Cassandra Authentication for SSL
238 views
Skip to first unread message
Taylor Thomas
Feb 8, 2017, 1:32:48 PM2/8/17
to KairosDB
I am working on connecting Kairos to our Cassandra instance that is running SSL. For the life of me I can't find any examples on how to specify the certificate in kairosdb.properties. The only examples are "user" and "password" and I am unsure what the property name is for specifying the ssl configuration. Does anyone have experience with this?
Benjamin Coetzer
Feb 9, 2017, 10:15:49 AM2/9/17
to KairosDB
Hi Taylor Thomas
I'm afraid I don't have much to add in terms of troubleshooting but I'd like to mention that I too have been trying to get KairosDB configured to work with cassandra thats setup with internode and server-client SSL certificates. If you manage to find anything please do let me know - similarly I will do the same.
I'm afraid I don't have much to add in terms of troubleshooting but I'd like to mention that I too have been trying to get KairosDB configured to work with cassandra thats setup with internode and server-client SSL certificates. If you manage to find anything please do let me know - similarly I will do the same.
Brian Hawkins
Feb 9, 2017, 10:45:22 AM2/9/17
to KairosDB
I'm not sure you can setup an SSL connection with hector. The CQL code I'm working on now will support ssl.
Brian
Taylor Thomas
Feb 9, 2017, 1:31:29 PM2/9/17
to KairosDB
That is great to hear Brian! Do you have a link to the code or a PR somewhere that I can follow along with?
Brian Hawkins
Feb 9, 2017, 3:57:10 PM2/9/17
to KairosDB
feature/cql branch
Taylor Thomas
Feb 9, 2017, 4:59:13 PM2/9/17
to KairosDB
Thanks!
Matt Potter
Sep 7, 2017, 6:14:38 PM9/7/17
to KairosDB
Taylor,
I hit the same issue with the current release version of KairosDB 1.1.3. My solution probably does not apply to the new beta that uses the native protocol. Hope it will support SSL too and mention example of how to set that up.
Anyway here's what worked for me:
- Grabbed the X.509 CA cert via OpsCenter via LCM link in the Cluster Details for your cluster definition and copied it to my KairosDB machine
- On the KairosDB machine I created a Java Keystore using this cert like this:
- /opt/jdk1.8.0_141/bin/keytool -import -alias cacert -file ~/.cassandra/cacert.crt -keystore truststore.jks
- pick a password (exa: foopass)... well maybe pick a 'good' password 8)
- enter 'yes' to Trust this certificate?
- Alternative to 1&2 is to grab the existing JKS client truststore file from a DSE node (exa: /etc/dse/keystores/client.keystore) and share the password the admin used to make this for cassandra. Either way you should now have a JKS truststore file specific to the target cluster you want to connect to on your KairosDB machine.
- Edit the /opt/kairosdb/bin/kairosdb-env.sh file and add the following -D switches to JAVA_OPTS:
- JAVA_OPTS="-Dssl.truststore=/opt/kairosdb/ssl/truststore.jks -Dssl.truststore.password=foopass"
- service kairosdb restart
I also got tripped up a bit on some confusing reference to the auth key name "user" and "password" in the docs, but the actual settings that worked for the authorization for Cassandra were like this:
kairosdb.datastore.cassandra.auth.username=cassandra
kairosdb.datastore.cassandra.auth.password=randomgibberishdsnfadfsaHope this helps.
-Matt
Matt Potter
Sep 7, 2017, 6:17:55 PM9/7/17
to KairosDB
Brain,
Awesome, will give it a try once its released. Unfortunately I'm required to stick to release distro only so I posted some notes on getting the 1.1.3 over Hector/Thrift working.
On Thursday, February 9, 2017 at 7:45:22 AM UTC-8, Brian Hawkins wrote:
Reply all
Reply to author
Forward
0 new messages