com.datastax.driver.core.sasl

Class KerberosAuthenticator

java.lang.Object

com.datastax.driver.core.sasl.KerberosAuthenticator

All Implemented Interfaces:

Authenticator

public class KerberosAuthenticator
extends Object
implements Authenticator

Responsible for authenticating with secured DSE services using Kerberos over GSSAPI & SASL. The actual SASL negotiation is delegated to a PrivilegedSaslClient which performs the priviledged actions on behalf of the logged in user.

The SASL protocol name defaults to "dse"; should you need to change that it can be overridden using the dse.sasl.protocol system property.

Keytab and ticket cache settings are specified using a standard JAAS configuration file. The location of the file can be set using the java.security.auth.login.config system property or by adding a login.config.url.n entry in the java.security properties file.

See http://docs.oracle.com/javase/1.4.2/docs/guide/security/jaas/tutorials/LoginConfigFile.html for further details on the Login configuration file and http://docs.oracle.com/javase/6/docs/technotes/guides/security/jaas/tutorials/GeneralAcnOnly.html for more on JAAS in general.

Authentication using ticket cache

Run kinit to obtain a ticket and populate the cache before connecting. JAAS config:

 DseClient {
   com.sun.security.auth.module.Krb5LoginModule required
     useTicketCache=true
     renewTGT=true;
 };
 

Authentication using a keytab file

To enable authentication using a keytab file, specify its location on disk. If your keytab contains more than one principal key, you should also specify which one to select.

 DseClient {
     com.sun.security.auth.module.Krb5LoginModule required
       useKeyTab=true
       keyTab="/path/to/file.keytab"
       principal="user@MYDOMAIN.COM";
 };
 

Field Summary

Fields

Modifier and Type	Field and Description
static String	JAAS_CONFIG_ENTRY
static String	SASL_PROTOCOL_NAME
static String	SASL_PROTOCOL_NAME_PROPERTY
static String[]	SUPPORTED_MECHANISMS

Constructor Summary

Constructors

Constructor and Description
KerberosAuthenticator(InetAddress host)

Method Summary

Methods

Modifier and Type	Method and Description
byte[]	evaluateChallenge(byte[] challenge) Evaluate a challenge received from the Server.
byte[]	initialResponse() Obtain an initial response token for initializing the SASL handshake

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

JAAS_CONFIG_ENTRY

public static final String JAAS_CONFIG_ENTRY

See Also:

Constant Field Values

SUPPORTED_MECHANISMS

public static final String[] SUPPORTED_MECHANISMS

SASL_PROTOCOL_NAME

public static final String SASL_PROTOCOL_NAME

See Also:

Constant Field Values

SASL_PROTOCOL_NAME_PROPERTY

public static final String SASL_PROTOCOL_NAME_PROPERTY

See Also:

Constant Field Values

Constructor Detail

KerberosAuthenticator

public KerberosAuthenticator(InetAddress host)

Method Detail

initialResponse

public byte[] initialResponse()

Description copied from interface: Authenticator

Obtain an initial response token for initializing the SASL handshake

Specified by:

initialResponse in interface Authenticator

Returns:

the initial response to send to the server, may be null

evaluateChallenge

public byte[] evaluateChallenge(byte[] challenge)

Description copied from interface: Authenticator

Evaluate a challenge received from the Server. Generally, this method should return null when authentication is complete from the client perspective

Specified by:

evaluateChallenge in interface Authenticator

Parameters:

challenge - the server's SASL challenge

Returns:

updated SASL token, may be null to indicate the client requires no further action