Skip to content

Commit bd2cb92

Browse files
committed
Revise operator docs for Cassandra 6 onboarding
1 parent a100911 commit bd2cb92

25 files changed

Lines changed: 545 additions & 758 deletions

doc/modules/cassandra/nav.adoc

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -98,7 +98,6 @@
9898
**** xref:cassandra:managing/operating/hints.adoc[Hints]
9999
**** xref:cassandra:managing/operating/logging.adoc[Logging]
100100
***** xref:cassandra:managing/operating/auditlogging.adoc[Audit logging]
101-
***** xref:cassandra:managing/operating/audit_logging.adoc[Audit logging 2]
102101
***** xref:cassandra:managing/operating/fqllogging.adoc[Full query logging]
103102
**** xref:cassandra:managing/operating/metrics.adoc[Monitoring metrics]
104103
**** xref:cassandra:managing/operating/repair.adoc[Repair]
Lines changed: 46 additions & 34 deletions
Original file line numberDiff line numberDiff line change
@@ -1,32 +1,34 @@
1-
= Cassandra Quickstart
1+
= Cassandra Quickstart
22

33
== STEP 1: GET CASSANDRA USING DOCKER
44

5-
You'll need to have Docker Desktop for Mac, Docker Desktop for Windows, or similar software installed on your computer.
5+
You'll need Docker Desktop for Mac, Docker Desktop for Windows, or an
6+
equivalent Docker installation on Linux.
67

7-
Apache Cassandra is also available as a tarball or package xref:_/download.adoc[download].
8+
Apache Cassandra is also available as a tarball or package; see the
9+
xref:installing/installing.adoc[installation guide].
810

9-
[source, console]
11+
[source,console]
1012
----
1113
include::cassandra:example$BASH/docker_pull.sh[]
1214
----
1315

1416
== STEP 2: START CASSANDRA
1517

16-
A Docker network allows us to access the container's ports without exposing them on the host.
18+
A Docker network lets you reach the container ports without publishing
19+
them on the host.
1720

18-
[source, console]
21+
[source,console]
1922
----
2023
include::cassandra:example$BASH/docker-network-run.sh[]
2124
----
2225

2326
== STEP 3: CREATE FILES
2427

25-
The Cassandra Query Language (CQL) is very similar to SQL but suited for the JOINless structure of Cassandra.
28+
Create a file named `data.cql` and paste the following CQL script in it.
29+
The script creates a keyspace, a table, and sample rows:
2630

27-
Create a file named data.cql and paste the following CQL script in it. This script will create a keyspace, the layer at which Cassandra replicates its data, a table to hold the data, and insert some data into that table:
28-
29-
[source, cql]
31+
[source,cql]
3032
----
3133
include::cassandra:example$CQL/create-keyspace-store.cql[]
3234
@@ -37,66 +39,76 @@ include::cassandra:example$CQL/insert-shopping-cart-data.cql[]
3739

3840
== STEP 4: LOAD DATA WITH CQLSH
3941

40-
The CQL shell, or `cqlsh`, is one tool to use in interacting with the database.
41-
We'll use it to load some data into the database using the script you just saved.
42+
Use `cqlsh` to load the script into the running container.
4243

43-
[source, console]
44+
[source,console]
4445
----
45-
include::cassandra:example$BASH/docker-run-cqlsh-load-data.sh[]
46+
include::cassandra:example$BASH/docker-run-cqlsh-load-data.sh[]
4647
----
4748

4849
[NOTE]
4950
====
50-
The cassandra server itself (the first docker run command you ran) takes a few seconds to start up.
51-
The above command will throw an error if the server hasn't finished its init sequence yet, so give it a few seconds to spin up.
51+
The Cassandra server can take a few seconds to finish starting. If the
52+
load step fails immediately, wait for the node to finish init and retry.
5253
====
5354

5455
== STEP 5: INTERACTIVE CQLSH
5556

56-
Much like an SQL shell, you can also of course use `cqlsh` to run CQL commands interactively.
57+
You can also use `cqlsh` interactively:
5758

58-
[source, console]
59+
[source,console]
5960
----
6061
include::cassandra:example$BASH/docker-run-cqlsh-quickstart.sh[]
6162
----
6263

63-
This should get you a prompt like so:
64+
This should get you a prompt like this:
6465

65-
[source, console]
66+
[source,console]
6667
----
6768
include::cassandra:example$RESULTS/docker-run-cqlsh-quickstart.result[]
6869
----
6970

7071
== STEP 6: READ SOME DATA
7172

72-
[source, cql]
73+
[source,cql]
7374
----
74-
include::cassandra:example$CQL/select-data-from-shopping-cart.cql[]
75+
include::cassandra:example$CQL/select-data-from-shopping-cart.cql[]
7576
----
7677

7778
== STEP 7: WRITE SOME MORE DATA
7879

79-
[source, cql]
80+
[source,cql]
8081
----
8182
include::cassandra:example$CQL/insert-more-data-shopping-cart.cql[]
8283
----
8384

84-
== STEP 8: CLEAN UP
85+
== STEP 8: CHECK STATUS
86+
87+
Before you clean up, confirm the node is healthy. `nodetool status`
88+
should show the node as `UN`:
8589

86-
[source, console]
90+
[source,console]
8791
----
88-
include::cassandra:example$BASH/docker-kill-and-remove.sh[]
92+
$ nodetool status
93+
Datacenter: dc1
94+
=======================
95+
Status=Up/Down
96+
|/ State=Normal/Leaving/Joining/Moving
97+
-- Address Load Tokens Owns (effective) Host ID Rack
98+
UN 127.0.0.1 123.45 KiB 1 100.0% 01234567-89ab-cdef-0123-456789abcdef rack1
8999
----
90100

91-
== CONGRATULATIONS!
92-
93-
Hey, that wasn't so hard, was it?
94-
95-
To learn more, we suggest the following next steps:
96-
97-
* Read through the xref:master@_:ROOT:cassandra-basics.adoc[Cassandra Basics] to learn main concepts and how Cassandra works at a high level.
98-
* Browse through the xref:master@_:ROOT:case-studies.adoc[Case Studies] to learn how other users in our worldwide community are getting value out of Cassandra.
101+
== STEP 9: CLEAN UP
99102

103+
[source,console]
104+
----
105+
include::cassandra:example$BASH/docker-kill-and-remove.sh[]
106+
----
100107

108+
This removes the container and the `cassandra` Docker network created
109+
for the quickstart.
101110

111+
== CONGRATULATIONS!
102112

113+
To learn more, read the xref:master@_:ROOT:cassandra-basics.adoc[Cassandra
114+
Basics] and xref:master@_:ROOT:case-studies.adoc[Case Studies].
Lines changed: 81 additions & 49 deletions
Original file line numberDiff line numberDiff line change
@@ -1,12 +1,27 @@
11
= Getting started with mTLS authenticators
22

3-
When a certificate based authentication protocol like TLS is used for client and
4-
Internode connections, `MutualTlsAuthenticator` & `MutualTlsInternodeAuthenticator`
5-
can be used for the authentication by leveraging the client certificates from the
6-
SSL handshake.
3+
When certificate-based authentication such as TLS is used for client and
4+
internode connections, `MutualTlsAuthenticator` and
5+
`MutualTlsInternodeAuthenticator` can authenticate clients by using the
6+
client certificate from the SSL handshake.
77

8-
After SSL handshake, identity from the client certificates is extracted and only
9-
authorized users will be granted access.
8+
After the SSL handshake, the identity from the client certificate is
9+
extracted and only authorized users are granted access.
10+
11+
== Certificate prerequisites
12+
13+
Before enabling either authenticator, generate the certificate material
14+
you intend to use:
15+
16+
* one CA certificate that issues the node and client certificates
17+
* one server certificate and key for each node
18+
* one client certificate and key for each user or service account
19+
* a truststore that contains the issuing CA
20+
* a keystore for each node
21+
22+
If you use the default SPIFFE validator, the SPIFFE ID must be present
23+
in the certificate SAN. If you use a custom CN-based validator, the
24+
subject CN must match the identity you want to map to a role.
1025

1126
== What is an Identity
1227

@@ -18,7 +33,7 @@ certificate conventions used in the deployment environment.
1833

1934
There is a default implementation of `MutualTlsCertificateValidator` with
2035
https://spiffe.io/docs/latest/spiffe-about/spiffe-concepts/[SPIFFE] as the identity
21-
of the certificates.This requires spiffe to be present in the SAN of the certificate.
36+
of the certificates. This requires SPIFFE to be present in the SAN of the certificate.
2237

2338
Instead of using `SPIFFE` based validator, a custom `CN` based validator that implements `MutualTlsCertificateValidator`
2439
could be configured by the operator if required.
@@ -28,18 +43,18 @@ could be configured by the operator if required.
2843
Note that the following steps uses SPIFFE identity as an example, If you are using
2944
a custom validator, use appropriate identity in place of `spiffe://testdomain.com/testIdentifier/testValue`.
3045

31-
*STEP 1: Add authorized users to system_auth.identity_to_roles table*
46+
*STEP 1: Add authorized users to `system_auth.identity_to_roles` table*
3247

3348
Note that only users with permissions to create/modify roles can add/remove identities.
34-
Client certificates with the identities in this table will be trusted by C*.
49+
Client certificates with the identities in this table will be trusted by Cassandra.
3550
[source, plaintext]
3651
----
3752
ADD IDENTITY 'spiffe://testdomain.com/testIdentifier/testValue' TO ROLE 'read_only_user'
3853
----
3954

4055
*STEP 2: Configure Cassandra.yaml with right properties*
4156

42-
`client_encryption_options` configuration for mTLS connections
57+
Configure `client_encryption_options` for mTLS connections.
4358
[source, plaintext]
4459
----
4560
client_encryption_options:
@@ -51,8 +66,9 @@ client_encryption_options:
5166
truststore_password: cassandra
5267
require_client_auth: true // to enable mTLS
5368
----
54-
Configure mTLS authenticator and the validator for client connections . If you are
55-
implementing a custom validator, use that instead of Spiffe validator
69+
Configure the mTLS authenticator and validator for client connections.
70+
If you are implementing a custom validator, use that instead of the
71+
SPIFFE validator.
5672
[source, plaintext]
5773
----
5874
authenticator:
@@ -63,35 +79,46 @@ authenticator:
6379

6480
*STEP 3: Bounce the cluster*
6581

66-
After the bounce, C* will accept mTLS connections from the clients and if their
67-
identity is present in the `identity_to_roles` table, access will be granted.
82+
After the bounce, Cassandra accepts mTLS connections from clients. If
83+
the identity is present in the `identity_to_roles` table, access is
84+
granted.
85+
86+
== Verifying mTLS
87+
88+
Verify the setup with the same client toolchain you will use in
89+
production. Connect with the client certificate and key, run a simple
90+
query, and confirm that the mapped role can access the cluster. Repeat
91+
the connection attempt with a certificate whose identity is not present
92+
in `identity_to_roles`; the connection should be rejected.
6893

6994
== Configuring mTLS with password fallback authenticator for client connections
7095

71-
Operators that wish to migrate cannot immediately change the configuration to require
72-
mTLS authentication as it will break existing non-mTLS based clients of the cluster.
73-
In order to make a smooth transition from non-mTLS based authentication to mTLS authentication,
74-
the operator can run Cassandra in optional mTLS mode and configure authenticator to be
75-
`MutualTlsWithPasswordFallbackAuthenticator` which can accept both certificate based
76-
and password based connections.
96+
Operators that want to migrate cannot immediately require mTLS
97+
authentication because that would break existing non-mTLS clients. To
98+
make a smooth transition, run Cassandra in optional mTLS mode and
99+
configure the authenticator to be
100+
`MutualTlsWithPasswordFallbackAuthenticator`, which accepts both
101+
certificate-based and password-based connections.
77102

78-
Below are the steps to configure C* in optional mTLS mode with fallback authenticator.
79-
Note that the following steps uses SPIFFE identity as an example, If you are using
80-
a custom validator, use appropriate identity in place of `spiffe://testdomain.com/testIdentifier/testValue`.
103+
Below are the steps to configure Cassandra in optional mTLS mode with
104+
the fallback authenticator. Note that the following steps use SPIFFE
105+
identity as an example. If you are using a custom validator, use the
106+
appropriate identity in place of
107+
`spiffe://testdomain.com/testIdentifier/testValue`.
81108

82-
*STEP 1: Add authorized users to system_auth.identity_to_roles table*
109+
*STEP 1: Add authorized users to `system_auth.identity_to_roles` table*
83110

84111
Note that only users with permissions to create/modify roles can add/remove identities.
85-
Client certificates with the identities in this table will be trusted by C*.
112+
Client certificates with the identities in this table will be trusted by Cassandra.
86113
[source, plaintext]
87114
----
88115
ADD IDENTITY 'spiffe://testdomain.com/testIdentifier/testValue' TO ROLE 'read_only_user'
89116
----
90117

91118
*STEP 2: Configure Cassandra.yaml with right properties*
92119

93-
`client_encryption_options` configuration for mTLS connections, Note that require_client_auth configuration
94-
is optional.
120+
Configure `client_encryption_options` for mTLS connections. Note that
121+
`require_client_auth` is optional here.
95122
[source, plaintext]
96123
----
97124
client_encryption_options:
@@ -103,8 +130,9 @@ client_encryption_options:
103130
truststore_password: cassandra
104131
require_client_auth: optional // to enable mTLS in optional mode
105132
----
106-
Configure fallback authenticator and the validator for client connections . If you are
107-
implementing a custom validator, use that instead of Spiffe validator
133+
Configure the fallback authenticator and validator for client
134+
connections. If you are implementing a custom validator, use that
135+
instead of the SPIFFE validator.
108136
[source, plaintext]
109137
----
110138
authenticator:
@@ -115,13 +143,13 @@ authenticator:
115143

116144
*STEP 3: Bounce the cluster*
117145

118-
After the bounce, C* will accept both mTLS connections and password based connections from
119-
the clients. This configuration should be used during transition phase and the require_client_auth
120-
configuration should be set to true when all the clients start making mTLS connections to the cluster.
146+
After the bounce, Cassandra accepts both mTLS and password-based
147+
connections. Use this configuration only during the transition phase.
148+
Set `require_client_auth` to `true` after all clients use mTLS.
121149

122150
== Configuring mTLS authenticator for Internode connections
123151

124-
Internode authenticator trusts certificates whose identities are present in
152+
The internode authenticator trusts certificates whose identities are present in
125153
`internode_authenticator.parameters.trusted_peer_identities` if configured.
126154

127155
Otherwise, it trusts connections which have the same identity as the node.
@@ -132,13 +160,13 @@ connections from other nodes who have the same identity will be trusted if
132160
`trusted_peer_identities` is not configured.
133161

134162
For example, if a node has `testIdentity` embedded in the certificate in
135-
outbound keystore, It trusts connections from other nodes when their certificates
136-
have `testIdentity` embedded in them.
163+
the outbound keystore, it trusts connections from other nodes when
164+
their certificates have `testIdentity` embedded in them.
137165

138166
There is an optional configuration `node_identity` that can be used to verify identity
139167
extracted from the keystore to avoid any configuration errors.
140168

141-
*STEP 1: Configure server_encryption_options in cassandra.yaml*
169+
*STEP 1: Configure `server_encryption_options` in `cassandra.yaml`*
142170

143171
[source, plaintext]
144172
----
@@ -156,8 +184,9 @@ server_encryption_options:
156184

157185
*STEP 2: Configure Internode Authenticator and Validator*
158186

159-
Configure mTLS Internode authenticator and validator. If you are
160-
implementing a custom validator, use that instead of Spiffe validator
187+
Configure the mTLS internode authenticator and validator. If you are
188+
implementing a custom validator, use that instead of the SPIFFE
189+
validator.
161190
[source, plaintext]
162191
----
163192
internode_authenticator:
@@ -168,19 +197,22 @@ internode_authenticator:
168197
----
169198

170199
*STEP 3: Bounce the cluster*
171-
Once all nodes in the cluster are restarted, all internode communications will be authenticated by mTLS.
200+
Once all nodes in the cluster are restarted, all internode
201+
communications are authenticated by mTLS.
172202

173203
== Migration from existing password based authentication
174204
* For client connections, since the migration will not happen overnight,
175-
the operators can run cassandra in optional mTLS mode and use
176-
`MutualTlsWithPasswordFallbackAuthenticator` which will accept both mTLS & password
177-
based connections, based on the type of connection client is making. These settings
178-
can be configured in `cassandra.yaml`. Once all the clients migrate to using mTLS,
179-
turn off optional mode and set the authenticator to be `MutualTlsAuthenticator`. From
180-
that point only mTLS client connections will be accepted.
205+
operators can run Cassandra in optional mTLS mode and use
206+
`MutualTlsWithPasswordFallbackAuthenticator`, which accepts both mTLS
207+
and password-based connections. Configure the settings in
208+
`cassandra.yaml`. Once all clients migrate to mTLS, turn off optional
209+
mode and set the authenticator to `MutualTlsAuthenticator`. From that
210+
point only mTLS client connections are accepted.
181211

182212
* For Internode connections, while doing rolling upgrades from non-mTLS based configuration
183-
to mTLS based configuration, set `server_encryption_options.optional:true` for the new nodes to
184-
be able to connect to old nodes which are still using non-mTLS based configuration during upgrade.
185-
After this, change the internode authenticator to be `MutualTlsInternodeAuthenticator` and turn off the optional
186-
mode by setting `server_encryption_options.optional:false`.
213+
to mTLS based configuration, set `server_encryption_options.optional: true`
214+
for the new nodes so they can connect to old nodes that are still
215+
using non-mTLS based configuration during upgrade. After this, change
216+
the internode authenticator to `MutualTlsInternodeAuthenticator` and
217+
turn off the optional mode by setting
218+
`server_encryption_options.optional: false`.

0 commit comments

Comments
 (0)