Jolokia Authentication not working
SuhailRahman opened this issue · 4 comments
Bug Report
What did you do?
I followed the steps on the Orange CassKop website to create a Jolokia-auth secret and added the statements in the cassandracluster.yaml, as shown below.
CassandraCluster
kind: "CassandraCluster"
metadata:
  name: cassandra-demo
  labels:
    cluster: k8s.kaas
spec:
  cassandraImage: devtools-docker-local.artifactory.eng.vmware.com/rsuhail/orangeopensource/cassandra:3.11
  bootstrapImage: devtools-docker-local.artifactory.eng.vmware.com/rsuhail/orangeopensource/cassandra-bootstrap:0.1.7
  configMapName: cassandra-configmap-v1
  dataCapacity: "200Mi"
  dataStorageClass: "raid-5-thin"
  imagepullpolicy: IfNotPresent
  imageJolokiaSecret:
    name: jolokia-auth
  hardAntiAffinity: false # Do we ensure only 1 cassandra on each node ?
  deletePVC: true
  autoPilot: false
  gcStdout: true
  autoUpdateSeedList: false
  maxPodUnavailable: 1
  runAsUser: 999
  resources:
    requests:
      cpu: '1'
      memory: 2Gi
    limits:
      cpu: '1'
      memory: 2Gi
  topology:
    dc:
      - name: dc1
        nodesPerRacks: 1
        rack:
          - name: rack1
          - name: rack2
          - name: rack3
Jolokia Secret File
apiVersion: v1
kind: Secret
metadata:
  name: jolokia-auth
type: Opaque
data:
  password: cGFzc3dvcmQK
  username: c3VoYWls
$ kubectl get po
NAME                                         READY   STATUS    RESTARTS   AGE
cassandra-demo-dc1-rack1-0                   2/2     Running   0          15h
cassandra-demo-dc1-rack2-0                   2/2     Running   0          15h
cassandra-demo-dc1-rack3-0                   2/2     Running   0          14h
casskop-cassandra-operator-b8dc4c587-xkg57   1/1     Running   0          23h
# Enable Jolokia
JVM_OPTS="$JVM_OPTS -javaagent:/extra-lib/jolokia-agent.jar=host=0.0.0.0,executor=fixed,authMode=basic,user=suhail,password=password
"
cassandra@cassandra-demo-dc1-rack2-0:/$ cqlsh -u cassandra
Warning: Cannot create directory at `/home/cassandra/.cassandra`. Command history will not be saved.
Password:
Connected to cassandra-demo at 127.0.0.1:9042.
[cqlsh 5.0.1 | Cassandra 3.11.9 | CQL spec 3.4.4 | Native protocol v4]
Use HELP for help.
cassandra@cqlsh> list roles;
role | super | login | options
-----------+-------+-------+---------
cassandra | True | True | {}
What did you expect to see?
On running the command cqlsh -u suhail -p password inside the cassandra-demo-dc1-rack1-0 pod, it should authenticate inside the cqlsh terminal.
What did you see instead? Under which circumstances?
It returns:
Connection error: ('Unable to connect to any servers', {'127.0.0.1': AuthenticationFailed('Failed to authenticate to 127.0.0.1: Error from server: code=0100 [Bad credentials] message="Provided username suhail and/or password are incorrect"',)})
Environment
- casskop version:
Version = "1.1.2"
- Kubernetes version information:
Client Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.3", GitCommit:"1e11e4a2108024935ecfcb2912226cedeafd99df", GitTreeState:"clean", BuildDate:"2020-10-14T12:50:19Z", GoVersion:"go1.15.2", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"16", GitVersion:"v1.16.3+vmware.1", GitCommit:"e217534f4f3b1a34bff302c8410b28229690cdfd", GitTreeState:"clean", BuildDate:"2019-11-13T22:18:20Z", GoVersion:"go1.12.12", Compiler:"gc", Platform:"linux/amd64"}
- Kubernetes cluster kind:
Google Compute engine
- Cassandra version:
Cassandra 3.11.9
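Added example, not part of the original issue or of CassKop's code: the `password` value in the Secret posted above decodes to `password` followed by a newline, which matches the line break before the closing quote in the JVM_OPTS line. The check below flags such values; the helper names `check_secret_value` and `encode_secret_value` are hypothetical, and this is separate from the cqlsh login failure addressed in the replies.

```shell
#!/bin/sh
# Added example. The two base64 strings are the data values from the Secret
# posted in the issue; the function names are hypothetical helpers.

NL='
'
TAB=$(printf '\t')

# Decode one Secret data value and report whether the decoded bytes end in
# whitespace. Prints "trailing-whitespace" or "clean".
check_secret_value() {
    # The sentinel "x" keeps $(...) from stripping a trailing newline.
    decoded=$(printf '%s' "$1" | base64 -d; printf x)
    decoded=${decoded%x}
    case "$decoded" in
        *"$NL" | *" " | *"$TAB") echo "trailing-whitespace" ;;
        *) echo "clean" ;;
    esac
}

# Encode exactly the bytes given. printf '%s' adds no newline, unlike echo.
encode_secret_value() {
    printf '%s' "$1" | base64
}

echo "password: $(check_secret_value cGFzc3dvcmQK)"
echo "username: $(check_secret_value c3VoYWls)"
echo "re-encoded password: $(encode_secret_value password)"
```

Creating the Secret with `kubectl create secret generic jolokia-auth --from-literal=...` or with a `stringData` field avoids hand-encoding the values.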
@SuhailRahman You're confounding JMX authentication and Cassandra authentication. Those are 2 different things. If you want to authenticate with Cassandra you need to overwrite the default configuration file using a ConfigMap and update https://github.com/Orange-OpenSource/casskop/blob/master/docker/bootstrap/files/cassandra.yaml#L92-L110. Then it'll use cassandra/cassandra login/password by default and you'll have to create/update your passwords using cql or your favorite IDE. CassKop doesn't run any CQL statements.
@cscetbon is there a reason why CassKop doesn't run any cqlsh statements? Would you be interested in a PR where Casskop supports the creation of custom users after Cassandra is started?
@ajaybhat yes, that was a decision that was made when we started to avoid any interaction with the database as long as possible. Avoid any dependency on cql and only interact with Jolokia that we set up. If we wanted to add the creation of users or anything else, we would add a sidecar in order to do that. Right now it's done as an operation on the side by the users of the Cluster database, when CassKop only manages the cluster/nodes.