Thrift sasl with username/password authentication for C++

Question

I've been trying to add security to my project which uses Apache Thrift. In C#, there is a class TSASLClientTransport which accepts the parameters TSocket, username and password. Similarly I need a cpp class so that I can implement the same in C++.

I came across this task https://issues.apache.org/jira/browse/THRIFT-1667, which is still in Open state. There's a patch available in this task though. Using this patch I imported the TsaslTransport class, but I don't find a way to provide username/password here. If possible can anyone share any examples on this.

Or is there a way to provide simple username/password authentication in thrift using C++?

Can Cyrus-SASL be used here?

Any help is greatly appreciated.

Answer 1

After some investigation I found out a working solution. I’ve used cyrus-sasl project along with the patch from Apache THRIFT.

First create a TTransport with a hive service running in a secure cluster.

boost::shared_ptr<TTransport> socket(new TSocket("hive_host", hive_port));
boost::shared_ptr<TTransport> transport(new TBufferedTransport(socket));

Create array of Callbacks to get the username from &simple and password from &getsecret in client.

  static sasl_callback_t callbacks[] ={
           {
            SASL_CB_USER, (sasl_callback_ft)&simple, NULL 
           }, {
            SASL_CB_AUTHNAME, (sasl_callback_ft)&simple, NULL 
           }, {
            SASL_CB_PASS, (sasl_callback_ft)&getsecret, NULL
           }, {
            SASL_CB_LIST_END, NULL, NULL
           }
};

Use libSaslClient from saslimpl.cpp to choose the mechanism and service. This initializes the client. And use this client in TSaslTransport to open a connection and communicate with the server.

map<string, string> props; 
sasl::libSaslClient libSaslClient("PLAIN", "", "ldap", "host", props, callbacks);
boost::shared_ptr<TSaslTransport> tsaslTransport(new TSaslTransport(&libSaslClient, transport));
tsaslTransport->open();
tsaslTransport->close();

On successful open you will be able to communicate with a secure cluster given the right username and password.