apache / cassandra-gocql-driver

GoCQL Driver for Apache Cassandra®
https://cassandra.apache.org/
Apache License 2.0

Authentication failed with Datastax Cassandra and LDAP+internal dual authentication #1603

Open sujanks opened 2 years ago

sujanks commented 2 years ago

Please answer these questions before submitting your issue. Thanks!

What version of Cassandra are you using?

Datastax 6.8.9 with Cassandra 3.11

What version of Gocql are you using?

v0.0.0-20220224095938-0eacd3183625

What version of Go are you using?

1.15

What did you do?

Doing a simple connection, as shown below. What I observed is that in Datastax Cassandra, when the LDAP and internal dual authentication scheme is on and the default scheme is LDAP, a failed LDAP authentication doesn't fall back to internal authentication even though the user is valid, therefore login fails.

However, if I disable LDAP, I'm able to connect with the same user using the internal authentication scheme.

So my expectation is that if LDAP auth fails, the internal scheme should be forced for authentication.

package main

import "github.com/gocql/gocql"

func main() {
	cluster := gocql.NewCluster("localhost")
	cluster.Authenticator = gocql.PasswordAuthenticator{
		Username: "cassandra",
		Password: "cassandra",
	}
	cluster.Consistency = gocql.LocalQuorum
	session, err := cluster.CreateSession() // the login error is returned here
	if err != nil {
		panic(err)
	}
	defer session.Close()
}

What did you expect to see?

Successful login

What did you see instead?

gocql: unable to create session control: unable to connect to initial hosts: Failed to login. Please re-try.

If you are having connectivity related issues please share the following additional information

Describe your Cassandra cluster

please provide the following information

Zariel commented 2 years ago

What is the error returned?


sujanks commented 2 years ago

@Zariel

Thanks for looking into it.

A bit of a typo in my comment above; it should be "...it does not...":

"If the default scheme is ldap and authentication failed, it does not fall to internal authentication even the user is valid, therefore login fails."

The error is as below

gocql: unable to create session control: unable to connect to initial hosts: Failed to login. Please re-try.

Thanks

martin-sucha commented 2 years ago

It seems that the "Failed to login. Please re-try" part of the error comes from the server. Is there anything related in the server logs? Does the login work with another client (like cqlsh)?

If you want to debug from gocql's point of view, you could try copying the PasswordAuthenticator and adding logging there. Also, one thing that could theoretically help is if the authenticator responded to the challenge multiple times (i.e., returned a non-nil second value from Challenge()) in case the server challenges the client multiple times in this scenario, for example:

package main

import (
    "fmt"
    "log"

    "github.com/gocql/gocql"
)

type MyPasswordAuthenticator struct {
    Username              string
    Password              string
    AllowedAuthenticators []string
}

// approve reports whether the server's authenticator class name is on the allow-list.
// It stands in for gocql's unexported helper and has no default list: an empty
// AllowedAuthenticators rejects every challenge.
func approve(authenticator string, allowed []string) bool {
    for _, a := range allowed {
        if a == authenticator {
            return true
        }
    }
    return false
}

func (p MyPasswordAuthenticator) Challenge(req []byte) ([]byte, gocql.Authenticator, error) {
    log.Printf("auth: received challenge: %q", string(req))
    if !approve(string(req), p.AllowedAuthenticators) {
        return nil, nil, fmt.Errorf("unexpected authenticator %q", req)
    }
    // SASL PLAIN token: NUL username NUL password
    resp := make([]byte, 2+len(p.Username)+len(p.Password))
    resp[0] = 0
    copy(resp[1:], p.Username)
    resp[len(p.Username)+1] = 0
    copy(resp[2+len(p.Username):], p.Password)
    log.Printf("auth: sending username+password")
    // returning p as the next authenticator lets it answer a further challenge
    return resp, p, nil
}

func (p MyPasswordAuthenticator) Success(data []byte) error {
    log.Printf("auth: success")
    return nil
}

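
The multi-round exchange martin-sucha describes, as an added example that is not part of this thread or of the gocql driver: a PLAIN-token authenticator that keeps answering challenges, a server-side decoder of the token, and a toy server that falls through from one authenticator backend to the next (a model of the fallback the reporter expected, not DSE's actual logic). The local Authenticator interface, the class names and the backends map are assumptions.

```go
package main

import (
	"bytes"
	"errors"
)

// Authenticator is the Challenge half of gocql's interface, declared locally (assumption) so the example runs without the driver.
type Authenticator interface {
	Challenge(req []byte) ([]byte, Authenticator, error)
}
// PlainAuthenticator answers with a SASL PLAIN token and hands itself back as the next authenticator, so a second challenge is answered rather than refused.
type PlainAuthenticator struct {
	Username, Password string
	Allowed            map[string]bool // server authenticator class names we agree to answer
}

func (p PlainAuthenticator) Challenge(req []byte) ([]byte, Authenticator, error) {
	if !p.Allowed[string(req)] {
		return nil, nil, errors.New("unexpected authenticator " + string(req))
	}
	tok := append([]byte{0}, p.Username...) // PLAIN token: NUL user NUL password
	return append(append(tok, 0), p.Password...), p, nil
}

// ParsePlain decodes the token on the server side (constructed for the demo, not DSE code).
func ParsePlain(tok []byte) (user, pass string, err error) {
	parts := bytes.Split(tok, []byte{0})
	if len(parts) != 3 || len(parts[0]) != 0 {
		return "", "", errors.New("malformed PLAIN token")
	}
	return string(parts[1]), string(parts[2]), nil
}

// RunHandshake is a toy server: it challenges with each backend class in order and falls through to the next when the current one rejects the user (backends: class -> user -> password).
func RunHandshake(a Authenticator, order []string, backends map[string]map[string]string) (int, error) {
	for i, class := range order {
		resp, next, err := a.Challenge([]byte(class))
		if err != nil {
			return i, err
		}
		if u, pw, perr := ParsePlain(resp); perr == nil && pw != "" && backends[class][u] == pw {
			return i + 1, nil // rounds taken, login accepted
		}
		if a = next; a == nil { // client declined another round: this is where login fails
			return i + 1, errors.New("Failed to login. Please re-try.")
		}
	}
	return len(order), errors.New("Failed to login. Please re-try.")
}
```

With the internal user from the report, the first (LDAP) round rejects and the second (internal) round accepts; removing PasswordAuthenticator from Allowed makes the second challenge fail with "unexpected authenticator", which is the allow-list behaviour the last comment in the thread is asking to extend.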
MiloSram commented 2 years ago

Hi, similar problem trying to connect to IBM Cloud DataStax Cassandra (credentials and certs working from Python [cqlsh 6.8.0 | DSE 6.8.15 | CQL spec 3.4.5 | DSE protocol v2]), but from a Go app I get:

gocql: unable to create session: unable to discover protocol version: gocql: unsupported protocol response version: 72

Any hints? Thanks.

martin-sucha commented 2 years ago

@MiloSram that error message seems unrelated. Could you please open a separate issue?

vladimirovichsa commented 6 months ago

We are facing a similar problem. It would be nice if you added org.apache.cassandra.auth.LDAPAuthenticator to the approved list, by analogy with https://github.com/gocql/gocql/pull/1711.