@dkropachev (Collaborator) commented Feb 2, 2026

Summary

  • Replace the unmaintained pure-sasl dependency with an internal SASL client implementation
  • Add comprehensive unit tests for the new SASL module
  • Update documentation to remove references to pure-sasl

Fixes #666

Background

The pure-sasl package has been unmaintained since 2019. While it currently works, depending on an unmaintained library poses risks for future Python version compatibility and security issues.

Changes

  • New cassandra/sasl.py module: Internal SASL client implementation based on pure-sasl (MIT licensed) with full support for:

    • PLAIN mechanism for username/password authentication
    • GSSAPI mechanism for Kerberos authentication with QOP negotiation
    • Platform-aware kerberos library selection (kerberos on Unix, winkerberos on Windows)
  • Updated cassandra/auth.py:

    • Import SASLClient from internal module instead of puresasl
    • Remove _have_puresasl checks (SASL is now always available)
    • Update docstrings to reference cassandra.sasl.QOP instead of puresasl.QOP
  • Updated pyproject.toml: Removed pure-sasl from dev dependencies

  • Updated docs/security.rst: Removed references to pure-sasl package

  • Updated tests:

    • Removed pure-sasl skip check from integration tests
    • Added comprehensive unit tests for the new SASL implementation

Test plan

  • Unit tests pass: pytest tests/unit/test_auth.py -v
  • Integration tests with authentication enabled
  • Verify GSSAPI mechanism works with Kerberos environment
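
The two mechanisms listed under Changes, sketched as an added example that is not code from this pull request or from `cassandra/sasl.py`: the SASL PLAIN initial response (RFC 4616) and the client side of GSSAPI security-layer (QOP) negotiation (RFC 4752), failing closed when the server does not offer a layer the caller accepts. All function and constant names are hypothetical, and the tokens used to exercise it are constructed.

```python
# Added illustration; all names here are hypothetical, not cassandra.sasl's API.
QOP_AUTH, QOP_AUTH_INT, QOP_AUTH_CONF = 1, 2, 4  # RFC 4752 security-layer bits


class QOPError(Exception):
    """Raised when no acceptable security layer can be agreed."""


def plain_initial_response(username, password, authzid=""):
    # RFC 4616: [authzid] NUL authcid NUL passwd. NUL is the field separator,
    # so a NUL inside any field would shift the field boundaries.
    for field in (authzid, username, password):
        if "\x00" in field:
            raise ValueError("NUL byte not allowed in SASL PLAIN fields")
    if not username or not password:
        raise ValueError("username and password are required")
    return "\x00".join((authzid, username, password)).encode("utf-8")


def parse_server_offer(token):
    # Unwrapped server token: 1 octet bitmask of offered layers,
    # then 3 octets (big-endian) maximum buffer size the server accepts.
    if len(token) != 4:
        raise QOPError("security-layer token must be exactly 4 octets")
    offered = {q for q in (QOP_AUTH, QOP_AUTH_INT, QOP_AUTH_CONF) if token[0] & q}
    if not offered:
        raise QOPError("server offered no known security layer")
    return offered, int.from_bytes(token[1:], "big")


def build_client_reply(token, acceptable, authzid="", client_max=0xFFFF):
    offered, server_max = parse_server_offer(token)
    common = offered & set(acceptable)
    if not common:
        # Fail closed: never fall back to a weaker layer than the caller allows.
        raise QOPError("no mutually acceptable QOP")
    qop = max(common)  # strongest mutual layer: conf > int > auth
    if qop != QOP_AUTH and server_max == 0:
        raise QOPError("server offered a layer but a zero buffer size")
    size = 0 if qop == QOP_AUTH else client_max  # must be 0 without a layer
    return bytes([qop]) + size.to_bytes(3, "big") + authzid.encode("utf-8")
```

A caller that requires integrity or confidentiality passes only those values in `acceptable`, so a server offering authentication only produces an error instead of a silent downgrade.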

@dkropachev force-pushed the remove-pure-sasl-dependency branch 2 times, most recently from 0dece76 to 6029c30 on February 3, 2026 23:09

This change eliminates the external pure-sasl dependency which has been
unmaintained since 2019 (addresses #666). The implementation provides:

- Internal SASL client in cassandra/sasl.py based on pure-sasl (MIT licensed)
- Full PLAIN mechanism support for username/password authentication
- Full GSSAPI mechanism support for Kerberos authentication with QOP negotiation
- Platform-aware kerberos library selection (kerberos/winkerberos)

The internal implementation maintains API compatibility with existing code
while removing the risk of depending on an unmaintained external library.

@dkropachev force-pushed the remove-pure-sasl-dependency branch from 6029c30 to fb19b65 on February 3, 2026 23:09
Development

Successfully merging this pull request may close these issues.

Monitor pure-sasl dependency