How to enable Cassandra Password Authentication in Kubernetes deployment file

6/20/2017

I've been struggling with this for quite a while now. My effort so far is shown below. The env variable, CASSANDRA_AUTHENTICATOR, in my opinion, is supposed to enable password authentication. However, I'm still able to log on without a password after redeploying with this config. Any ideas on how to enable password authentication in a Kubernetes deployment file?

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: cassandra
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: cassandra
    spec:
      containers:
          - name: cassandra
            image: cassandra
            env:
              - name: CASSANDRA_CLUSTER_NAME
                value: Cassandra
              - name: CASSANDRA_AUTHENTICATOR
                value: PasswordAuthenticator
            ports:
              - containerPort: 7000
                name: intra-node
              - containerPort: 7001
                name: tls-intra-node
              - containerPort: 7199
                name: jmx
              - containerPort: 9042
                name: cql

            volumeMounts:
              - mountPath: /var/lib/cassandra/data
                name: data
      volumes:
        - name: data
          emptyDir: {}

The environment is Google Cloud Platform.

-- okello
cassandra
google-cloud-platform
kubernetes

1 Answer

7/16/2017

So I made a few changes to the artifact you have mentioned:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: cassandra
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: cassandra
    spec:
      containers:
          - name: cassandra
            image: bitnami/cassandra:latest
            env:
              - name: CASSANDRA_CLUSTER_NAME
                value: Cassandra
              - name: CASSANDRA_PASSWORD
                value: pass123
            ports:
              - containerPort: 7000
                name: intra-node
              - containerPort: 7001
                name: tls-intra-node
              - containerPort: 7199
                name: jmx
              - containerPort: 9042
                name: cql

            volumeMounts:
              - mountPath: /var/lib/cassandra/data
                name: data
      volumes:
        - name: data
          emptyDir: {}

The changes I made were:

The image name has been changed to bitnami/cassandra:latest, and the env CASSANDRA_AUTHENTICATOR has been replaced with CASSANDRA_PASSWORD.

After deploying the above artifact, I could authenticate as shown below:

  • Trying to exec into pod

    fedora@dhcp35-42:~/tmp/cassandra$ oc exec -it cassandra-2750650372-g8l9s bash
    root@cassandra-2750650372-g8l9s:/# 

  • Once inside the pod, trying to authenticate with the server

    root@cassandra-2750650372-g8l9s:/# cqlsh 127.0.0.1 9042 -p pass123 -u cassandra
    Connected to Cassandra at 127.0.0.1:9042.
    [cqlsh 5.0.1 | Cassandra 3.11.0 | CQL spec 3.4.4 | Native protocol v4]
    Use HELP for help.
    cassandra@cqlsh> 

This image's documentation can be found at https://hub.docker.com/r/bitnami/cassandra/

If you are not comfortable using the third-party image and want to use the image that the upstream community manages, then look at the following solution, which is more DIY but also more flexible.


To set up the password you were trying to use the env CASSANDRA_AUTHENTICATOR, but this is not a merged proposal yet for the cassandra image. You can see the open PRs here.

Right now upstream suggests mounting the file cassandra.yaml at /etc/cassandra/cassandra.yaml, so that people can set whatever settings they want.

So follow these steps to do it:

I have made the following changes to the file:

$ diff cassandra.yaml mycassandra.yaml 
103c103
< authenticator: AllowAllAuthenticator
---
> authenticator: PasswordAuthenticator
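
Review bot: line 103 is the only setting this diff changes, so everything else in mycassandra.yaml, including the `authorizer` line, stays at the stock value; check that line as well before shipping the file. Also change the password of the built-in `cassandra` superuser after the first login, because switching to PasswordAuthenticator leaves that account on its default password.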

  • Create a ConfigMap with that file

We have to create a Kubernetes ConfigMap, which we will then mount inside the container; we cannot do a host mount similar to Docker.

    $ cp mycassandra.yaml cassandra.yaml
    $ k create configmap cassandraconfig --from-file ./cassandra.yaml

The name of the ConfigMap is cassandraconfig.

  • Now edit the deployment to use this config and mount it in the right place

    apiVersion: extensions/v1beta1
    kind: Deployment
    metadata:
      name: cassandra
    spec:
      replicas: 1
      template:
        metadata:
          labels:
            app: cassandra
        spec:
          containers:
              - name: cassandra
                image: cassandra
                env:
                  - name: CASSANDRA_CLUSTER_NAME
                    value: Cassandra
                ports:
                  - containerPort: 7000
                    name: intra-node
                  - containerPort: 7001
                    name: tls-intra-node
                  - containerPort: 7199
                    name: jmx
                  - containerPort: 9042
                    name: cql
    
                volumeMounts:
                  - mountPath: /var/lib/cassandra/data
                    name: data
                  - mountPath: /etc/cassandra/
                    name: cassandraconfig
          volumes:
            - name: data
              emptyDir: {}
            - name: cassandraconfig
              configMap:
                name: cassandraconfig

Once you have created this deployment:

  • Now exec in the pod

    $ k exec -it cassandra-1663662957-6tcj6 bash
    root@cassandra-1663662957-6tcj6:/# 

  • Try using the client

    root@cassandra-1663662957-6tcj6:/# cqlsh 127.0.0.1 9042
    Connection error: ('Unable to connect to any servers', {'127.0.0.1': AuthenticationFailed('Remote end requires authentication.',)})

For more information on creating a ConfigMap and using it by mounting it inside a container, you can read this doc, which helped me with this answer.

-- surajd
Source: StackOverflow
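
The first manifest in the answer above carries the password in the Deployment as a literal `value: pass123`. As an added example (not part of the original answer or of the image's own documentation), the same Deployment can read `CASSANDRA_PASSWORD` from a Kubernetes Secret instead; the Secret name `cassandra-auth`, its key `password` and the placeholder value are assumptions.

```yaml
# Added example. The Secret name "cassandra-auth" and key "password" are
# assumptions; every other setting is taken from the answer's first manifest.
apiVersion: v1
kind: Secret
metadata:
  name: cassandra-auth
type: Opaque
stringData:
  password: CHANGE-ME   # placeholder; supply the real value out of band
---
# apps/v1 is used here because extensions/v1beta1 Deployments were removed
# in Kubernetes 1.16; apps/v1 requires the explicit selector below.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cassandra
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cassandra
  template:
    metadata:
      labels:
        app: cassandra
    spec:
      containers:
        - name: cassandra
          image: bitnami/cassandra:latest
          env:
            - name: CASSANDRA_CLUSTER_NAME
              value: Cassandra
            # The password is no longer stored in the Deployment object;
            # the kubelet injects it from the Secret when the pod starts.
            - name: CASSANDRA_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: cassandra-auth
                  key: password
          ports:
            - containerPort: 9042
              name: cql
          volumeMounts:
            - mountPath: /var/lib/cassandra/data
              name: data
      volumes:
        - name: data
          emptyDir: {}
```

With this layout, reading the Deployment no longer reveals the password, but read access to Secrets in the namespace still has to be restricted with RBAC.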