Skip to content
GitLab
Explore
Sign in
Register
Primary navigation
Search or go to…
Project
S
swh-docs
Manage
Activity
Members
Labels
Plan
Issues
Issue boards
Milestones
Wiki
Code
Merge requests
Repository
Branches
Commits
Tags
Repository graph
Compare revisions
Snippets
Build
Pipelines
Jobs
Pipeline schedules
Artifacts
Deploy
Releases
Package Registry
Model registry
Operate
Environments
Terraform modules
Monitor
Incidents
Analyze
Value stream analytics
Contributor analytics
CI/CD analytics
Repository analytics
Model experiments
Help
Help
Support
GitLab documentation
Compare GitLab plans
Community forum
Contribute to GitLab
Provide feedback
Keyboard shortcuts
?
Snippets
Groups
Projects
Show more breadcrumbs
Vincent Sellier
swh-docs
Commits
3f0f9332
Verified
Commit
3f0f9332
authored
1 year ago
by
Vincent Sellier
Browse files
Options
Downloads
Patches
Plain Diff
sysadmin/cassandra: describe the authentication activation
Related to
swh/infra/sysadm-environment#4824
parent
0b6c37ae
No related branches found
No related tags found
No related merge requests found
Pipeline
#3451
passed
1 year ago
Stage: external
Changes
1
Pipelines
1
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
docs/sysadm/data-silos/cassandra/installation.rst
+123
-2
123 additions, 2 deletions
docs/sysadm/data-silos/cassandra/installation.rst
with
123 additions
and
2 deletions
docs/sysadm/data-silos/cassandra/installation.rst
+
123
−
2
View file @
3f0f9332
...
...
@@ -57,12 +57,133 @@ System installation
- Check the configuration looks correct and start the instance(s) with `systemctl start cassandra@<instance>`
Cassandra configuration
-----------------------
This section explains how to configure the keyspaces and roles for the specific swh usage.
Cassandra need to be configured with authentication and authorization activated. The following options
need to be present on the `cassandra.yaml` file:
::
authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer
Several users are used:
- `swh-rw`: The main user used by swh-storage to manage the content in the database
- `swh-ro`: A read-only user used for read-only storages (webapp, ...) or humans
- `reaper`: A read-write user on the `reaper` keyspace. `Reaper <http://cassandra-reaper.io/>`_ is the tool in charge of managing the repairs
The command line will use the staging environment as examples. The configuration is for a medium
data volume, with a Replication factor (RF) of 3. Adapt according to your own needs.
1. Create the keyspaces to be able to configure the accesses
::
CREATE KEYSPACE swh WITH replication = {'class': 'NetworkTopologyStrategy', 'sesi_rocquencourt_staging': '3'} AND durable_writes = true;
# If needed
CREATE KEYSPACE swh WITH reaper_db = {'class': 'NetworkTopologyStrategy', 'sesi_rocquencourt_staging': '3'} AND durable_writes = true;
2. Alter the system keyspace replication to prepare the authenticated accesses
(from https://cassandra.apache.org/doc/latest/cassandra/operating/security.html#password-authentication)
::
export PASS=<your jmx password>
ALTER KEYSPACE system_auth WITH replication = {'class': 'NetworkTopologyStrategy', 'sesi_rocquencourt_staging': 3};
seq 1 3 | xargs -t -i{} /opt/cassandra/bin/nodetool -h cassandra{} -u cassandra --password $PASS repair -j4 system_auth
3. Create a new `admin` superuser
In cqlsh (the default admin user is `cassandra`/`cassandra`):
::
CREATE ROLE admin WITH SUPERUSER = true AND LOGIN = true AND PASSWORD = 'changeme';
4. Disable the default superuser
Connect to cqlsh with the new `admin` user:
::
ALTER ROLE cassandra WITH SUPERUSER = false AND LOGIN = false;
5. Create the `swh-rw` user
::
CREATE ROLE 'swh-rw' WITH LOGIN = true AND PASSWORD = 'changeme';
GRANT CREATE ON ALL KEYSPACES to 'swh-rw';
GRANT CREATE ON ALL FUNCTIONS to 'swh-rw';
GRANT ALTER ON ALL FUNCTIONS to 'swh-rw';
GRANT SELECT ON KEYSPACE swh to 'swh-rw';
GRANT MODIFY ON KEYSPACE swh to 'swh-rw';
6. Create the `swh-ro` user
::
CREATE ROLE 'swh-ro' WITH LOGIN = true AND PASSWORD = 'changeme';
GRANT SELECT ON KEYSPACE swh to 'swh-ro';
7. Create the `reaper` user
::
CREATE ROLE 'reaper' WITH LOGIN = true AND PASSWORD = 'changeme';
GRANT CREATE ON ALL KEYSPACES to 'reaper';
GRANT SELECT ON KEYSPACE reaper_db to 'reaper';
GRANT MODIFY ON KEYSPACE reaper_db to 'reaper';
8. Specific table configurations
The table compaction and compression strategies depend on the hardware topology cassandra is deployed on.
For the high density servers used by swh, these specific configurations are used:
- LCS compaction on big tables to reduce the free disk space needed by compactions
- ZSTD compression on big tables to optimize the disk space
.. warning:: These configurations can be applied only once the swh-storage schema was created by the storage
- In staging
::
ALTER TABLE content WITH
compaction = {'class' : 'LeveledCompactionStrategy', 'sstable_size_in_mb':'160'}
AND compression = {'class': 'ZstdCompressor', 'compression_level':'1'};
ALTER TABLE directory_entry WITH
compaction = {'class' : 'LeveledCompactionStrategy', 'sstable_size_in_mb':'4096'}
AND compression = {'class': 'ZstdCompressor', 'compression_level':'1'};
- In production
::
ALTER TABLE content WITH
compaction = {'class' : 'LeveledCompactionStrategy', 'sstable_size_in_mb':'2000'}
AND compression = {'class': 'ZstdCompressor', 'compression_level':'1'};
ALTER TABLE directory_entry WITH
compaction = {'class' : 'LeveledCompactionStrategy', 'sstable_size_in_mb':'20480'}
AND compression = {'class': 'ZstdCompressor', 'compression_level':'1'};
Monitoring
^^^^^^^^^^
----------
TODO
Metric
^^^^^^
------
TODO
This diff is collapsed.
Click to expand it.
Preview
0%
Loading
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Save comment
Cancel
Please
register
or
sign in
to comment
