|
| 1 | +Security |
| 2 | +======== |
| 3 | +The two main security components you will use with the |
| 4 | +Python driver are Authentication and SSL. |
| 5 | + |
| 6 | +Authentication |
| 7 | +-------------- |
| 8 | +Versions 2.0 and higher of the driver support a SASL-based |
| 9 | +authentication mechanism when :attr:`~.Cluster.protocol_version` |
| 10 | +is set to 2 or higher. To use this authentication, set |
| 11 | +:attr:`~.Cluster.auth_provider` to an instance of a subclass |
| 12 | +of :class:`~cassandra.auth.AuthProvider`. When working |
| 13 | +with Cassandra's ``PasswordAuthenticator``, you can use |
| 14 | +the :class:`~cassandra.auth.PlainTextAuthProvider` class. |
| 15 | + |
| 16 | +For example, suppose Cassandra is setup with its default |
| 17 | +'cassandra' user with a password of 'cassandra': |
| 18 | + |
| 19 | +.. code-block:: python |
| 20 | +
|
| 21 | + from cassandra.cluster import Cluster |
| 22 | + from cassandra.auth import PlainTextAuthProvider |
| 23 | +
|
| 24 | + auth_provider = PlainTextAuthProvider(username='cassandra', password='cassandra') |
| 25 | + cluster = Cluster(auth_provider=auth_provider, protocol_version=2) |
| 26 | +
|
| 27 | +
|
| 28 | +When working with version 2 or higher of the driver, the protocol |
| 29 | +version is set to 2 by default, but we've included it in the example |
| 30 | +to be explicit. |
| 31 | + |
| 32 | +Custom Authenticators |
| 33 | +^^^^^^^^^^^^^^^^^^^^^ |
| 34 | +If you're using something other than Cassandra's ``PasswordAuthenticator``, |
| 35 | +you may need to create your own subclasses of :class:`~.AuthProvider` and |
| 36 | +:class:`~.Authenticator`. You can use :class:`~.PlainTextAuthProvider` |
| 37 | +and :class:`~.PlainTextAuthenticator` as example implementations. |
| 38 | + |
| 39 | +Protocol v1 Authentication |
| 40 | +^^^^^^^^^^^^^^^^^^^^^^^^^^ |
| 41 | +When working with Cassandra 1.2 (or a higher version with |
| 42 | +:attr:`~.Cluster.protocol_version` set to ``1``), you will not pass in |
| 43 | +an :class:`~.AuthProvider` instance. Instead, you should pass a dict |
| 44 | +of credentials with a ``username`` and ``password`` key: |
| 45 | + |
| 46 | +.. code-block:: python |
| 47 | +
|
| 48 | + from cassandra.cluster import Cluster |
| 49 | +
|
| 50 | + credentials = {'username': 'joe', 'password': '1234'} |
| 51 | + cluster = Cluster(auth_provider=credentials, protocol_version=1) |
| 52 | +
|
| 53 | +SSL |
| 54 | +--- |
| 55 | +To enable SSL you will need to set :attr:`.Cluster.ssl_options` to a |
| 56 | +dict of options. These will be passed as kwargs to ``ssl.wrap_socket()`` |
| 57 | +when new sockets are created. This should be used when client encryption |
| 58 | +is enabled in Cassandra. |
| 59 | + |
| 60 | +By default, a ``ca_certs`` value should be supplied (the value should be |
| 61 | +a string pointing to the location of the CA certs file), and you probably |
| 62 | +want to specify ``ssl_version`` as ``ssl.PROTOCOL_TLSv1`` to match |
| 63 | +Cassandra's default protocol. |
| 64 | + |
| 65 | +For example: |
| 66 | + |
| 67 | +.. code-block:: python |
| 68 | +
|
| 69 | + from cassandra.cluster import Cluster |
| 70 | + from ssl import PROTOCOL_TLSv1 |
| 71 | +
|
| 72 | + ssl_opts = {'ca_certs': '/path/to/my/ca.certs', |
| 73 | + 'ssl_version': PROTOCOL_TLSv1} |
| 74 | + cluster = Cluster(ssl_options=ssl_opts) |
| 75 | +
|
| 76 | +For further reading, Andrew Mussey has published a thorough guide on |
| 77 | +`Using SSL with the DataStax Python driver <http://blog.amussey.com/post/64036730812/cassandra-2-0-client-server-ssl-with-datastax-python>`_. |
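Review bot: The SSL example (lines 72-74) sets only `ca_certs` and `ssl_version`, so as written the server certificate is not validated: the section says the dict is passed as kwargs to `ssl.wrap_socket()`, and that function's `cert_reqs` defaults to `ssl.CERT_NONE`. Suggest adding `'cert_reqs': ssl.CERT_REQUIRED` to `ssl_opts` and a sentence on line 60 saying the CA file is only enforced with it; it is also worth stating that `wrap_socket()` does not check the hostname in the certificate. In the Authentication section, consider noting that `PlainTextAuthProvider` sends the username and password unencrypted unless `ssl_options` is set as well, since the example uses the default 'cassandra' account. Minor: "setup" on line 16 should be "set up".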