From: Raimund Klein
Date: Sun, 30 Oct 2016 18:11:55 +0000
Subject: Securing a Cassandra 2.2.6 Cluster
To: user@cassandra.apache.org
archived-at: Sun, 30 Oct 2016 18:12:22 -0000

Hi everyone,

We've managed to set up a Cassandra 2.2.6 cluster of two physical nodes (nodetool sees both of them, so I'm quite certain the cluster is indeed active). My steps to create the cluster were (this applies to both machines):

- Empty listen_address and rpc_address.
- Define a cluster_name.
- Define both machines as seeds.
- Open ports 9042, 7000 and 7001 for external communication.

Now I want to secure access to the cluster in all forms:

- define a different database user with a new password
- encrypt communication between clients and the cluster including client verification
- encrypt communication between the nodes including verification

What is the best order of steps and correct way to achieve this? I wanted to start with defining a different user, but cqlsh refuses to connect after enforcing user/password authentication:

cqlsh -u cassandra -p cassandra
Connection error: ('Unable to connect to any servers', {'127.0.0.1': error(111, "Tried connecting to [('127.0.0.1', 9042)]. Last error: Connection refused")})

This happens when I run the command on either of the two machines. Any help would be greatly appreciated.
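A cassandra.yaml sketch covering the three goals listed in the message, in a workable order, added here as an example that is not part of the original post or of the Cassandra project's shipped configuration. The setting names are those of the Cassandra 2.2 cassandra.yaml; keystore paths, passwords and the role name in the comments are placeholders.

```yaml
# cassandra.yaml (Cassandra 2.2.x): apply on both nodes, restart one node at a time.
# All paths, passwords and role names are placeholders (assumptions).

# Step 1: password authentication and per-role permissions.
# Shipped defaults are AllowAllAuthenticator / AllowAllAuthorizer.
authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer
role_manager: CassandraRoleManager
# After the restart, log in once as the default superuser and, in cqlsh:
#   ALTER KEYSPACE system_auth WITH replication =
#     {'class': 'SimpleStrategy', 'replication_factor': 2};
#   CREATE ROLE <new_admin> WITH PASSWORD = '<new-password>'
#     AND SUPERUSER = true AND LOGIN = true;
#   ALTER ROLE cassandra WITH SUPERUSER = false AND LOGIN = false;
# then run "nodetool repair system_auth" on each node.
#
# "Connection refused" (errno 111) is a TCP refusal, raised before any
# credentials are sent. With rpc_address left empty, the native transport
# binds to the address the node's hostname resolves to, so give cqlsh that
# host instead of relying on its 127.0.0.1 default:
#   cqlsh <node-address> 9042 -u cassandra -p cassandra
# If that is refused as well, check system.log for a startup failure.

# Step 2: client-to-node TLS on native_transport_port (9042).
client_encryption_options:
    enabled: true
    keystore: /path/to/node-keystore.jks
    keystore_password: "<keystore-password>"
    # "client verification": clients must present a certificate that
    # chains to an entry in the truststore below.
    require_client_auth: true
    truststore: /path/to/truststore.jks
    truststore_password: "<truststore-password>"
# cqlsh then needs --ssl plus an [ssl] section in cqlshrc
# (certfile, userkey, usercert).

# Step 3: node-to-node TLS. Encrypted internode traffic uses
# ssl_storage_port (7001); storage_port (7000) carries the unencrypted
# protocol and can be closed externally once every node is switched over.
server_encryption_options:
    internode_encryption: all
    keystore: /path/to/node-keystore.jks
    keystore_password: "<keystore-password>"
    truststore: /path/to/truststore.jks
    truststore_password: "<truststore-password>"
    require_client_auth: true
```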