Search code examples
authenticationvisual-c++thriftsaslcyrus

Thrift sasl with username/password authentication for C++


I've been trying to add security to my project which uses Apache Thrift. In C#, there is a class TSASLClientTransport which accepts the parameters TSocket, username and password. Similarly I need a cpp class so that I can implement the same in C++.

I came across this task https://issues.apache.org/jira/browse/THRIFT-1667, which is still in Open state. There's a patch available in this task though. Using this patch I imported the TsaslTransport class, but I don't find a way to provide username/password here. If possible can anyone share any examples on this.

Or is there a way to provide simple username/password authentication in thrift using C++?

Can Cyrus-SASL be used here?

Any help is greatly appreciated.


Solution

  • After some investigation I found out a working solution. I’ve used cyrus-sasl project along with the patch from Apache THRIFT.

    First create a TTransport with a hive service running in a secure cluster.

    boost::shared_ptr<TTransport> socket(new TSocket("hive_host", hive_port));
    boost::shared_ptr<TTransport> transport(new TBufferedTransport(socket));
    

    Create array of Callbacks to get the username from &simple and password from &getsecret in client.

      static sasl_callback_t callbacks[] ={
               {
                SASL_CB_USER, (sasl_callback_ft)&simple, NULL 
               }, {
                SASL_CB_AUTHNAME, (sasl_callback_ft)&simple, NULL 
               }, {
                SASL_CB_PASS, (sasl_callback_ft)&getsecret, NULL
               }, {
                SASL_CB_LIST_END, NULL, NULL
               }
    };
    

    Use libSaslClient from saslimpl.cpp to choose the mechanism and service. This initializes the client. And use this client in TSaslTransport to open a connection and communicate with the server.

    map<string, string> props; 
    sasl::libSaslClient libSaslClient("PLAIN", "", "ldap", "host", props, callbacks);
    boost::shared_ptr<TSaslTransport> tsaslTransport(new TSaslTransport(&libSaslClient, transport));
    tsaslTransport->open();
    tsaslTransport->close();
    

    On successful open you will be able to communicate with a secure cluster given the right username and password.