cassandra-user mailing list archives

From Robert Halstead <badbee...@gmail.com>
Subject Datastax Agent 5.1+ Configuration
Date Mon, 02 Mar 2015 17:56:07 GMT
I recently attempted to get our Cassandra instances talking securely to one
another with SSL OpsCenter communication.  We are using DSE 4.6, OpsCenter
5.1.  While a lot of the DataStax documentation is fairly good, when it
comes to advanced configuration topics or security configuration, I find
the docs very lacking.

I set up a 3 node cluster with SSL encryption between nodes and
PasswordAuthentication turned on.  As is obvious, you need to set up
the user/pass in the agent configuration as well.  These used to be
thrift_user and thrift_pass (or something along those lines) and the SSL
was thrift_keystore / thrift_truststore, etc.

In OpsCenter 5.1, the system changed from using thrift to the native
interface.  However there is nothing in the docs about what agent
properties you need to set for the SSL security and authentication.

After my dealings with DataStax Support, I thought I would post this here
until they update their documentation.

Agent configuration (address.yaml)

C* connection options

IP addresses

Before 5.1, we were using either thrift_rpc_interface (when storing
metrics/settings in the same cluster) or storage_thrift_hosts
(separate cluster) to determine what IP to use to connect to C*. In
5.1, both options were replaced with hosts, which accepts an array of
strings (including an array w/ a single string for the same cluster
case) instead of a single string:

hosts: ["123.234.111.11", "10.1.1.1"]

C* port
storage_thrift_port was removed; thrift_port was supplemented by cassandra_port.

C* autodiscovery
autodiscovery_enabled, autodiscovery_interval, and storage_dc were
removed. Autodiscovery can’t really be disabled for our java-driver,
but we never connect to hosts that are not specified in the agent’s
config.

Misc
thrift_socket_timeout and thrift_conn_timeout were removed.

C*/DSE security
PLAINTEXT AUTH
thrift_user, storage_thrift_user, thrift_pass, and storage_thrift_pass
were replaced by cassandra_user & cassandra_pass.

ENCRYPTION
thrift_ssl_truststore and thrift_ssl_truststore_password were replaced
by ssl_keystore and ssl_keystore_password, respectively.
thrift_ssl_truststore_type, thrift_max_frame_size were removed.

KERBEROS
We completely changed the way we set up Kerberos (I thought it was
doc’d but apparently it wasn’t). We removed everything
Kerberos-related from the config except for a single option,
kerberos_service. When it’s set (to the Kerberos service name) we’re
using Kerberos. All the configuration takes place in the
kerberos.config file.

opscenterd cluster configs

[cassandra]
send_thrift_rpc was renamed to be thrift_rpc

[agents]
thrift_ssl_truststore and thrift_ssl_truststore_password were renamed
to ssl_keystore and ssl_keystore_password, respectively.
thrift_ssl_truststore_type was removed.

Hopefully this will be helpful for those who are running the latest OpsCenter
and want a secure setup.

Thanks to DataStax for the help in this matter.
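
An added example (not part of the original post and not DataStax code): a small Python helper that applies the renames and removals listed above to a flat pre-5.1 address.yaml, and flags the case where the old thrift_user and storage_thrift_user logins differ and can no longer both be expressed. The sample file, its values and the function name migrate are constructed for illustration; thrift_port is left untouched because the post only says it was supplemented by cassandra_port.

```python
import re

# Renames listed in the post: pre-5.1 agent option -> OpsCenter 5.1 option.
RENAMED = {
    "thrift_user": "cassandra_user", "storage_thrift_user": "cassandra_user",
    "thrift_pass": "cassandra_pass", "storage_thrift_pass": "cassandra_pass",
    "thrift_ssl_truststore": "ssl_keystore",
    "thrift_ssl_truststore_password": "ssl_keystore_password",
}
# Per the post: HOST_KEYS fold into hosts; REMOVED have no replacement.
HOST_KEYS = ("thrift_rpc_interface", "storage_thrift_hosts")
REMOVED = {
    "storage_thrift_port", "autodiscovery_enabled", "autodiscovery_interval",
    "storage_dc", "thrift_socket_timeout", "thrift_conn_timeout",
    "thrift_ssl_truststore_type", "thrift_max_frame_size",
}
LINE = re.compile(r"^([A-Za-z_]\w*)\s*:\s*(.*?)\s*$")

# Constructed pre-5.1 sample; address, login and secret are made up.
SAMPLE = """\
thrift_rpc_interface: 10.1.1.1
thrift_user: opsagent
thrift_pass: example-secret
storage_thrift_user: opsagent
thrift_ssl_truststore: /etc/agent/truststore.jks
thrift_socket_timeout: 5000
"""

def migrate(text):
    """Convert a flat address.yaml; notes name keys only, never secret values."""
    out, notes, hosts, seen = [], [], [], {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:  # comments, blank or indented lines pass through unchanged
            out.append(raw)
            continue
        key, value = m.groups()
        new = RENAMED.get(key, key)
        if key in REMOVED:
            notes.append(f"removed in 5.1: {key}")
        elif key in HOST_KEYS:
            hosts.append(value.strip("\"'"))
        elif new not in seen:
            seen[new] = value
            out.append(f"{new}: {value}")
        elif seen[new] != value:  # e.g. two different logins, one new key
            notes.append(f"CONFLICT: {key} differs from {new} already set")
    if hosts:  # 5.1 expects an array of strings, even for a single address
        out.insert(0, "hosts: [" + ", ".join(f'"{h}"' for h in dict.fromkeys(hosts)) + "]")
    return "\n".join(out) + "\n", notes
```

Calling migrate(SAMPLE) returns the converted text and a list of notes to review before the agent is restarted.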
