Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Flag for Custom Authenticators in Cassandra Storage #5628

Merged
merged 12 commits into from
Jun 18, 2024
+27 −5
Merged

Add Flag for Custom Authenticators in Cassandra Storage #5628

Show file tree
Hide file tree
Changes from 11 commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
7bb8259
added more options auth for cassandra
hellspawn679 Jun 14, 2024
e8775e7
added AllowedAuthenticators
hellspawn679 Jun 14, 2024
89b2275
Merge branch 'jaegertracing:main' into auth
hellspawn679 Jun 16, 2024
9346d16
added aiven auth
hellspawn679 Jun 16, 2024
4e4450c
reverting back
hellspawn679 Jun 16, 2024
279ab59
added flags for auth
hellspawn679 Jun 16, 2024
e2cf82e
Merge branch 'main' into auth
hellspawn679 Jun 17, 2024
504ac07
updated integration test for cassandra
hellspawn679 Jun 17, 2024
1959b26
added flags
hellspawn679 Jun 17, 2024
31a8da3
Merge branch 'main' into auth
hellspawn679 Jun 17, 2024
0c892c7
update flag description
hellspawn679 Jun 17, 2024
82204d4
updated flag
hellspawn679 Jun 17, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 5 additions & 4 deletions pkg/cassandra/config/config.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,8 +50,8 @@ type Configuration struct {

// Authenticator holds the authentication properties needed to connect to a Cassandra cluster
type Authenticator struct {
Basic BasicAuthenticator `yaml:"basic" mapstructure:",squash"`
// TODO: add more auth types
yurishkuro marked this conversation as resolved.
Show resolved Hide resolved
Basic BasicAuthenticator `yaml:"basic" mapstructure:",squash"`
AllowedAuthenticators []string `yaml:"allowed_authenticators" mapstructure:"allowed_authenticators"`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AllowedAuthenticators should be inside BasicAuthenticator struct. And lets add a comment to it

// The comma-separated list of allowed password authenticators for Cassandra.
// If none are specified, there is a default "approved" list that is used
//    https://github.com/gocql/gocql/blob/34fdeebefcbf183ed7f916f931aa0586fdaa1b40/conn.go#L27
// If a non-empty list is provided, only specified authenticators are allowed.
// See also https://github.com/jaegertracing/jaeger/issues/5627#issuecomment-2174454633

}

// BasicAuthenticator holds the username and password for a password authenticator for a Cassandra cluster
Expand Down Expand Up @@ -143,8 +143,9 @@ func (c *Configuration) NewCluster(logger *zap.Logger) (*gocql.ClusterConfig, er

if c.Authenticator.Basic.Username != "" && c.Authenticator.Basic.Password != "" {
cluster.Authenticator = gocql.PasswordAuthenticator{
Username: c.Authenticator.Basic.Username,
Password: c.Authenticator.Basic.Password,
Username: c.Authenticator.Basic.Username,
Password: c.Authenticator.Basic.Password,
AllowedAuthenticators: c.Authenticator.AllowedAuthenticators,
}
yurishkuro marked this conversation as resolved.
Show resolved Hide resolved
}
tlsCfg, err := c.TLS.Config(logger)
Expand Down
19 changes: 18 additions & 1 deletion plugin/storage/cassandra/options.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,7 @@ const (
suffixSocketKeepAlive = ".socket-keep-alive"
suffixUsername = ".username"
suffixPassword = ".password"

suffixAuth = ".auth"
yurishkuro marked this conversation as resolved.
Show resolved Hide resolved
// common storage settings
suffixSpanStoreWriteCacheTTL = ".span-store-write-cache-ttl"
suffixIndexTagsBlacklist = ".index.tag-blacklist"
Expand Down Expand Up @@ -214,6 +214,21 @@ func addFlags(flagSet *flag.FlagSet, nsConfig namespaceConfig) {
nsConfig.namespace+suffixPassword,
nsConfig.Authenticator.Basic.Password,
"Password for password authentication for Cassandra")
flagSet.String(
nsConfig.namespace+suffixAuth,
"",
"(the authentication is only handled by server)The comma-separated list of Allowed password authenticators for Cassandra.\n"+
"list of acceptable strings: "+
"org.apache.cassandra.auth.PasswordAuthenticator, "+
"com.instaclustr.cassandra.auth.SharedSecretAuthenticator, "+
"com.datastax.bdp.cassandra.auth.DseAuthenticator, "+
"io.aiven.cassandra.auth.AivenAuthenticator, "+
"com.ericsson.bss.cassandra.ecaudit.auth.AuditPasswordAuthenticator, "+
"com.amazon.helenus.auth.HelenusAuthenticator, "+
"com.ericsson.bss.cassandra.ecaudit.auth.AuditAuthenticator, "+
"com.scylladb.auth.SaslauthdAuthenticator, "+
"com.scylladb.auth.TransitionalAuthenticator, "+
"com.instaclustr.cassandra.auth.InstaclustrPasswordAuthenticator")
yurishkuro marked this conversation as resolved.
Show resolved Hide resolved
}

// InitFromViper initializes Options with properties from viper
Expand Down Expand Up @@ -256,6 +271,8 @@ func (cfg *namespaceConfig) initFromViper(v *viper.Viper) {
cfg.SocketKeepAlive = v.GetDuration(cfg.namespace + suffixSocketKeepAlive)
cfg.Authenticator.Basic.Username = v.GetString(cfg.namespace + suffixUsername)
cfg.Authenticator.Basic.Password = v.GetString(cfg.namespace + suffixPassword)
authentication := stripWhiteSpace(v.GetString(cfg.namespace + suffixAuth))
cfg.Authenticator.AllowedAuthenticators = strings.Split(authentication, ",")
cfg.DisableCompression = v.GetBool(cfg.namespace + suffixDisableCompression)
var err error
cfg.TLS, err = tlsFlagsConfig.InitFromViper(v)
Expand Down
8 changes: 8 additions & 0 deletions plugin/storage/cassandra/options_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -64,17 +64,24 @@ func TestOptionsWithFlags(t *testing.T) {
"--cas.index.tag-whitelist=flerg, flarg,florg ",
"--cas.index.tags=true",
"--cas.index.process-tags=false",
"--cas.auth=org.apache.cassandra.auth.PasswordAuthenticator,com.datastax.bdp.cassandra.auth.DseAuthenticator",
"--cas.username=username",
"--cas.password=password",
// enable aux with a couple overrides
"--cas-aux.enabled=true",
"--cas-aux.keyspace=jaeger-archive",
"--cas-aux.servers=3.3.3.3, 4.4.4.4",
"--cas-aux.username=username",
"--cas-aux.password=password",
"--cas-aux.auth=org.apache.cassandra.auth.PasswordAuthenticator,com.ericsson.bss.cassandra.ecaudit.auth.AuditAuthenticator",
})
opts.InitFromViper(v)

primary := opts.GetPrimary()
assert.Equal(t, "jaeger", primary.Keyspace)
assert.Equal(t, "mojave", primary.LocalDC)
assert.Equal(t, []string{"1.1.1.1", "2.2.2.2"}, primary.Servers)
assert.Equal(t, []string{"org.apache.cassandra.auth.PasswordAuthenticator", "com.datastax.bdp.cassandra.auth.DseAuthenticator"}, primary.Authenticator.AllowedAuthenticators)
assert.Equal(t, "ONE", primary.Consistency)
assert.Equal(t, []string{"blerg", "blarg", "blorg"}, opts.TagIndexBlacklist())
assert.Equal(t, []string{"flerg", "flarg", "florg"}, opts.TagIndexWhitelist())
Expand All @@ -86,6 +93,7 @@ func TestOptionsWithFlags(t *testing.T) {
require.NotNil(t, aux)
assert.Equal(t, "jaeger-archive", aux.Keyspace)
assert.Equal(t, []string{"3.3.3.3", "4.4.4.4"}, aux.Servers)
assert.Equal(t, []string{"org.apache.cassandra.auth.PasswordAuthenticator", "com.ericsson.bss.cassandra.ecaudit.auth.AuditAuthenticator"}, aux.Authenticator.AllowedAuthenticators)
assert.Equal(t, 42, aux.ConnectionsPerHost)
assert.Equal(t, 42, aux.MaxRetryAttempts)
assert.Equal(t, 42*time.Second, aux.Timeout)
Expand Down
3 changes: 3 additions & 0 deletions plugin/storage/integration/cassandra_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -62,6 +62,9 @@ func (*CassandraStorageIntegration) initializeCassandraFactory(t *testing.T, fla

func (s *CassandraStorageIntegration) initializeCassandra(t *testing.T) {
f := s.initializeCassandraFactory(t, []string{
"--cassandra.auth=",
"--cassandra.password=password",
"--cassandra.username=username",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why does this work? Are these the default values for username/password in Cassandra image

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, I think it's because we have no auth configured on the server, so the extra auth client might send is just getting ignored.

"--cassandra.keyspace=jaeger_v1_dc1",
"--cassandra-archive.keyspace=jaeger_v1_dc1_archive",
"--cassandra-archive.enabled=true",
Expand Down
Loading