Authentication is activated in Reaper by default. It relies on Apache Shiro, which allows to store users and password in files, databases or connect through LDAP and Active Directory out of the box. The default authentication uses the dummy username and password as found in the default shiro.ini. It is expected you override this in a production environment.

This default Shiro authentication configuration is referenced via the following block in the Reaper yaml file :

  sessionTimeout: PT10M
    iniConfigs: ["classpath:shiro.ini"]

Default settings

As of Reaper 1.4.0, authentication is enabled by default and credentials are:

  • Username: admin
  • Password: admin

With clear passwords

Copy the default shiro.ini file and adapt it overriding the “users” section :

user1 = password1
user2 = password2

If you use a container, make sure you set the environment variable REAPER_SHIRO_INI to a valid path inside the container otherwise your custom shiro.ini will not be used.

With encrypted passwords

Based on Shiro’s document on Encrypting passwords :

authc = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
authc.loginUrl = /webui/login.html
sha256Matcher = org.apache.shiro.authc.credential.Sha256CredentialsMatcher
iniRealm.credentialsMatcher = $sha256Matcher
filterChainResolver.globalFilters = null

john = 807A09440428C0A8AEF58BD3ECE32938B0D76E638119E47619756F5C2C20FF3A

To generate a password, you case use for example :

  • From the command line :
echo -n "Hello World" | shasum -a 256
echo -n "Hello World" | sha256sum
  • Or some language of your choice (like Python here) :
import hashlib
hash_object = hashlib.sha256(b'Hello World')
hex_dig = hash_object.hexdigest()

With LDAP accounts

Based on Shiro’s LDAP realm usage.

An example configuration for LDAP authentication exists (commented out) in the default shiro.ini :

# Example LDAP realm, see
ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
ldapRealm.userDnTemplate = uid={0},ou=users,dc=cassandra-reaper,dc=io
ldapRealm.contextFactory.url = ldap://ldapHost:389
;ldapRealm.contextFactory.authenticationMechanism = DIGEST-MD5
;ldapRealm.contextFactory.systemUsername = cn=Manager, dc=example, dc=com
;ldapRealm.contextFactory.systemPassword = secret
;ldapRealm.contextFactory.environment[] = ldap_password

Accessing Reaper via the command line spreaper

In order to interact with Reaper through spreaper when Shiro authentication is activated, you will first need to login as follows:

$ ./spreaper login admin
Password: *****
# Logging in...
You are now authenticated to Reaper.
# JWT saved

The JWT will be saved in ~/.reaper/jwt and automatically used by Reaper for any other call. Pre-existing tokens can be passed to spreaper using --jwt <token> with any call.

Accessing Reaper via the REST API

The RESTful endpoints to Reaper can also be authenticated using JWT (Java Web Token).

A token can be generated from the /jwt url by passing the Session ID cookie retrieved from the /login endpoint. Logging in through /login is described in the REST Api page.