add support for user authentication

https://cassandra.apache.org/doc/latest/operating/security.html#enabling-password-authentication Signed-off-by: Jakub Sokołowski <[email protected]>
status-im · Oct 7, 2020 · 4b2d040 · 4b2d040
1 parent f9416e8
commit 4b2d040
Show file tree

Hide file tree

Showing 6 changed files with 27 additions and 52 deletions.
diff --git a/README.md b/README.md
@@ -12,9 +12,13 @@ cassandra_cluster_name: 'my-cassandra-cluster'
 cassandra_num_tokens: 256
 cassandra_storage_port: 7000
 cassandra_native_port: 9042
+cassandra_users:
+  - { user: 'admin', pass: 'secret' }
+  - { user: 'app-1', pass: 'secret' }
 
 consul_catalog_url: 'http://localhost:1234/v1/catalog'
 ```
+If `cassandra_users` is an empty list no authentication is required.
 
 # Management
 

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -9,6 +9,8 @@ cassandra_service_name: 'cassandra'
 cassandra_service_user: 'cassandra'
 cassandra_storage_port: 7000
 cassandra_native_port: 9042
+cassandra_users: []
+#  - { user: 'admin', pass: 'secret' }
 
 cassandra_data_dir: '/var/lib/cassandra'
 cassandra_cluster_name: ~

diff --git a/tasks/main.yml b/tasks/main.yml
@@ -4,3 +4,4 @@
 - import_tasks: discover.yml
 - import_tasks: config.yml
 - import_tasks: service.yml
+- import_tasks: users.yml
diff --git a/tasks/users.yml b/tasks/users.yml
@@ -0,0 +1,12 @@
+---
+- name: Create specified DB users
+  shell: |
+    echo "CREATE ROLE {{ item.user }} WITH SUPERUSER = true AND LOGIN = true AND PASSWORD = '{{ item.pass }}';" | \
+      /opt/cassandra/bin/cqlsh {{ cassandra_listen_address }} -u '{{ item.user }}' -p '{{ item.user }}'
+  with_items: '{{ cassandra_users }}'
+
+- name: Disable default user
+  shell: |
+    echo "ALTER ROLE cassandra WITH SUPERUSER = false AND LOGIN = false;" | \
+      /opt/cassandra/bin/cqlsh {{ cassandra_listen_address }} -u '{{ item.user }}' -p '{{ item.user }}'
+  when: '{{ (cassandra_users|length) > 0 }}'
diff --git a/templates/cassandra.yaml.j2 b/templates/cassandra.yaml.j2
@@ -4,6 +4,14 @@
 # one logical cluster from joining another.
 cluster_name: '{{ cassandra_cluster_name | mandatory }}'
 
+# - AllowAllAuthenticator performs no checks - set it to disable authentication.
+# - PasswordAuthenticator relies on username/password pairs to authenticate users.
+#   It keeps usernames and hashed passwords in system_auth.roles table.
+authenticator: {{ (cassandra_users|length > 0) | ternary("PasswordAuthenticator", "AllowAllAuthenticator") }}
+
+# Manages access to databases and stores role data in the system_auth keyspace.
+role_manager: CassandraRoleManager
+
 # This defines the number of tokens randomly assigned to this node on the ring
 # The more tokens, relative to other nodes, the larger the proportion of data
 # that this node will store. You probably want all nodes to have the same number

diff --git a/templates/config.yml.j2 b/templates/config.yml.j2