 cassandra cassandra   51 Feb 11 04:59 .cassandra
-rw-rw-r--. 1 cassandra cassandra   58 Feb 11 04:57 .cqlshrc
[cassandra@node2 ~]$ cat .cqlshrc 
[authentication]
username = cassandra
password = cass@123
[cassandra@node2 ~]$ cd /data/cass/bin
[cassandra@node2 bin]$ ./cqlsh
Connection error: ('Unable to connect to any servers', {'127.0.0.1': error(111, "Tried connecting to [('127.0.0.1', 9042)]. Last error: Connection refused")})
[cassandra@node2 bin]$ ./cqlsh node2
Connected to Cluster01 at node2:9042.
[cqlsh 5.0.1 | Cassandra 3.11.5 | CQL spec 3.4.4 | Native protocol v4]
Use HELP for help.
cassandra@cqlsh>quit
[cassandra@node2 bin]$ cd
[cassandra@node2 ~]$ ls -al
total 20
drwx------. 3 cassandra cassandra  101 Feb 11 04:59 .
drwxr-xr-x. 3 root      root        23 Feb  4 03:24 ..
-rw-------. 1 cassandra cassandra 8074 Feb 11 01:17 .bash_history
-rw-r--r--. 1 cassandra cassandra   18 Aug  8  2019 .bash_logout
-rw-r--r--. 1 cassandra cassandra  193 Aug  8  2019 .bash_profile
-rw-r--r--. 1 cassandra cassandra  231 Aug  8  2019 .bashrc
drwxrwxr-x. 2 cassandra cassandra   66 Feb 11 04:59 .cassandra
[cassandra@node2 ~]$ cd .cassandra/
[cassandra@node2 .cassandra]$ ll
total 16
-rw-------. 1 cassandra cassandra 3978 Feb 11 04:59 cqlsh_history
-rw-rw-r--. 1 cassandra cassandra   58 Feb 11 04:57 cqlshrc
-rw-rw-r--. 1 cassandra cassandra 5833 Feb 10 22:00 nodetool.history
[cassandra@node2 .cassandra]$ cat cqlshrc 
[authentication]
username = cassandra
password = cass@123

切换账号无需退出重新登录，执行时可以不加密码，在命令行输入。用户家目录下面 .cassandra/cqlsh_history 文件中会记录所有命令行上输入的内容

[cassandra@node2 bin]$ ./cqlsh node3
Connected to Cluster01 at node3:9042.
[cqlsh 5.0.1 | Cassandra 3.11.5 | CQL spec 3.4.4 | Native protocol v4]
Use HELP for help.
cassandra@cqlsh> 
cassandra@cqlsh> list users;

 name      | super
-----------+-------
      cass | False
 cassandra |  True

(2 rows)
cassandra@cqlsh> login cass 'cass@111';
cass@cqlsh> 

修改账号密码，删除账号

cassandra@cqlsh> alter user cass with password 'cass@222';
cassandra@cqlsh> login cass 'cass@222';
cass@cqlsh> login cassandra 'cass@123';
cassandra@cqlsh> drop user cass;
cassandra@cqlsh> list users;

 name      | super
-----------+-------
 cassandra |  True

(1 rows)

使用CassandraAuthorizer

通过授权器，授权用户访问集群中的键和表。 默认授权器 org.apache.cassandra.auth.AllowAllAuthorizer。 

关闭集群，配置脚本 bin/stop-server 

echo "Cassandra is shutting down"

user=`whoami`
pgrep -u $user -f cassandra | xargs kill -9
if ps -ef|grep cassandra|grep -v grep|grep java; then
    echo "Cassandra shutdown failed"
else
    echo "Cassandra closed"
fi

修改cassandra.yaml

# authorizer: AllowAllAuthorizer
authorizer: CassandraAuthorizer

普通用户登录查看keyspace和table没有权限

[cassandra@node2 bin]$ ./cqlsh node2
Connected to Cluster01 at node2:9042.
[cqlsh 5.0.1 | Cassandra 3.11.5 | CQL spec 3.4.4 | Native protocol v4]
Use HELP for help.
cassandra@cqlsh> desc keyspaces;

system_schema  system     system_distributed  test01
system_auth    keyspace1  system_traces     

cassandra@cqlsh> list users;

 name      | super
-----------+-------
      cass | False
 cassandra |  True

(2 rows)
cassandra@cqlsh> login cass;
Password: 
cass@cqlsh> desc keyspaces;

system_schema  system     system_distributed  test01
system_auth    keyspace1  system_traces     

SyntaxException: line 1:0 no viable alternative at input 'ues' ([ues]...)
cass@cqlsh> use test01;
cass@cqlsh:test01> desc tables;

test01

cass@cqlsh:test01> select * from test01;
Unauthorized: Error from server: code=2100 [Unauthorized] message="User cass has no SELECT permission on <table test01.test01> or any of its parents"
cass@cqlsh:test01> 

通过grant命令给用户赋予权限

cassandra@cqlsh> grant select on test01.test01 to cass;
cassandra@cqlsh> login cass;
Password: 
cass@cqlsh> use test01;
cass@cqlsh:test01> select * from test01;

 key | C0 | C1 | C2 | C3 | C4
-----+----+----+----+----+----

(0 rows)

基于角色的访问控制

Cassandra提供一种基于角色的访问控制(role-based access control, RBAC)功能。创建角色，给角色赋予权限，给用户赋予角色的权限。

cassandra@cqlsh:test01> list roles;

 role      | super | login | options
-----------+-------+-------+---------
      cass | False |  True |        {}
 cassandra |  True |  True |        {}

(2 rows)
cassandra@cqlsh:test01> create role dev;
cassandra@cqlsh:test01> grant all on keyspace test to dev;
InvalidRequest: Error from server: code=2200 [Invalid query] message="Resource <keyspace test> doesn't exist"
cassandra@cqlsh:test01> grant all on keyspace test01 to dev;
cassandra@cqlsh:test01> 
cassandra@cqlsh:test01> drop user cass;
cassandra@cqlsh:test01> create user cass with password 'cass@111';
cassandra@cqlsh:test01> login cass
Password: 
cass@cqlsh:test01> select * from test01.test01;
Unauthorized: Error from server: code=2100 [Unauthorized] message="User cass has no SELECT permission on <table test01.test01> or any of its parents"
cass@cqlsh:test01> login cassandra
Password: 
cassandra@cqlsh:test01> grant dev to cass;
cassandra@cqlsh:test01> login cass
Password: 
cass@cqlsh:test01> select * from test01.test01;

 key | C0 | C1 | C2 | C3 | C4
-----+----+----+----+----+----

(0 rows)

Cassandra中角色是可加的，这表示，如果授权一个用户的任意一个角色有某个特定的权限，那么这个用户就会授权这个权限。

在后台Cassandra把用户和角色存储在system_auth 键空间。如果为集群配置的授权，那么只有管理员用户可以访问这个键空间，所以使用管理员用户登录cqlsh来检查这个键空间内容；

cassandra@cqlsh:system> use system_auth;
cassandra@cqlsh:system_auth> desc tables;

resource_role_permissons_index  role_permissions  role_members  roles

cassandra@cqlsh:system_auth> 
cassandra@cqlsh:system_auth> select * from role_members;

 role | member
------+--------
  dev |   cass

(1 rows)
cassandra@cqlsh:system_auth> select * from role_permissions;

 role | resource    | permissions
------+-------------+--------------------------------------------------------------
  dev | data/test01 | {'ALTER', 'AUTHORIZE', 'CREATE', 'DROP', 'MODIFY', 'SELECT'}

(1 rows)
cassandra@cqlsh:system_auth> select * from resource_role_permissons_index;

 resource  | role
-----------+-----------
 roles/dev | cassandra

(1 rows)
cassandra@cqlsh:system_auth> select * from roles;

 role      | can_login | is_superuser | member_of | salted_hash
-----------+-----------+--------------+-----------+--------------------------------------------------------------
 cassandra |      True |         True |      null | $2a$10$6q2SqzrdcARz6qGcLj7DreKWAnQjJT653r4acBAJlHWzQW/e/4SQm
      cass |      True |        False |   {'dev'} | $2a$10$Z/KpRFIkmhQ6uEn45eDa4eyymaj/sty6LN1MDBfZdrxZwHnMI8ow2
       dev |     False |        False |      null |                                                         null

(3 rows)

实际上并没有一个单独的数据库级用户的概念，Cassandra使用角色概念来耿总用户以及角色。

改变system_auth 副本因子

需要指出重要的一点，system_auth键空间默认配置为使用SimpleStrategy，副本因子为1.

这说明默认情况下，我们配置的任何用户，角色和权限不会再集群上分布存储，除非我们重新配置system_auth键空间 的复制策略，使之与我们的集群拓扑一致。

加密

从3.0版本开始，Cassandra通过客户端与服务器(节点)间的加密以及节点间的加密来保护数据的安全。Cassandra3.0以后，只有DataStax企业版的Cassandra才支持数据文件(静态数据)加密。

数据文件加密路线图

有很多Cassandra JIRA请求都说针对提供加密特性的3.x版本系列。

提示的加密： https://issues.apache.org/jira/browse/CASSANDRA-11040

提交日志的加密： https://issues.apache.org/jira/browse/CASSANDRA-6018