I was assigned to a task to setup a cassandra cluster to do a POC. After a lot of trial and error, reading tens of stackoverflow answers. I got it right.
When you google for an article to setup cassandra. You will most probably find the below digital ocean article.
https://www.digitalocean.com/community/tutorials/how-to-install-cassandra-and-run-a-multi-node-cluster-on-ubuntu-22-04
The article is great but it doesn’t talk about configurations required to enable authentication . I will be discussing that and changes in configuration for ec2 instances.
Accessing remote cassandra node from jumphost
We need to install cassandra client - cqlsh to connect with cassandra DB
- check the version of python
python3 --version # it should be 3.7 or above
if you have the the specific version go to next step else install it.
-
Install pip3
-
Once pip3 is installed use the below command to install cqlsh
pip3 install cqlsh
- Command to connect to remote node is
cqlsh <ip-address-of-node> <port>in general port is 9042
note - the ip address it the rpc_address you mentioned . If the rpc_address is 0.0.0.0 then then the ip address is the broadcast_rpc_address you gave in cassandra.yaml file.
Now if you see there is no authentication so who ever access the cluster will have admin privileges.
To enable authentication and authorisation
we need to edit cassandra.yaml to enable authentication and authorisation.
-
Set authenticator property to PasswordAuthenticator:
-
Set authorizer property to CassandraAuthorizer:
-
Set password_encryption_options property:
password_encryption_options:
enabled: true
keystore: conf/.keystore
keystore_password: cassandra
cipher_algorithm: AES/ECB/PKCS5Padding
This specifies the encryption options for passwords. In this case, passwords are encrypted using the AES/ECB/PKCS5Padding algorithm and stored in a keystore.
Once this is done restart the cassandra cluster
systemctl restart cassandra
Now you should be able to connect to cassandra nodes using
cqlsh <ip-address> <port> -u cassandra -p cassandra
These are the default username and password .
note - these are admin credentials and should be removed once new credentials are created.
Create a super user with the following command
CREATE ROLE <username> WITH PASSWORD = 'mypassword' AND LOGIN = true AND SUPERUSER = true;
Changes required for cassandra in Ec2 instances: There is a minor changes to be made in cassandra.yaml . It is to update the enpoint_snitch value . This will help the cassandra understand the network topoly and route requests efficiently.
endpoint_snitch: Ec2Snitch # change to this from SimpleSnitch
Once this is done you need to make few more changes in cassandra-env.sh Add the below lines in cassandra-env.sh
JVM_OPTS="$JVM_OPTS -Djava.rmi.server.hostname=localhost"
JVM_OPTS="$JVM_OPTS -Dcassandra.ignore_rack=true"
JVM_OPTS="$JVM_OPTS -Dcassandra.ignore_dc=true"
If you run into error then please look at the logs and search for that error. log path - /var/log/cassandra/ file name - system.log ( cassandra related logs)
If you ever get connection refused it means cassandra is not up and running properly even though it shows active in systemctl status cassandra. look into the logs.
Finally some stackoverflow resources that I found useful