There exists a Cassandra TCP Connector with username and password based authentication #1241
Comments
@BradleyBoutcher can you add the cassandra.yml as a volume mount to the cassandra container (if you define it locally in your test dir)? Does the cassandra.yml file include the authentication configuration info for the cassandra instance, e.g. to use username-password auth and/or set the username/password? Can you run the test with secretless configured to set username
I'd like to see the definition of done be:
Currently, no. That will be the primary objective of this spike, as we currently cannot inject credentials through secretless yet.
Thanks! That helps me understand where it's at. So Secretless can proxy right now, but it's not "secretless" yet :)
Overview
There exists a TCP connector for Apache Cassandra in secretless-broker
We are using gocql as a third-party library to assist in implementing the underlying Cassandra protocol.
Connected to #1242
Definition of done
There is a docker-compose environment that stands up cassandra and secretless for validating flows
There is an initial e2e implementation of a cassandra connector that can take a client request with no or bad credentials, get valid creds from the secretless config, negotiate the user/password authn with the cassandra server, and return the authenticated connection to the client to make subsequent privileged queries
There is a README with minimal information about how to run the initial flow and what we validated it with, so that other people can also try this initial POC connector
Currently Supported Actions
The `start` script in the Cassandra integration test directory.
The `cqlsh` command line tool. Not all flags have been tested, but `-u` and `-p` currently work properly.
Example
When we run `cqlsh localhost 2223 --debug --connect-timeout="1000000" -u "cassandra" -p "cassandra"`, we successfully connect to the Cassandra node through Secretless as the user `cassandra`.
Additional Information
Cassandra relies on a `cassandra.yml` file for configuration before creating the node. According to their docs, it seems they discourage configuring your node after creation. Currently I am uncertain as to how we can inject this yml file into a docker-compose script, but we may need to make a custom Dockerfile.
Authentication needs to be configured in advance, including username and password based authentication. We can create a `cassandra.yml` using information found here.
`gocql` uses a custom struct, `Conn`, as a wrapper for a network connection. This can be used to expand support for features such as username and password based authentication and handling the underlying protocols.
Cassandra makes use of authenticators for handling username and password based authentication. These are defined when the Cassandra node is created, and are implemented in `gocql` to decorate our cluster configuration before performing our call to connect. More info can be found here.
Known issues
Secretless Broker is expected to create a single connection when communicating with `cqlsh`. Currently, two connections are created for unknown reasons.
Disconnecting from a node and attempting to re-connect can result in an error where we attempt to send a STARTUP packet again, and the node has already received this packet from a previous connection. It then rejects the connection.
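As an added example (not code from secretless-broker or gocql), the two pieces the definition of done and the STARTUP known issue call for: building the AUTH_RESPONSE frame that carries the credentials from the Secretless config upstream instead of whatever the client offered, and a guard that sends STARTUP only once per server connection. Frame layout, opcodes and the PasswordAuthenticator token format follow the CQL native protocol v4; the function and type names are assumptions.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// CQL native protocol v4 opcodes used in the STARTUP / password handshake.
const (
	OpStartup      byte = 0x01
	OpAuthResponse byte = 0x0F
)

// EncodeFrame builds a v4 request frame: 9-byte header (version 0x04 =
// client request, flags, stream id, opcode, body length) then the body.
func EncodeFrame(opcode byte, stream int16, body []byte) []byte {
	hdr := make([]byte, 9)
	hdr[0] = 0x04
	binary.BigEndian.PutUint16(hdr[2:], uint16(stream))
	hdr[4] = opcode
	binary.BigEndian.PutUint32(hdr[5:], uint32(len(body)))
	return append(hdr, body...)
}

// AuthResponse is the AUTH_RESPONSE the proxy sends upstream in place of
// whatever the client offered. Its body is a length-prefixed [bytes] value
// holding the SASL PLAIN token Cassandra's PasswordAuthenticator expects:
// NUL, username, NUL, password, taken from the Secretless config.
func AuthResponse(stream int16, user, pass string) []byte {
	tok := append(append(append([]byte{0}, user...), 0), pass...)
	body := make([]byte, 4, 4+len(tok))
	binary.BigEndian.PutUint32(body, uint32(len(tok)))
	return EncodeFrame(OpAuthResponse, stream, append(body, tok...))
}

// Handshake remembers whether STARTUP already went upstream, so a reconnect
// reusing this server connection errors instead of sending STARTUP twice.
type Handshake struct{ startupSent bool }

// Startup returns the STARTUP frame once; its body is a [string map] with
// the single required key CQL_VERSION.
func (h *Handshake) Startup(stream int16) ([]byte, error) {
	if h.startupSent {
		return nil, errors.New("STARTUP already sent on this connection")
	}
	h.startupSent = true
	body := append([]byte{0, 1, 0, 11}, "CQL_VERSION"...)
	body = append(append(body, 0, 5), "3.0.0"...)
	return EncodeFrame(OpStartup, stream, body), nil
}
```

The proxy would call `Startup` once when it opens the server side, answer the server's AUTHENTICATE with `AuthResponse`, and only then hand the authenticated connection to the client for its queries.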