Credentials needed for session storage Cassandra cluster
Closed, Resolved · Public

Description

@application_username and @application_password, and @super_username and @super_password are templated into /etc/cassandra-{instance}/adduser.cql and /etc/cassandra-{instance}/cqlshrc respectively, from values in private.git. We need someone with access to that repository to create the user and superuser credentials.

Please use sessions for @application_username, cassandra for @super_username, and set the passwords to something suitably random and of good length.

Event Timeline

Eevans created this task. Mar 28 2019, 8:45 PM
Restricted Application added a subscriber: Aklapper. Mar 28 2019, 8:45 PM
Eevans added a project: Cassandra.
Eevans added a subscriber: fgiunchedi.
Dzahn claimed this task. Apr 5 2019, 8:06 AM
Dzahn added a comment. Apr 5 2019, 8:29 AM

@Eevans Done. I added:

$application_username = 'sessions'
$application_password = '<redacted>'
$super_username = 'cassandra'
$super_password = '<redacted>'

Actual passwords generated with pwgen.

Change 501521 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[labs/private@master] add fake passwords for cassandra session store

https://gerrit.wikimedia.org/r/501521

Change 501521 merged by Dzahn:
[labs/private@master] add fake passwords for cassandra session store

https://gerrit.wikimedia.org/r/501521

Eevans added a comment. Apr 5 2019, 2:41 PM

@Dzahn I think this was just for labs/private.git, could you do the same for production as well? Thanks!

Dzahn added a comment. Apr 5 2019, 2:42 PM

@Eevans I did both, the private repo part just doesn't show up on ticket.

Eevans added a comment. Apr 5 2019, 2:43 PM

> @Eevans I did both, the private repo part just doesn't show up on ticket.

Oh, then for some reason it's not being applied to the production cluster (sessionstore[1-2]00[1-3].(eqiad|codfw).wmnet)

Dzahn added a comment. Apr 5 2019, 2:44 PM

@Eevans Yep, I noticed that too and couldn't find the puppet code that would use the requested names, then figured you were going to add them after they exist to avoid puppet failure.

Change 501591 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] sessionstore: include cassandra passwords

https://gerrit.wikimedia.org/r/501591

Change 501591 merged by Dzahn:
[operations/puppet@production] sessionstore: include cassandra passwords

https://gerrit.wikimedia.org/r/501591

Change 502240 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] cassandra: set super_user, super_password explicitly

https://gerrit.wikimedia.org/r/502240

Change 502890 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] cassandra: pass super_user,super_password to Hiera sessionstore role

https://gerrit.wikimedia.org/r/502890

Change 502240 abandoned by Dzahn:
cassandra: no default for super_user, super_password

Reason:
https://gerrit.wikimedia.org/r/c/operations/puppet/+/502890 fixes it

https://gerrit.wikimedia.org/r/502240

Change 502890 merged by Dzahn:
[operations/puppet@production] sessionstore: add super_username,super_password to Hiera

https://gerrit.wikimedia.org/r/502890

FYI, this didn't fix the templating:

eevans@sessionstore1001:~$ cat /etc/cassandra-a/adduser.cql 

CREATE USER IF NOT EXISTS sessions WITH PASSWORD '';

GRANT CREATE ON ALL KEYSPACES TO 'sessions';
GRANT ALTER  ON ALL KEYSPACES TO 'sessions';
GRANT DROP   ON ALL KEYSPACES TO 'sessions';
GRANT SELECT ON ALL KEYSPACES TO 'sessions';
GRANT MODIFY ON ALL KEYSPACES TO 'sessions';
eevans@sessionstore1001:~$ sudo cat /etc/cassandra-a/cqlshrc 
[authentication]
username = cassandra
password = 

[connection]
factory = cqlshlib.ssl.ssl_transport_factory

[ssl]
certfile = /etc/cassandra-a/tls/rootCa.crt
eevans@sessionstore1001:~$
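
An added example, not part of the original task or of the Wikimedia puppet code: a post-render check for the failure shown in the comment above, where a secret lookup that resolves to nothing leaves an empty password in adduser.cql and cqlshrc. The function names and the sample strings are constructed for illustration.

```python
import configparser
import re

# CREATE USER/ROLE ... WITH PASSWORD '<literal>'; captures the name and the literal.
CREATE_RE = re.compile(
    r"CREATE\s+(?:USER|ROLE)\s+(?:IF\s+NOT\s+EXISTS\s+)?'?(\w+)'?\s+"
    r"WITH\s+PASSWORD\s*=?\s*'((?:[^']|'')*)'",
    re.IGNORECASE,
)

def empty_cql_passwords(cql_text):
    """Names of users/roles created with an empty password literal."""
    return [m.group(1) for m in CREATE_RE.finditer(cql_text) if m.group(2) == ""]

def cqlshrc_password_missing(ini_text):
    """True when [authentication] names a user but has no password value."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    if not cp.has_option("authentication", "username"):
        return False
    return cp.get("authentication", "password", fallback="").strip() == ""

def findings(adduser_cql, cqlshrc):
    """Human-readable findings for one instance's rendered files."""
    out = [f"adduser.cql: empty password for {user}"
           for user in empty_cql_passwords(adduser_cql)]
    if cqlshrc_password_missing(cqlshrc):
        out.append("cqlshrc: empty password in [authentication]")
    return out

# Constructed samples: BROKEN_* mirror the rendered files shown in the comment;
# GOOD_* substitute a placeholder where the real secret would be templated.
BROKEN_ADDUSER = ("CREATE USER IF NOT EXISTS sessions WITH PASSWORD '';\n"
                  "GRANT SELECT ON ALL KEYSPACES TO 'sessions';\n")
BROKEN_CQLSHRC = ("[authentication]\nusername = cassandra\npassword = \n\n"
                  "[ssl]\ncertfile = /etc/cassandra-a/tls/rootCa.crt\n")
GOOD_ADDUSER = BROKEN_ADDUSER.replace("''", "'PLACEHOLDER-not-a-real-secret'")
GOOD_CQLSHRC = BROKEN_CQLSHRC.replace("password = ",
                                      "password = PLACEHOLDER-not-a-real-secret")

if __name__ == "__main__":
    for line in findings(BROKEN_ADDUSER, BROKEN_CQLSHRC):
        print(line)
```

Run against the real rendered files after a puppet run, a non-empty result means the secret lookup silently produced an empty string rather than failing the catalog.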

Change 502912 had a related patch set uploaded (by Dzahn; owner: Dzahn):
[operations/puppet@production] sessionstore: create profile class to fix password lookups

https://gerrit.wikimedia.org/r/502912

Change 502912 merged by Dzahn:
[operations/puppet@production] sessionstore: create profile class to fix password lookups

https://gerrit.wikimedia.org/r/502912

> FYI, this didn't fix the templating:

Fixed now for real, finally, by the change above. Puppet added the real secret passwords now.

Dzahn closed this task as Resolved. Apr 11 2019, 11:24 PM
Dzahn triaged this task as High priority.