Initial authentication work.

Zvirovyi · Zvirovyi · commit 3300905c1174 · 2025-07-16T13:48:36.000+03:00
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -14,6 +14,7 @@ pydantic = "^2.11.4"
 cassandra-driver = "^3.29.2"
 tenacity = "^9.1.2"
 charmlibs-pathops = "^1.0.1"
+bcrypt = "^4.3.0"
 
 [tool.poetry.group.format]
 optional = true
diff --git a/src/charm.py b/src/charm.py
@@ -38,6 +38,7 @@ def __init__(self, *args):
             cluster_name=self.state.cluster.cluster_name,
             listen_address=self.state.unit.ip,
             seeds=self.state.cluster.seeds,
+            authentication=bool(self.state.cluster.cassandra_password_secret),
         )
         bootstrap_manager = RollingOpsManager(
             charm=self, relation="bootstrap", callback=self.bootstrap
diff --git a/src/common/cassandra_client.py b/src/common/cassandra_client.py
@@ -8,6 +8,7 @@
 from contextlib import contextmanager
 from typing import Generator
 
+from bcrypt import gensalt, hashpw
 from cassandra.auth import PlainTextAuthProvider
 from cassandra.cluster import EXEC_PROFILE_DEFAULT, Cluster, ExecutionProfile, Session
 from cassandra.policies import DCAwareRoundRobinPolicy, TokenAwarePolicy
@@ -31,6 +32,22 @@ def __init__(self, hosts: list[str], user: str | None = None, password: str | No
 
         return
 
+    def change_superuser_password(self, user: str, password: str) -> None:
+        """TODO."""
+        with self._session() as session:
+            session.execute(
+                "UPDATE system_auth.roles SET salted_hash = %s WHERE role = %s",
+                [
+                    hashpw(password.encode(), gensalt(prefix=b"2a")).decode(),
+                    user,
+                ],
+            )
+
+    def change_user_password(self, user: str, password: str) -> None:
+        """TODO."""
+        with self._session() as session:
+            session.execute("ALTER USER %s WITH PASSWORD %s", [user, password])
+
     @contextmanager
     def _session(self, keyspace: str | None = None) -> Generator[Session, None, None]:
         cluster = Cluster(
diff --git a/src/core/state.py b/src/core/state.py
@@ -38,6 +38,8 @@ class UnitWorkloadState(StrEnum):
     """Cassandra is installing."""
     WAITING_FOR_START = "waiting_for_start"
     """Subordinate unit is waiting for leader to initialize cluster before it starts workload."""
+    CHANGING_PASSWORD = "changing_password"
+    """Leader unit executes password change sequence before cluster is announced as ready."""
     STARTING = "starting"
     """Cassandra is starting."""
     ACTIVE = "active"
@@ -185,6 +187,16 @@ def is_active(self) -> bool:
         """Whether Cassandra cluster state is `ACTIVE`."""
         return self.state == ClusterState.ACTIVE
 
+    @property
+    def cassandra_password_secret(self) -> str:
+        """TODO."""
+        return self.relation_data.get("cassandra-password", "")
+
+    @cassandra_password_secret.setter
+    def cassandra_password_secret(self, value: str) -> None:
+        """TODO."""
+        self._field_setter_wrapper("cassandra-password", value)
+
 
 class ApplicationState(Object):
     """Mappings for the charm relations that forms global application state."""
@@ -194,6 +206,7 @@ def __init__(self, charm: CharmBase):
         self.peer_app_interface = DataPeerData(
             self.model,
             relation_name=PEER_RELATION,
+            additional_secret_fields=["cassandra-password"],
         )
         self.peer_unit_interface = DataPeerUnitData(self.model, relation_name=PEER_RELATION)
 
diff --git a/src/core/statuses.py b/src/core/statuses.py
@@ -16,4 +16,5 @@ class Status(Enum):
     INSTALLING = MaintenanceStatus("installing Cassandra")
     STARTING = MaintenanceStatus("waiting for Cassandra to start")
     WAITING_FOR_CLUSTER = WaitingStatus("waiting for cluster to start")
+    CHANGING_PASSWORD = MaintenanceStatus("initializing authentication")
     INVALID_CONFIG = BlockedStatus("invalid config")
diff --git a/src/core/workload.py b/src/core/workload.py
@@ -4,6 +4,8 @@
 
 """Workload definition."""
 
+import secrets
+import string
 from abc import ABC, abstractmethod
 from typing import Literal
 
@@ -95,3 +97,12 @@ def path_exists(self, path: str) -> bool:
     def exec(self, command: list[str], suppress_error_log: bool = False) -> tuple[str, str]:
         """Execute command."""
         pass
+
+    @staticmethod
+    def generate_password() -> str:
+        """Create randomized string for use as app passwords.
+
+        Returns:
+            String of 32 randomized letter+digit characters
+        """
+        return "".join([secrets.choice(string.ascii_letters + string.digits) for _ in range(32)])
diff --git a/src/events/cassandra.py b/src/events/cassandra.py
@@ -18,6 +18,7 @@
 )
 from pydantic import ValidationError
 
+from common.cassandra_client import CassandraClient
 from core.config import CharmConfig
 from core.state import ApplicationState, UnitWorkloadState
 from core.statuses import Status
@@ -67,6 +68,10 @@ def _on_start(self, event: StartEvent) -> None:
             event.defer()
             return
 
+        if self.state.unit.workload_state == UnitWorkloadState.CHANGING_PASSWORD:
+            self._finalize_password_change(event)
+            return
+
         try:
             if self.charm.unit.is_leader():
                 self.state.cluster.cluster_name = self.charm.config.cluster_name
@@ -79,20 +84,57 @@ def _on_start(self, event: StartEvent) -> None:
             event.defer()
             return
 
+        if not self.state.cluster.cassandra_password_secret:
+            self._start_password_change(event)
+            return
+
         self.config_manager.render_cassandra_config(
             cluster_name=self.state.cluster.cluster_name,
             listen_address=self.state.unit.ip,
             seeds=self.state.cluster.seeds,
+            authentication=True,
+        )
+        self.charm.on[str(self.bootstrap_manager.name)].acquire_lock.emit()
+
+    def _start_password_change(self, event: StartEvent) -> None:
+        self.config_manager.render_cassandra_config(
+            cluster_name=self.charm.config.cluster_name,
+            listen_address="127.0.0.1",
+            seeds=["127.0.0.1:7000"],
+            authentication=False,
         )
+        self.workload.start()
+        self.state.unit.workload_state = UnitWorkloadState.CHANGING_PASSWORD
+        event.defer()
 
+    def _finalize_password_change(self, event: StartEvent) -> None:
+        if not self.cluster_manager.is_healthy:
+            event.defer()
+            return
+        password = self.workload.generate_password()
+        self._cassandra.change_superuser_password("cassandra", password)
+        self.state.cluster.cassandra_password_secret = password
+        self.cluster_manager.flush_tables("system_auth", ["roles"])
+        self.config_manager.render_cassandra_config(
+            cluster_name=self.charm.config.cluster_name,
+            listen_address=self.state.unit.ip,
+            seeds=self.state.cluster.seeds,
+            authentication=True,
+        )
         self.charm.on[str(self.bootstrap_manager.name)].acquire_lock.emit()
 
     def _on_config_changed(self, _: ConfigChangedEvent) -> None:
+        if self.state.unit.workload_state not in [
+            UnitWorkloadState.STARTING,
+            UnitWorkloadState.ACTIVE,
+        ]:
+            return
         try:
             # TODO: cluster_name change
             self.config_manager.render_env(
                 cassandra_limit_memory_mb=1024 if self.charm.config.profile == "testing" else None
             )
+            self.config_manager.render_cassandra_config()
         except ValidationError as e:
             logger.debug(f"Config haven't passed validation: {e}")
             return
@@ -136,6 +178,9 @@ def _on_collect_unit_status(self, event: CollectStatusEvent) -> None:
         ] and (self.charm.unit.is_leader() or self.state.cluster.is_active):
             event.add_status(Status.STARTING.value)
 
+        if self.state.unit.workload_state == UnitWorkloadState.CHANGING_PASSWORD:
+            event.add_status(Status.CHANGING_PASSWORD.value)
+
         event.add_status(Status.ACTIVE.value)
 
     def _on_collect_app_status(self, event: CollectStatusEvent) -> None:
@@ -160,3 +205,11 @@ def _update_network_address(self) -> bool:
             and old_hostname is not None
             and (old_ip != self.state.unit.ip or old_hostname != self.state.unit.hostname)
         )
+
+    @property
+    def _cassandra(self) -> CassandraClient:
+        return CassandraClient(
+            [self.state.unit.ip if self.state.cluster.cassandra_password_secret else "127.0.0.1"],
+            "cassandra",
+            self.state.cluster.cassandra_password_secret or None,
+        )
diff --git a/src/managers/cluster.py b/src/managers/cluster.py
@@ -35,3 +35,7 @@ def network_address(self) -> tuple[str, str]:
         """Get hostname and IP of this unit."""
         hostname = socket.gethostname()
         return socket.gethostbyname(hostname), hostname
+
+    def flush_tables(self, keyspace: str, tables: list[str]) -> None:
+        """TODO."""
+        self._workload.exec(["charmed-cassandra.nodetool", "flush", keyspace, *tables])
diff --git a/src/managers/config.py b/src/managers/config.py

Original file line number	Diff line number	Diff line change
`@@ -38,6 +38,7 @@ def __init__(self, *args):`
`38`	`38`	`cluster_name=self.state.cluster.cluster_name,`
`39`	`39`	`listen_address=self.state.unit.ip,`
`40`	`40`	`seeds=self.state.cluster.seeds,`
	`41`	`+ authentication=bool(self.state.cluster.cassandra_password_secret),`
`41`	`42`	`)`
`42`	`43`	`bootstrap_manager = RollingOpsManager(`
`43`	`44`	`charm=self, relation="bootstrap", callback=self.bootstrap`