Cassandra用户管理

Cassandra用role代替用户和用户组，默认创建的role没有login和super权限；

但是默认创建的user是有login的权限

(1)角色

#创建角色

cassandra@cqlsh:keyspace1> create role cdhu1;

cassandra@cqlsh:keyspace1> create role cdhu2 with password='147258' and login=true;

cassandra@cqlsh:keyspace1> create role cdhu3 with password='147258' and login=true and superuser=true;

#查看角色

cassandra@cqlsh:keyspace1> list roles;

role      | super | login | options

-----------+-------+-------+---------

cassandra |  True |  True |        {}

     cdhu1 | False | False |        {}

     cdhu2 | False |  True |        {}

     cdhu3 |  True |  True |        {}

cassandra@cqlsh:keyspace1> list roles of cdhu3;

role  | super | login | options

-------+-------+-------+---------

cdhu3 |  True |  True |        {}

#修改角色cdhu3的属性

cassandra@cqlsh:keyspace1> ALTER ROLE cdhu3 WITH PASSWORD = '147258' AND SUPERUSER = false;

#把角色cdhu3的权限赋予传递给角色cdhu2：

cassandra@cqlsh:keyspace1> grant cdhu3 to cdhu2;

cassandra@cqlsh:keyspace1> revoke cdhu3 from cdhu2;

(2)用户

cassandra@cqlsh:keyspace1> create user user1 with password '147258' superuser;

cassandra@cqlsh:keyspace1> create user user2 with password '147258' nosuperuser;

cassandra@cqlsh:keyspace1> list users;

name      | super

-----------+-------

cassandra |  True

     user1 |  True

     user2 | False

(3)权限

CREATE

ALTER

DROP

SELECT

MODIFY

AUTHORIZE

DESCRIBE

EXECUTE

#grant&revoke

cassandra@cqlsh:keyspace1> grant select on keyspace1.t1 to cdhu2;

cassandra@cqlsh:keyspace1> grant modify on keyspace keyspace1 to cdhu2;

cassandra@cqlsh:keyspace1> revoke select on kyepsace1.t1 from cdhu2

#查看角色或用户的权限

cassandra@cqlsh:keyspace1> list all permissions;

cassandra@cqlsh:keyspace1> list all permissions of cdhu2;

role  | username | resource             | permission

-------+----------+----------------------+------------

cdhu2 |    cdhu2 | <keyspace keyspace1> |     MODIFY

cdhu2 |    cdhu2 | <table keyspace1.t1> |     SELECT

cassandra@cqlsh:keyspace1> list all permissions on keyspace1.t1 of cdhu2;

role  | username | resource             | permission

-------+----------+----------------------+------------

cdhu2 |    cdhu2 | <keyspace keyspace1> |     MODIFY

cdhu2 |    cdhu2 | <table keyspace1.t1> |     SELECT

(4)登录设置

#修改配置文件

$ vim /usr/local/cassandra/conf /cassandra.yaml

authenticator: PasswordAuthenticator

authorizer: CassandraAuthorizer

#重启数据库会自动创建system_auto，并且生成三个表credentials,users,permissions

#停止cassandra服务

[tnuser@sht-sgmhadoopdn-02 bin]$ nodetool stopdaemon

Cassandra has shutdown.

error: Connection refused (Connection refused)

-- StackTrace --

[tnuser@sht-sgmhadoopdn-02 bin]$cassandra

#再次访问，没有用户和密码会报错：

[tnuser@sht-sgmhadoopdn-02 bin]$ cqlsh

Connection error: ('Unable to connect to any servers', {'127.0.0.1': AuthenticationFailed('Remote end requires authentication.',)})

#使用cassandra默认的用户名和密码cassandra/cassandra:

[tnuser@sht-sgmhadoopdn-02 bin]$ cqlsh -ucassandra -pcassandra

Connected to mycluster at 127.0.0.1:9042.

[cqlsh 5.0.1 | Cassandra 2.1.18 | CQL spec 3.2.1 | Native protocol v3]

Use HELP for help.

#修改密码

cassandra@cqlsh> alter user cassandra with password '147258';

cassandra@cqlsh> quit

cassandra@cqlsh:system_auth> desc tables;

credentials  users  permissions

cassandra@cqlsh:system_auth> select * from credentials;

username  | options | salted_hash

-----------+---------+--------------------------------------------------------------

cassandra |    null | $2a$10$SqGQtA8PLhBwoWLBBDQgN.oAiQGD3MrnU0Jeln7QZRJj8g1jIJ3n6

cassandra@cqlsh:system_auth> select * from users ;

name      | super

-----------+-------

cassandra |  True

#配置无密码登录Cassandra:

[tnuser@sht-sgmhadoopdn-02 ~]$ vim ~/.cassandra/sqlshrc

[authentication]

username = cassandra

password = 147258

cassandra@cqlsh> list users;

name      | super

-----------+-------

cassandra |  True