This tutorial shows you how to set up a Riak Java client to authenticate itself when connecting to Riak.
If you are using trust- or PAM-based authentication, you can use the security setup described below. Certificate-based authentication is not yet supported in the Java client.
This tutorial does not cover certificate generation. It assumes that all
necessary certificates have already been created and are stored in a directory
/ssl_dir. This directory name is used only for example purposes.
Java Client Basics
When connecting to Riak using a Java-based client, you typically do so
by instantiating separate
RiakNode objects for each node in your
RiakCluster object registering those
and finally a
RiakClient object that registers the general cluster
configuration. In this document, we will be working with only one node.
If you are using Riak security, all connecting clients should have
access to the same Certificate Authority (CA) used on the server side,
regardless of which security source you
choose. All clients should also provide a username, regardless of
security source. The example below sets up a single node object (we’ll
simply call it
node) that connects to Riak on
localhost and on port
8087 and specifies
riakuser as a username. That object will be used to
create a cluster object (we’ll call it
cluster), which will in turn be
used to create a
client object. The setup below does not specify a CA:
import com.basho.riak.client.api.RiakClient; import com.basho.riak.client.api.RiakCluster; import com.basho.riak.client.api.RiakNode; RiakNode node = new RiakNode.Builder() .withRemoteAddress("127.0.0.1") .withRemotePort(8087) // This will specify a username but no password or keystore: .withAuth("riakuser", null, null) .build(); RiakCluster cluster = new RiakCluster.Builder(node) .build(); RiakClient client = new RiakClient(cluster);
This client object is not currently set up to use any of the available security sources. This will change in the sections below.
To enable our client to use password-based auth, we can use most of the
setup from the example above, with the exception that we will specify a
password for the client in the
withAuth method in the
constructor rather than leaving it as
null. We will also pass a
KeyStore object into that method.
import java.io.FileInputStream; import java.io.InputStream; import java.security.KeyStore; import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; // Generate an InputStream from the CA cert InputStream inputStream = new InputStream("/ssl_dir/cacertfile.pem"); // Generate an X509Certificate from the InputStream and close the stream CertificateFactory certFactory = CertificateFactory.getInstance("X.509"); X509Certificate caCert = (X509Certificate) certFactory.generateCertificate(inputStream); inputStream.close(); // Generate a KeyStore object KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); ks.load(null, "password".toCharArray()); ks.setCertificateEntry("cacert", caCert); RiakNode node = new RiakNode.Builder() .withRemoteAddress("127.0.0.1") .withRemotePort(8087) .withAuth("riakuser", "rosebud", ks) .build(); // Construct the cluster and client object in the same fashion as above
PAM- and Trust-based Authentication
If you are using PAM- or trust-based authentication, the only difference from password-based authentication is that you do not need to specify a password.
Certificate-based authentication is not currently supported in the official Riak Java client.