Initial authentication work.

Zvirovyi · Zvirovyi · commit 1b831fa91ec8 · 2025-07-03T18:05:00.000+03:00
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -14,6 +14,7 @@ pydantic = "^2.11.4"
 cassandra-driver = "^3.29.2"
 tenacity = "^9.1.2"
 charmlibs-pathops = "^1.0.1"
+bcrypt = "^4.3.0"
 
 [tool.poetry.group.format]
 optional = true
diff --git a/src/common/cassandra_client.py b/src/common/cassandra_client.py
@@ -8,6 +8,7 @@
 from contextlib import contextmanager
 from typing import Generator
 
+from bcrypt import gensalt, hashpw
 from cassandra.auth import PlainTextAuthProvider
 from cassandra.cluster import EXEC_PROFILE_DEFAULT, Cluster, ExecutionProfile, Session
 from cassandra.policies import DCAwareRoundRobinPolicy, TokenAwarePolicy
@@ -31,6 +32,22 @@ def __init__(self, hosts: list[str], user: str | None = None, password: str | No
 
         return
 
+    def change_superuser_password(self, user: str, password: str) -> None:
+        """TODO."""
+        with self._session() as session:
+            session.execute(
+                "UPDATE system_auth.roles SET salted_hash = %s WHERE role = %s",
+                [
+                    hashpw(password.encode(), gensalt(prefix=b"2a")).decode(),
+                    user,
+                ],
+            )
+
+    def change_user_password(self, user: str, password: str) -> None:
+        """TODO."""
+        with self._session() as session:
+            session.execute("ALTER USER %s WITH PASSWORD %s", [user, password])
+
     @contextmanager
     def _session(self, keyspace: str | None = None) -> Generator[Session, None, None]:
         cluster = Cluster(
diff --git a/src/core/state.py b/src/core/state.py
@@ -38,6 +38,8 @@ class UnitWorkloadState(StrEnum):
     """Cassandra is installing."""
     WAITING_FOR_START = "waiting_for_start"
     """Subordinate unit is waiting for leader to initialize cluster before it starts workload."""
+    CHANGING_PASSWORD = "changing_password"
+    """Leader unit executes password change sequence before cluster is announced as ready."""
     STARTING = "starting"
     """Cassandra is starting."""
     ACTIVE = "active"
@@ -176,6 +178,16 @@ def is_active(self) -> bool:
         """Whether Cassandra cluster state is `ACTIVE`."""
         return self.state == ClusterState.ACTIVE
 
+    @property
+    def cassandra_password_secret(self) -> str:
+        """TODO."""
+        return self.relation_data.get("cassandra-password", "")
+
+    @cassandra_password_secret.setter
+    def cassandra_password_secret(self, value: str) -> None:
+        """TODO."""
+        self._field_setter_wrapper("cassandra-password", value)
+
 
 class ApplicationState(Object):
     """Mappings for the charm relations that forms global application state."""
@@ -185,6 +197,7 @@ def __init__(self, charm: CharmBase):
         self.peer_app_interface = DataPeerData(
             self.model,
             relation_name=PEER_RELATION,
+            additional_secret_fields=["cassandra-password"],
         )
         self.peer_unit_interface = DataPeerUnitData(self.model, relation_name=PEER_RELATION)
 
diff --git a/src/core/statuses.py b/src/core/statuses.py
@@ -16,4 +16,5 @@ class Status(Enum):
     INSTALLING = MaintenanceStatus("installing Cassandra")
     STARTING = MaintenanceStatus("waiting for Cassandra to start")
     WAITING_FOR_CLUSTER = WaitingStatus("waiting for cluster to start")
+    CHANGING_PASSWORD = MaintenanceStatus("initializing authentication")
     INVALID_CONFIG = BlockedStatus("invalid config")
diff --git a/src/core/workload.py b/src/core/workload.py
@@ -4,6 +4,8 @@
 
 """Workload definition."""
 
+import secrets
+import string
 from abc import ABC, abstractmethod
 from typing import Literal
 
@@ -95,3 +97,12 @@ def path_exists(self, path: str) -> bool:
     def exec(self, command: list[str], suppress_error_log: bool = False) -> tuple[str, str]:
         """Execute command."""
         pass
+
+    @staticmethod
+    def generate_password() -> str:
+        """Create randomized string for use as app passwords.
+
+        Returns:
+            String of 32 randomized letter+digit characters
+        """
+        return "".join([secrets.choice(string.ascii_letters + string.digits) for _ in range(32)])
diff --git a/src/events/cassandra.py b/src/events/cassandra.py
@@ -17,6 +17,7 @@
 )
 from pydantic import ValidationError
 
+from common.cassandra_client import CassandraClient
 from core.config import CharmConfig
 from core.state import ApplicationState, ClusterState, UnitWorkloadState
 from core.statuses import Status
@@ -56,35 +57,91 @@ def _on_install(self, _: InstallEvent) -> None:
         self.workload.install()
 
     def _on_start(self, event: StartEvent) -> None:
-        self.state.unit.workload_state = UnitWorkloadState.WAITING_FOR_START
         self._update_network_address()
 
-        if not self.charm.unit.is_leader() and not self.state.cluster.is_active:
-            logger.debug("Deferring on_start for unit due to cluster isn't initialized yet")
-            event.defer()
-            return
-
-        if self.charm.unit.is_leader():
-            self.state.cluster.seeds = [self.state.unit.peer_url]
-
         try:
             self.config_manager.render_env(
                 cassandra_limit_memory_mb=1024 if self.charm.config.profile == "testing" else None
             )
-            self.config_manager.render_cassandra_config(
-                cluster_name=self.charm.config.cluster_name,
-                listen_address=self.state.unit.ip,
-                seeds=self.state.cluster.seeds,
-            )
         except ValidationError as e:
             logger.debug(f"Config haven't passed validation: {e}")
             event.defer()
             return
 
+        if not self.charm.unit.is_leader():
+            self._start_subordinate(event)
+            return
+
+        self.state.cluster.seeds = [self.state.unit.peer_url]
+
+        if self.state.unit.workload_state == UnitWorkloadState.CHANGING_PASSWORD:
+            self._finalize_password_change(event)
+            return
+
+        if not self.state.unit.workload_state:
+            if self.state.cluster.cassandra_password_secret:
+                self._start_leader()
+            else:
+                self._start_password_change(event)
+
+    def _start_subordinate(self, event: StartEvent) -> None:
+        if not self.state.cluster.is_active:
+            self.state.unit.workload_state = UnitWorkloadState.WAITING_FOR_START
+            logger.debug("Deferring on_start for unit due to cluster isn't initialized yet")
+            event.defer()
+            return
+        self.config_manager.render_cassandra_config(
+            cluster_name=self.charm.config.cluster_name,
+            listen_address=self.state.unit.ip,
+            seeds=self.state.cluster.seeds,
+            authentication=True,
+        )
         self.workload.start()
         self.state.unit.workload_state = UnitWorkloadState.STARTING
 
+    def _start_leader(self) -> None:
+        self.config_manager.render_cassandra_config(
+            cluster_name=self.charm.config.cluster_name,
+            listen_address=self.state.unit.ip,
+            seeds=self.state.cluster.seeds,
+            authentication=True,
+        )
+        self.workload.start()
+        self.state.unit.workload_state = UnitWorkloadState.STARTING
+
+    def _start_password_change(self, event: StartEvent) -> None:
+        self.config_manager.render_cassandra_config(
+            cluster_name=self.charm.config.cluster_name,
+            listen_address="127.0.0.1",
+            seeds=["127.0.0.1:7000"],
+            authentication=False,
+        )
+        self.workload.start()
+        self.state.unit.workload_state = UnitWorkloadState.CHANGING_PASSWORD
+        event.defer()
+
+    def _finalize_password_change(self, event: StartEvent) -> None:
+        if not self.cluster_manager.is_healthy:
+            event.defer()
+            return
+        password = self.workload.generate_password()
+        self._cassandra.change_superuser_password("cassandra", password)
+        self.state.cluster.cassandra_password_secret = password
+        self.config_manager.render_cassandra_config(
+            cluster_name=self.charm.config.cluster_name,
+            listen_address=self.state.unit.ip,
+            seeds=self.state.cluster.seeds,
+            authentication=True,
+        )
+        self.workload.restart()
+        self.state.unit.workload_state = UnitWorkloadState.STARTING
+
     def _on_config_changed(self, _: ConfigChangedEvent) -> None:
+        if self.state.unit.workload_state not in [
+            UnitWorkloadState.STARTING,
+            UnitWorkloadState.ACTIVE,
+        ]:
+            return
         try:
             self.config_manager.render_env(
                 cassandra_limit_memory_mb=1024 if self.charm.config.profile == "testing" else None
@@ -93,14 +150,14 @@ def _on_config_changed(self, _: ConfigChangedEvent) -> None:
                 cluster_name=self.charm.config.cluster_name,
                 listen_address=self.state.unit.ip,
                 seeds=self.state.cluster.seeds,
+                authentication=True,
             )
         except ValidationError as e:
             logger.debug(f"Config haven't passed validation: {e}")
             return
-        if not self.state.unit.workload_state == UnitWorkloadState.ACTIVE:
-            return
         self.workload.restart()
-        self.state.unit.workload_state = UnitWorkloadState.STARTING
+        if self.state.unit.workload_state == UnitWorkloadState.ACTIVE:
+            self.state.unit.workload_state = UnitWorkloadState.STARTING
 
     def _on_update_status(self, _: UpdateStatusEvent) -> None:
         if (
@@ -141,6 +198,9 @@ def _on_collect_unit_status(self, event: CollectStatusEvent) -> None:
         ] and (self.charm.unit.is_leader() or self.state.cluster.is_active):
             event.add_status(Status.STARTING.value)
 
+        if self.state.unit.workload_state == UnitWorkloadState.CHANGING_PASSWORD:
+            event.add_status(Status.CHANGING_PASSWORD.value)
+
         event.add_status(Status.ACTIVE.value)
 
     def _on_collect_app_status(self, event: CollectStatusEvent) -> None:
@@ -165,3 +225,11 @@ def _update_network_address(self) -> bool:
             and old_hostname is not None
             and (old_ip != self.state.unit.ip or old_hostname != self.state.unit.hostname)
         )
+
+    @property
+    def _cassandra(self) -> CassandraClient:
+        return CassandraClient(
+            [self.state.unit.ip if self.state.cluster.cassandra_password_secret else "127.0.0.1"],
+            "cassandra",
+            self.state.cluster.cassandra_password_secret or None,
+        )
diff --git a/src/managers/config.py b/src/managers/config.py
