instaclustr / cassandra-ldap

LDAP Authenticator for Apache Cassandra
Apache License 2.0

Cassandra role is automatically created on first login of Active Directory user #18

Closed tadaspe closed 2 years ago

tadaspe commented 2 years ago

Please answer these questions before submitting your issue. Thanks!

What version of Cassandra are you using?

4.0.1-1

What version of Cassandra LDAP are you using?

4.0.0-1.0.0-1

What LDAP server are you using? Any specifics?

Windows Server

What did you do?

Trying to log in with an Active Directory login which does not have a Cassandra role. Current roles:

cassandra@cqlsh> list roles;

 role                                                        | super | login | options | datacenters
-------------------------------------------------------------+-------+-------+---------+-------------
 CN=<removed>,OU=Service Accounts,OU=Admin,DC=<removed>,DC=net |  True |  True |        {} |         ALL
                                                   cassandra |  True |  True |        {} |         ALL

(2 rows)
cassandra@cqlsh>

Then, after the first login of AD user D000505:

[root]# cqlsh -u D000505 Password:

the role for D000505 is created:

cassandra@cqlsh> list roles;

 role                                                        | super | login | options | datacenters
-------------------------------------------------------------+-------+-------+---------+-------------
 CN=<removed>,OU=Service Accounts,OU=Admin,DC=<removed>,DC=net |  True |  True |        {} |         ALL
 CN=D000505,OU=Service Accounts,OU=Admin,DC=<removed>,DC=net | False |  True |        {} |         ALL
                                                   cassandra |  True |  True |        {} |         ALL

(3 rows)
cassandra@cqlsh>

What did you expect to see?

Expected the login to fail and the role not to be created.

What did you see instead?

A Cassandra role is created for this Active Directory login.

If you are having connectivity-related issues, please share the following additional information.

Describe your Cassandra cluster

Please provide the following information:

(0 rows)

CREATE KEYSPACE system_auth WITH replication = {'class': 'SimpleStrategy', 'replication_factor': '1'} AND durable_writes = true;

CREATE TABLE system_auth.network_permissions ( role text PRIMARY KEY, dcs frozen<set> ) WITH additional_write_policy = '99p' AND bloom_filter_fp_chance = 0.01 AND caching = {'keys': 'ALL', 'rows_per_partition': 'NONE'} AND cdc = false AND comment = 'user network permissions' AND compaction = {'class': 'org.apache.cassandra.db.compaction.SizeTieredCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'} AND compression = {'chunk_length_in_kb': '16', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'} AND crc_check_chance = 1.0 AND default_time_to_live = 0 AND extensions = {} AND gc_grace_seconds = 7776000 AND max_index_interval = 2048 AND memtable_flush_period_in_ms = 0 AND min_index_interval = 128 AND read_repair = 'BLOCKING' AND speculative_retry = '99p';

CREATE TABLE system_auth.resource_role_permissons_index ( resource text, role text, PRIMARY KEY (resource, role) ) WITH CLUSTERING ORDER BY (role ASC) AND additional_write_policy = '99p' AND bloom_filter_fp_chance = 0.01 AND caching = {'keys': 'ALL', 'rows_per_partition': 'NONE'} AND cdc = false AND comment = 'index of db roles with permissions granted on a resource' AND compaction = {'class': 'org.apache.cassandra.db.compaction.SizeTieredCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'} AND compression = {'chunk_length_in_kb': '16', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'} AND crc_check_chance = 1.0 AND default_time_to_live = 0 AND extensions = {} AND gc_grace_seconds = 7776000 AND max_index_interval = 2048 AND memtable_flush_period_in_ms = 0 AND min_index_interval = 128 AND read_repair = 'BLOCKING' AND speculative_retry = '99p';

CREATE TABLE system_auth.role_members ( role text, member text, PRIMARY KEY (role, member) ) WITH CLUSTERING ORDER BY (member ASC) AND additional_write_policy = '99p' AND bloom_filter_fp_chance = 0.01 AND caching = {'keys': 'ALL', 'rows_per_partition': 'NONE'} AND cdc = false AND comment = 'role memberships lookup table' AND compaction = {'class': 'org.apache.cassandra.db.compaction.SizeTieredCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'} AND compression = {'chunk_length_in_kb': '16', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'} AND crc_check_chance = 1.0 AND default_time_to_live = 0 AND extensions = {} AND gc_grace_seconds = 7776000 AND max_index_interval = 2048 AND memtable_flush_period_in_ms = 0 AND min_index_interval = 128 AND read_repair = 'BLOCKING' AND speculative_retry = '99p';

CREATE TABLE system_auth.role_permissions ( role text, resource text, permissions set, PRIMARY KEY (role, resource) ) WITH CLUSTERING ORDER BY (resource ASC) AND additional_write_policy = '99p' AND bloom_filter_fp_chance = 0.01 AND caching = {'keys': 'ALL', 'rows_per_partition': 'NONE'} AND cdc = false AND comment = 'permissions granted to db roles' AND compaction = {'class': 'org.apache.cassandra.db.compaction.SizeTieredCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'} AND compression = {'chunk_length_in_kb': '16', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'} AND crc_check_chance = 1.0 AND default_time_to_live = 0 AND extensions = {} AND gc_grace_seconds = 7776000 AND max_index_interval = 2048 AND memtable_flush_period_in_ms = 0 AND min_index_interval = 128 AND read_repair = 'BLOCKING' AND speculative_retry = '99p';

CREATE TABLE system_auth.roles ( role text PRIMARY KEY, can_login boolean, is_superuser boolean, salted_hash text, member_of set ) WITH additional_write_policy = '99p' AND bloom_filter_fp_chance = 0.01 AND caching = {'keys': 'ALL', 'rows_per_partition': 'NONE'} AND cdc = false AND comment = 'role definitions' AND compaction = {'class': 'org.apache.cassandra.db.compaction.SizeTieredCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'} AND compression = {'chunk_length_in_kb': '16', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'} AND crc_check_chance = 1.0 AND default_time_to_live = 0 AND extensions = {} AND gc_grace_seconds = 7776000 AND max_index_interval = 2048 AND memtable_flush_period_in_ms = 0 AND min_index_interval = 128 AND read_repair = 'BLOCKING' AND speculative_retry = '99p'; cassandra@cqlsh>

smiklosovic commented 2 years ago

Hi @tadaspe ,

could you elaborate on this?

"Trying to log in with an Active Directory login which does not have a Cassandra role."

I don't get it.

Thanks

tadaspe commented 2 years ago

Hi @smiklosovic, the example is under "What did you do?". When I list roles (users) with: list roles;

there is no role for Active Directory user D000505. After the first login "cqlsh -u D000505", I run "list roles" again and this role is now created.

But it was done automatically; I did not execute "create role 'CN=D000505,OU=Service Accounts,OU=Admin,DC=,DC=net' with login=true;".

When trying to log in with a non-existing login that is not an Active Directory user, I get this message:

[root]# cqlsh -u non_existing_user Password: Connection error: ('Unable to connect to any servers', {':9042': AuthenticationFailed('Failed to authenticate to :9042: Error from server: code=0100 [Bad credentials] message="Could not authenticate: com.instaclustr.cassandra.ldap.exception.LDAPAuthFailedException: Not possible to login non_existing_user"',)})

Why then is it not the same for an Active Directory login? I think the login should fail, not succeed. The role (user) should not be created in Cassandra.

Hope it is clear now.

Kind Regards, Tadas

smiklosovic commented 2 years ago

Hi @tadaspe ,

believe it or not, this is expected and correct behaviour. The role will get created automatically in Cassandra when you log in via LDAP successfully.

tadaspe commented 2 years ago

Hi @smiklosovic, do you know of, or have any reference on, why it is done this way? Thanks!

smiklosovic commented 2 years ago

Because the role under which you are doing operations in Cassandra has to exist; it cannot live "out of the box".
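The behaviour described in the two replies above (a role appears in Cassandra the first time an LDAP user authenticates successfully) means that the set of Cassandra roles now changes without anyone running CREATE ROLE. A defender will want a way to notice that. The script below is an added example for this thread, not part of cassandra-ldap or Cassandra: it parses the tabular text that cqlsh prints for `list roles` (exactly the listings pasted earlier in the issue, reused here as constructed sample input with the author's `<removed>` placeholders kept as-is), diffs two snapshots to show which roles appeared between them, classifies DN-shaped names as directory-derived, and flags any directory-derived role that is a superuser. The function names, the `Role` dataclass and the assumption that a directory-derived role name starts with `CN=` or `UID=` are all mine.

```python
"""Audit helper for auto-created LDAP roles in Cassandra `list roles` output.

Added example for the cassandra-ldap issue thread; not project code.
It parses cqlsh's tabular `list roles` output, diffs two snapshots and
flags directory-derived (DN-shaped) roles, especially superusers.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: the two listings pasted in the issue, with the
# reporter's "<removed>" placeholders left exactly as they appear there.
BEFORE = """\
 role                                                        | super | login | options | datacenters
-------------------------------------------------------------+-------+-------+---------+-------------
 CN=<removed>,OU=Service Accounts,OU=Admin,DC=<removed>,DC=net |  True |  True |        {} |         ALL
                                                    cassandra |  True |  True |        {} |         ALL

(2 rows)
"""

AFTER = """\
 role                                                        | super | login | options | datacenters
-------------------------------------------------------------+-------+-------+---------+-------------
 CN=<removed>,OU=Service Accounts,OU=Admin,DC=<removed>,DC=net |  True |  True |        {} |         ALL
 CN=D000505,OU=Service Accounts,OU=Admin,DC=<removed>,DC=net | False |  True |        {} |         ALL
                                                    cassandra |  True |  True |        {} |         ALL

(3 rows)
"""


@dataclass(frozen=True)
class Role:
    name: str
    superuser: bool
    login: bool


_ROW_COUNT = re.compile(r"^\(\d+ rows?\)$")
# Assumption: directory-backed roles are named by their DN, whose first RDN
# is CN= (Active Directory, as in the thread) or UID= (common elsewhere).
_DN_PREFIX = re.compile(r"^(CN|UID)=", re.IGNORECASE)


def parse_list_roles(text: str) -> dict[str, Role]:
    """Turn cqlsh `list roles` table text into {role name: Role}."""
    roles: dict[str, Role] = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines, the dashed separator and the "(N rows)" footer.
        if not line or line.startswith("-") or _ROW_COUNT.match(line):
            continue
        # DNs contain commas but never '|', so splitting on '|' is safe.
        cells = [c.strip() for c in line.split("|")]
        if cells[0] == "role":  # header row
            continue
        name, superuser, login = cells[0], cells[1], cells[2]
        roles[name] = Role(name, superuser == "True", login == "True")
    return roles


def is_directory_dn(name: str) -> bool:
    """True if the role name looks like an LDAP DN (auto-created on login)."""
    return bool(_DN_PREFIX.match(name))


def new_roles(before: dict[str, Role], after: dict[str, Role]) -> list[Role]:
    """Roles present in the later snapshot but absent from the earlier one."""
    return [after[name] for name in after if name not in before]


def audit(before_text: str, after_text: str) -> list[str]:
    """Report roles that appeared between snapshots and directory superusers."""
    before = parse_list_roles(before_text)
    after = parse_list_roles(after_text)
    findings = []
    for role in new_roles(before, after):
        kind = "auto-created LDAP" if is_directory_dn(role.name) else "local"
        findings.append(
            f"NEW {kind} role: {role.name} "
            f"(super={role.superuser}, login={role.login})"
        )
    for role in after.values():
        if is_directory_dn(role.name) and role.superuser:
            findings.append(f"SUPERUSER directory role: {role.name}")
    return findings


if __name__ == "__main__":
    for finding in audit(BEFORE, AFTER):
        print(finding)
```

Run against the thread's two listings, the diff reports exactly one new role, the DN for D000505 with super=False and login=True, which is the auto-creation the reporter observed; the second finding points at the pre-existing directory-derived service-account role that carries super=True, which is the kind of entry worth reviewing periodically once roles can appear without an explicit CREATE ROLE. Taking a `list roles` snapshot on a schedule and diffing it this way is a cheap way to see who has been granted a Cassandra identity via LDAP.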

nguyenthai0107 commented 1 year ago

Hello @tadaspe, I face exactly the same issue:

Connection error: ('Unable to connect to any servers', {':9042': AuthenticationFailed('Failed to authenticate to :9042: Error from server: code=0100 [Bad credentials] message="Could not authenticate: com.instaclustr.cassandra.ldap.exception.LDAPAuthFailedException: Not possible to login non_existing_user"',)})

Could you please help me to resolve it? Thank you. Regards.