This version of Sysdig Monitor on-premises adds support for Redis and Cassandra authentication. Authentication is supported both for the Sysdig Monitor managed Redis/Cassandra and for external installations. The one exception is Replicated installations, where Cassandra authentication is supported only for external Cassandra.
Steps to enable Cassandra/Redis authentication
Create the users on Cassandra. Skip this step if you use an external Cassandra installation; in that case configure the users and enable authentication yourself, following the official Cassandra documentation.
To do so:
kubectl --namespace=sysdigcloud exec -it <cassandra-pod-name> -- bash
Inside the pod, run the user-creation script from the draios/infrastructure repo:
This should create 2 users:
Once both users exist, verify that you can connect to Cassandra as the sysdig user.
Note the system_auth keyspace highlighted in the output. It should not have been present before the script was run.
This step is not required for Redis authentication: the custom Sysdigcloud Redis image configures it automatically.
Once the Cassandra users have been created, update the configmap object. To do so:
Get the current configuration (you can also start from a versioned copy if you keep one):
kubectl get configmap sysdigcloud-config --namespace sysdigcloud -o yaml > current_config.yaml
cp current_config.yaml new_config.yaml
Or edit the configmap inline:
kubectl edit configmap/sysdigcloud-config --namespace sysdigcloud
Edit new_config.yaml (or use the inline edit) and add the new Cassandra and Redis authentication parameters alongside the existing entries under "data":
# Optional: enable or disable cassandra authentication and authorization in sysdigcloud cassandra image, if you want to enable it, make sure to follow the support guide in the official sysdigcloud documentation
# Optional: Cassandra user
# Optional: Cassandra password
# Optional: Redis password
These are the defaults to use when authentication is not wanted on either datastore. Each of these parameters must be set regardless of whether authentication is enabled.
cassandra.password: <Output of create-cassandra-user script>
redis.password: <configure redis password for Sysdigcloud here>
Note that, unlike Cassandra, the Redis image picks up the password specified here and configures itself with it automatically. Also keep in mind that configmap contents are not encrypted at rest and are readable by anyone allowed to get configmaps in the sysdigcloud namespace, so restrict that RBAC permission and do not commit new_config.yaml with the passwords in it to version control.
Finally apply the new config file with:
kubectl replace -f new_config.yaml --namespace sysdigcloud
To check that Cassandra authentication is working, look at the backend logs of any of the relevant components (API, worker or collector) for the following messages:
com.draios.conf.CassandraConfig : Cassandra session initialisation...
2017-03-27 23:32:34.999 INFO 96 --- [ main] c.datastax.driver.core.FrameCompressor : Using LZ4Factory:JavaUnsafe
com.datastax.driver.core.Cluster : New Cassandra host sysdigcloud-cassandra/10.80.0.10:9042 added
2017-03-27 23:32:37.079 INFO 96 --- [ main] com.draios.storage.cassandra.AutoSchema : Redis lock not acquired
2017-03-27 23:32:37.107 INFO 96 --- [ main] com.draios.storage.cassandra.AutoSchema : Redis lock will expire in 264899
2017-03-27 23:32:37.416 INFO 96 --- [ main] com.draios.conf.CassandraConfig : ...done: new Cassandra session built com.datastax.driver.core.SessionManager@60e5272
A failed authentication looks like this (the backend retries, with the attempt counter at the end of the line):
2017-03-27 23:30:13.643 WARN 90 --- [ main] com.draios.conf.CassandraConfig : Cassandra connection failure (Authentication error on host sysdigcloud-cassandra/10.80.0.10:9042: Username and/or password are incorrect), retrying (1/60)
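The check above is easy to automate when you have several backend pods to verify. The following Python script is an added example, not part of Sysdig's code or of this document: it scans backend log lines for the two CassandraConfig messages shown above and reports whether a session was built, whether authentication is still being retried, or whether the retry budget was exhausted. The sample log lines are constructed from the excerpts on this page; the exhausted-retries sample and the exact message shapes beyond those excerpts are assumptions.

```python
"""Classify the Cassandra authentication outcome from Sysdig backend logs.

Added example; not Sysdig's code. The regexes are derived from the success
and failure lines shown in the documentation above, any other log shape is an
assumption and is simply ignored.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# "...done: new Cassandra session built ..." marks a successful session.
SESSION_BUILT = re.compile(r"CassandraConfig\s*:\s*\.\.\.done: new Cassandra session built")

# "Cassandra connection failure (Authentication error on host H: REASON), retrying (N/M)"
AUTH_FAILURE = re.compile(
    r"CassandraConfig\s*:\s*Cassandra connection failure \("
    r"Authentication error on host (?P<host>\S+): (?P<reason>[^)]*)\), "
    r"retrying \((?P<attempt>\d+)/(?P<max>\d+)\)"
)


@dataclass
class AuthCheck:
    session_built: bool = False
    auth_failures: int = 0
    last_host: Optional[str] = None
    last_reason: Optional[str] = None
    last_attempt: Optional[int] = None
    max_attempts: Optional[int] = None

    @property
    def verdict(self) -> str:
        if self.session_built:
            return "ok"          # a session was built after any earlier retries
        if self.auth_failures == 0:
            return "unknown"     # no Cassandra auth-related lines seen at all
        if self.last_attempt is not None and self.last_attempt >= self.max_attempts:
            return "failed"      # retry budget exhausted without a session
        return "retrying"


def check_cassandra_auth(lines: Iterable[str]) -> AuthCheck:
    """Scan log lines in order; a session built after failures counts as recovery."""
    result = AuthCheck()
    for line in lines:
        m = AUTH_FAILURE.search(line)
        if m:
            result.auth_failures += 1
            result.last_host = m.group("host")
            result.last_reason = m.group("reason")
            result.last_attempt = int(m.group("attempt"))
            result.max_attempts = int(m.group("max"))
            result.session_built = False   # a failure after a session means it was lost
            continue
        if SESSION_BUILT.search(line):
            result.session_built = True
    return result


# Constructed sample logs, built from the excerpts shown in the documentation.
PREFIX = "2017-03-27 23:32:3{}.{:03d}  INFO 96 --- [           main] "
SUCCESS_LOG: List[str] = [
    PREFIX.format(4, 901) + "com.draios.conf.CassandraConfig          : Cassandra session initialisation...",
    PREFIX.format(4, 999) + "c.datastax.driver.core.FrameCompressor   : Using LZ4Factory:JavaUnsafe",
    PREFIX.format(5, 104) + "com.datastax.driver.core.Cluster         : New Cassandra host sysdigcloud-cassandra/10.80.0.10:9042 added",
    PREFIX.format(7, 79) + "com.draios.storage.cassandra.AutoSchema  : Redis lock not acquired",
    PREFIX.format(7, 416) + "com.draios.conf.CassandraConfig          : ...done: new Cassandra session built com.datastax.driver.core.SessionManager@60e5272",
]
FAILURE_LINE = (
    "2017-03-27 23:30:13.643  WARN 90 --- [           main] com.draios.conf.CassandraConfig          : "
    "Cassandra connection failure (Authentication error on host sysdigcloud-cassandra/10.80.0.10:9042: "
    "Username and/or password are incorrect), retrying ({}/60)"
)
FAILURE_LOG: List[str] = [SUCCESS_LOG[0], FAILURE_LINE.format(1)]
# Assumed shape of a pod that never recovered: the counter reached the maximum.
EXHAUSTED_LOG: List[str] = [SUCCESS_LOG[0]] + [FAILURE_LINE.format(i) for i in range(1, 61)]


if __name__ == "__main__":
    for name, log in (("success", SUCCESS_LOG), ("failure", FAILURE_LOG), ("exhausted", EXHAUSTED_LOG)):
        r = check_cassandra_auth(log)
        print(f"{name}: verdict={r.verdict} failures={r.auth_failures} host={r.last_host} reason={r.last_reason}")
```

In practice feed it `kubectl logs <api-pod> --namespace sysdigcloud` line by line; a verdict of `retrying` right after a configmap change usually means the `cassandra.password` value does not match the one printed by the user-creation script, while `unknown` means the component has not reached Cassandra session initialisation yet.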