From 7bb82592ebc979083d06111bf88ff20e7789e12f Mon Sep 17 00:00:00 2001 From: mehul gautam Date: Sat, 15 Jun 2024 02:23:57 +0530 Subject: [PATCH 1/9] added more options auth for cassandra Signed-off-by: mehul gautam --- pkg/cassandra/config/config.go | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/pkg/cassandra/config/config.go b/pkg/cassandra/config/config.go index e898b74d6f6..b2142327ce2 100644 --- a/pkg/cassandra/config/config.go +++ b/pkg/cassandra/config/config.go @@ -48,6 +48,21 @@ type Configuration struct { TLS tlscfg.Options `mapstructure:"tls"` } +var ( + defaultApprovedAuthenticators = []string{ + "org.apache.cassandra.auth.PasswordAuthenticator", + "com.instaclustr.cassandra.auth.SharedSecretAuthenticator", + "com.datastax.bdp.cassandra.auth.DseAuthenticator", + "io.aiven.cassandra.auth.AivenAuthenticator", + "com.ericsson.bss.cassandra.ecaudit.auth.AuditPasswordAuthenticator", + "com.amazon.helenus.auth.HelenusAuthenticator", + "com.ericsson.bss.cassandra.ecaudit.auth.AuditAuthenticator", + "com.scylladb.auth.SaslauthdAuthenticator", + "com.scylladb.auth.TransitionalAuthenticator", + "com.instaclustr.cassandra.auth.InstaclustrPasswordAuthenticator", + } +) + // Authenticator holds the authentication properties needed to connect to a Cassandra cluster type Authenticator struct { Basic BasicAuthenticator `yaml:"basic" mapstructure:",squash"` @@ -143,8 +158,9 @@ func (c *Configuration) NewCluster(logger *zap.Logger) (*gocql.ClusterConfig, er if c.Authenticator.Basic.Username != "" && c.Authenticator.Basic.Password != "" { cluster.Authenticator = gocql.PasswordAuthenticator{ - Username: c.Authenticator.Basic.Username, - Password: c.Authenticator.Basic.Password, + Username: c.Authenticator.Basic.Username, + Password: c.Authenticator.Basic.Password, + AllowedAuthenticators: defaultApprovedAuthenticators, } } tlsCfg, err := c.TLS.Config(logger) From e8775e7f67af4495857798d158910654e431727c Mon Sep 17 00:00:00 2001 
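Review bot: `defaultApprovedAuthenticators` in the first hunk is added without a comment saying where its ten class names come from or who keeps them current. It is also a package-level slice handed by reference to every `gocql.PasswordAuthenticator` built in the `NewCluster` hunk, so a write through one cluster config would change the allow-list for all of them. Judging by the field name, this list decides which server-side authenticators may receive the configured password, so I would document it, e.g. `// defaultApprovedAuthenticators lists the server authenticator classes that may receive the configured username and password.`, and pass a copy at the use site: `AllowedAuthenticators: append([]string(nil), defaultApprovedAuthenticators...),`. The one-entry `var ( ... )` group can be a plain `var`.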
From: mehul gautam Date: Sat, 15 Jun 2024 03:34:10 +0530 Subject: [PATCH 2/9] added AllowedAuthenticators Signed-off-by: mehul gautam --- pkg/cassandra/config/config.go | 21 +++------------------ 1 file changed, 3 insertions(+), 18 deletions(-) diff --git a/pkg/cassandra/config/config.go b/pkg/cassandra/config/config.go index b2142327ce2..4e71584301b 100644 --- a/pkg/cassandra/config/config.go +++ b/pkg/cassandra/config/config.go @@ -48,25 +48,10 @@ type Configuration struct { TLS tlscfg.Options `mapstructure:"tls"` } -var ( - defaultApprovedAuthenticators = []string{ - "org.apache.cassandra.auth.PasswordAuthenticator", - "com.instaclustr.cassandra.auth.SharedSecretAuthenticator", - "com.datastax.bdp.cassandra.auth.DseAuthenticator", - "io.aiven.cassandra.auth.AivenAuthenticator", - "com.ericsson.bss.cassandra.ecaudit.auth.AuditPasswordAuthenticator", - "com.amazon.helenus.auth.HelenusAuthenticator", - "com.ericsson.bss.cassandra.ecaudit.auth.AuditAuthenticator", - "com.scylladb.auth.SaslauthdAuthenticator", - "com.scylladb.auth.TransitionalAuthenticator", - "com.instaclustr.cassandra.auth.InstaclustrPasswordAuthenticator", - } -) - // Authenticator holds the authentication properties needed to connect to a Cassandra cluster type Authenticator struct { - Basic BasicAuthenticator `yaml:"basic" mapstructure:",squash"` - // TODO: add more auth types + Basic BasicAuthenticator `yaml:"basic" mapstructure:",squash"` + AllowedAuthenticators []string `yaml:"allowedAuthenticators" mapstructure:"allowedAuthenticators"` } // BasicAuthenticator holds the username and password for a password authenticator for a Cassandra cluster 
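Review bot: The new `AllowedAuthenticators` field has no comment, and this hunk replaces the fixed default list with whatever the operator configures, so the meaning of an unset value needs to be written down. Nothing visible here says what a nil or empty slice does; presumably gocql falls back to its own approved list, which should be confirmed and then stated, e.g. `// AllowedAuthenticators restricts which server authenticator classes may receive the Basic credentials; empty defers to the gocql default.` The field is still undocumented when it is renamed in patch 6 and moved into `BasicAuthenticator` in patch 9.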
@@ -160,7 +145,7 @@ func (c *Configuration) NewCluster(logger *zap.Logger) (*gocql.ClusterConfig, er cluster.Authenticator = gocql.PasswordAuthenticator{ Username: c.Authenticator.Basic.Username, Password: c.Authenticator.Basic.Password, - AllowedAuthenticators: defaultApprovedAuthenticators, + AllowedAuthenticators: c.Authenticator.AllowedAuthenticators, } } tlsCfg, err := c.TLS.Config(logger) From 9346d167e6d3bc469d672d76a437442de212f3ef Mon Sep 17 00:00:00 2001 From: mehul gautam Date: Sun, 16 Jun 2024 16:52:11 +0530 Subject: [PATCH 3/9] added aiven auth Signed-off-by: mehul gautam --- pkg/cassandra/config/config.go | 44 ++++++++++++++++++++++++++++++---- 1 file changed, 39 insertions(+), 5 deletions(-) diff --git a/pkg/cassandra/config/config.go b/pkg/cassandra/config/config.go index 4e71584301b..b042fa2866c 100644 --- a/pkg/cassandra/config/config.go +++ b/pkg/cassandra/config/config.go @@ -50,8 +50,9 @@ type Configuration struct { // Authenticator holds the authentication properties needed to connect to a Cassandra cluster type Authenticator struct { - Basic BasicAuthenticator `yaml:"basic" mapstructure:",squash"` - AllowedAuthenticators []string `yaml:"allowedAuthenticators" mapstructure:"allowedAuthenticators"` + Basic BasicAuthenticator `yaml:"basic" mapstructure:",squash"` + AivenAuthenticator string `yaml:"aiven_authenticator" mapstructure:"aiven_authenticator"` + // TODO: add more auth types } // BasicAuthenticator holds the username and password for a password authenticator for a Cassandra cluster 
@@ -143,11 +144,14 @@ func (c *Configuration) NewCluster(logger *zap.Logger) (*gocql.ClusterConfig, er if c.Authenticator.Basic.Username != "" && c.Authenticator.Basic.Password != "" { cluster.Authenticator = gocql.PasswordAuthenticator{ - Username: c.Authenticator.Basic.Username, - Password: c.Authenticator.Basic.Password, - AllowedAuthenticators: c.Authenticator.AllowedAuthenticators, + Username: c.Authenticator.Basic.Username, + Password: c.Authenticator.Basic.Password, } + } else if c.Authenticator.AivenAuthenticator == "aiven" { + auth, _ := getAivenAuthenticator(c.Authenticator.AivenAuthenticator, c.Authenticator.Basic.Username, c.Authenticator.Basic.Password) + cluster.Authenticator = auth } + tlsCfg, err := c.TLS.Config(logger) if err != nil { return nil, err @@ -177,3 +181,33 @@ func (c *Configuration) Validate() error { _, err := govalidator.ValidateStruct(c) return err } + +func getAivenAuthenticator(authenticatorName, username, password string) (gocql.Authenticator, error) { + switch authenticatorName { + case "aiven": + return &AivenAuthenticator{ + Username: username, + Password: password, + }, nil + default: + return nil, fmt.Errorf("unsupported authenticator: %s", authenticatorName) + } +} + +// AivenAuthenticator implementation +type AivenAuthenticator struct { + Username string + Password string +} + +func (a *AivenAuthenticator) InitialResponse() ([]byte, error) { + return []byte(a.Username + "\x00" + a.Password), nil +} + +func (a *AivenAuthenticator) Challenge(challenge []byte) ([]byte, gocql.Authenticator, error) { + return nil, nil, nil +} + +func (a *AivenAuthenticator) Success(data []byte) error { + return nil +} From 4e4450c3655b807f9dc329c0eea17f9306a08320 Mon Sep 17 00:00:00 2001 From: mehul gautam Date: Sun, 16 Jun 2024 21:05:13 +0530 Subject: [PATCH 4/9] reverting back Signed-off-by: mehul gautam --- pkg/cassandra/config/config.go | 44 ++++------------------------------ 1 file changed, 5 insertions(+), 39 deletions(-) 
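Review bot: The new `else if` branch in `NewCluster` is only reached when `Username` or `Password` is empty, so the Aiven authenticator is always built from incomplete credentials; select on the configured authenticator name before the username/password check instead. The error is discarded with `auth, _ :=`; it cannot fire today because the branch condition equals the only `case`, but a later change to either side would silently assign a nil authenticator, so use `auth, err := getAivenAuthenticator(...)` followed by `if err != nil { return nil, err }`. The same hunk drops `AllowedAuthenticators` from the `gocql.PasswordAuthenticator` literal, so the operator's allow-list from patch 2 no longer reaches the driver. `NewCluster` starts and ends outside the hunk.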
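Review bot: `AivenAuthenticator.Challenge` ignores its `challenge` argument and returns `nil, nil, nil`, so it never checks which authenticator the server announced. As far as I know `gocql.PasswordAuthenticator` does make that check, and gocql drives the handshake through `Challenge`, in which case the bytes built in `InitialResponse` would never be sent; both points should be confirmed against the vendored gocql. To fail closed, return `nil, nil, fmt.Errorf("unexpected authenticator class %q", challenge)` for any class other than the Aiven one. `InitialResponse` joins the fields as `Username + "\x00" + Password`, whereas SASL PLAIN normally starts with a NUL for the empty authorization identity, so verify the wire format the server expects. The exported type and its three methods also need real doc comments; `// AivenAuthenticator implementation` says nothing about the credential handling.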
diff --git a/pkg/cassandra/config/config.go b/pkg/cassandra/config/config.go index b042fa2866c..4e71584301b 100644 --- a/pkg/cassandra/config/config.go +++ b/pkg/cassandra/config/config.go @@ -50,9 +50,8 @@ type Configuration struct { // Authenticator holds the authentication properties needed to connect to a Cassandra cluster type Authenticator struct { - Basic BasicAuthenticator `yaml:"basic" mapstructure:",squash"` - AivenAuthenticator string `yaml:"aiven_authenticator" mapstructure:"aiven_authenticator"` - // TODO: add more auth types + Basic BasicAuthenticator `yaml:"basic" mapstructure:",squash"` + AllowedAuthenticators []string `yaml:"allowedAuthenticators" mapstructure:"allowedAuthenticators"` } // BasicAuthenticator holds the username and password for a password authenticator for a Cassandra cluster @@ -144,14 +143,11 @@ func (c *Configuration) NewCluster(logger *zap.Logger) (*gocql.ClusterConfig, er if c.Authenticator.Basic.Username != "" && c.Authenticator.Basic.Password != "" { cluster.Authenticator = gocql.PasswordAuthenticator{ - Username: c.Authenticator.Basic.Username, - Password: c.Authenticator.Basic.Password, + Username: c.Authenticator.Basic.Username, + Password: c.Authenticator.Basic.Password, + AllowedAuthenticators: c.Authenticator.AllowedAuthenticators, } - } else if c.Authenticator.AivenAuthenticator == "aiven" { - auth, _ := getAivenAuthenticator(c.Authenticator.AivenAuthenticator, c.Authenticator.Basic.Username, c.Authenticator.Basic.Password) - cluster.Authenticator = auth } - tlsCfg, err := c.TLS.Config(logger) if err != nil { return nil, err 
@@ -181,33 +177,3 @@ func (c *Configuration) Validate() error { _, err := govalidator.ValidateStruct(c) return err } - -func getAivenAuthenticator(authenticatorName, username, password string) (gocql.Authenticator, error) { - switch authenticatorName { - case "aiven": - return &AivenAuthenticator{ - Username: username, - Password: password, - }, nil - default: - return nil, fmt.Errorf("unsupported authenticator: %s", authenticatorName) - } -} - -// AivenAuthenticator implementation -type AivenAuthenticator struct { - Username string - Password string -} - -func (a *AivenAuthenticator) InitialResponse() ([]byte, error) { - return []byte(a.Username + "\x00" + a.Password), nil -} - -func (a *AivenAuthenticator) Challenge(challenge []byte) ([]byte, gocql.Authenticator, error) { - return nil, nil, nil -} - -func (a *AivenAuthenticator) Success(data []byte) error { - return nil -} From 279ab596e5cdf57540f710671f8dc1b2f9be85f2 Mon Sep 17 00:00:00 2001 From: mehul gautam Date: Mon, 17 Jun 2024 00:23:00 +0530 Subject: [PATCH 5/9] added flags for auth Signed-off-by: mehul gautam --- plugin/storage/cassandra/options.go | 8 +++++++- plugin/storage/cassandra/options_test.go | 4 ++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/plugin/storage/cassandra/options.go b/plugin/storage/cassandra/options.go index b2e76b24710..3e946fc3b8c 100644 --- a/plugin/storage/cassandra/options.go +++ b/plugin/storage/cassandra/options.go @@ -45,7 +45,7 @@ const ( suffixSocketKeepAlive = ".socket-keep-alive" suffixUsername = ".username" suffixPassword = ".password" - + suffixAuth = ".auth" // common storage settings suffixSpanStoreWriteCacheTTL = ".span-store-write-cache-ttl" suffixIndexTagsBlacklist = ".index.tag-blacklist" 
@@ -214,6 +214,10 @@ func addFlags(flagSet *flag.FlagSet, nsConfig namespaceConfig) { nsConfig.namespace+suffixPassword, nsConfig.Authenticator.Basic.Password, "Password for password authentication for Cassandra") + flagSet.String( + nsConfig.namespace+suffixAuth, + "", + "The comma-separated list of Allowed password authentication for Cassandra.") } // InitFromViper initializes Options with properties from viper @@ -256,6 +260,8 @@ func (cfg *namespaceConfig) initFromViper(v *viper.Viper) { cfg.SocketKeepAlive = v.GetDuration(cfg.namespace + suffixSocketKeepAlive) cfg.Authenticator.Basic.Username = v.GetString(cfg.namespace + suffixUsername) cfg.Authenticator.Basic.Password = v.GetString(cfg.namespace + suffixPassword) + authentication := stripWhiteSpace(v.GetString(cfg.namespace + suffixAuth)) + cfg.Authenticator.AllowedAuthenticators = strings.Split(authentication, ",") cfg.DisableCompression = v.GetBool(cfg.namespace + suffixDisableCompression) var err error cfg.TLS, err = tlsFlagsConfig.InitFromViper(v) diff --git a/plugin/storage/cassandra/options_test.go b/plugin/storage/cassandra/options_test.go index 57c8ddbfe19..6436d2691ef 100644 --- a/plugin/storage/cassandra/options_test.go +++ b/plugin/storage/cassandra/options_test.go @@ -64,10 +64,12 @@ func TestOptionsWithFlags(t *testing.T) { "--cas.index.tag-whitelist=flerg, flarg,florg ", "--cas.index.tags=true", "--cas.index.process-tags=false", + "--cas.auth=org.apache.cassandra.auth.PasswordAuthenticator,com.datastax.bdp.cassandra.auth.DseAuthenticator", // enable aux with a couple overrides "--cas-aux.enabled=true", "--cas-aux.keyspace=jaeger-archive", "--cas-aux.servers=3.3.3.3, 4.4.4.4", + "--cas-aux.auth=org.apache.cassandra.auth.PasswordAuthenticator,com.ericsson.bss.cassandra.ecaudit.auth.AuditAuthenticator", }) opts.InitFromViper(v) 
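Review bot: When the flag is unset, `strings.Split(authentication, ",")` in `initFromViper` returns `[]string{""}`, not an empty slice, so `AllowedAuthenticators` always reaches the driver as a non-empty list. If gocql falls back to its default approved list only for a zero-length slice (which is how I read its check), a deployment that sets username and password but not this flag would be limited to an authenticator named `""`, and every password handshake would be refused. Guard the split, `if authentication != "" { cfg.Authenticator.AllowedAuthenticators = strings.Split(authentication, ",") }`, and drop empty elements from input such as `a,,b`. The same line is carried unchanged into the patch 9 hunk `@@ -264,7 +264,7 @@`, where the field is `cfg.Authenticator.Basic.AllowedAuthenticators`. `initFromViper` starts and ends outside the hunk.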
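Review bot: Both flag values added to `TestOptionsWithFlags` are well-formed two-element lists, so the unset or empty flag is never exercised, and that is the case where the split in `initFromViper` yields `[]string{""}`. Add a separate test that leaves `--cas.auth` out and asserts the resulting list is empty, e.g. `assert.Empty(t, primary.Authenticator.AllowedAuthenticators)`. The assertions for the populated lists are in the later hunks of the same test.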
@@ -75,6 +77,7 @@ func TestOptionsWithFlags(t *testing.T) { assert.Equal(t, "jaeger", primary.Keyspace) assert.Equal(t, "mojave", primary.LocalDC) assert.Equal(t, []string{"1.1.1.1", "2.2.2.2"}, primary.Servers) + assert.Equal(t, []string{"org.apache.cassandra.auth.PasswordAuthenticator", "com.datastax.bdp.cassandra.auth.DseAuthenticator"}, primary.Authenticator.AllowedAuthenticators) assert.Equal(t, "ONE", primary.Consistency) assert.Equal(t, []string{"blerg", "blarg", "blorg"}, opts.TagIndexBlacklist()) assert.Equal(t, []string{"flerg", "flarg", "florg"}, opts.TagIndexWhitelist()) @@ -86,6 +89,7 @@ func TestOptionsWithFlags(t *testing.T) { require.NotNil(t, aux) assert.Equal(t, "jaeger-archive", aux.Keyspace) assert.Equal(t, []string{"3.3.3.3", "4.4.4.4"}, aux.Servers) + assert.Equal(t, []string{"org.apache.cassandra.auth.PasswordAuthenticator", "com.ericsson.bss.cassandra.ecaudit.auth.AuditAuthenticator"}, aux.Authenticator.AllowedAuthenticators) assert.Equal(t, 42, aux.ConnectionsPerHost) assert.Equal(t, 42, aux.MaxRetryAttempts) assert.Equal(t, 42*time.Second, aux.Timeout) From 504ac076aa5c99dfc244a526195a6b316ed53ee7 Mon Sep 17 00:00:00 2001 From: mehul gautam Date: Tue, 18 Jun 2024 02:12:35 +0530 Subject: [PATCH 6/9] updated integration test for cassandra Signed-off-by: mehul gautam --- pkg/cassandra/config/config.go | 2 +- plugin/storage/cassandra/options.go | 17 ++++++++++++++--- plugin/storage/integration/cassandra_test.go | 3 +++ 3 files changed, 18 insertions(+), 4 deletions(-) diff --git a/pkg/cassandra/config/config.go b/pkg/cassandra/config/config.go index 4e71584301b..56779539eca 100644 --- a/pkg/cassandra/config/config.go +++ b/pkg/cassandra/config/config.go 
@@ -51,7 +51,7 @@ type Configuration struct { // Authenticator holds the authentication properties needed to connect to a Cassandra cluster type Authenticator struct { Basic BasicAuthenticator `yaml:"basic" mapstructure:",squash"` - AllowedAuthenticators []string `yaml:"allowedAuthenticators" mapstructure:"allowedAuthenticators"` + AllowedAuthenticators []string `yaml:"allowed_authenticators" mapstructure:"allowed_authenticators"` } // BasicAuthenticator holds the username and password for a password authenticator for a Cassandra cluster diff --git a/plugin/storage/cassandra/options.go b/plugin/storage/cassandra/options.go index 3e946fc3b8c..d1c4e049192 100644 --- a/plugin/storage/cassandra/options.go +++ b/plugin/storage/cassandra/options.go @@ -215,9 +215,20 @@ func addFlags(flagSet *flag.FlagSet, nsConfig namespaceConfig) { nsConfig.Authenticator.Basic.Password, "Password for password authentication for Cassandra") flagSet.String( - nsConfig.namespace+suffixAuth, - "", - "The comma-separated list of Allowed password authentication for Cassandra.") + nsConfig.namespace + suffixAuth, + "", + "The comma-separated list of Allowed password authenticators for Cassandra.\n" + + "list of acceptable strings: " + + "org.apache.cassandra.auth.PasswordAuthenticator, " + + "com.instaclustr.cassandra.auth.SharedSecretAuthenticator, " + + "com.datastax.bdp.cassandra.auth.DseAuthenticator, " + + "io.aiven.cassandra.auth.AivenAuthenticator, " + + "com.ericsson.bss.cassandra.ecaudit.auth.AuditPasswordAuthenticator, " + + "com.amazon.helenus.auth.HelenusAuthenticator, " + + "com.ericsson.bss.cassandra.ecaudit.auth.AuditAuthenticator, " + + "com.scylladb.auth.SaslauthdAuthenticator, " + + "com.scylladb.auth.TransitionalAuthenticator, " + + "com.instaclustr.cassandra.auth.InstaclustrPasswordAuthenticator") } // InitFromViper initializes Options with properties from viper 
diff --git a/plugin/storage/integration/cassandra_test.go b/plugin/storage/integration/cassandra_test.go index f61af7d1f84..3c8dfb409c0 100644 --- a/plugin/storage/integration/cassandra_test.go +++ b/plugin/storage/integration/cassandra_test.go @@ -62,6 +62,9 @@ func (*CassandraStorageIntegration) initializeCassandraFactory(t *testing.T, fla func (s *CassandraStorageIntegration) initializeCassandra(t *testing.T) { f := s.initializeCassandraFactory(t, []string{ + "--cassandra.auth=", + "--cassandra.password=password", + "--cassandra.username=username", "--cassandra.keyspace=jaeger_v1_dc1", "--cassandra-archive.keyspace=jaeger_v1_dc1_archive", "--cassandra-archive.enabled=true", From 1959b26737d481125b47f0e3a48dc05a5d483819 Mon Sep 17 00:00:00 2001 From: mehul gautam Date: Tue, 18 Jun 2024 02:29:06 +0530 Subject: [PATCH 7/9] added flags Signed-off-by: mehul gautam --- plugin/storage/cassandra/options.go | 28 ++++++++++++------------ plugin/storage/cassandra/options_test.go | 4 ++++ 2 files changed, 18 insertions(+), 14 deletions(-) diff --git a/plugin/storage/cassandra/options.go b/plugin/storage/cassandra/options.go index d1c4e049192..71e9ba873e2 100644 --- a/plugin/storage/cassandra/options.go +++ b/plugin/storage/cassandra/options.go 
@@ -215,20 +215,20 @@ func addFlags(flagSet *flag.FlagSet, nsConfig namespaceConfig) { nsConfig.Authenticator.Basic.Password, "Password for password authentication for Cassandra") flagSet.String( - nsConfig.namespace + suffixAuth, - "", - "The comma-separated list of Allowed password authenticators for Cassandra.\n" + - "list of acceptable strings: " + - "org.apache.cassandra.auth.PasswordAuthenticator, " + - "com.instaclustr.cassandra.auth.SharedSecretAuthenticator, " + - "com.datastax.bdp.cassandra.auth.DseAuthenticator, " + - "io.aiven.cassandra.auth.AivenAuthenticator, " + - "com.ericsson.bss.cassandra.ecaudit.auth.AuditPasswordAuthenticator, " + - "com.amazon.helenus.auth.HelenusAuthenticator, " + - "com.ericsson.bss.cassandra.ecaudit.auth.AuditAuthenticator, " + - "com.scylladb.auth.SaslauthdAuthenticator, " + - "com.scylladb.auth.TransitionalAuthenticator, " + - "com.instaclustr.cassandra.auth.InstaclustrPasswordAuthenticator") + nsConfig.namespace+suffixAuth, + "", + "The comma-separated list of Allowed password authenticators for Cassandra.\n"+ + "list of acceptable strings: "+ + "org.apache.cassandra.auth.PasswordAuthenticator, "+ + "com.instaclustr.cassandra.auth.SharedSecretAuthenticator, "+ + "com.datastax.bdp.cassandra.auth.DseAuthenticator, "+ + "io.aiven.cassandra.auth.AivenAuthenticator, "+ + "com.ericsson.bss.cassandra.ecaudit.auth.AuditPasswordAuthenticator, "+ + "com.amazon.helenus.auth.HelenusAuthenticator, "+ + "com.ericsson.bss.cassandra.ecaudit.auth.AuditAuthenticator, "+ + "com.scylladb.auth.SaslauthdAuthenticator, "+ + "com.scylladb.auth.TransitionalAuthenticator, "+ + "com.instaclustr.cassandra.auth.InstaclustrPasswordAuthenticator") } // InitFromViper initializes Options with properties from viper diff --git a/plugin/storage/cassandra/options_test.go b/plugin/storage/cassandra/options_test.go index 6436d2691ef..e9c20a1403b 100644 --- a/plugin/storage/cassandra/options_test.go +++ b/plugin/storage/cassandra/options_test.go 
@@ -65,10 +65,14 @@ func TestOptionsWithFlags(t *testing.T) { "--cas.index.tags=true", "--cas.index.process-tags=false", "--cas.auth=org.apache.cassandra.auth.PasswordAuthenticator,com.datastax.bdp.cassandra.auth.DseAuthenticator", + "--cas.username=username", + "--cas.password=password", // enable aux with a couple overrides "--cas-aux.enabled=true", "--cas-aux.keyspace=jaeger-archive", "--cas-aux.servers=3.3.3.3, 4.4.4.4", + "--cas-aux.username=username", + "--cas-aux.password=password", "--cas-aux.auth=org.apache.cassandra.auth.PasswordAuthenticator,com.ericsson.bss.cassandra.ecaudit.auth.AuditAuthenticator", }) opts.InitFromViper(v) From 0c892c7d3f61bb0100c48c907c613463d3d8d9f4 Mon Sep 17 00:00:00 2001 From: mehul gautam Date: Tue, 18 Jun 2024 03:14:09 +0530 Subject: [PATCH 8/9] update flag description Signed-off-by: mehul gautam --- plugin/storage/cassandra/options.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugin/storage/cassandra/options.go b/plugin/storage/cassandra/options.go index 71e9ba873e2..13f3330a35e 100644 --- a/plugin/storage/cassandra/options.go +++ b/plugin/storage/cassandra/options.go @@ -217,7 +217,7 @@ func addFlags(flagSet *flag.FlagSet, nsConfig namespaceConfig) { flagSet.String( nsConfig.namespace+suffixAuth, "", - "The comma-separated list of Allowed password authenticators for Cassandra.\n"+ + "(the authentication is only handled by server)The comma-separated list of Allowed password authenticators for Cassandra.\n"+ "list of acceptable strings: "+ "org.apache.cassandra.auth.PasswordAuthenticator, "+ "com.instaclustr.cassandra.auth.SharedSecretAuthenticator, "+ From 82204d41baf43d5b5a8de5e0508fe9cba3861751 Mon Sep 17 00:00:00 2001 From: mehul gautam Date: Tue, 18 Jun 2024 03:42:33 +0530 Subject: [PATCH 9/9] updated flag 
Signed-off-by: mehul gautam --- pkg/cassandra/config/config.go | 11 ++++++----- plugin/storage/cassandra/options.go | 20 ++++++-------------- plugin/storage/cassandra/options_test.go | 8 ++++---- plugin/storage/integration/cassandra_test.go | 2 +- 4 files changed, 17 insertions(+), 24 deletions(-) diff --git a/pkg/cassandra/config/config.go b/pkg/cassandra/config/config.go index 56779539eca..5b383851ea5 100644 --- a/pkg/cassandra/config/config.go +++ b/pkg/cassandra/config/config.go @@ -50,14 +50,15 @@ type Configuration struct { // Authenticator holds the authentication properties needed to connect to a Cassandra cluster type Authenticator struct { - Basic BasicAuthenticator `yaml:"basic" mapstructure:",squash"` - AllowedAuthenticators []string `yaml:"allowed_authenticators" mapstructure:"allowed_authenticators"` + Basic BasicAuthenticator `yaml:"basic" mapstructure:",squash"` + // TODO: add more auth types } // BasicAuthenticator holds the username and password for a password authenticator for a Cassandra cluster type BasicAuthenticator struct { - Username string `yaml:"username" mapstructure:"username"` - Password string `yaml:"password" mapstructure:"password" json:"-"` + Username string `yaml:"username" mapstructure:"username"` + Password string `yaml:"password" mapstructure:"password" json:"-"` + AllowedAuthenticators []string `yaml:"allowed_authenticators" mapstructure:"allowed_authenticators"` } // ApplyDefaults copies settings from source unless its own value is non-zero. @@ -145,7 +146,7 @@ func (c *Configuration) NewCluster(logger *zap.Logger) (*gocql.ClusterConfig, er cluster.Authenticator = gocql.PasswordAuthenticator{ Username: c.Authenticator.Basic.Username, Password: c.Authenticator.Basic.Password, - AllowedAuthenticators: c.Authenticator.AllowedAuthenticators, + AllowedAuthenticators: c.Authenticator.Basic.AllowedAuthenticators, } } tlsCfg, err := c.TLS.Config(logger) 
diff --git a/plugin/storage/cassandra/options.go b/plugin/storage/cassandra/options.go index 13f3330a35e..a0a6718ddb2 100644 --- a/plugin/storage/cassandra/options.go +++ b/plugin/storage/cassandra/options.go @@ -45,7 +45,7 @@ const ( suffixSocketKeepAlive = ".socket-keep-alive" suffixUsername = ".username" suffixPassword = ".password" - suffixAuth = ".auth" + suffixAuth = ".basic.allowed-authenticators" // common storage settings suffixSpanStoreWriteCacheTTL = ".span-store-write-cache-ttl" suffixIndexTagsBlacklist = ".index.tag-blacklist" @@ -217,18 +217,10 @@ func addFlags(flagSet *flag.FlagSet, nsConfig namespaceConfig) { flagSet.String( nsConfig.namespace+suffixAuth, "", - "(the authentication is only handled by server)The comma-separated list of Allowed password authenticators for Cassandra.\n"+ - "list of acceptable strings: "+ - "org.apache.cassandra.auth.PasswordAuthenticator, "+ - "com.instaclustr.cassandra.auth.SharedSecretAuthenticator, "+ - "com.datastax.bdp.cassandra.auth.DseAuthenticator, "+ - "io.aiven.cassandra.auth.AivenAuthenticator, "+ - "com.ericsson.bss.cassandra.ecaudit.auth.AuditPasswordAuthenticator, "+ - "com.amazon.helenus.auth.HelenusAuthenticator, "+ - "com.ericsson.bss.cassandra.ecaudit.auth.AuditAuthenticator, "+ - "com.scylladb.auth.SaslauthdAuthenticator, "+ - "com.scylladb.auth.TransitionalAuthenticator, "+ - "com.instaclustr.cassandra.auth.InstaclustrPasswordAuthenticator") + "The comma-separated list of allowed password authenticators for Cassandra."+ + "If none are specified, there is a default 'approved' list that is used "+ + "(https://github.com/gocql/gocql/blob/34fdeebefcbf183ed7f916f931aa0586fdaa1b40/conn.go#L27). "+ + "If a non-empty list is provided, only specified authenticators are allowed.") } // InitFromViper initializes Options with properties from viper 
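Review bot: In the `addFlags` hunk the first two string fragments are concatenated without a separating space (`"...authenticators for Cassandra."+ "If none are specified...`), so the help text renders as `Cassandra.If none are specified`; end the first fragment with `Cassandra. `. The description also pins the default list to a single gocql commit URL, which stops matching the behaviour once the gocql dependency moves, so I would refer to "the gocql default list" for the version in `go.mod` instead of a permalink. It would help operators to say that the entries are matched against the authenticator class the server announces, once that is confirmed against gocql.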
@@ -272,7 +264,7 @@ func (cfg *namespaceConfig) initFromViper(v *viper.Viper) { cfg.Authenticator.Basic.Username = v.GetString(cfg.namespace + suffixUsername) cfg.Authenticator.Basic.Password = v.GetString(cfg.namespace + suffixPassword) authentication := stripWhiteSpace(v.GetString(cfg.namespace + suffixAuth)) - cfg.Authenticator.AllowedAuthenticators = strings.Split(authentication, ",") + cfg.Authenticator.Basic.AllowedAuthenticators = strings.Split(authentication, ",") cfg.DisableCompression = v.GetBool(cfg.namespace + suffixDisableCompression) var err error cfg.TLS, err = tlsFlagsConfig.InitFromViper(v) diff --git a/plugin/storage/cassandra/options_test.go b/plugin/storage/cassandra/options_test.go index e9c20a1403b..ff7d4f0f85d 100644 --- a/plugin/storage/cassandra/options_test.go +++ b/plugin/storage/cassandra/options_test.go @@ -64,7 +64,7 @@ func TestOptionsWithFlags(t *testing.T) { "--cas.index.tag-whitelist=flerg, flarg,florg ", "--cas.index.tags=true", "--cas.index.process-tags=false", - "--cas.auth=org.apache.cassandra.auth.PasswordAuthenticator,com.datastax.bdp.cassandra.auth.DseAuthenticator", + "--cas.basic.allowed-authenticators=org.apache.cassandra.auth.PasswordAuthenticator,com.datastax.bdp.cassandra.auth.DseAuthenticator", "--cas.username=username", "--cas.password=password", // enable aux with a couple overrides @@ -73,7 +73,7 @@ func TestOptionsWithFlags(t *testing.T) { "--cas-aux.servers=3.3.3.3, 4.4.4.4", "--cas-aux.username=username", "--cas-aux.password=password", - "--cas-aux.auth=org.apache.cassandra.auth.PasswordAuthenticator,com.ericsson.bss.cassandra.ecaudit.auth.AuditAuthenticator", + "--cas-aux.basic.allowed-authenticators=org.apache.cassandra.auth.PasswordAuthenticator,com.ericsson.bss.cassandra.ecaudit.auth.AuditAuthenticator", }) opts.InitFromViper(v) 
@@ -81,7 +81,7 @@ func TestOptionsWithFlags(t *testing.T) { assert.Equal(t, "jaeger", primary.Keyspace) assert.Equal(t, "mojave", primary.LocalDC) assert.Equal(t, []string{"1.1.1.1", "2.2.2.2"}, primary.Servers) - assert.Equal(t, []string{"org.apache.cassandra.auth.PasswordAuthenticator", "com.datastax.bdp.cassandra.auth.DseAuthenticator"}, primary.Authenticator.AllowedAuthenticators) + assert.Equal(t, []string{"org.apache.cassandra.auth.PasswordAuthenticator", "com.datastax.bdp.cassandra.auth.DseAuthenticator"}, primary.Authenticator.Basic.AllowedAuthenticators) assert.Equal(t, "ONE", primary.Consistency) assert.Equal(t, []string{"blerg", "blarg", "blorg"}, opts.TagIndexBlacklist()) assert.Equal(t, []string{"flerg", "flarg", "florg"}, opts.TagIndexWhitelist()) @@ -93,7 +93,7 @@ func TestOptionsWithFlags(t *testing.T) { require.NotNil(t, aux) assert.Equal(t, "jaeger-archive", aux.Keyspace) assert.Equal(t, []string{"3.3.3.3", "4.4.4.4"}, aux.Servers) - assert.Equal(t, []string{"org.apache.cassandra.auth.PasswordAuthenticator", "com.ericsson.bss.cassandra.ecaudit.auth.AuditAuthenticator"}, aux.Authenticator.AllowedAuthenticators) + assert.Equal(t, []string{"org.apache.cassandra.auth.PasswordAuthenticator", "com.ericsson.bss.cassandra.ecaudit.auth.AuditAuthenticator"}, aux.Authenticator.Basic.AllowedAuthenticators) assert.Equal(t, 42, aux.ConnectionsPerHost) assert.Equal(t, 42, aux.MaxRetryAttempts) assert.Equal(t, 42*time.Second, aux.Timeout) diff --git a/plugin/storage/integration/cassandra_test.go b/plugin/storage/integration/cassandra_test.go index 3c8dfb409c0..f67278503f9 100644 --- a/plugin/storage/integration/cassandra_test.go +++ b/plugin/storage/integration/cassandra_test.go 
@@ -62,7 +62,7 @@ func (*CassandraStorageIntegration) initializeCassandraFactory(t *testing.T, fla func (s *CassandraStorageIntegration) initializeCassandra(t *testing.T) { f := s.initializeCassandraFactory(t, []string{ - "--cassandra.auth=", + "--cassandra.basic.allowed-authenticators=", "--cassandra.password=password", "--cassandra.username=username", "--cassandra.keyspace=jaeger_v1_dc1",