[ https://issues.apache.org/jira/browse/CASSANDRA-16456?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17520483#comment-17520483 ]
Stefan Miklosovic edited comment on CASSANDRA-16456 at 4/11/22 10:43 AM: ------------------------------------------------------------------------- Hi [~bhouser], I put more comments into PR. It would be nice if you find some time to take care of them, thanks in advance. Few observations, though. If we are using auth provider in cqlshrc like this: {code:java} [auth_provider] module = cassandra.auth classname = PlainTextAuthProvider [auth_provider_config] username = cassandra password = cassandra {code} and if you also have ~/.cassandra/credentials like this: {code:java} cat ~/.cassandra/credentials [plain_text_auth] username = cassandra password = cassandra {code} that credentials file will take precedence over what is in cqlshrc, which makes sense, but, specifically for PlainTextAuthProvider, if you go with that solution and you leave out username and password from your config, like this: {code:java} $ cat ~/.cassandra/cqlshrc [auth_provider] module = cassandra.auth classname = PlainTextAuthProvider {code} It will error out like this: {code:java} ./bin/cqlsh Traceback (most recent call last): File "/home/smiklosovic/dev/cassandra/cassandra-instaclustr/cassandra/bin/cqlsh.py", line 2386, in <module> main(*read_options(sys.argv[1:], os.environ)) File "/home/smiklosovic/dev/cassandra/cassandra-instaclustr/cassandra/bin/cqlsh.py", line 2355, in main auth_provider=authproviderhandling.load_custom_auth_provider(CONFIG_FILE)) File "/home/smiklosovic/dev/cassandra/cassandra-instaclustr/cassandra/bin/../pylib/cqlshlib/authproviderhandling.py", line 79, in load_custom_auth_provider return auth_provider_klass() TypeError: __init__() missing 2 required positional arguments: 'username' and 'password' {code} I would expect that it will take the username and password from cli, then from ~/.cassandra/credentials then from cqlshrc's username and password (up to now it is done like that) and finally from config properties of auth provider and error out only in case none of these are set. I think the solution is to pass username and password to the method resolving the custom auth and add them into class arguments manually if they are not None. The second observation is, and maybe this is a little bit radical but hear me out here: do we need auth_provider_config? Why it can not be the part of auth_config directly? If we know what module and classname is the stuff we need in order to instantiate it, can not we treat all other parameters as config values for that provider already? I am looking for something simple for the end user. It is easier for him to put everything into auth_provider than to split it into multiple sections. These two sections are inherently related to each other. It would be nice if [~Bowen Song] added his two cents here as he is the author of the credentials resolving from the separate file. was (Author: smiklosovic): Hi [~bhouser], I put more comments into PR. It would be nice if you find some time to take care of them, thanks in advance. Few observations, though. If we are using auth provider in cqlshrc like this: {code:java} [auth_provider] module = cassandra.auth classname = PlainTextAuthProvider [auth_provider_config] username = cassandra password = cassandra {code} and if you also have ~/.cassandra/credentials like this: {code:java} cat ~/.cassandra/credentials [plain_text_auth] username = cassandra password = cassandra {code} that credentials file will take precedence over what is in cqlshrc, which makes sense, but, specifically for PlainTextAuthProvider, if you go with that solution and you leave out username and password from your config, like this: {code:java} $ cat ~/.cassandra/cqlshrc [auth_provider] module = cassandra.auth classname = PlainTextAuthProvider {code} It will error out like this: {code:java} ./bin/cqlsh Traceback (most recent call last): File "/home/smiklosovic/dev/cassandra/cassandra-instaclustr/cassandra/bin/cqlsh.py", line 2386, in <module> main(*read_options(sys.argv[1:], os.environ)) File "/home/smiklosovic/dev/cassandra/cassandra-instaclustr/cassandra/bin/cqlsh.py", line 2355, in main auth_provider=authproviderhandling.load_custom_auth_provider(CONFIG_FILE)) File "/home/smiklosovic/dev/cassandra/cassandra-instaclustr/cassandra/bin/../pylib/cqlshlib/authproviderhandling.py", line 79, in load_custom_auth_provider return auth_provider_klass() TypeError: __init__() missing 2 required positional arguments: 'username' and 'password' {code} I would expect that it will take the username and password from cli, then from ~/.cassandra/credentials then from cqlshrc's username and password (up to now it is done like that) and finally from config properties of auth provider and error out only in case none of these are set. I think the solution is to pass username and password to the method resolving the custom auth and add them into class arguments manually if they are not None. The second observation is, and maybe this is a little bit radical but hear me out here: do we need auth_provider_config? Why it can not be the part of auth_config directly? If we know what module and classname is the stuff we need in order to instantiate it, can not we treat all other parameters as config values for that provider already? I am looking for something simple for the end user. It is easier for him to put everything into auth_provider that to split it into multiple sections. These two sections are inherently related to each other. It would be nice if [~Bowen Song] added his two cents here as he is the author of the credentials resolving from the separate file. > Add Plugin Support for CQLSH > ---------------------------- > > Key: CASSANDRA-16456 > URL: https://issues.apache.org/jira/browse/CASSANDRA-16456 > Project: Cassandra > Issue Type: New Feature > Components: Tool/cqlsh > Reporter: Brian Houser > Assignee: Brian Houser > Priority: Normal > Labels: gsoc2021, mentor > Time Spent: 2h > Remaining Estimate: 0h > > Currently the Cassandra drivers offer a plugin authenticator architecture for > the support of different authentication methods. This has been leveraged to > provide support for LDAP, Kerberos, and Sigv4 authentication. Unfortunately, > cqlsh, the included CLI tool, does not offer such support. Switching to a new > enhanced authentication scheme thus means being cut off from using cqlsh in > normal operation. > We should have a means of using the same plugins and authentication providers > as the Python Cassandra driver. > Here's a link to an initial draft of > [CEP|https://docs.google.com/document/d/1_G-OZCAEmDyuQuAN2wQUYUtZBEJpMkHWnkYELLhqvKc/edit?usp=sharing]. -- This message was sent by Atlassian Jira (v8.20.1#820001) --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org