Posted to user@cassandra.apache.org by onlinespending <on...@gmail.com> on 2013/12/12 04:31:22 UTC

user / password authentication advice

Hi,

I’m using Cassandra in an environment where many users can login to use an application I’m developing. I’m curious if anyone has any advice or links to documentation / blogs where it discusses common implementations or best practices for user and password authentication. My cursory search online didn’t bring much up on the subject. I suppose the information needn’t even be specific to Cassandra.

I imagine a few basic steps will be as follows:

- user types in username (e.g. email address) and password
- this is verified against a table storing username and passwords (encrypted in some way)
- a token is returned to the app / web browser to allow further transactions using secure token (e.g. cookie)

Obviously I’m only scratching the surface and it’s the detail and best practices of implementing this user / password authentication that I’m curious about.

Thank you,
Ben



Re: user / password authentication advice

Posted by Aaron Morton <aa...@thelastpickle.com>.
Not sure if you are asking about the authentication & authorisation in Cassandra or how to implement the same using Cassandra.

Info on the Cassandra authentication and authorisation is here: http://www.datastax.com/documentation/cassandra/2.0/webhelp/index.html#cassandra/security/securityTOC.html

Hope that helps. 

-----------------
Aaron Morton
New Zealand
@aaronmorton

Co-Founder & Principal Consultant
Apache Cassandra Consulting
http://www.thelastpickle.com

On 12/12/2013, at 4:31 pm, onlinespending <on...@gmail.com> wrote:

> Hi,
> 
> I’m using Cassandra in an environment where many users can login to use an application I’m developing. I’m curious if anyone has any advice or links to documentation / blogs where it discusses common implementations or best practices for user and password authentication. My cursory search online didn’t bring much up on the subject. I suppose the information needn’t even be specific to Cassandra.
> 
> I imagine a few basic steps will be as follows:
> 
> user types in username (e.g. email address) and password
> this is verified against a table storing username and passwords (encrypted in some way)
> a token is returned to the app / web browser to allow further transactions using secure token (e.g. cookie)
> 
> Obviously I’m only scratching the surface and it’s the detail and best practices of implementing this user / password authentication that I’m curious about.
> 
> Thank you,
> Ben
> 
> 


Re: user / password authentication advice

Posted by John Sanda <jo...@gmail.com>.
You could use CassandraAuthorizer and PasswordAuthenticator, which ship
with Cassandra. See this article[1] for a good overview.

[1]
http://www.datastax.com/dev/blog/a-quick-tour-of-internal-authentication-and-authorization-security-in-datastax-enterprise-and-apache-cassandra

On Thursday, December 12, 2013, onlinespending wrote:

> OK, thanks for getting me going in the right direction. I imagine most
> people would store password and tokenized authentication information in a
> single table, using the username (e.g. email address) as the key?
>
>
> On Dec 11, 2013, at 10:44 PM, Janne Jalkanen <Janne.Jalkanen@ecyrd.com>
> wrote:
>
>
> Hi!
>
> You're right, this isn't really Cassandra-specific. Most languages/web
> frameworks have their own way of doing user authentication, and then you
> just typically write a plugin that just stores whatever data the system
> needs in Cassandra.
>
> For example, if you're using Java (or Scala or Groovy or anything else
> JVM-based), Apache Shiro is a good way of doing user authentication and
> authorization. http://shiro.apache.org/. Just implement a custom Realm
> for Cassandra and you should be set.
>
> /Janne
>
> On Dec 12, 2013, at 05:31 , onlinespending <onlinespending@gmail.com>
> wrote:
>
> Hi,
>
> I’m using Cassandra in an environment where many users can login to use an
> application I’m developing. I’m curious if anyone has any advice or links
> to documentation / blogs where it discusses common implementations or best
> practices for user and password authentication. My cursory search online
> didn’t bring much up on the subject. I suppose the information needn’t even
> be specific to Cassandra.
>
> I imagine a few basic steps will be as follows:
>
>
>    - user types in username (e.g. email address) and password
>    - this is verified against a table storing username and passwords
>    (encrypted in some way)
>    - a token is returned to the app / web browser to allow further
>    transactions using secure token (e.g. cookie)
>
>
> Obviously I’m only scratching the surface and it’s the detail and best
> practices of implementing this user / password authentication that I’m
> curious about.
>
> Thank you,
> Ben
>
>
>
>
>

-- 

- John

Re: user / password authentication advice

Posted by onlinespending <on...@gmail.com>.
OK, thanks for getting me going in the right direction. I imagine most people would store password and tokenized authentication information in a single table, using the username (e.g. email address) as the key?


On Dec 11, 2013, at 10:44 PM, Janne Jalkanen <Ja...@ecyrd.com> wrote:

> 
> Hi!
> 
> You're right, this isn't really Cassandra-specific. Most languages/web frameworks have their own way of doing user authentication, and then you just typically write a plugin that just stores whatever data the system needs in Cassandra.
> 
> For example, if you're using Java (or Scala or Groovy or anything else JVM-based), Apache Shiro is a good way of doing user authentication and authorization. http://shiro.apache.org/. Just implement a custom Realm for Cassandra and you should be set.
> 
> /Janne
> 
> On Dec 12, 2013, at 05:31 , onlinespending <on...@gmail.com> wrote:
> 
>> Hi,
>> 
>> I’m using Cassandra in an environment where many users can login to use an application I’m developing. I’m curious if anyone has any advice or links to documentation / blogs where it discusses common implementations or best practices for user and password authentication. My cursory search online didn’t bring much up on the subject. I suppose the information needn’t even be specific to Cassandra.
>> 
>> I imagine a few basic steps will be as follows:
>> 
>> user types in username (e.g. email address) and password
>> this is verified against a table storing username and passwords (encrypted in some way)
>> a token is returned to the app / web browser to allow further transactions using secure token (e.g. cookie)
>> 
>> Obviously I’m only scratching the surface and it’s the detail and best practices of implementing this user / password authentication that I’m curious about.
>> 
>> Thank you,
>> Ben
>> 
>> 
> 
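
The login flow listed in the original post, together with the follow-up question about one table keyed by username, as an added example that is not part of the thread. Python dicts stand in for two Cassandra tables because the per-request lookup is by token, not by username; the table names, function names and the PBKDF2 iteration count are assumptions of this example.

```python
import hashlib, hmac, secrets, time

# Constructed stand-ins for two Cassandra tables (names are assumptions):
#   users(email PRIMARY KEY, salt, pw_hash)
#   sessions(token_hash PRIMARY KEY, email, expires_at)  -- in CQL, insert USING TTL
USERS, SESSIONS = {}, {}
PBKDF2_ROUNDS = 600_000   # assumption: work factor chosen for this example
SESSION_TTL = 3600        # seconds

def _pw_hash(password, salt):
    # Slow, salted one-way hash; the password is never stored or encrypted reversibly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def _token_key(token):
    # The token is already high-entropy, so a plain fast hash is enough here.
    return hashlib.sha256(token.encode()).hexdigest()

def register(email, password):
    salt = secrets.token_bytes(16)            # unique per user
    USERS[email.lower()] = (salt, _pw_hash(password, salt))

def login(email, password, now=None):
    """Return a fresh session token, or None on any failure."""
    now = time.time() if now is None else now
    row = USERS.get(email.lower())
    # Hash even for unknown users so both failure paths cost about the same.
    salt, stored = row if row else (b"\0" * 16, b"")
    candidate = _pw_hash(password, salt)
    if row is None or not hmac.compare_digest(candidate, stored):
        return None
    token = secrets.token_urlsafe(32)         # goes to the client, e.g. in a cookie
    # Only the token's hash is stored: a leaked sessions table yields no usable cookies.
    SESSIONS[_token_key(token)] = (email.lower(), now + SESSION_TTL)
    return token

def authenticate(token, now=None):
    """Map a presented token to its user, or None if unknown or expired."""
    now = time.time() if now is None else now
    row = SESSIONS.get(_token_key(token))
    if row is None or row[1] <= now:
        return None
    return row[0]

def logout(token):
    SESSIONS.pop(_token_key(token), None)
```
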


Re: user / password authentication advice

Posted by Janne Jalkanen <Ja...@ecyrd.com>.
Hi!

You're right, this isn't really Cassandra-specific. Most languages/web frameworks have their own way of doing user authentication, and then you just typically write a plugin that just stores whatever data the system needs in Cassandra.

For example, if you're using Java (or Scala or Groovy or anything else JVM-based), Apache Shiro is a good way of doing user authentication and authorization. http://shiro.apache.org/. Just implement a custom Realm for Cassandra and you should be set.

/Janne

On Dec 12, 2013, at 05:31 , onlinespending <on...@gmail.com> wrote:

> Hi,
> 
> I’m using Cassandra in an environment where many users can login to use an application I’m developing. I’m curious if anyone has any advice or links to documentation / blogs where it discusses common implementations or best practices for user and password authentication. My cursory search online didn’t bring much up on the subject. I suppose the information needn’t even be specific to Cassandra.
> 
> I imagine a few basic steps will be as follows:
> 
> user types in username (e.g. email address) and password
> this is verified against a table storing username and passwords (encrypted in some way)
> a token is returned to the app / web browser to allow further transactions using secure token (e.g. cookie)
> 
> Obviously I’m only scratching the surface and it’s the detail and best practices of implementing this user / password authentication that I’m curious about.
> 
> Thank you,
> Ben
> 
>