[cassandra] Use authenticated connections
In order to use different level of accesses (R/O, R/W) we need to disable the unauthenticated access to cassandra and add dedicated user per workload type
Link to the documentation: https://cassandra.apache.org/doc/latest/cassandra/operating/security.html
- Improve swh-storage to support cassandra authentication provider (#4864 (closed))
- Allow to configure the authentication provider in the helm chart
- Configure the staging environment to use an authentication provider
-
Configure cassandra to only allow authenticated connection
- create a superuser
-
create a read/write user (
swh-rw) -
create a read/only user for internal r/o storage (
swh-ro) -
create a read/only user for human access (
guest/guest)
Activity
changed milestone to %Cassandra in production as primary storage [Roadmap - Tooling and infrastructure]
mentioned in issue #4864 (closed)
added priority:High label
assigned to @vsellier
added state:wip label
mentioned in commit swh/infra/ci-cd/swh-charts@50c5fb38
mentioned in merge request swh/infra/ci-cd/swh-charts!77 (merged)
mentioned in commit swh/infra/ci-cd/swh-charts@288422a2
mentioned in commit swh/infra/ci-cd/swh-charts@3af16b5c
mentioned in commit swh/infra/ci-cd/swh-charts@ddc8f1ed
The configuration is updated in staging to provide an authentication provider.
As cassandra is not yet configured, this log is traced but everything is still working:
storage-replayer WARNING:cassandra.connection:An authentication challenge was not sent, this is suspicious because the driver expects authentication (configured authenticator = PlainTextAuthenticator)Edited by Vincent Selliermentioned in commit swh/infra/ci-cd/swh-charts@9977f224
mentioned in commit swh/infra/ci-cd/swh-charts@34e0e7df
