This repository has been archived by the owner on Oct 23, 2024. It is now read-only.

Support password authentication #88

Merged
merged 11 commits into from
Apr 21, 2020
3 changes: 3 additions & 0 deletions docs/parameters.md
Expand Up @@ -65,6 +65,7 @@
| **MAX_HINTS_DELIVERY_THREADS** | The maximum number of delivery threads for hinted handoff. | 2 |
| **BATCHLOG_REPLAY_THROTTLE_IN_KB** | The total maximum throttle for replaying failed logged batches in KBs per second. | 1024 |
| **AUTHENTICATOR** | Authentication backend, implementing IAuthenticator; used to identify users. | AllowAllAuthenticator |
| **AUTHENTICATION_SECRET_NAME** | Name of the secret containing the credentials used by the operator when running 'nodetool' for its functionality. Only relevant if AUTHENTICATOR is set to 'PasswordAuthenticator'. The secret needs to have a 'username' and a 'password' entry. | |
| **AUTHORIZER** | Authorization backend, implementing IAuthorizer; used to limit access/provide permissions. | AllowAllAuthorizer |
| **ROLE_MANAGER** | Part of the Authentication & Authorization backend that implements IRoleManager to maintain grants and memberships between roles, By default, the value set is Apache Cassandra's out of the box Role Manager: CassandraRoleManager | CassandraRoleManager |
| **ROLES_VALIDITY_IN_MS** | Validity period for roles cache; set to 0 to disable | 2000 |
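Review bot: the AUTHENTICATION_SECRET_NAME row should say where the secret must live and what uses it. The stateful-set template in this PR references it with a plain `secretName:` volume, so the secret has to exist in the instance's own namespace (kudo-cassandra in the security.md example), and when it is missing the pods stay in ContainerCreating on the volume mount rather than failing with an authentication error. "For its functionality" also leaves readers guessing; the templates use the credentials for `nodetool` JMX authentication in the readiness and liveness probes, the preStop drain and the repair job, and naming those here tells the reader exactly what breaks when the role is wrong.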
Expand Down Expand Up @@ -191,6 +192,7 @@
| **REPAIR_SESSION_MAX_TREE_DEPTH** | Limits the maximum Merkle tree depth to avoid consuming too much memory during repairs. | |
| **ENABLE_SASI_INDEXES** | Enables SASI index creation on this node. SASI indexes are considered experimental and are not recommended for production use. | |
| **CUSTOM_CASSANDRA_YAML_BASE64** | Base64-encoded Cassandra properties appended to cassandra.yaml. | |
| **KUBECTL_VERSION** | Version of 'bitnami/kubectl' image. This image is used for some functionality of the operator. | 1.18.2 |
| **JVM_OPT_AVAILABLE_PROCESSORS** | In a multi-instance deployment, multiple Cassandra instances will independently assume that all CPU processors are available to it. This setting allows you to specify a smaller set of processors and perhaps have affinity. | |
| **JVM_OPT_JOIN_RING** | Set to false to start Cassandra on a node but not have the node join the cluster. | |
| **JVM_OPT_LOAD_RING_STATE** | Set to false to clear all gossip state for the node on restart. Use when you have changed node information in cassandra.yaml (such as listen_address). | |
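Review bot: the KUBECTL_VERSION description says "some functionality", but the templates in this PR use the image in exactly two places, the repair job container and the node-resolver init container, so name them; an operator bumping the tag needs to know which workloads change. It is also worth a sentence that the default (1.18.2) replaces a hard-coded 1.18.0 in the repair job and an unpinned `latest` in node-resolver, so both now run the same, pinned kubectl version.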
Expand Down Expand Up @@ -219,3 +221,4 @@
| **JVM_OPT_G1R_SET_UPDATING_PAUSE_TIME_PERCENT** | Have the JVM do less remembered set work during STW, instead preferring concurrent GC. Reduces p99.9 latency. | |
| **CUSTOM_JVM_OPTIONS_BASE64** | Base64-encoded JVM options appended to jvm.options. | |
| **POD_MANAGEMENT_POLICY** | podManagementPolicy of the Cassandra Statefulset | OrderedReady |
| **REPAIR_POD** | Name of the pod on which 'nodetool repair' should be run. | |
31 changes: 31 additions & 0 deletions docs/security.md
Expand Up @@ -82,3 +82,34 @@ kubectl kudo install cassandra \

Check out the [parameters reference](./parameters.md) for a complete list of all
configurable settings available for KUDO Cassandra security.

## Authentication and Authorization

The KUDO Cassandra operator can be configured to authenticate and authorize access to the Cassandra cluster. The `AUTHENTICATOR` parameter sets the [authenticator](http://cassandra.apache.org/doc/3.11/operating/security.html#authentication), the `AUTHORIZER` parameter sets the [authorizer](http://cassandra.apache.org/doc/3.11/operating/security.html#authorization).

### Authentication credentials

Some functionality of the operator use `nodetool`, thus these calls need to be authenticated as well. With enabled password authentication, create a [secret](https://kubernetes.io/docs/concepts/configuration/secret/) that contains the credentials of the user the operator should use and set the `AUTHENTICATION_SECRET_NAME` parameter accordingly.

Here's an example of a secret that uses the default cassandra/cassandra credentials:

```
apiVersion: v1
kind: Secret
metadata:
name: cassandra-credential
type: Opaque
data:
username: Y2Fzc2FuZHJh
password: Y2Fzc2FuZHJh
```

Reference this when installing the Cassandra operator with authentication.

```
kubectl kudo install cassandra \
--instance=cassandra \
--namespace=kudo-cassandra \
-p AUTHENTICATOR=PasswordAuthenticator \
-p AUTHENTICATION_SECRET_NAME=cassandra-credential
```
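Review bot: the example secret encodes the default cassandra/cassandra superuser credentials, and the text should say so explicitly and tell the reader to create a dedicated role for the operator and to change the default superuser password before enabling PasswordAuthenticator; as written, copy-pasting the snippet leaves a well-known credential as the operator's identity. Two smaller points on the same hunk: base64 in a Secret's `data` field is an encoding, not a protection, so either say that or show the `stringData` form so readers do not assume the values are encrypted; and the two fenced blocks would render with highlighting if tagged (yaml for the secret, bash for the install command). Finally, since the templates pass these values to `nodetool -u`/`-pwf`, which is JMX authentication, a sentence that the role must be accepted by the JMX authenticator would save users a confusing probe failure.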
8 changes: 8 additions & 0 deletions operator/params.yaml
Expand Up @@ -277,6 +277,10 @@ parameters:
description: "Authentication backend, implementing IAuthenticator; used to identify users."
default: "AllowAllAuthenticator"

- name: AUTHENTICATION_SECRET_NAME
description: "Name of the secret containing the credentials used by the operator when running 'nodetool' for its functionality. Only relevant if AUTHENTICATOR is set to 'PasswordAuthenticator'. The secret needs to have a 'username' and a 'password' entry."
default: ""

- name: AUTHORIZER
description: "Authorization backend, implementing IAuthorizer; used to limit access/provide permissions."
default: "AllowAllAuthorizer"
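Review bot: the description says the parameter is "only relevant if AUTHENTICATOR is set to 'PasswordAuthenticator'", but every template in this PR gates on AUTHENTICATION_SECRET_NAME alone and never inspects AUTHENTICATOR, so the two can disagree silently: PasswordAuthenticator with an empty secret name produces probes and a repair job that run `nodetool` without credentials, and a secret name combined with AllowAllAuthenticator mounts and passes credentials that are never checked. Consider rewording to "required when AUTHENTICATOR is PasswordAuthenticator" and adding a template-level check that aborts rendering when the authenticator is PasswordAuthenticator and the secret name is empty (Sprig's `fail`, if the KUDO template engine exposes it), so the misconfiguration surfaces at install time instead of as failing liveness probes.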
Expand Down Expand Up @@ -781,6 +785,10 @@ parameters:
description: "Base64-encoded Cassandra properties appended to cassandra.yaml."
default: ""

- name: KUBECTL_VERSION
description: "Version of 'bitnami/kubectl' image. This image is used for some functionality of the operator."
default: "1.18.2"

################################################################################
################################ JVM Options ###################################
################################################################################
18 changes: 14 additions & 4 deletions operator/templates/node-scripts.yaml
@@ -1,20 +1,30 @@
{{ $auth_params := "" }}
{{ if .Params.AUTHENTICATION_SECRET_NAME }}
{{ $auth_params = "-u $(cat /etc/cassandra/authentication/username) -pwf <(paste -d ' ' /etc/cassandra/authentication/username /etc/cassandra/authentication/password)" }}
{{ end }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Name }}-node-scripts
namespace: {{ .Namespace }}
data:
node-drain.sh: |
{{ if ne $.Params.JMX_LOCAL_ONLY "true" }}
nodetool {{ $auth_params }} --ssl drain
{{ else }}
nodetool {{ $auth_params }} drain
{{ end }}
node-readiness-probe.sh: |
{{ if ne $.Params.JMX_LOCAL_ONLY "true" }}
nodetool --ssl status -p {{ .Params.JMX_PORT }} | grep -q "UN ${POD_IP}"
nodetool {{ $auth_params }} --ssl status -p {{ .Params.JMX_PORT }} | grep -q "UN ${POD_IP}"
{{ else }}
nodetool status -p {{ .Params.JMX_PORT }} | grep -q "UN ${POD_IP}"
nodetool {{ $auth_params }} status -p {{ .Params.JMX_PORT }} | grep -q "UN ${POD_IP}"
{{ end }}
node-liveness-probe.sh: |
{{ if ne $.Params.JMX_LOCAL_ONLY "true" }}
nodetool --ssl info
nodetool {{ $auth_params }} --ssl info
{{ else }}
nodetool info
nodetool {{ $auth_params }} info
{{ end }}
generate-rackdc-properties.sh: |
# Generate the rackdc-properties
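Review bot: `-pwf <(paste -d ' ' ...)` is a process substitution that only bash understands, so every consumer of these scripts must invoke them through bash rather than sh; the preStop hook in stateful-set.yaml switches to `/bin/bash /etc/cassandra/node-drain.sh` in this PR, but the readiness and liveness probe commands are outside the visible hunks and need the same check, otherwise nodes with authentication enabled fail their probes with a shell syntax error. Passing the password via `-pwf` instead of `-pw` is the right choice, since it keeps the secret out of the nodetool process's argument list; one caveat worth documenting is that the password file format is a `username password` line, so a password containing whitespace will not parse. Minor: when AUTHENTICATION_SECRET_NAME is empty `{{ $auth_params }}` renders as an empty string, which is harmless but leaves a double space in `nodetool  --ssl drain`.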
22 changes: 20 additions & 2 deletions operator/templates/repair-job.yaml
@@ -1,3 +1,7 @@
{{ $auth_params := "" }}
{{ if $.Params.AUTHENTICATION_SECRET_NAME }}
{{ $auth_params = "-u ${SECRET_USERNAME} -pw ${SECRET_PASSWORD}" }}
{{ end }}
---
apiVersion: batch/v1
kind: Job
Expand All @@ -12,7 +16,21 @@ spec:
spec:
containers:
- name: repair-job
image: bitnami/kubectl:1.18.0
command: [ "kubectl", "exec", "{{ $.Params.REPAIR_POD }}", "--", "nodetool", "repair" ]
image: bitnami/kubectl:{{ $.Params.KUBECTL_VERSION }}
command: ["/bin/bash"]
args: [ "-c", "kubectl exec {{ $.Params.REPAIR_POD }} -- nodetool {{ $auth_params }} repair"]
{{ if $.Params.AUTHENTICATION_SECRET_NAME }}
env:
- name: SECRET_USERNAME
valueFrom:
secretKeyRef:
name: {{ $.Params.AUTHENTICATION_SECRET_NAME }}
key: username
- name: SECRET_PASSWORD
valueFrom:
secretKeyRef:
name: {{ $.Params.AUTHENTICATION_SECRET_NAME }}
key: password
{{ end }}
restartPolicy: Never
serviceAccountName: {{ .Name }}-node-repairer
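Review bot: `args` passes the credentials as `-u ${SECRET_USERNAME} -pw ${SECRET_PASSWORD}`, so the password ends up in the argument list of both the `kubectl` process in the job container and the `nodetool` process in the target pod (visible to anyone who can read that pod's process table, and recorded in the exec request if API-server audit logging is on), whereas node-scripts.yaml in the same PR deliberately uses `-pwf` with the mounted secret to avoid exactly that. Since the stateful set already mounts the secret at /etc/cassandra/authentication in every Cassandra pod, the job could exec the same `bash -c 'nodetool -u "$(cat .../username)" -pwf <(paste -d " " .../username .../password) repair'` form inside the target pod and drop the SECRET_USERNAME/SECRET_PASSWORD env entries entirely. If the env approach stays, quote the expansions inside the `-c` string (`\"${SECRET_PASSWORD}\"`, escaped because the YAML scalar is double-quoted) so a password containing spaces or shell metacharacters does not break word splitting.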
21 changes: 17 additions & 4 deletions operator/templates/stateful-set.yaml
Expand Up @@ -121,8 +121,8 @@ spec:
preStop:
exec:
command:
- nodetool
- drain
- /bin/bash
- /etc/cassandra/node-drain.sh
readinessProbe:
exec:
command:
Expand Down Expand Up @@ -225,6 +225,9 @@ spec:
- name: jvm-options
mountPath: /etc/cassandra/jvm.options
subPath: jvm.options
- name: node-scripts
mountPath: /etc/cassandra/node-drain.sh
subPath: node-drain.sh
- name: node-scripts
mountPath: /etc/cassandra/node-readiness-probe.sh
subPath: node-readiness-probe.sh
Expand All @@ -246,6 +249,11 @@ spec:
- name: nodetool-ssl-properties
mountPath: /nodetool-ssl-properties
{{ end }}
{{ if $.Params.AUTHENTICATION_SECRET_NAME }}
- name: authentication-secret
mountPath: /etc/cassandra/authentication
readOnly: true
{{ end }}
{{ if eq $.Params.PROMETHEUS_EXPORTER_ENABLED "true" }}
- name: prometheus-exporter
image: {{ $.Params.PROMETHEUS_EXPORTER_DOCKER_IMAGE }}
Expand Down Expand Up @@ -306,7 +314,7 @@ spec:
{{ if $.Params.NODE_TOPOLOGY }}
initContainers:
- name: node-resolver
image: bitnami/kubectl:latest
image: bitnami/kubectl:{{ $.Params.KUBECTL_VERSION }}
command:
- "sh"
- "-c"
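Review bot: replacing `bitnami/kubectl:latest` with the pinned `{{ $.Params.KUBECTL_VERSION }}` tag is the right direction for reproducibility, and it makes the node-resolver init container and the repair job run the same kubectl version for the first time. The remaining gap is that a tag is still a mutable reference, so the parameter documentation should state that 1.18.2 is the version the operator was tested with, so that users who override it know they are taking on the compatibility risk themselves.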
Expand Down Expand Up @@ -384,6 +392,11 @@ spec:
configMap:
name: {{ $.Name }}-nodetool-ssl-properties
{{ end }}
{{ if $.Params.AUTHENTICATION_SECRET_NAME }}
- name: authentication-secret
secret:
secretName: {{ $.Params.AUTHENTICATION_SECRET_NAME }}
{{ end }}
volumeClaimTemplates:
- metadata:
name: var-lib-cassandra
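Review bot: the `authentication-secret` volume sets no `defaultMode`, so the username and password files are created with the Kubernetes default of 0644 and are readable by every process in the container regardless of which user it runs as; the `readOnly: true` on the mount only prevents writes. Set `defaultMode` to a restrictive value that matches the UID or fsGroup the Cassandra container runs as (0400 if the files are owned by that user, 0440 with a matching fsGroup) so only the Cassandra process can read the credential that nodetool loads via `-pwf`.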
Expand All @@ -400,4 +413,4 @@ spec:
{{ if $.Params.NODE_STORAGE_CLASS }}
storageClassName: {{ $.Params.NODE_STORAGE_CLASS }}
{{ end }}
{{ end }}
{{ end }}
8 changes: 8 additions & 0 deletions templates/operator/params.yaml.template
Expand Up @@ -277,6 +277,10 @@ parameters:
description: "Authentication backend, implementing IAuthenticator; used to identify users."
default: "AllowAllAuthenticator"

- name: AUTHENTICATION_SECRET_NAME
description: "Name of the secret containing the credentials used by the operator when running 'nodetool' for its functionality. Only relevant if AUTHENTICATOR is set to 'PasswordAuthenticator'. The secret needs to have a 'username' and a 'password' entry."
default: ""

- name: AUTHORIZER
description: "Authorization backend, implementing IAuthorizer; used to limit access/provide permissions."
default: "AllowAllAuthorizer"
Expand Down Expand Up @@ -781,6 +785,10 @@ parameters:
description: "Base64-encoded Cassandra properties appended to cassandra.yaml."
default: ""

- name: KUBECTL_VERSION
description: "Version of 'bitnami/kubectl' image. This image is used for some functionality of the operator."
default: "1.18.2"

################################################################################
################################ JVM Options ###################################
################################################################################