Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Authentication with Security Bundle for Cassandra Scaler #6277

Open
n0rm4l-me opened this issue Oct 27, 2024 · 13 comments
Open

Authentication with Security Bundle for Cassandra Scaler #6277

n0rm4l-me opened this issue Oct 27, 2024 · 13 comments
Assignees
Labels
auth good first issue Good for newcomers help wanted Looking for support from community

Comments

@n0rm4l-me
Copy link

Proposal

Some managed solutions for Apache Cassandra are using bundle-based authentication.
It would be nice if Cassandra Scaler can support that too.

Use-Case

KEDA + Apache Astra support.

Is this a feature you are interested in implementing yourself?

No

Anything else?

No response

@n0rm4l-me n0rm4l-me added feature-request All issues for new features that have not been committed to needs-discussion labels Oct 27, 2024
@yampml
Copy link

yampml commented Oct 30, 2024

It would be nice to have this function!

@JorTurFer JorTurFer added help wanted Looking for support from community good first issue Good for newcomers auth and removed needs-discussion feature-request All issues for new features that have not been committed to labels Oct 30, 2024
@JorTurFer
Copy link
Member

JorTurFer commented Oct 30, 2024

I think that this makes sense totally. Are you willing to open a PR with this functionality?

@rahulmansharamani14
Copy link

Hi @JorTurFer, Is there anyone working on this? If not, I'd like to give it a try.

@JorTurFer
Copy link
Member

There isn't anybody working on this AFAIK, so feel free to tackle it 😄

@rahulmansharamani14
Copy link

Hi @JorTurFer @n0rm4l-me,
I’ve been exploring the Cassandra scaler to understand the changes required to implement support for security bundle-based authentication as described in this issue. I have a few clarifying questions to ensure alignment with the expectations:

  1. Security Bundle Details: Could you provide an example or documentation reference for the type of security bundle (e.g., Apache Astra’s bundle) that needs to be supported? Does the bundle include all necessary credentials and connection details, such as certificates, keys, and endpoints?

  2. Backward Compatibility: Should the existing authentication methods (e.g., username and password) remain functional alongside the new security bundle option?

  3. Parameter Addition: Would adding a new metadata field like securityBundlePath for the bundle’s file location be acceptable, or do you foresee another approach?

  4. Testing Expectations: Are there any specific scenarios or configurations you’d like tested, particularly for compatibility with existing authentication methods?

I’d appreciate any additional guidance or pointers, especially regarding how you see this feature fitting into KEDA’s overall architecture and contribution standards.

Thank you, and I look forward to your insights!

@n0rm4l-me
Copy link
Author

Hi @rahulmansharamani14, thanks for checking on this.

I've created a demo Astra database and generated a Token which you can use for testing, please see the attached files. Bundle contains contact points and certificates, while token is used for authorization.

I've tried to use the information from the bundle to configure scaler, but I didn't found a way to configure certificates.

github-test-token.json
secure-connect-github-test.zip

Let me know if you need more details.

@rahulmansharamani14
Copy link

Hi @n0rm4l-me @JorTurFer, thanks for the files for testing. I wanted to roughly share my implementation plan with you for feedback before proceeding.

Proposed Implementation Plan

  • Metadata Parsing: Add a new field, securityBundlePath, to accept the bundle file location. Ensure backward compatibility with existing authentication methods.

  • Security Bundle Parsing: Implement logic to parse the bundle (e.g., JSON format) and extract required details: username, password, hosts, and TLS configuration.

  • Connection Setup: Update createCassandraSession to use bundle-based credentials if provided, while retaining existing logic for other authentication methods.

End-User Workflow:

Here’s how the end-user workflow would look after this feature is implemented:

  1. The user will store the security bundle file securely in a Kubernetes Secret.
  2. The user will Reference the bundle in the ScaledObject and TriggerAuthentication resources.
  3. The scaler retrieves the bundle, parses it, and establishes a secure connection to Cassandra.
  4. The scaler executes the query and triggers scaling decisions based on the results.

Let me know if this approach is in the right direction. I'm happy to refine the plan further and raise a draft PR based on your feedback.

@n0rm4l-me
Copy link
Author

@rahulmansharamani14
I believe the correct implementation should allow the user to provide the bundle itself. As for the username and password, the user can input them manually - there's no need to parse the token file. You can try providing the username and password in the usual way. This is how it is implemented in any Apache Cassandra driver.

@rahulmansharamani14
Copy link

@n0rm4l-me
I see. So you are saying user will extract this secure-connect-github-test.zip file and manually enter all necessary credentials and connection details such as certificates, keys, and endpoints as part of as part of the spec?

@n0rm4l-me
Copy link
Author

@rahulmansharamani14 No, usually Cassandra driver pick ups all the necessary information from secure-connect-github-test.zip, but user extracts token and secret from github-test-token.json as username / password.

@JorTurFer
Copy link
Member

There is a constraint to follow related with the files, we shouldn't read the file system to get any external information. This is because there are users with >3k ScaledObjects, imagine the issues rotating these secrets if they need a restart.
Allowing user/password sounds to generate the bundle internally sound good, or even recovering the bundle from a secret, but in case of needing to read the file from the filesystem, the scaler should generate a temporal file and delete it at the end.
You can check an example in the usage of kerberos for kafka -> https://github.com/kedacore/keda/blob/main/pkg/scalers/kafka_scaler.go

@n0rm4l-me
Copy link
Author

For sure we can use secrets instead of file parsing, no problems with that:

{
  "host": "42a21a1a-d1f9-48ef-b404-9e04d69abec9-us-east1.db.astra.datastax.com",
  "port": 29080,
  "cql_port": 29042,
  "keyspace": "github",
  "localDC": "us-east1",
  "caCertLocation": "./ca.crt",
  "keyLocation": "./key",
  "certLocation": "./cert",
  "keyStoreLocation": "./identity.jks",
  "keyStorePassword": "zzzzzzz",
  "trustStoreLocation": "./trustStore.jks",
  "trustStorePassword": "yyyyyy",
  "csvLocation": "./data",
  "pfxCertPassword": "xxxxxx"
}

And then put following files into secrets:

cert
ca.crt
cert.pfx
cqlshrc
identity.jks
key
trustStore.jks

@zroubalik
Copy link
Member

There is a constraint to follow related with the files, we shouldn't read the file system to get any external information. This is because there are users with >3k ScaledObjects, imagine the issues rotating these secrets if they need a restart. Allowing user/password sounds to generate the bundle internally sound good, or even recovering the bundle from a secret, but in case of needing to read the file from the filesystem, the scaler should generate a temporal file and delete it at the end. You can check an example in the usage of kerberos for kafka -> https://github.com/kedacore/keda/blob/main/pkg/scalers/kafka_scaler.go

^ this

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
auth good first issue Good for newcomers help wanted Looking for support from community
Projects
Status: To Triage
Development

No branches or pull requests

5 participants