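By default, a Cassandra installation has authentication disabled. Your application can connect to Cassandra without credentials, so setting the cluster.Authenticator configuration option in your application has no effect. You can also use the cqlsh command without any credentials, as shown below. This is because Cassandra's authentication configuration is set to authenticator: AllowAllAuthenticator.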
/# cqlsh
Connected to Test Cluster at 127.0.0.1:9042.
[cqlsh 5.0.1 | Cassandra 3.11.9 | CQL spec 3.4.4 | Native protocol v4]
Use HELP for help.
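If you want to enable authentication, set Cassandra's authentication configuration to authenticator: PasswordAuthenticator. The default credentials that Cassandra creates are "cassandra" (username) and "cassandra" (password). Let's confirm this.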
/# cqlsh -u cassandra -p cassandra
Connected to Test Cluster at 127.0.0.1:9042.
[cqlsh 5.0.1 | Cassandra 3.11.9 | CQL spec 3.4.4 | Native protocol v4]
Use HELP for help.
cqlsh$ LIST USERS;
name | super
-----------+-------
cassandra | True
cqlsh$ LIST ALL OF cassandra;
role | username | resource | permission
-----------+-----------+--------------+------------
cassandra | cassandra | role inanzzz | ALTER
cassandra | cassandra | role inanzzz | DROP
cassandra | cassandra | role inanzzz | AUTHORIZE
You can create a new user with the command below. If you want the user to be a superuser, add the SUPERUSER keyword at the end of the query:
cqlsh$ CREATE USER 'inanzzz' WITH PASSWORD '123123';
cqlsh$ LIST USERS;
name | super
-----------+-------
cassandra | True
inanzzz | False
cqlsh$ LIST ALL OF inanzzz;
role | resource | permissions
------+----------+-------------
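You can grant permissions to a user. For this you need to set Cassandra's authorization configuration to authorizer: CassandraAuthorizer. The first command grants inanzzz "read-only" permission on the blog keyspace, and the second grants "full" permissions: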
cqlsh$ GRANT SELECT ON KEYSPACE blog TO inanzzz;
cqlsh$ LIST ALL OF inanzzz;
role | username | resource | permission
---------+----------+---------------+------------
inanzzz | inanzzz | keyspace blog | SELECT
cqlsh$ GRANT ALL ON KEYSPACE blog TO inanzzz;
cqlsh$ LIST ALL OF inanzzz;
role | username | resource | permission
---------+----------+---------------+------------
inanzzz | inanzzz | keyspace blog | CREATE
inanzzz | inanzzz | keyspace blog | ALTER
inanzzz | inanzzz | keyspace blog | DROP
inanzzz | inanzzz | keyspace blog | SELECT
inanzzz | inanzzz | keyspace blog | MODIFY
inanzzz | inanzzz | keyspace blog | AUTHORIZE
Example application
├── docker
│   ├── cassandra.yaml
│   └── docker-compose.yaml
├── internal
│   └── cassandra
│       └── cassandra.go
└── main.go
Files
cassandra.go
package cassandra

import (
	"time"

	"github.com/gocql/gocql"
)

// Config holds the connection settings for a Cassandra cluster.
type Config struct {
	Hosts        []string
	Port         int
	Username     string
	Password     string
	ProtoVersion int
	Consistency  string
	Keyspace     string
	Timeout      time.Duration
}

// New creates a session that authenticates with the given username and password.
func New(config Config) (*gocql.Session, error) {
	cluster := gocql.NewCluster(config.Hosts...)
	cluster.Port = config.Port
	cluster.ProtoVersion = config.ProtoVersion
	cluster.Keyspace = config.Keyspace
	// ParseConsistency panics if the consistency name is not recognised.
	cluster.Consistency = gocql.ParseConsistency(config.Consistency)
	cluster.Timeout = config.Timeout
	// Has no effect while the server runs with AllowAllAuthenticator.
	cluster.Authenticator = gocql.PasswordAuthenticator{
		Username: config.Username,
		Password: config.Password,
	}

	return cluster.CreateSession()
}
main.go
package main

import (
	"fmt"
	"log"
	"time"

	"github.com/you/blog/internal/cassandra"
)

func main() {
	cas, err := cassandra.New(cassandra.Config{
		Hosts:        []string{"127.0.0.1"},
		Port:         9042,
		Username:     "inanzzz",
		Password:     "123123",
		ProtoVersion: 4,
		Consistency:  "Quorum",
		Keyspace:     "blog",
		Timeout:      time.Second * 5,
	})
	if err != nil {
		log.Fatalln(err)
	}
	defer cas.Close()

	fmt.Printf("%+v\n", cas)
}
docker-compose.yaml
version: "3.7"

services:

  blog-cassandra:
    image: "cassandra:3.11.9"
    container_name: "blog-cassandra"
    ports:
      - "9042:9042"
    environment:
      - "MAX_HEAP_SIZE=256M"
      - "HEAP_NEWSIZE=128M"
    volumes:
      - "./cassandra.yaml:/etc/cassandra/cassandra.yaml"
cassandra.yaml
Only the options below were changed; the rest were left as they are:
...
authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer
...
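A pre-deployment check for the two options changed above and for the default login, as an added example that is not part of the original post. The function name auditAuth and the finding strings are hypothetical, the sample inputs are constructed, and the code assumes that a missing option behaves like its AllowAll* value.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// auditAuth returns one finding per weak setting. It reads only top-level
// "key: value" lines of cassandra.yaml (a line scanner, not a YAML parser).
// user/pass are the credentials the application is configured to log in with.
func auditAuth(yamlText, user, pass string) []string {
	// Assumption: an option that is missing behaves like its AllowAll* value.
	opts := map[string]string{
		"authenticator": "AllowAllAuthenticator",
		"authorizer":    "AllowAllAuthorizer",
	}
	sc := bufio.NewScanner(strings.NewReader(yamlText))
	for sc.Scan() {
		line, _, _ := strings.Cut(sc.Text(), "#") // drop trailing comments
		key, val, ok := strings.Cut(line, ":")
		if _, known := opts[key]; ok && known { // key must start at column 0
			opts[key] = strings.Trim(strings.TrimSpace(val), "\"'")
		}
	}
	var findings []string
	// HasSuffix also matches fully qualified class names.
	authOff := strings.HasSuffix(opts["authenticator"], "AllowAllAuthenticator")
	if authOff {
		findings = append(findings, "authenticator: clients connect without credentials")
	}
	if strings.HasSuffix(opts["authorizer"], "AllowAllAuthorizer") {
		findings = append(findings, "authorizer: no permission checks, every user has full access")
	}
	if !authOff && user == "cassandra" && pass == "cassandra" {
		findings = append(findings, "login: application uses the default superuser credentials")
	}
	return findings
}

func main() {
	// Constructed inputs: stock settings, then the two lines this page changes.
	weak := "authenticator: AllowAllAuthenticator\nauthorizer: AllowAllAuthorizer\n"
	fixed := "authenticator: PasswordAuthenticator # enabled\nauthorizer: CassandraAuthorizer\n"
	fmt.Println(auditAuth(weak, "inanzzz", "123123"))
	fmt.Println(auditAuth(fixed, "cassandra", "cassandra"))
	fmt.Println(auditAuth(fixed, "inanzzz", "123123"))
}
```

An empty result means both options are set to enforcing values and the application does not log in with the default account.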