improve user creation to use default user the first time

Signed-off-by: Jakub Sokołowski <[email protected]>
status-im · Oct 8, 2020 · 7559897 · 7559897
1 parent 4000b93
commit 7559897
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 8 deletions.
diff --git a/README.md b/README.md
@@ -12,13 +12,13 @@ cassandra_cluster_name: 'my-cassandra-cluster'
 cassandra_num_tokens: 256
 cassandra_storage_port: 7000
 cassandra_native_port: 9042
-cassandra_users:
+cassandra_db_users:
   - { user: 'admin', pass: 'secret' }
   - { user: 'app-1', pass: 'secret' }
 
 consul_catalog_url: 'http://localhost:1234/v1/catalog'
 ```
-If `cassandra_users` is an empty list no authentication is required.
+If `cassandra_db_users` is an empty list no authentication is required.
 
 # Management
 

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -9,9 +9,13 @@ cassandra_service_name: 'cassandra'
 cassandra_service_user: 'cassandra'
 cassandra_storage_port: 7000
 cassandra_native_port: 9042
-cassandra_users: []
+cassandra_db_users: []
 #  - { user: 'admin', pass: 'secret' }
 
+# role/user that always exists in a new cluster
+cassandra_db_default_user: 'cassandra'
+cassandra_db_default_pass: 'cassandra'
+
 cassandra_data_dir: '/var/lib/cassandra'
 cassandra_cluster_name: ~
 cassandra_listen_address: '{{ ansible_local.tinc.vpn_ip }}'

diff --git a/tasks/users.yml b/tasks/users.yml
@@ -1,12 +1,32 @@
 ---
+- name: Check default user connection
+  set_fact:
+    echo "DESCRIBE CLUSTER;" |
+      /opt/cassandra/bin/cqlsh {{ cassandra_listen_address }} \
+        -u '{{ cassandra_db_default_user }}' \
+        -p '{{ cassandra_db_default_pass }}'
+  ignore_errors: true
+  register: default_user_auth
+
+# If default user is disabled just use first defined user
+- name: Pick DB auth credentials to use
+  set_fact:
+    cassandra_db_default_user: '{{ cassandra_db_users[0].user }}'
+    cassandra_db_default_pass: '{{ cassandra_db_users[0].pass }}'
+  when: default_user_auth.failed
+
 - name: Create specified DB users
   shell: |
     echo "CREATE ROLE {{ item.user }} WITH SUPERUSER = true AND LOGIN = true AND PASSWORD = '{{ item.pass }}';" | \
-      /opt/cassandra/bin/cqlsh {{ cassandra_listen_address }} -u '{{ item.user }}' -p '{{ item.user }}'
-  with_items: '{{ cassandra_users }}'
+      /opt/cassandra/bin/cqlsh {{ cassandra_listen_address }} \
+        -u '{{ cassandra_db_default_user }}' \
+        -p '{{ cassandra_db_default_pass }}'
+  with_items: '{{ cassandra_db_users }}'
 
 - name: Disable default user
   shell: |
     echo "ALTER ROLE cassandra WITH SUPERUSER = false AND LOGIN = false;" | \
-      /opt/cassandra/bin/cqlsh {{ cassandra_listen_address }} -u '{{ item.user }}' -p '{{ item.user }}'
-  when: '{{ (cassandra_users|length) > 0 }}'
+      /opt/cassandra/bin/cqlsh {{ cassandra_listen_address }} \
+        -u '{{ cassandra_db_users[0].user }}' \
+        -p '{{ cassandra_db_users[0].pass }}'
+  when: '{{ (cassandra_db_users|length) > 0 }}'
diff --git a/templates/cassandra.yaml.j2 b/templates/cassandra.yaml.j2
@@ -7,7 +7,7 @@ cluster_name: '{{ cassandra_cluster_name | mandatory }}'
 # - AllowAllAuthenticator performs no checks - set it to disable authentication.
 # - PasswordAuthenticator relies on username/password pairs to authenticate users.
 #   It keeps usernames and hashed passwords in system_auth.roles table.
-authenticator: {{ (cassandra_users|length > 0) | ternary("PasswordAuthenticator", "AllowAllAuthenticator") }}
+authenticator: {{ (cassandra_db_users|length > 0) | ternary("PasswordAuthenticator", "AllowAllAuthenticator") }}
 
 # Manages access to databases and stores role data in the system_auth keyspace.
 role_manager: CassandraRoleManager