Add password authentication (#32)

* add options to command line

* minor fix

* add authentication option to cassandra

* remove cqlshrc file and use default credentials instead

* add readme and change naming

* aff indent

* remove mod files

---------

Co-authored-by: victorr <victor.romanov@nuvocares.com>
Co-authored-by: aharonh <aharon.haravon@gmail.com>

Author: 3 people

.gitignore

@@ -14,3 +14,6 @@
 # dep/glide
 vendor/
 bin/
+rebuild.sh
+go.mod
+go.sum

Makefile

@@ -11,14 +11,14 @@ TRAVIS := $(shell printenv TRAVIS)
 all: bootstrap build docker push
 
 fmt:
-	go fmt ./pkg/... ./cmd/...
+	go fmt -mod=mod ./pkg/... ./cmd/...
 
 vet:
-	go vet ./pkg/... ./cmd/...
+	go vet -mod=mod  ./pkg/... ./cmd/...
 
 # Build cain binary
 build: fmt vet
-	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags $(LDFLAGS) -o bin/cain cmd/cain.go
+	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -mod=mod -ldflags $(LDFLAGS) -o bin/cain cmd/cain.go
 
 # Build cain docker image
 docker: fmt vet

README.md

@@ -55,14 +55,18 @@ Usage:
   cain backup [flags]
 
 Flags:
-  -b, --buffer-size float           in memory buffer size (MB) to use for files copy (buffer per file). Overrides $CAIN_BUFFER_SIZE (default 6.75)
-      --cassandra-data-dir string   cassandra data directory. Overrides $CAIN_CASSANDRA_DATA_DIR (default "/var/lib/cassandra/data")
-  -c, --container string            container name to act on. Overrides $CAIN_CONTAINER (default "cassandra")
-      --dst string                  destination to backup to. Example: s3://bucket/cassandra. Overrides $CAIN_DST
-  -k, --keyspace string             keyspace to act on. Overrides $CAIN_KEYSPACE
-  -n, --namespace string            namespace to find cassandra cluster. Overrides $CAIN_NAMESPACE (default "default")
-  -p, --parallel int                number of files to copy in parallel. set this flag to 0 for full parallelism. Overrides $CAIN_PARALLEL (default 1)
-  -l, --selector string             selector to filter on. Overrides $CAIN_SELECTOR (default "app=cassandra")
+  -a, --authentication                     use authentication for nodetool and clqsh. Overrides $CAIN_AUTHENTICATION
+  -b, --buffer-size float                  in memory buffer size (MB) to use for files copy (buffer per file). Overrides $CAIN_BUFFER_SIZE (default 6.75)
+      --cassandra-data-dir string          cassandra data directory. Overrides $CAIN_CASSANDRA_DATA_DIR (default "/var/lib/cassandra/data")
+  -u, --cassandra-username string          cassandra username. Overrides $CAIN_CASSANDRA_USERNAME (default "cain")
+  -c, --container string                   container name to act on. Overrides $CAIN_CONTAINER (default "cassandra")
+      --dst string                         destination to backup to. Example: s3://bucket/cassandra. Overrides $CAIN_DST
+  -h, --help                               help for backup
+  -k, --keyspace string                    keyspace to act on. Overrides $CAIN_KEYSPACE
+  -n, --namespace string                   namespace to find cassandra cluster. Overrides $CAIN_NAMESPACE (default "default")
+      --nodetool-credentials-file string   path to nodetool credentials file. Overrides $CAIN_NODETOOL_CREDENTIALS_FILE (default "/home/cassandra/.nodetool/credentials")
+  -p, --parallel int                       number of files to copy in parallel. set this flag to 0 for full parallelism. Overrides $CAIN_PARALLEL (default 1)
+  -l, --selector string     
 ```
 
 #### Examples
@@ -77,6 +81,19 @@ cain backup \
     --dst s3://db-backup/cassandra
 ```
 
+Backup to AWS S3 with Cassandra authentication enabled
+
+```
+cain backup \
+    -n default \
+    -l release=cassandra \
+    -k keyspace \
+    --dst s3://db-backup/cassandra
+    -a
+    -u cain
+    --nodetool-credentials-file /home/cassandra/.nodetool/credentials
+```
+
 Backup to Azure Blob Storage
 
 ```
@@ -105,17 +122,21 @@ Usage:
   cain restore [flags]
 
 Flags:
-  -b, --buffer-size float           in memory buffer size (MB) to use for files copy (buffer per file). Overrides $CAIN_BUFFER_SIZE (default 6.75)
-      --cassandra-data-dir string   cassandra data directory. Overrides $CAIN_CASSANDRA_DATA_DIR (default "/var/lib/cassandra/data")
-  -c, --container string            container name to act on. Overrides $CAIN_CONTAINER (default "cassandra")
-  -k, --keyspace string             keyspace to act on. Overrides $CAIN_KEYSPACE
-  -n, --namespace string            namespace to find cassandra cluster. Overrides $CAIN_NAMESPACE (default "default")
-  -p, --parallel int                number of files to copy in parallel. set this flag to 0 for full parallelism. Overrides $CAIN_PARALLEL (default 1)
-  -s, --schema string               schema version to restore (optional). Overrides $CAIN_SCHEMA
-  -l, --selector string             selector to filter on. Overrides $CAIN_SELECTOR (default "app=cassandra")
-      --src string                  source to restore from. Example: s3://bucket/cassandra/namespace/cluster-name. Overrides $CAIN_SRC
-  -t, --tag string                  tag to restore. Overrides $CAIN_TAG
-      --user-group string           user and group who should own restored files. Overrides $CAIN_USER_GROUP (default "cassandra:cassandra")
+  -a, --authentication                     use authentication for nodetool and clqsh. Overrides $CAIN_AUTHENTICATION
+  -b, --buffer-size float                  in memory buffer size (MB) to use for files copy (buffer per file). Overrides $CAIN_BUFFER_SIZE (default 6.75)
+      --cassandra-data-dir string          cassandra data directory. Overrides $CAIN_CASSANDRA_DATA_DIR (default "/var/lib/cassandra/data")
+  -u, --cassandra-username string          cassandra username. Overrides $CAIN_CASSANDRA_USERNAME (default "cain")
+  -c, --container string                   container name to act on. Overrides $CAIN_CONTAINER (default "cassandra")
+  -h, --help                               help for restore
+  -k, --keyspace string                    keyspace to act on. Overrides $CAIN_KEYSPACE
+  -n, --namespace string                   namespace to find cassandra cluster. Overrides $CAIN_NAMESPACE (default "default")
+  -f, --nodetool-credentials-file string   path to nodetool credentials file. Overrides $CAIN_NODETOOL_CREDENTIALS_FILE (default "/home/cassandra/.nodetool/credentials")
+  -p, --parallel int                       number of files to copy in parallel. set this flag to 0 for full parallelism. Overrides $CAIN_PARALLEL (default 1)
+  -s, --schema string                      schema version to restore (optional). Overrides $CAIN_SCHEMA
+  -l, --selector string                    selector to filter on. Overrides $CAIN_SELECTOR (default "app=cassandra")
+      --src string                         source to restore from. Example: s3://bucket/cassandra/namespace/cluster-name. Overrides $CAIN_SRC
+  -t, --tag string                         tag to restore. Overrides $CAIN_TAG
+      --user-group string                  user and group who should own restored files. Overrides $CAIN_USER_GROUP (default "cassandra:cassandra")
 ```
 
 #### Examples
@@ -211,6 +232,7 @@ Since Cain uses [Skbn](https://github.com/nuvo/skbn), adding support for additio
 
 | Cain version | Skbn version |
 |--------------|--------------|
+| 0.5.2        | 0.4.2        |
 | 0.5.1        | 0.4.2        |
 | 0.5.0        | 0.4.1        |
 | 0.4.2        | 0.4.1        |
@@ -239,6 +261,18 @@ Skbn uses the default AWS [credentials chain](https://docs.aws.amazon.com/sdk-fo
 
 Skbn uses `AZURE_STORAGE_ACCOUNT` and `AZURE_STORAGE_ACCESS_KEY` environment variables for authentication.
 
+### Cassandra Credentials
+When Authentication is enabled Cain will look for default credentials   
+for `cqlsh` in `/home/cassandra/.cassandra/credentials`   
+if you use authentication please make sure the cassandra   
+container has this file and the username and password are correct.   
+     
+For `nodetool` authentications default credentials are in:   
+`/home/cassandra/.nodetool/credentials` can be overridden by    
+setting the `--nodetool-credentials-file` flag.    
+When this flag is used, the username for the nodetool    
+authentication must be provided as well .   
+
 ## Examples
 
 1. [Helm example](/examples/helm)

cmd/cain.go

@@ -39,14 +39,17 @@ func NewRootCmd(args []string) *cobra.Command {
 }
 
 type backupCmd struct {
-	namespace        string
-	selector         string
-	container        string
-	keyspace         string
-	dst              string
-	parallel         int
-	bufferSize       float64
-	cassandraDataDir string
+	namespace               string
+	selector                string
+	container               string
+	keyspace                string
+	dst                     string
+	parallel                int
+	bufferSize              float64
+	cassandraDataDir        string
+	authentication          bool
+	cassandraUsername       string
+	nodetoolCredentialsFile string
 
 	out io.Writer
 }
@@ -73,14 +76,17 @@ func NewBackupCmd(out io.Writer) *cobra.Command {
 		},
 		Run: func(cmd *cobra.Command, args []string) {
 			options := cain.BackupOptions{
-				Namespace:        b.namespace,
-				Selector:         b.selector,
-				Container:        b.container,
-				Keyspace:         b.keyspace,
-				Dst:              b.dst,
-				Parallel:         b.parallel,
-				BufferSize:       b.bufferSize,
-				CassandraDataDir: b.cassandraDataDir,
+				Namespace:               b.namespace,
+				Selector:                b.selector,
+				Container:               b.container,
+				Keyspace:                b.keyspace,
+				Dst:                     b.dst,
+				Parallel:                b.parallel,
+				BufferSize:              b.bufferSize,
+				CassandraDataDir:        b.cassandraDataDir,
+				Authentication:          b.authentication,
+				CassandraUsername:       b.cassandraUsername,
+				NodetoolCredentialsFile: b.nodetoolCredentialsFile,
 			}
 			if _, err := cain.Backup(options); err != nil {
 				log.Fatal(err)
@@ -97,22 +103,27 @@ func NewBackupCmd(out io.Writer) *cobra.Command {
 	f.IntVarP(&b.parallel, "parallel", "p", utils.GetIntEnvVar("CAIN_PARALLEL", 1), "number of files to copy in parallel. set this flag to 0 for full parallelism. Overrides $CAIN_PARALLEL")
 	f.Float64VarP(&b.bufferSize, "buffer-size", "b", utils.GetFloat64EnvVar("CAIN_BUFFER_SIZE", 6.75), "in memory buffer size (MB) to use for files copy (buffer per file). Overrides $CAIN_BUFFER_SIZE")
 	f.StringVar(&b.cassandraDataDir, "cassandra-data-dir", utils.GetStringEnvVar("CAIN_CASSANDRA_DATA_DIR", "/var/lib/cassandra/data"), "cassandra data directory. Overrides $CAIN_CASSANDRA_DATA_DIR")
-
+	f.BoolVarP(&b.authentication, "authentication", "a", utils.GetBoolEnvVar("CAIN_AUTHENTICATION", false), "use authentication for nodetool and clqsh. Overrides $CAIN_AUTHENTICATION")
+	f.StringVarP(&b.cassandraUsername, "cassandra-username", "u", utils.GetStringEnvVar("CAIN_CASSANDRA_USERNAME", "cain"), "cassandra username. Overrides $CAIN_CASSANDRA_USERNAME")
+	f.StringVar(&b.nodetoolCredentialsFile, "nodetool-credentials-file", utils.GetStringEnvVar("CAIN_NODETOOL_CREDENTIALS_FILE", "/home/cassandra/.nodetool/credentials"), "path to nodetool credentials file. Overrides $CAIN_NODETOOL_CREDENTIALS_FILE")
 	return cmd
 }
 
 type restoreCmd struct {
-	src              string
-	keyspace         string
-	tag              string
-	schema           string
-	namespace        string
-	selector         string
-	container        string
-	parallel         int
-	bufferSize       float64
-	userGroup        string
-	cassandraDataDir string
+	src                     string
+	keyspace                string
+	tag                     string
+	schema                  string
+	namespace               string
+	selector                string
+	container               string
+	parallel                int
+	bufferSize              float64
+	userGroup               string
+	cassandraDataDir        string
+	authentication          bool
+	cassandraUsername       string
+	nodetoolCredentialsFile string
 
 	out io.Writer
 }
@@ -142,17 +153,20 @@ func NewRestoreCmd(out io.Writer) *cobra.Command {
 		},
 		Run: func(cmd *cobra.Command, args []string) {
 			options := cain.RestoreOptions{
-				Src:              r.src,
-				Keyspace:         r.keyspace,
-				Tag:              r.tag,
-				Schema:           r.schema,
-				Namespace:        r.namespace,
-				Selector:         r.selector,
-				Container:        r.container,
-				Parallel:         r.parallel,
-				BufferSize:       r.bufferSize,
-				UserGroup:        r.userGroup,
-				CassandraDataDir: r.cassandraDataDir,
+				Src:                     r.src,
+				Keyspace:                r.keyspace,
+				Tag:                     r.tag,
+				Schema:                  r.schema,
+				Namespace:               r.namespace,
+				Selector:                r.selector,
+				Container:               r.container,
+				Parallel:                r.parallel,
+				BufferSize:              r.bufferSize,
+				UserGroup:               r.userGroup,
+				CassandraDataDir:        r.cassandraDataDir,
+				Authentication:          r.authentication,
+				CassandraUsername:       r.cassandraUsername,
+				NodetoolCredentialsFile: r.nodetoolCredentialsFile,
 			}
 			if err := cain.Restore(options); err != nil {
 				log.Fatal(err)
@@ -172,7 +186,9 @@ func NewRestoreCmd(out io.Writer) *cobra.Command {
 	f.Float64VarP(&r.bufferSize, "buffer-size", "b", utils.GetFloat64EnvVar("CAIN_BUFFER_SIZE", 6.75), "in memory buffer size (MB) to use for files copy (buffer per file). Overrides $CAIN_BUFFER_SIZE")
 	f.StringVar(&r.userGroup, "user-group", utils.GetStringEnvVar("CAIN_USER_GROUP", "cassandra:cassandra"), "user and group who should own restored files. Overrides $CAIN_USER_GROUP")
 	f.StringVar(&r.cassandraDataDir, "cassandra-data-dir", utils.GetStringEnvVar("CAIN_CASSANDRA_DATA_DIR", "/var/lib/cassandra/data"), "cassandra data directory. Overrides $CAIN_CASSANDRA_DATA_DIR")
-
+	f.BoolVarP(&r.authentication, "authentication", "a", utils.GetBoolEnvVar("CAIN_AUTHENTICATION", false), "use authentication for nodetool and clqsh. Overrides $CAIN_AUTHENTICATION")
+	f.StringVarP(&r.cassandraUsername, "cassandra-username", "u", utils.GetStringEnvVar("CAIN_CASSANDRA_USERNAME", "cain"), "cassandra username. Overrides $CAIN_CASSANDRA_USERNAME")
+	f.StringVarP(&r.nodetoolCredentialsFile, "nodetool-credentials-file", "f", utils.GetStringEnvVar("CAIN_NODETOOL_CREDENTIALS_FILE", "/home/cassandra/.nodetool/credentials"), "path to nodetool credentials file. Overrides $CAIN_NODETOOL_CREDENTIALS_FILE")
 	return cmd
 }
 

pkg/cain/cain.go

@@ -9,16 +9,26 @@ import (
 	"github.com/nuvo/skbn/pkg/skbn"
 )
 
+// Authentication options if cassandra cluster uses authentication
+type Credentials struct {
+	enabled                 bool
+	username                string
+	nodetoolCredentialsFile string
+}
+
 // BackupOptions are the options to pass to Backup
 type BackupOptions struct {
-	Namespace        string
-	Selector         string
-	Container        string
-	Keyspace         string
-	Dst              string
-	Parallel         int
-	BufferSize       float64
-	CassandraDataDir string
+	Namespace               string
+	Selector                string
+	Container               string
+	Keyspace                string
+	Dst                     string
+	Parallel                int
+	BufferSize              float64
+	CassandraDataDir        string
+	Authentication          bool
+	CassandraUsername       string
+	NodetoolCredentialsFile string
 }
 
 // Backup performs backup
@@ -46,15 +56,26 @@ func Backup(o BackupOptions) (string, error) {
 	if err := utils.TestK8sDirectory(k8sClient, pods, o.Namespace, o.Container, o.CassandraDataDir); err != nil {
 		return "", err
 	}
+	creds := Credentials{
+		enabled:                 o.Authentication,
+		username:                o.CassandraUsername,
+		nodetoolCredentialsFile: o.NodetoolCredentialsFile,
+	}
+	if o.Authentication {
+		log.Println("Testing existence of nodetool credentials file")
+		if err := utils.TestK8sDirectory(k8sClient, pods, o.Namespace, o.Container, o.NodetoolCredentialsFile); err != nil {
+			return "", err
+		}
+	}
 
 	log.Println("Backing up schema")
-	dstBasePath, err := BackupKeyspaceSchema(k8sClient, dstClient, o.Namespace, pods[0], o.Container, o.Keyspace, dstPrefix, dstPath)
+	dstBasePath, err := BackupKeyspaceSchema(k8sClient, dstClient, o.Namespace, pods[0], o.Container, o.Keyspace, dstPrefix, dstPath, creds)
 	if err != nil {
 		return "", err
 	}
 
 	log.Println("Taking snapshots")
-	tag := TakeSnapshots(k8sClient, pods, o.Namespace, o.Container, o.Keyspace)
+	tag := TakeSnapshots(k8sClient, pods, o.Namespace, o.Container, o.Keyspace, creds)
 
 	log.Println("Calculating paths. This may take a while...")
 	fromToPathsAllPods, err := utils.GetFromAndToPathsFromK8s(k8sClient, pods, o.Namespace, o.Container, o.Keyspace, tag, dstBasePath, o.CassandraDataDir)
@@ -68,25 +89,28 @@ func Backup(o BackupOptions) (string, error) {
 	}
 
 	log.Println("Clearing snapshots")
-	ClearSnapshots(k8sClient, pods, o.Namespace, o.Container, o.Keyspace, tag)
+	ClearSnapshots(k8sClient, pods, o.Namespace, o.Container, o.Keyspace, tag, creds)
 
 	log.Println("All done!")
 	return tag, nil
 }
 
 // RestoreOptions are the options to pass to Restore
 type RestoreOptions struct {
-	Src              string
-	Keyspace         string
-	Tag              string
-	Schema           string
-	Namespace        string
-	Selector         string
-	Container        string
-	Parallel         int
-	BufferSize       float64
-	UserGroup        string
-	CassandraDataDir string
+	Src                     string
+	Keyspace                string
+	Tag                     string
+	Schema                  string
+	Namespace               string
+	Selector                string
+	Container               string
+	Parallel                int
+	BufferSize              float64
+	UserGroup               string
+	CassandraDataDir        string
+	Authentication          bool
+	CassandraUsername       string
+	NodetoolCredentialsFile string
 }
 
 // Restore performs restore
@@ -110,7 +134,17 @@ func Restore(o RestoreOptions) error {
 	if err := utils.TestK8sDirectory(k8sClient, existingPods, o.Namespace, o.Container, o.CassandraDataDir); err != nil {
 		return err
 	}
-
+	creds := Credentials{
+		enabled:                 o.Authentication,
+		username:                o.CassandraUsername,
+		nodetoolCredentialsFile: o.NodetoolCredentialsFile,
+	}
+	if o.Authentication {
+		log.Println("Testing existence of nodetool credentials file")
+		if err := utils.TestK8sDirectory(k8sClient, existingPods, o.Namespace, o.Container, o.NodetoolCredentialsFile); err != nil {
+			return err
+		}
+	}
 	log.Println("Getting current schema")
 	_, sum, err := DescribeKeyspaceSchema(k8sClient, o.Namespace, existingPods[0], o.Container, o.Keyspace)
 	if err != nil {
@@ -163,7 +197,7 @@ func Restore(o RestoreOptions) error {
 	}
 
 	log.Println("Refreshing tables")
-	RefreshTables(k8sClient, o.Namespace, o.Container, o.Keyspace, podsToBeRestored, tablesToRefresh)
+	RefreshTables(k8sClient, o.Namespace, o.Container, o.Keyspace, podsToBeRestored, tablesToRefresh, creds)
 
 	log.Println("All done!")
 	return nil