This repository has been archived by the owner on Oct 23, 2024. It is now read-only.
Support password authentication (#88)
Calls by the operator to 'nodetool' are authenticated with credentials provided as a secret by the admin.
Jan Schlicht authored Apr 21, 2020
1 parent 0391c2a commit 76583a0
Showing 10 changed files with 234 additions and 14 deletions.
3 changes: 3 additions & 0 deletions docs/parameters.md
Expand Up @@ -65,6 +65,7 @@
| **MAX_HINTS_DELIVERY_THREADS** | The maximum number of delivery threads for hinted handoff. | 2 |
| **BATCHLOG_REPLAY_THROTTLE_IN_KB** | The total maximum throttle for replaying failed logged batches in KBs per second. | 1024 |
| **AUTHENTICATOR** | Authentication backend, implementing IAuthenticator; used to identify users. | AllowAllAuthenticator |
| **AUTHENTICATION_SECRET_NAME** | Name of the secret containing the credentials used by the operator when running 'nodetool' for its functionality. Only relevant if AUTHENTICATOR is set to 'PasswordAuthenticator'. The secret needs to have a 'username' and a 'password' entry. | |
| **AUTHORIZER** | Authorization backend, implementing IAuthorizer; used to limit access/provide permissions. | AllowAllAuthorizer |
| **ROLE_MANAGER** | Part of the Authentication & Authorization backend that implements IRoleManager to maintain grants and memberships between roles, By default, the value set is Apache Cassandra's out of the box Role Manager: CassandraRoleManager | CassandraRoleManager |
| **ROLES_VALIDITY_IN_MS** | Validity period for roles cache; set to 0 to disable | 2000 |
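Review bot: the AUTHENTICATION_SECRET_NAME row says the parameter is "only relevant if AUTHENTICATOR is set to 'PasswordAuthenticator'", but nothing in this change ties the two together: the templates gate solely on whether AUTHENTICATION_SECRET_NAME is non-empty. Worth confirming, and stating here, that nodetool's -u/-pw login is actually wired to the same credentials as the CQL authenticator, and adding two practical facts an admin needs: the secret must live in the instance's namespace, and its keys must be named exactly `username` and `password`, because the templates look them up by those names.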
Expand Down Expand Up @@ -191,6 +192,7 @@
| **REPAIR_SESSION_MAX_TREE_DEPTH** | Limits the maximum Merkle tree depth to avoid consuming too much memory during repairs. | |
| **ENABLE_SASI_INDEXES** | Enables SASI index creation on this node. SASI indexes are considered experimental and are not recommended for production use. | |
| **CUSTOM_CASSANDRA_YAML_BASE64** | Base64-encoded Cassandra properties appended to cassandra.yaml. | |
| **KUBECTL_VERSION** | Version of 'bitnami/kubectl' image. This image is used for some functionality of the operator. | 1.18.2 |
| **JVM_OPT_AVAILABLE_PROCESSORS** | In a multi-instance deployment, multiple Cassandra instances will independently assume that all CPU processors are available to it. This setting allows you to specify a smaller set of processors and perhaps have affinity. | |
| **JVM_OPT_JOIN_RING** | Set to false to start Cassandra on a node but not have the node join the cluster. | |
| **JVM_OPT_LOAD_RING_STATE** | Set to false to clear all gossip state for the node on restart. Use when you have changed node information in cassandra.yaml (such as listen_address). | |
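Review bot: the KUBECTL_VERSION description only says the image is "used for some functionality of the operator"; name the two consumers this commit wires it into, the repair job container and the node-resolver init container in stateful-set.yaml, so an admin knows what is affected when bumping the value.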
Expand Down Expand Up @@ -219,3 +221,4 @@
| **JVM_OPT_G1R_SET_UPDATING_PAUSE_TIME_PERCENT** | Have the JVM do less remembered set work during STW, instead preferring concurrent GC. Reduces p99.9 latency. | |
| **CUSTOM_JVM_OPTIONS_BASE64** | Base64-encoded JVM options appended to jvm.options. | |
| **POD_MANAGEMENT_POLICY** | podManagementPolicy of the Cassandra Statefulset | OrderedReady |
| **REPAIR_POD** | Name of the pod on which 'nodetool repair' should be run. | |
31 changes: 31 additions & 0 deletions docs/security.md
Expand Up @@ -82,3 +82,34 @@ kubectl kudo install cassandra \

Check out the [parameters reference](./parameters.md) for a complete list of all
configurable settings available for KUDO Cassandra security.

## Authentication and Authorization

The KUDO Cassandra operator can be configured to authenticate and authorize access to the Cassandra cluster. The `AUTHENTICATOR` parameter sets the [authenticator](http://cassandra.apache.org/doc/3.11/operating/security.html#authentication), the `AUTHORIZER` parameter sets the [authorizer](http://cassandra.apache.org/doc/3.11/operating/security.html#authorization).

### Authentication credentials

Some functionality of the operator use `nodetool`, thus these calls need to be authenticated as well. With enabled password authentication, create a [secret](https://kubernetes.io/docs/concepts/configuration/secret/) that contains the credentials of the user the operator should use and set the `AUTHENTICATION_SECRET_NAME` parameter accordingly.

Here's an example of a secret that uses the default cassandra/cassandra credentials:

```
apiVersion: v1
kind: Secret
metadata:
name: cassandra-credential
type: Opaque
data:
username: Y2Fzc2FuZHJh
password: Y2Fzc2FuZHJh
```

Reference this when installing the Cassandra operator with authentication.

```
kubectl kudo install cassandra \
--instance=cassandra \
--namespace=kudo-cassandra \
-p AUTHENTICATOR=PasswordAuthenticator \
-p AUTHENTICATION_SECRET_NAME=cassandra-credential
```
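Review bot: the example secret ships the default cassandra/cassandra superuser credentials and the text never says to change them; recommend adding that the operator should get a dedicated role with only the rights its nodetool calls need, and that the default superuser password be rotated before the secret is created. Two smaller gaps: the secret has to exist in the install namespace (kudo-cassandra in the example) before the install command runs, and the data keys must be named exactly `username` and `password`, which the templates reference by name. Grammar nit in the first paragraph: "Some functionality of the operator use" should read "uses".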
8 changes: 8 additions & 0 deletions operator/params.yaml
Expand Up @@ -277,6 +277,10 @@ parameters:
description: "Authentication backend, implementing IAuthenticator; used to identify users."
default: "AllowAllAuthenticator"

- name: AUTHENTICATION_SECRET_NAME
description: "Name of the secret containing the credentials used by the operator when running 'nodetool' for its functionality. Only relevant if AUTHENTICATOR is set to 'PasswordAuthenticator'. The secret needs to have a 'username' and a 'password' entry."
default: ""

- name: AUTHORIZER
description: "Authorization backend, implementing IAuthorizer; used to limit access/provide permissions."
default: "AllowAllAuthorizer"
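Review bot: the empty default "" is the off switch (the templates test `if .Params.AUTHENTICATION_SECRET_NAME`), but the description does not say so; add a sentence that leaving it empty disables credential passing. If the parameter framework allows it, a validation or warning when this is set while AUTHENTICATOR is still AllowAllAuthenticator would catch the half-configured case the description itself points at.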
Expand Down Expand Up @@ -781,6 +785,10 @@ parameters:
description: "Base64-encoded Cassandra properties appended to cassandra.yaml."
default: ""

- name: KUBECTL_VERSION
description: "Version of 'bitnami/kubectl' image. This image is used for some functionality of the operator."
default: "1.18.2"

################################################################################
################################ JVM Options ###################################
################################################################################
18 changes: 14 additions & 4 deletions operator/templates/node-scripts.yaml
@@ -1,20 +1,30 @@
{{ $auth_params := "" }}
{{ if .Params.AUTHENTICATION_SECRET_NAME }}
{{ $auth_params = "-u $(cat /etc/cassandra/authentication/username) -pwf <(paste -d ' ' /etc/cassandra/authentication/username /etc/cassandra/authentication/password)" }}
{{ end }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Name }}-node-scripts
namespace: {{ .Namespace }}
data:
node-drain.sh: |
{{ if ne $.Params.JMX_LOCAL_ONLY "true" }}
nodetool {{ $auth_params }} --ssl drain
{{ else }}
nodetool {{ $auth_params }} drain
{{ end }}
node-readiness-probe.sh: |
{{ if ne $.Params.JMX_LOCAL_ONLY "true" }}
nodetool --ssl status -p {{ .Params.JMX_PORT }} | grep -q "UN ${POD_IP}"
nodetool {{ $auth_params }} --ssl status -p {{ .Params.JMX_PORT }} | grep -q "UN ${POD_IP}"
{{ else }}
nodetool status -p {{ .Params.JMX_PORT }} | grep -q "UN ${POD_IP}"
nodetool {{ $auth_params }} status -p {{ .Params.JMX_PORT }} | grep -q "UN ${POD_IP}"
{{ end }}
node-liveness-probe.sh: |
{{ if ne $.Params.JMX_LOCAL_ONLY "true" }}
nodetool --ssl info
nodetool {{ $auth_params }} --ssl info
{{ else }}
nodetool info
nodetool {{ $auth_params }} info
{{ end }}
generate-rackdc-properties.sh: |
# Generate the rackdc-properties
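Review bot: node-drain.sh calls `nodetool {{ $auth_params }} --ssl drain` without `-p {{ .Params.JMX_PORT }}`, while the readiness probe in the same ConfigMap passes the port; with a non-default JMX_PORT the preStop drain cannot connect, the pod stops undrained, and preStop failures are not surfaced anywhere. Add the port flag to both drain branches. The credential handling itself is the right shape: the username is read with `$(cat ...)` and the password goes through `-pwf <(paste ...)`, so the password never appears in process arguments; note that the process substitution requires bash, not sh, for every script that includes `$auth_params`.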
22 changes: 20 additions & 2 deletions operator/templates/repair-job.yaml
@@ -1,3 +1,7 @@
{{ $auth_params := "" }}
{{ if $.Params.AUTHENTICATION_SECRET_NAME }}
{{ $auth_params = "-u ${SECRET_USERNAME} -pw ${SECRET_PASSWORD}" }}
{{ end }}
---
apiVersion: batch/v1
kind: Job
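Review bot: `-pw ${SECRET_PASSWORD}` places the password on the nodetool command line that `kubectl exec` runs inside the Cassandra pod, where it shows up in that pod's process list and in API-server audit records of the exec request; node-scripts.yaml in this same commit avoids exactly that with `-pwf`. Since stateful-set.yaml already mounts the secret at /etc/cassandra/authentication inside the Cassandra pod, the job could exec a bash command that reads the mounted files with the same `-pwf <(paste ...)` construct, and would then not need the secret, or the env block below, in the repair container at all.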
Expand All @@ -12,7 +16,21 @@ spec:
spec:
containers:
- name: repair-job
image: bitnami/kubectl:1.18.0
command: [ "kubectl", "exec", "{{ $.Params.REPAIR_POD }}", "--", "nodetool", "repair" ]
image: bitnami/kubectl:{{ $.Params.KUBECTL_VERSION }}
command: ["/bin/bash"]
args: [ "-c", "kubectl exec {{ $.Params.REPAIR_POD }} -- nodetool {{ $auth_params }} repair"]
{{ if $.Params.AUTHENTICATION_SECRET_NAME }}
env:
- name: SECRET_USERNAME
valueFrom:
secretKeyRef:
name: {{ $.Params.AUTHENTICATION_SECRET_NAME }}
key: username
- name: SECRET_PASSWORD
valueFrom:
secretKeyRef:
name: {{ $.Params.AUTHENTICATION_SECRET_NAME }}
key: password
{{ end }}
restartPolicy: Never
serviceAccountName: {{ .Name }}-node-repairer
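Review bot: moving from the exec-form `command` array to `bash -c "kubectl exec {{ $.Params.REPAIR_POD }} -- nodetool {{ $auth_params }} repair"` makes REPAIR_POD and the credential arguments subject to shell word-splitting and expansion; REPAIR_POD is admin-supplied, so the practical risk is a malformed name rather than injection, but quoting the pod name (escaped inside the YAML double-quoted string) costs nothing. Separately, unlike the probes in node-scripts.yaml this nodetool call passes neither `--ssl` nor `-p {{ $.Params.JMX_PORT }}`; that predates this change, but now that the command is being rewritten it is the moment to align it, otherwise repair fails on clusters where JMX_LOCAL_ONLY is not "true" or the JMX port is non-default.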
21 changes: 17 additions & 4 deletions operator/templates/stateful-set.yaml
Expand Up @@ -121,8 +121,8 @@ spec:
preStop:
exec:
command:
- nodetool
- drain
- /bin/bash
- /etc/cassandra/node-drain.sh
readinessProbe:
exec:
command:
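Review bot: preStop now runs `/bin/bash /etc/cassandra/node-drain.sh`, which is required because the script uses `<(...)` process substitution. The readinessProbe command that begins right after this hunk, and the livenessProbe, are not in the diff; confirm they also invoke their scripts through bash rather than sh, or the `{{ $auth_params }}` branch will fail to parse as soon as a secret is configured and the pod will never become ready.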
Expand Down Expand Up @@ -225,6 +225,9 @@ spec:
- name: jvm-options
mountPath: /etc/cassandra/jvm.options
subPath: jvm.options
- name: node-scripts
mountPath: /etc/cassandra/node-drain.sh
subPath: node-drain.sh
- name: node-scripts
mountPath: /etc/cassandra/node-readiness-probe.sh
subPath: node-readiness-probe.sh
Expand All @@ -246,6 +249,11 @@ spec:
- name: nodetool-ssl-properties
mountPath: /nodetool-ssl-properties
{{ end }}
{{ if $.Params.AUTHENTICATION_SECRET_NAME }}
- name: authentication-secret
mountPath: /etc/cassandra/authentication
readOnly: true
{{ end }}
{{ if eq $.Params.PROMETHEUS_EXPORTER_ENABLED "true" }}
- name: prometheus-exporter
image: {{ $.Params.PROMETHEUS_EXPORTER_DOCKER_IMAGE }}
Expand Down Expand Up @@ -306,7 +314,7 @@ spec:
{{ if $.Params.NODE_TOPOLOGY }}
initContainers:
- name: node-resolver
image: bitnami/kubectl:latest
image: bitnami/kubectl:{{ $.Params.KUBECTL_VERSION }}
command:
- "sh"
- "-c"
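Review bot: replacing `bitnami/kubectl:latest` with the pinned `{{ $.Params.KUBECTL_VERSION }}` removes a moving tag from the init container, a worthwhile supply-chain fix; document in params.yaml that the value should track the cluster's Kubernetes minor version, and consider recording the image digest for the default so the image cannot change under a fixed tag.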
Expand Down Expand Up @@ -384,6 +392,11 @@ spec:
configMap:
name: {{ $.Name }}-nodetool-ssl-properties
{{ end }}
{{ if $.Params.AUTHENTICATION_SECRET_NAME }}
- name: authentication-secret
secret:
secretName: {{ $.Params.AUTHENTICATION_SECRET_NAME }}
{{ end }}
volumeClaimTemplates:
- metadata:
name: var-lib-cassandra
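Review bot: the authentication-secret volume relies on the default secret file mode (0644), so any process in the container, not just the user running nodetool, can read the password file; add `defaultMode: 0400` (or 0440 with a matching fsGroup) under the `secret:` block to complement the `readOnly: true` mount added earlier in this file. The volume is guarded by the same `if $.Params.AUTHENTICATION_SECRET_NAME` as the mount, so an empty parameter leaves no dangling volume reference, which is correct.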
Expand All @@ -400,4 +413,4 @@ spec:
{{ if $.Params.NODE_STORAGE_CLASS }}
storageClassName: {{ $.Params.NODE_STORAGE_CLASS }}
{{ end }}
{{ end }}
{{ end }}
8 changes: 8 additions & 0 deletions templates/operator/params.yaml.template
Expand Up @@ -277,6 +277,10 @@ parameters:
description: "Authentication backend, implementing IAuthenticator; used to identify users."
default: "AllowAllAuthenticator"

- name: AUTHENTICATION_SECRET_NAME
description: "Name of the secret containing the credentials used by the operator when running 'nodetool' for its functionality. Only relevant if AUTHENTICATOR is set to 'PasswordAuthenticator'. The secret needs to have a 'username' and a 'password' entry."
default: ""

- name: AUTHORIZER
description: "Authorization backend, implementing IAuthorizer; used to limit access/provide permissions."
default: "AllowAllAuthorizer"
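Review bot: this hunk duplicates the one in operator/params.yaml byte for byte; that is fine if operator/params.yaml is generated from this template as the file name suggests, but then the generated file should be regenerated rather than hand-edited, so the two copies cannot drift when a later change touches only one of them.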
Expand Down Expand Up @@ -781,6 +785,10 @@ parameters:
description: "Base64-encoded Cassandra properties appended to cassandra.yaml."
default: ""

- name: KUBECTL_VERSION
description: "Version of 'bitnami/kubectl' image. This image is used for some functionality of the operator."
default: "1.18.2"

################################################################################
################################ JVM Options ###################################
################################################################################