Authentication support for datastores used by Sysdig Monitor on-premise installations


Support for Redis and Cassandra authentication has been added with this version of Sysdig Monitor on-premises. Authentication is supported both for Redis/Cassandra instances managed by Sysdig Monitor and for external installations of Redis/Cassandra. The one exception is Replicated installations, where Cassandra authentication is supported only for external Cassandra installations.

Steps to enable Cassandra/Redis authentication

Step 1:

Create users on Cassandra. Skip this step if you are using an external Cassandra installation; in that case, configure the correct users and set up authentication by consulting the official Cassandra documentation.

To do so:

kubectl --namespace=sysdigcloud exec -it <cassandra-pod-name> bash

Once within the context of the pod, run the script from the draios/infrastructure repo:


This should create 2 users:

Once you have those 2 users, verify that you can use the sysdig user to connect to Cassandra successfully.

Notice the highlighted keyspace system_auth. It should not have been present before running this script.

Please also note that this step is not required for enabling Redis authentication. This is done automatically by the custom Sysdigcloud Redis image. 

Step 2:

Once Cassandra users have been created the configmap object needs to be updated. In order to do so:

Get the current configuration (you can use also a versioned one if you have it):

kubectl get configmap sysdigcloud-config --namespace sysdigcloud -o yaml > current_config.yaml
cp current_config.yaml new_config.yaml

Or edit the configmap inline:

kubectl edit configmap/sysdigcloud-config --namespace sysdigcloud

Edit new_config.yaml or use inline edit and add the new parameters for the Cassandra and Redis Authentication alongside existing config under “data”:

# Optional: enable or disable cassandra authentication and authorization in sysdigcloud cassandra image, if you want to enable it, make sure to follow the support guide in the official sysdigcloud documentation "false"
# Optional: Cassandra user
cassandra.user: ""
# Optional: Cassandra password
cassandra.password: ""
# Optional: Redis password
redis.password: ""

Note that these are the default values to use if authentication is not desired on either datastore. Each of these configuration parameters must be set, regardless of whether authentication is desired or not.

Cassandra authentication "true"
cassandra.user: "sysdig"
cassandra.password: <Output of create-cassandra-user script>

Redis authentication

redis.password: <configure redis password for Sysdigcloud here>

Please note that, unlike Cassandra, the Redis image will pick up the password specified here and configure itself automatically with the right password.

Finally apply the new config file with:

kubectl replace -f new_config.yaml --namespace sysdigcloud

Debugging steps

To check whether Cassandra authentication is working, look at the backend logs of any of the relevant components (API, worker or collector) for the following message:

com.draios.conf.CassandraConfig          : Cassandra session initialisation...
2017-03-27 23:32:34.999  INFO 96 --- [           main] c.datastax.driver.core.FrameCompressor   : Using LZ4Factory:JavaUnsafe
com.datastax.driver.core.Cluster         : New Cassandra host sysdigcloud-cassandra/ added
2017-03-27 23:32:37.079  INFO 96 --- [           main]  : Redis lock not acquired
2017-03-27 23:32:37.107  INFO 96 --- [           main]  : Redis lock will expire in 264899
2017-03-27 23:32:37.416  INFO 96 --- [           main] com.draios.conf.CassandraConfig          : ...done: new Cassandra session built com.datastax.driver.core.SessionManager@60e5272


Failure messages look like this:

2017-03-27 23:30:13.643  WARN 90 --- [           main] com.draios.conf.CassandraConfig          : Cassandra connection failure (Authentication error on host sysdigcloud-cassandra/ Username and/or password are incorrect), retrying (1/60)
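The log check described in these debugging steps can be scripted. The following is an added example, not part of the original article or of Sysdig's tooling; the function names, the sample log lines (constructed from the two messages above) and the pod-name placeholder are assumptions.

```shell
#!/bin/sh
# Added example (not Sysdig code): report Cassandra authentication state
# from backend log text read on stdin. Prints one of:
#   ok             a session was built and no auth failure followed it
#   auth_failed N  the latest relevant line is an auth failure at retry N
#   unknown        neither message appears in the input
cassandra_auth_status() {
    awk '
        /Cassandra connection failure \(Authentication error/ {
            state = "auth_failed"; retry = "?"
            # Extract N from the trailing "retrying (N/60)" counter.
            if (match($0, /retrying \([0-9]+\//))
                retry = substr($0, RSTART + 10, RLENGTH - 11)
            next
        }
        /new Cassandra session built/ { state = "ok" }
        END {
            if (state == "auth_failed") print "auth_failed " retry
            else if (state == "ok") print "ok"
            else print "unknown"
        }
    '
}

# Constructed sample input: two failed attempts, still retrying.
sample_failed_log() {
    cat <<'EOF'
2017-03-27 23:30:13.643  WARN 90 --- [           main] com.draios.conf.CassandraConfig          : Cassandra connection failure (Authentication error on host sysdigcloud-cassandra/ Username and/or password are incorrect), retrying (1/60)
2017-03-27 23:30:23.650  WARN 90 --- [           main] com.draios.conf.CassandraConfig          : Cassandra connection failure (Authentication error on host sysdigcloud-cassandra/ Username and/or password are incorrect), retrying (2/60)
EOF
}

# Constructed sample input: one failure, then a successful session.
sample_recovered_log() {
    cat <<'EOF'
2017-03-27 23:30:13.643  WARN 90 --- [           main] com.draios.conf.CassandraConfig          : Cassandra connection failure (Authentication error on host sysdigcloud-cassandra/ Username and/or password are incorrect), retrying (1/60)
2017-03-27 23:32:37.416  INFO 96 --- [           main] com.draios.conf.CassandraConfig          : ...done: new Cassandra session built com.datastax.driver.core.SessionManager@60e5272
EOF
}

# Live use (the pod name is a placeholder):
#   kubectl --namespace=sysdigcloud logs <api-pod-name> | cassandra_auth_status
sample_failed_log | cassandra_auth_status
sample_recovered_log | cassandra_auth_status
```

The status reflects the most recent relevant line, so a component that failed once and then connected on a retry is reported as ok.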


