
How to enable Cassandra Password Authentication in Kubernetes deployment file

I've been struggling with this for quite a while now. My effort so far is shown below. The env variable, CASSANDRA_AUTHENTICATOR, in my opinion, is supposed to enable password authentication. However, I'm still able to log on without a password after redeploying with this config. Any ideas on how to enable password authentication in a Kubernetes deployment file?

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: cassandra
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: cassandra
    spec:
      containers:
          - name: cassandra
            image: cassandra
            env:
              - name: CASSANDRA_CLUSTER_NAME
                value: Cassandra
              - name: CASSANDRA_AUTHENTICATOR
                value: PasswordAuthenticator
            ports:
              - containerPort: 7000
                name: intra-node
              - containerPort: 7001
                name: tls-intra-node
              - containerPort: 7199
                name: jmx
              - containerPort: 9042
                name: cql

            volumeMounts:
              - mountPath: /var/lib/cassandra/data
                name: data
      volumes:
        - name: data
          emptyDir: {}

The environment is Google Cloud Platform.

So I made a few changes to the artifact you have mentioned:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: cassandra
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: cassandra
    spec:
      containers:
          - name: cassandra
            image: bitnami/cassandra:latest
            env:
              - name: CASSANDRA_CLUSTER_NAME
                value: Cassandra
              - name: CASSANDRA_PASSWORD
                value: pass123
            ports:
              - containerPort: 7000
                name: intra-node
              - containerPort: 7001
                name: tls-intra-node
              - containerPort: 7199
                name: jmx
              - containerPort: 9042
                name: cql

            volumeMounts:
              - mountPath: /var/lib/cassandra/data
                name: data
      volumes:
        - name: data
          emptyDir: {}

The changes I made were:

The image name has been changed to bitnami/cassandra:latest, and the env CASSANDRA_AUTHENTICATOR has been replaced with CASSANDRA_PASSWORD.

After deploying the above artifact, I could authenticate as shown below:

  • Trying to exec into pod

     fedora@dhcp35-42:~/tmp/cassandra$ oc exec -it cassandra-2750650372-g8l9s bash
     root@cassandra-2750650372-g8l9s:/#

  • Once inside the pod trying to authenticate with the server

     root@cassandra-2750650372-g8l9s:/# cqlsh 127.0.0.1 9042 -p pass123 -u cassandra
     Connected to Cassandra at 127.0.0.1:9042.
     [cqlsh 5.0.1 | Cassandra 3.11.0 | CQL spec 3.4.4 | Native protocol v4]
     Use HELP for help.
     cassandra@cqlsh>

This image documentation can be found at https://hub.docker.com/r/bitnami/cassandra/

If you are not comfortable using the third-party image and want to use the image that the upstream community manages, then look at the following solution, which is more DIY but also more flexible.


To set up the password you were trying to use the env CASSANDRA_AUTHENTICATOR, but this is not a merged proposal yet for the image cassandra. You can see the open PRs here.

Right now the upstream suggests mounting the file cassandra.yaml at /etc/cassandra/cassandra.yaml, so that people can set whatever settings they want.

So follow these steps to do it:

I have made the following changes to the file:

$ diff cassandra.yaml mycassandra.yaml 
103c103
< authenticator: AllowAllAuthenticator
---
> authenticator: PasswordAuthenticator
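
Review bot: line 103 is the only line this diff touches, so `authorizer` keeps whatever value the stock file carries; if that is `AllowAllAuthorizer`, every account that can log in still has every permission. Consider setting `authorizer: CassandraAuthorizer` in the same edit so that turning on passwords also turns on permission checks.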

  • Create configmap with that file

We have to create a Kubernetes ConfigMap, which we will then mount inside the container; we cannot do a host mount as with Docker.

    $ cp mycassandra.yaml cassandra.yaml
    $ k create configmap cassandraconfig --from-file ./cassandra.yaml

The name of the configmap is cassandraconfig.

  • Now edit the deployment to use this config and mount it in the right place

     apiVersion: extensions/v1beta1
     kind: Deployment
     metadata:
       name: cassandra
     spec:
       replicas: 1
       template:
         metadata:
           labels:
             app: cassandra
         spec:
           containers:
               - name: cassandra
                 image: cassandra
                 env:
                   - name: CASSANDRA_CLUSTER_NAME
                     value: Cassandra
                 ports:
                   - containerPort: 7000
                     name: intra-node
                   - containerPort: 7001
                     name: tls-intra-node
                   - containerPort: 7199
                     name: jmx
                   - containerPort: 9042
                     name: cql
                 volumeMounts:
                   - mountPath: /var/lib/cassandra/data
                     name: data
                   - mountPath: /etc/cassandra/
                     name: cassandraconfig
           volumes:
             - name: data
               emptyDir: {}
             - name: cassandraconfig
               configMap:
                 name: cassandraconfig

Once you create this deployment.

  • Now exec in the pod

     $ k exec -it cassandra-1663662957-6tcj6 bash
     root@cassandra-1663662957-6tcj6:/#

  • Try using the client

     root@cassandra-1663662957-6tcj6:/# cqlsh 127.0.0.1 9042
     Connection error: ('Unable to connect to any servers', {'127.0.0.1': AuthenticationFailed('Remote end requires authentication.',)})

For more information on creating a ConfigMap and using it by mounting it inside a container, you can read this doc, which helped me with this answer.
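
A pre-deploy check for the two settings this thread turns on, added here as an example (not code from the question, the answer, or either image's project): it reports `authenticator`/`authorizer` values in a cassandra.yaml that leave access control off, and env vars such as CASSANDRA_PASSWORD that carry a literal `value:` in a manifest. The function names, the Secret name `cassandra-auth` and the sample inputs are constructed, and the code scans lines rather than parsing YAML.

```python
import re

# cassandra.yaml values that leave access control switched off.
WEAK = {"authenticator": "AllowAllAuthenticator",  # no login required
        "authorizer": "AllowAllAuthorizer"}        # every user may do anything
SECRET_NAME = re.compile(r"PASSWORD|SECRET|TOKEN", re.I)

def audit_cassandra_yaml(text):
    """Report top-level auth keys still set to an AllowAll class."""
    seen = {}
    for line in text.splitlines():
        m = re.match(r"(authenticator|authorizer):\s*(\S+)", line)
        if m:
            seen[m.group(1)] = m.group(2).strip("'\"")
    # Assumption: a key missing from the file behaves like the AllowAll value.
    return [f"{k} is {w}" for k, w in WEAK.items()
            if seen.get(k, w).rsplit(".", 1)[-1] == w]

def audit_manifest_env(text):
    """Return secret-looking env var names that carry a literal `value:`."""
    flagged, name = [], None
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r"-\s*name:\s*(\S+)", s)
        if m:
            name = m.group(1)
        elif s.startswith("value:") and name and SECRET_NAME.search(name):
            flagged.append(name)
            name = None
        elif s.startswith("valueFrom:"):
            name = None
    return flagged

# Constructed inputs. EDITED_YAML mirrors the one-line diff in the answer.
STOCK_YAML = "authenticator: AllowAllAuthenticator\nauthorizer: AllowAllAuthorizer\n"
EDITED_YAML = STOCK_YAML.replace("AllowAllAuthenticator", "PasswordAuthenticator")
LITERAL_ENV = """\
env:
  - name: CASSANDRA_PASSWORD
    value: pass123
"""
SECRET_ENV = """\
env:
  - name: CASSANDRA_PASSWORD
    valueFrom:
      secretKeyRef:
        name: cassandra-auth   # hypothetical Secret name
        key: password
"""

if __name__ == "__main__":
    for label, doc in (("stock", STOCK_YAML), ("edited", EDITED_YAML)):
        print(label, audit_cassandra_yaml(doc))
    print(audit_manifest_env(LITERAL_ENV), audit_manifest_env(SECRET_ENV))
```

Run it against the file that goes into the ConfigMap and against the Deployment before applying them; an empty list from both functions means neither check fired.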
