osdir.com


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Authentication with Java driver


Thanks Ben,

Do you mean lots of instances of the process or lots of instances of the cluster/session object?

Lots of instances of the process are generated.
I wanted to confirm that `other` doesn't authenticate.

If I want to avoid that, my application has to create new cluster/session objects per instance.
But it is inefficient and uncommon.
So, we aren't sure that the application works when a lot of cluster/session objects are created.
Is it correct?

Thank you,
Yuji



On Wed, Feb 8, 2017 at 12:01 PM, Ben Bromhead <ben@xxxxxxxxxxxxxxx> wrote:
On Tue, 7 Feb 2017 at 17:52 Yuji Ito <yuji@xxxxxxxxxxxxxxx> wrote:
Thanks Andrew, Ben,

My application creates a lot of instances connecting to Cassandra with basically the same set of credentials.
Do you mean lots of instances of the process or lots of instances of the cluster/session object?
 
After an instance connects to Cassandra with the credentials, can any instance connect to Cassandra without credentials?
As long as you don't share the session or cluster objects. Each new cluster/session will need to reauthenticate. 


== example ==
A first = new A("database", "user", "password");  // proper credentials
r = first.get();
...
A other = new A("database", "user", "pass"); // wrong password
r = other.get();
== example ==

I want to refuse the `other` instance with improper credentials.

This looks like you are creating new cluster/session objects (filling in the blanks for your pseudocode here). So "other" will not authenticate to Cassandra.

This brings up a wider point of why you are doing this? Generally most applications will create a single longed lived session object that lasts the life of the application process. 

I would not rely on Cassandra auth to authenticate downstream actors, not because it's bad, just its generally inefficient to create lots of session objects. The session object maintains a connection pool, pipelines requests, is thread safe and generally pretty solid. 

 

Yuji
 

On Wed, Feb 8, 2017 at 4:11 AM, Ben Bromhead <ben@xxxxxxxxxxxxxxx> wrote:
What are you specifically trying to achieve? Are you trying to authenticate multiple Cassandra users from a single application instance? Or will your have lot's of application instances connecting to Cassandra using the same set of credentials? Or a combination of both? Multiple application instances with different credentials?

On Tue, 7 Feb 2017 at 06:19 Andrew Tolbert <andrew.tolbert@xxxxxxxxxxxx> wrote:
Hello,

The API seems kind of not correct because credentials should be
usually set with a session but actually they are set with a cluster.

With the datastax driver, Session is what manages connection pools to each node.  Cluster manages configuration and a separate connection ('control connection') to subscribe to state changes (schema changes, node topology changes, node up/down events).


So, if there are 1000 clients, then with this API it has to create
1000 cluster instances ?

I'm unsure how common it is for per-user authentication to be done when connecting to the database.  I think an application would normally authenticate with one set of credentials instead of multiple.  The protocol Cassandra uses does authentication at the connection level instead of at the request level, so that is currently a limitation to support something like reusing Sessions for authenticating multiple users.

Thanks,
Andy
 

On Tue, Feb 7, 2017 at 7:19 AM Hiroyuki Yamada <mogwaing@xxxxxxxxx> wrote:
Hi,

The API seems kind of not correct because credentials should be
usually set with a session but actually they are set with a cluster.

So, if there are 1000 clients, then with this API it has to create
1000 cluster instances ?
1000 clients seems usual if there are many nodes (say 20) and each
node has some concurrency (say 50),
but 1000 cluster instances seems too many.

Is this an expected way to do this ? or
Is there any way to authenticate per session ?

Thanks,
Hiro

On Tue, Feb 7, 2017 at 11:38 AM, Yuji Ito <yuji@xxxxxxxxxxxxxxx> wrote:
> Hi all,
>
> I want to know how to authenticate Cassandra users for multiple instances
> with Java driver.
> For instance, each thread creates a instance to access Cassandra with
> authentication.
>
> As the implementation example, only the first constructor builds a cluster
> and a session.
> Other constructors use them.
> This example is implemented according to the datastax document: "Basically
> you will want to share the same cluster and session instances across your
> application".
> http://www.datastax.com/dev/blog/4-simple-rules-when-using-the-datastax-drivers-for-cassandra
>
> However, other constructors don't authenticate the user and the password.
> That's because they don't need to build a cluster and a session.
>
> So, should I create a cluster and a session per instance for the
> authentication?
> If yes, can I create a lot of instances(clusters and sessions) to access C*
> concurrently?
>
> == example ==
> public class A {
>   private static Cluster cluster = null;
>   private static Map<String, Session> sessions = null;
>   private Session session;
>
>   public A (String keyspace, String user, String password) {
>     if (cluster == null) {
>         builder = Cluster.builder();
>         ...
>         builder = builder.withCredentials(user, password);
>         cluster = builder.build();
>     }
>     session = sessions.get(keyspace);
>     if (session == null) {
>         session = cluster.connection(keyspace);
>         sessions.put(keyspace, session)
>     }
>     ...
>   }
>   ...
>   public ResultSet update(...) {
>   ...
>   public ResultSet get(...) {
>   ...
> }
> == example ==
>
> Thanks,
> Yuji
--
Ben Bromhead
CTO | Instaclustr
Managed Cassandra / Spark on AWS, Azure and Softlayer

--
Ben Bromhead
CTO | Instaclustr
Managed Cassandra / Spark on AWS, Azure and Softlayer