16/02/2021 - CASSANDRA, GO
By default, a Cassandra installation has authentication disabled. Your application can connect to Cassandra without credentials, so setting the cluster.Authenticator config option in your application has no effect. On top of that, you can use the cqlsh command without any credentials, as shown below. This is because the Cassandra configuration for authentication is set to authenticator: AllowAllAuthenticator.
/# cqlsh
Connected to Test Cluster at 127.0.0.1:9042.
[cqlsh 5.0.1 | Cassandra 3.11.9 | CQL spec 3.4.4 | Native protocol v4]
Use HELP for help.
If you wish to enable authentication, set the Cassandra configuration for authentication to authenticator: PasswordAuthenticator. Cassandra creates default credentials, "cassandra" (username) and "cassandra" (password). Let's confirm this.
/# cqlsh -u cassandra -p cassandra
Connected to Test Cluster at 127.0.0.1:9042.
[cqlsh 5.0.1 | Cassandra 3.11.9 | CQL spec 3.4.4 | Native protocol v4]
Use HELP for help.
cqlsh$ LIST USERS;
name | super
-----------+-------
cassandra | True
cqlsh$ LIST ALL OF cassandra;
role | username | resource | permission
-----------+-----------+--------------+------------
cassandra | cassandra | role inanzzz | ALTER
cassandra | cassandra | role inanzzz | DROP
cassandra | cassandra | role inanzzz | AUTHORIZE
You can create a new user with the command below. If you want to make this user a "super" user, add the SUPERUSER keyword at the end of the query.
cqlsh$ CREATE USER 'inanzzz' WITH PASSWORD '123123';
cqlsh$ LIST USERS;
name | super
-----------+-------
cassandra | True
inanzzz | False
cqlsh$ LIST ALL OF inanzzz;
role | resource | permissions
------+----------+-------------
You can grant permissions to users. For this you need to set the Cassandra configuration for authorisation to authorizer: CassandraAuthorizer. The first command grants inanzzz "read only" access to the blog keyspace and the second one grants "full" access.
cqlsh$ GRANT SELECT ON KEYSPACE blog TO inanzzz;
cqlsh$ LIST ALL OF inanzzz;
role | username | resource | permission
---------+----------+---------------+------------
inanzzz | inanzzz | keyspace blog | SELECT
cqlsh$ GRANT ALL ON KEYSPACE blog TO inanzzz;
cqlsh$ LIST ALL OF inanzzz;
role | username | resource | permission
---------+----------+---------------+------------
inanzzz | inanzzz | keyspace blog | CREATE
inanzzz | inanzzz | keyspace blog | ALTER
inanzzz | inanzzz | keyspace blog | DROP
inanzzz | inanzzz | keyspace blog | SELECT
inanzzz | inanzzz | keyspace blog | MODIFY
inanzzz | inanzzz | keyspace blog | AUTHORIZE

├── docker
│   ├── cassandra.yaml
│   └── docker-compose.yaml
├── internal
│   └── cassandra
│       └── cassandra.go
└── main.go

// internal/cassandra/cassandra.go
package cassandra

import (
	"time"

	"github.com/gocql/gocql"
)

// Config holds the connection and authentication settings for the cluster.
type Config struct {
	Hosts        []string
	Port         int
	Username     string
	Password     string
	ProtoVersion int
	Consistency  string
	Keyspace     string
	Timeout      time.Duration
}

// New creates a session that authenticates with the configured username and password.
func New(config Config) (*gocql.Session, error) {
	cluster := gocql.NewCluster(config.Hosts...)
	cluster.Port = config.Port
	cluster.ProtoVersion = config.ProtoVersion
	cluster.Keyspace = config.Keyspace
	cluster.Consistency = gocql.ParseConsistency(config.Consistency)
	cluster.Timeout = config.Timeout
	cluster.Authenticator = gocql.PasswordAuthenticator{
		Username: config.Username,
		Password: config.Password,
	}

	return cluster.CreateSession()
}

// main.go
package main

import (
	"fmt"
	"log"
	"time"

	"github.com/you/blog/internal/cassandra"
)

func main() {
	// Connect as the restricted "inanzzz" user created above.
	cas, err := cassandra.New(cassandra.Config{
		Hosts:        []string{"127.0.0.1"},
		Port:         9042,
		Username:     "inanzzz",
		Password:     "123123",
		ProtoVersion: 4,
		Consistency:  "Quorum",
		Keyspace:     "blog",
		Timeout:      time.Second * 5,
	})
	if err != nil {
		log.Fatalln(err)
	}
	defer cas.Close()

	fmt.Printf("%+v\n", cas)
}

# docker/docker-compose.yaml
version: "3.7"

services:

  blog-cassandra:
    image: "cassandra:3.11.9"
    container_name: "blog-cassandra"
    ports:
      - "9042:9042"
    environment:
      - "MAX_HEAP_SIZE=256M"
      - "HEAP_NEWSIZE=128M"
    volumes:
      - "./cassandra.yaml:/etc/cassandra/cassandra.yaml"

Only the options below have been changed in cassandra.yaml. The rest is left intact.
...
...
authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer
...
...
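
One way to check a cassandra.yaml for the two settings above before mounting it into the container, added here as an example and not part of the original post. AuditAuth, topLevel and the sample file contents are hypothetical and constructed; a missing key is assumed to fall back to the permissive AllowAll default.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample: authentication enabled, authorisation still left open.
const sampleYAML = `cluster_name: 'Test Cluster'
# authenticator: AllowAllAuthenticator
authenticator: PasswordAuthenticator
authorizer: AllowAllAuthorizer
`

// topLevel returns the value of an unindented "key: value" line ("" if absent).
// Commented-out and nested lines are ignored; a later duplicate overrides an earlier one.
func topLevel(yaml, key string) string {
	val := ""
	for _, line := range strings.Split(yaml, "\n") {
		if !strings.HasPrefix(line, key+":") {
			continue
		}
		v := strings.TrimPrefix(line, key+":")
		if i := strings.Index(v, " #"); i >= 0 { // strip a trailing comment
			v = v[:i]
		}
		val = strings.Trim(strings.TrimSpace(v), `"'`)
	}
	return val
}

// AuditAuth (hypothetical helper) reports settings that leave access control open.
// Assumption: a missing key is treated as the permissive AllowAll* default.
func AuditAuth(yaml string) []string {
	var findings []string
	if a := topLevel(yaml, "authenticator"); a == "" || strings.HasSuffix(a, "AllowAllAuthenticator") {
		findings = append(findings, "authenticator accepts logins without credentials")
	}
	if a := topLevel(yaml, "authorizer"); a == "" || strings.HasSuffix(a, "AllowAllAuthorizer") {
		findings = append(findings, "authorizer performs no permission checks")
	}
	return findings
}

func main() {
	for _, f := range AuditAuth(sampleYAML) {
		fmt.Println("FINDING:", f)
	}
}
```

With the sample input, only the authorizer line is reported; a file carrying both PasswordAuthenticator and CassandraAuthorizer produces no findings.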