Cassandra用户管理

rger

Cassandra用role代替用户和用户组，默认创建的role没有login和super权限；
但是默认创建的user是有login的权限

(1)角色
#创建角色
cassandra@cqlsh:keyspace1> create role cdhu1;
cassandra@cqlsh:keyspace1> create role cdhu2 with password='147258' and login=true;
cassandra@cqlsh:keyspace1> create role cdhu3 with password='147258' and login=true and superuser=true;

#查看角色
cassandra@cqlsh:keyspace1> list roles;
role      | super | login | options
-----------+-------+-------+---------
cassandra |  True |  True |        {}
     cdhu1 | False | False |        {}
     cdhu2 | False |  True |        {}
     cdhu3 |  True |  True |        {}

cassandra@cqlsh:keyspace1> list roles of cdhu3;
role  | super | login | options
-------+-------+-------+---------
cdhu3 |  True |  True |        {}

#修改角色cdhu3的属性
cassandra@cqlsh:keyspace1> ALTER ROLE cdhu3 WITH PASSWORD = '147258' AND SUPERUSER = false;

#把角色cdhu3的权限赋予传递给角色cdhu2：
cassandra@cqlsh:keyspace1> grant cdhu3 to cdhu2;
cassandra@cqlsh:keyspace1> revoke cdhu3 from cdhu2;


(2)用户
cassandra@cqlsh:keyspace1> create user user1 with password '147258' superuser;
cassandra@cqlsh:keyspace1> create user user2 with password '147258' nosuperuser;
cassandra@cqlsh:keyspace1> list users;
name      | super
-----------+-------
cassandra |  True
     user1 |  True
     user2 | False

(3)权限

CREATE
ALTER
DROP
SELECT
MODIFY
AUTHORIZE
DESCRIBE
EXECUTE

#grant&revoke
cassandra@cqlsh:keyspace1> grant select on keyspace1.t1 to cdhu2;
cassandra@cqlsh:keyspace1> grant modify on keyspace keyspace1 to cdhu2;
cassandra@cqlsh:keyspace1> revoke select on kyepsace1.t1 from cdhu2

#查看角色或用户的权限
cassandra@cqlsh:keyspace1> list all permissions;
cassandra@cqlsh:keyspace1> list all permissions of cdhu2;
role  | username | resource             | permission
-------+----------+----------------------+------------
cdhu2 |    cdhu2 | <keyspace keyspace1> |     MODIFY
cdhu2 |    cdhu2 | <table keyspace1.t1> |     SELECT

cassandra@cqlsh:keyspace1> list all permissions on keyspace1.t1 of cdhu2;
role  | username | resource             | permission
-------+----------+----------------------+------------
cdhu2 |    cdhu2 | <keyspace keyspace1> |     MODIFY
cdhu2 |    cdhu2 | <table keyspace1.t1> |     SELECT



(4)登录设置
#修改配置文件
$ vim /usr/local/cassandra/conf /cassandra.yaml
authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer

#重启数据库会自动创建system_auto，并且生成三个表credentials,users,permissions
#停止cassandra服务
[tnuser@sht-sgmhadoopdn-02 bin]$ nodetool stopdaemon
Cassandra has shutdown.
error: Connection refused (Connection refused)
-- StackTrace --

[tnuser@sht-sgmhadoopdn-02 bin]$cassandra

#再次访问，没有用户和密码会报错：
[tnuser@sht-sgmhadoopdn-02 bin]$ cqlsh
Connection error: ('Unable to connect to any servers', {'127.0.0.1': AuthenticationFailed('Remote end requires authentication.',)})

#使用cassandra默认的用户名和密码cassandra/cassandra:
[tnuser@sht-sgmhadoopdn-02 bin]$ cqlsh -ucassandra -pcassandra
Connected to mycluster at 127.0.0.1:9042.
[cqlsh 5.0.1 | Cassandra 2.1.18 | CQL spec 3.2.1 | Native protocol v3]
Use HELP for help.

#修改密码
cassandra@cqlsh> alter user cassandra with password '147258';
cassandra@cqlsh> quit

cassandra@cqlsh:system_auth> desc tables;
credentials  users  permissions


cassandra@cqlsh:system_auth> select * from credentials;
username  | options | salted_hash
-----------+---------+--------------------------------------------------------------
cassandra |    null | $2a$10$SqGQtA8PLhBwoWLBBDQgN.oAiQGD3MrnU0Jeln7QZRJj8g1jIJ3n6

cassandra@cqlsh:system_auth> select * from users ;
name      | super
-----------+-------
cassandra |  True


#配置无密码登录Cassandra:
[tnuser@sht-sgmhadoopdn-02 ~]$ vim ~/.cassandra/sqlshrc
[authentication]
username = cassandra
password = 147258

cassandra@cqlsh> list users;
name      | super
-----------+-------
cassandra |  True