From 1171460bf1f4d90faa74e690ca16461d3b901ab4 Mon Sep 17 00:00:00 2001 From: Mark Paluch Date: Mon, 4 Apr 2016 14:16:09 +0200 Subject: [PATCH] Add support for the mysql, postgresql and cassandra secret backends. We now support credential generation for MySQL, PostgreSQL and Apache Cassandra databases. Credential generation can be turned on using properties and stores username/password in properties according to Spring Boot's auto configuration. Fixes gh-2. --- .gitignore | 4 +- .travis.yml | 23 +- docs/src/main/asciidoc/quickstart.adoc | 57 -- .../asciidoc/spring-cloud-vault-config.adoc | 222 +++++ pom.xml | 28 + .../cloud/vault/AppIdUserIdMechanism.java | 2 + .../cloud/vault/MyUserIdMechanism.java | 29 + .../cloud/vault/SecureBackendAccessor.java | 41 + .../cloud/vault/SecureBackendAccessors.java | 99 ++ .../cloud/vault/VaultClient.java | 10 +- .../cloud/vault/VaultProperties.java | 132 +++ .../cloud/vault/VaultPropertySource.java | 63 +- .../cloud/vault/VaultCassandraTests.java | 129 +++ .../cloud/vault/VaultMySqlTests.java | 117 +++ .../cloud/vault/VaultPostgreSqlTests.java | 121 +++ .../CassandraSecretIntegrationTests.java | 100 ++ .../GenericSecretIntegrationTests.java | 8 +- .../MySqlSecretIntegrationTests.java | 90 ++ .../PostgreSqlSecretIntegrationTests.java | 96 ++ .../cloud/vault/util/CanConnect.java | 57 ++ .../cloud/vault/util/PrepareVault.java | 86 +- src/test/resources/cassandra.yaml | 876 ++++++++++++++++++ 22 files changed, 2297 insertions(+), 93 deletions(-) create mode 100644 docs/src/main/asciidoc/spring-cloud-vault-config.adoc create mode 100644 src/main/java/org/springframework/cloud/vault/MyUserIdMechanism.java create mode 100644 src/main/java/org/springframework/cloud/vault/SecureBackendAccessor.java create mode 100644 src/main/java/org/springframework/cloud/vault/SecureBackendAccessors.java create mode 100644 src/test/java/org/springframework/cloud/vault/VaultCassandraTests.java create mode 100644 src/test/java/org/springframework/cloud/vault/VaultMySqlTests.java create mode 100644 src/test/java/org/springframework/cloud/vault/VaultPostgreSqlTests.java create mode 100644 src/test/java/org/springframework/cloud/vault/integration/CassandraSecretIntegrationTests.java create mode 100644 src/test/java/org/springframework/cloud/vault/integration/MySqlSecretIntegrationTests.java create mode 100644 src/test/java/org/springframework/cloud/vault/integration/PostgreSqlSecretIntegrationTests.java create mode 100644 src/test/java/org/springframework/cloud/vault/util/CanConnect.java create mode 100644 src/test/resources/cassandra.yaml diff --git a/.gitignore b/.gitignore index 1ef387f1..57c5e02c 100644 --- a/.gitignore +++ b/.gitignore @@ -14,4 +14,6 @@ _site/ *.ipr *.iws .factorypath -vault/ +download/ +vault/download +vault/vault diff --git a/.travis.yml b/.travis.yml index abbd42f3..41bc8b54 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,12 +1,33 @@ language: java + +services: + - mysql + - postgresql + jdk: - oraclejdk8 + +before_script: + - mysql -e "CREATE USER 'spring' IDENTIFIED by 'vault';" + - mysql -uroot -e "GRANT ALL PRIVILEGES ON *.* TO 'spring'@'%' WITH GRANT OPTION;"; + - psql -U postgres -c "CREATE ROLE spring WITH LOGIN PASSWORD 'vault' CREATEROLE CREATEUSER;" + - sleep 30 # wait until Cassandra is up + - apache-cassandra-2.2.6/bin/cqlsh 127.0.0.1 -u cassandra -p cassandra -e "CREATE USER 'spring' WITH PASSWORD 'vault' SUPERUSER" + install: + - mkdir -p download + - test -f download/apache-cassandra-2.2.6-bin.tar.gz || wget http://www-eu.apache.org/dist/cassandra/2.2.6/apache-cassandra-2.2.6-bin.tar.gz -O download/apache-cassandra-2.2.6-bin.tar.gz + - tar xzf download/apache-cassandra-2.2.6-bin.tar.gz + - cp -f src/test/resources/cassandra.yaml apache-cassandra-2.2.6/conf + - apache-cassandra-2.2.6/bin/cassandra - src/test/bash/install_vault.sh - src/test/bash/local_run_vault.sh & + after_script: pkill vault script: mvn clean verify + cache: directories: - '$HOME/.m2/repository' - - '$HOME/vault/download' \ No newline at end of file + - '$HOME/vault/download' + - '$HOME/download' \ No newline at end of file diff --git a/docs/src/main/asciidoc/quickstart.adoc b/docs/src/main/asciidoc/quickstart.adoc index 9cff8424..2f898224 100644 --- a/docs/src/main/asciidoc/quickstart.adoc +++ b/docs/src/main/asciidoc/quickstart.adoc @@ -141,60 +141,3 @@ spring.cloud.vault: token: vault-token ---- -=== AppId authentication - -Vault supports https://www.vaultproject.io/docs/auth/app-id.html[AppId] -authentication that consists of two hard to guess tokens. The AppId -defaults to `spring.application.name` that is statically configured. -The second token is the UserId which is a part determined by the application, -usually related to the runtime environment. IP address, Mac address or a -Docker container name are good examples. Spring Cloud Vault Config supports -IP address, Mac address and static UserId's (e.g. supplied via System properties). -The IP and Mac address are represented as Hex-encoded SHA256 hash. - -IP address-based UserId's use the local host's IP address. - -[source,yaml] -.bootstrap.yml using SHA256 IP-Address UserId's ----- -spring.cloud.vault: - enabled: true - authentication: APPID - app-id: - user-id: IP_ADDRESS ----- - -The corresponding command to generate the IP address UserId from a command line is: - ----- -$ echo -n 192.168.99.1 | sha256sum ----- -NOTE: Including the line break of `echo` leads to a different hash value -so make sure to include the `-n` flag. - -Mac address-based UserId's obtain their network device from the -localhost-bound device. The configuration also allows specifying -a `network-interface` hint to pick the right device. The value of -`network-interface` is optional and can be either an interface -name or interface index (0-based). - -[source,yaml] -.bootstrap.yml using SHA256 Mac-Address UserId's ----- -spring.cloud.vault: - enabled: true - authentication: APPID - app-id: - user-id: MAC_ADDRESS - network-interface: eth0 ----- - -The corresponding command to generate the IP address UserId from a command line is: - ----- -$ echo -n 0AFEDE1234AC | sha256sum ----- - -NOTE: The Mac address is specified uppercase and without colons. -Including the line break of `echo` leads to a different hash value -so make sure to include the `-n` flag. diff --git a/docs/src/main/asciidoc/spring-cloud-vault-config.adoc b/docs/src/main/asciidoc/spring-cloud-vault-config.adoc new file mode 100644 index 00000000..d8eca96b --- /dev/null +++ b/docs/src/main/asciidoc/spring-cloud-vault-config.adoc @@ -0,0 +1,222 @@ += Spring Cloud Vault +:github: https://github.com/spring-cloud-incubator/spring-cloud-vault-config +:githubmaster: {github}/tree/master +:docslink: {githubmaster}/docs/src/main/asciidoc +:toc: + +include::intro.adoc[] + +== Quick Start + +include::quickstart.adoc[] + +== Authentication methods + +Different organizations have different requirements for security +and authentication. Vault reflects that need by shipping multiple authentication +methods. Spring Cloud Vault supports token and AppId authentication. + +=== Token authentication + +Tokens are the core method for authentication within Vault. +Token authentication requires a static token to be provided using the +https://github.com/spring-cloud/spring-cloud-commons/blob/master/docs/src/main/asciidoc/spring-cloud-commons.adoc#the-bootstrap-application-context[Bootstrap Application Context]. + + +.bootstrap.yml +---- +spring.cloud.vault: + enabled: true + token: 00000000-0000-0000-0000-000000000000 +---- + +See also: https://www.vaultproject.io/docs/concepts/tokens.html[Vault Documentation: Tokens] + +=== AppId authentication + +Vault supports https://www.vaultproject.io/docs/auth/app-id.html[AppId] +authentication that consists of two hard to guess tokens. The AppId +defaults to `spring.application.name` that is statically configured. +The second token is the UserId which is a part determined by the application, +usually related to the runtime environment. IP address, Mac address or a +Docker container name are good examples. Spring Cloud Vault Config supports +IP address, Mac address and static UserId's (e.g. supplied via System properties). +The IP and Mac address are represented as Hex-encoded SHA256 hash. + +IP address-based UserId's use the local host's IP address. + +[source,yaml] +.bootstrap.yml using SHA256 IP-Address UserId's +---- +spring.cloud.vault: + enabled: true + authentication: APPID + app-id: + user-id: IP_ADDRESS +---- + +The corresponding command to generate the IP address UserId from a command line is: + +---- +$ echo -n 192.168.99.1 | sha256sum +---- +NOTE: Including the line break of `echo` leads to a different hash value +so make sure to include the `-n` flag. + +Mac address-based UserId's obtain their network device from the +localhost-bound device. The configuration also allows specifying +a `network-interface` hint to pick the right device. The value of +`network-interface` is optional and can be either an interface +name or interface index (0-based). + +[source,yaml] +.bootstrap.yml using SHA256 Mac-Address UserId's +---- +spring.cloud.vault: + enabled: true + authentication: APPID + app-id: + user-id: MAC_ADDRESS + network-interface: eth0 +---- + +The corresponding command to generate the IP address UserId from a command line is: + +---- +$ echo -n 0AFEDE1234AC | sha256sum +---- + +NOTE: The Mac address is specified uppercase and without colons. +Including the line break of `echo` leads to a different hash value +so make sure to include the `-n` flag. + +==== Custom UserId + +The UserId generation is an open mechanism. You can set `spring.cloud.vault.app-id.user-id` +to any string and the configured value will be used as static UserId. + +A more advanced approach lets you set `spring.cloud.vault.app-id.user-id` to a +classname. This class must be on your classpath and must implement +the `org.springframework.cloud.vault.AppIdUserIdMechanism` interface +and the `createUserId` method. Spring Cloud Vault will obtain the UserId +by calling `createUserId` each time it authenticates using AppId to +obtain a token. + +[source,yaml] +.bootstrap.yml +---- +spring.cloud.vault: + enabled: true + authentication: APPID + app-id: + user-id: com.examlple.MyUserIdMechanism +---- + +[source,yaml] +MyUserIdMechanism.java +---- +public class MyUserIdMechanism implements AppIdUserIdMechanism { + + @Override + public String createUserId() { + String userId = ... + return userId; + } +} +---- + +[[vault-client-database-backends]] +== Database backends + +Vault supports several database secret backends to generate database +credentials dynamically based on configured roles. This means, +services that need to access a database no longer need to configure +credentials: they can request them from Vault, and use Vault's leasing +mechanism to more easily roll keys. + +Spring Cloud Vault integrates with these backends: + +* <> +* <> +* <> + +Using a database secret backend requires to enable the backend in the configuration. + +NOTE: Enabling multiple JDBC-compliant databases will generate credentials +and store them by default in the same property keys hence property names for +JDBC secrets need to be configured separately. + +[[vault-client-database-cassandra]] +=== Apache Cassandra + +Spring Cloud Vault allows to obtain credentials for Apache Cassandra. +The integration can be enabled by setting `spring.cloud.vault.cassandra.enabled=true` +(default "false"). Username and password are stored in `spring.data.cassandra.username` +and `spring.data.cassandra.password` so using Spring Boot will pick up the generated +credentials without further configuration. You can configure the property names +by setting `spring.cloud.vault.cassandra.username-property` and +`spring.cloud.vault.cassandra.password-property`. + +[source,yaml] +---- +spring.cloud.vault: + enabled: true + ... + cassandra: + enabled: true +---- + +See also: https://www.vaultproject.io/docs/secrets/cassandra/index.html[Vault Documentation: Setting up Apache Cassandra with Vault] + +[[vault-client-database-mysql]] +=== MySQL + +Spring Cloud Vault allows to obtain credentials for MySQL. +The integration can be enabled by setting `spring.cloud.vault.mysql.enabled=true` +(default "false"). Username and password are stored in `spring.datasource.username` +and `spring.datasource.password` so using Spring Boot will pick up the generated +credentials without further configuration. You can configure the property names +by setting `spring.cloud.vault.mysql.username-property` and +`spring.cloud.vault.mysql.password-property`. + +[source,yaml] +---- +spring.cloud.vault: + enabled: true + ... + mysql: + enabled: true +---- + +See also: https://www.vaultproject.io/docs/secrets/mysql/index.html[Vault Documentation: Setting up MySQL with Vault] + +[[vault-client-database-postgresql]] +=== PostgreSQL + +Spring Cloud Vault allows to obtain credentials for PostgreSQL. +The integration can be enabled by setting `spring.cloud.vault.postgresql.enabled=true` +(default "false"). Username and password are stored in `spring.datasource.username` +and `spring.datasource.password` so using Spring Boot will pick up the generated +credentials without further configuration. You can configure the property names +by setting `spring.cloud.vault.postgresql.username-property` and +`spring.cloud.vault.postgresql.password-property`. + +[source,yaml] +---- +spring.cloud.vault: + enabled: true + ... + postgresql: + enabled: true +---- + +See also: https://www.vaultproject.io/docs/secrets/postgresql/index.html[Vault Documentation: Setting up PostgreSQL with Vault] + +[[vault-client-fail-fast]] +== Vault Client Fail Fast + +In some cases, it may be desirable to fail startup of a service if +it cannot connect to the Vault Server. If this is the desired +behavior, set the bootstrap configuration property +`spring.cloud.vault.failFast=true` and the client will halt with +an Exception. diff --git a/pom.xml b/pom.xml index bfd59fdd..84a140f0 100644 --- a/pom.xml +++ b/pom.xml @@ -49,12 +49,40 @@ spring-boot-starter-test test + + org.springframework.boot + spring-boot-starter-jdbc + test + + + com.h2database + h2 + test + org.assertj assertj-core 3.3.0 test + + mysql + mysql-connector-java + 5.1.38 + test + + + org.postgresql + postgresql + 9.4.1208.jre7 + test + + + com.datastax.cassandra + cassandra-driver-core + 2.1.10 + test + diff --git a/src/main/java/org/springframework/cloud/vault/AppIdUserIdMechanism.java b/src/main/java/org/springframework/cloud/vault/AppIdUserIdMechanism.java index ac3fd2f7..211c3e0d 100644 --- a/src/main/java/org/springframework/cloud/vault/AppIdUserIdMechanism.java +++ b/src/main/java/org/springframework/cloud/vault/AppIdUserIdMechanism.java @@ -17,6 +17,8 @@ package org.springframework.cloud.vault; /** + * Interface to obtain a UserId for AppId authentication. + * * @author Mark Paluch */ public interface AppIdUserIdMechanism { diff --git a/src/main/java/org/springframework/cloud/vault/MyUserIdMechanism.java b/src/main/java/org/springframework/cloud/vault/MyUserIdMechanism.java new file mode 100644 index 00000000..5d287cb2 --- /dev/null +++ b/src/main/java/org/springframework/cloud/vault/MyUserIdMechanism.java @@ -0,0 +1,29 @@ +/* + * Copyright 2016 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.cloud.vault; + +/** + * @author Mark Paluch + */ +public class MyUserIdMechanism implements AppIdUserIdMechanism { + + @Override + public String createUserId() { + String userId = ""; + return userId; + } +} diff --git a/src/main/java/org/springframework/cloud/vault/SecureBackendAccessor.java b/src/main/java/org/springframework/cloud/vault/SecureBackendAccessor.java new file mode 100644 index 00000000..718afc04 --- /dev/null +++ b/src/main/java/org/springframework/cloud/vault/SecureBackendAccessor.java @@ -0,0 +1,41 @@ +/* + * Copyright 2016 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.cloud.vault; + +import java.util.Map; + +/** + * Accessor for a secure backend. Provides URL path variables and can transform + * properties. + * @author Mark Paluch + */ +public interface SecureBackendAccessor { + + /** + * + * @return URL template variables. + */ + Map variables(); + + /** + * + * @param input must not be {@literal null}. + * @return transformed properties. + */ + Map transformProperties(Map input); + +} diff --git a/src/main/java/org/springframework/cloud/vault/SecureBackendAccessors.java b/src/main/java/org/springframework/cloud/vault/SecureBackendAccessors.java new file mode 100644 index 00000000..380ba161 --- /dev/null +++ b/src/main/java/org/springframework/cloud/vault/SecureBackendAccessors.java @@ -0,0 +1,99 @@ +/* + * Copyright 2016 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.cloud.vault; + +import java.util.HashMap; +import java.util.Map; + +/** + * Collection of common used {@link SecureBackendAccessor accessors} to access secure + * backends. + * @author Mark Paluch + */ +public class SecureBackendAccessors { + + /** + * Creates a {@link SecureBackendAccessor} for the {@code generic} secure backend. + * + * @param vaultProperties + * @param key + * @return + */ + public static SecureBackendAccessor generic(VaultProperties vaultProperties, + String key) { + return generic(vaultProperties.getBackend(), key); + } + + /** + * Creates a {@link SecureBackendAccessor} for the {@code generic} secure backend. + * + * @param secretBackendPath + * @param key + * @return + */ + public static SecureBackendAccessor generic(final String secretBackendPath, + final String key) { + return new SecureBackendAccessor() { + + @Override + public Map variables() { + Map variables = new HashMap<>(); + variables.put("backend", secretBackendPath); + variables.put("key", key); + return variables; + } + + @Override + public Map transformProperties(Map input) { + return input; + } + }; + } + + /** + * Creates a {@link SecureBackendAccessor} for a secure backend using {@link org.springframework.cloud.vault.VaultProperties.DatabaseSecretProperties}. This + * accessor transforms Vault's username/password property names to names provided with + * {@link VaultProperties.DatabaseSecretProperties#getUsernameProperty()} and + * {@link VaultProperties.DatabaseSecretProperties#getUsernameProperty()}. + * + * @param properties + * @return + */ + public static SecureBackendAccessor database(final VaultProperties.DatabaseSecretProperties properties) { + return new SecureBackendAccessor() { + + @Override + public Map variables() { + Map variables = new HashMap<>(); + variables.put("backend", properties.getBackend()); + variables.put("key", String.format("creds/%s", properties.getRole())); + return variables; + } + + @Override + public Map transformProperties(Map input) { + + Map result = new HashMap(); + result.put(properties.getUsernameProperty(), input.get("username")); + result.put(properties.getPasswordProperty(), input.get("password")); + + return result; + } + }; + } + +} diff --git a/src/main/java/org/springframework/cloud/vault/VaultClient.java b/src/main/java/org/springframework/cloud/vault/VaultClient.java index f0047220..b8c27c5f 100644 --- a/src/main/java/org/springframework/cloud/vault/VaultClient.java +++ b/src/main/java/org/springframework/cloud/vault/VaultClient.java @@ -53,9 +53,9 @@ public class VaultClient { private final VaultProperties properties; - public Map read(String key, VaultToken vaultToken) { + public Map read(SecureBackendAccessor secureBackendAccessor, VaultToken vaultToken) { - Assert.hasText(key, "Key must not be empty!"); + Assert.notNull(secureBackendAccessor, "SecureBackendAccessor must not be empty!"); Assert.notNull(vaultToken, "VaultToken must not be null!"); String url = buildUrl(); @@ -64,11 +64,13 @@ public class VaultClient { try { ResponseEntity response = this.rest.exchange(url, HttpMethod.GET, new HttpEntity<>(headers), VaultResponse.class, - this.properties.getBackend(), key); + secureBackendAccessor.variables()); HttpStatus status = response.getStatusCode(); if (status == HttpStatus.OK) { - return response.getBody().getData(); + if(response.getBody().getData() != null){ + return secureBackendAccessor.transformProperties(response.getBody().getData()); + } } } catch (HttpStatusCodeException e) { if (e.getStatusCode() == HttpStatus.NOT_FOUND) { diff --git a/src/main/java/org/springframework/cloud/vault/VaultProperties.java b/src/main/java/org/springframework/cloud/vault/VaultProperties.java index f6f081e3..31d2d3a7 100644 --- a/src/main/java/org/springframework/cloud/vault/VaultProperties.java +++ b/src/main/java/org/springframework/cloud/vault/VaultProperties.java @@ -77,6 +77,12 @@ public class VaultProperties { private AppIdProperties appId = new AppIdProperties(); + private final MySql mysql = new MySql(); + + private final PostgreSql postgresql = new PostgreSql(); + + private final Cassandra cassandra = new Cassandra(); + /** * Application name for AppId authentication. */ @@ -117,6 +123,132 @@ public class VaultProperties { private String userId = MAC_ADDRESS; } + @Data + public static class MySql implements DatabaseSecretProperties { + + /** + * Enable mysql backend usage. + */ + private boolean enabled = false; + + /** + * Role name for credentials. + */ + private String role; + + /** + * mysql backend path. + */ + @NotEmpty + private String backend = "mysql"; + + /** + * Target property for the obtained username. + */ + @NotEmpty + private String usernameProperty = "spring.datasource.username"; + + /** + * Target property for the obtained username. + */ + @NotEmpty + private String passwordProperty = "spring.datasource.password"; + } + + @Data + public static class PostgreSql implements DatabaseSecretProperties { + + /** + * Enable postgresql backend usage. + */ + private boolean enabled = false; + + /** + * Role name for credentials. + */ + private String role; + + /** + * postgresql backend path. + */ + @NotEmpty + private String backend = "postgresql"; + + /** + * Target property for the obtained username. + */ + @NotEmpty + private String usernameProperty = "spring.datasource.username"; + + /** + * Target property for the obtained username. + */ + @NotEmpty + private String passwordProperty = "spring.datasource.password"; + } + + @Data + public static class Cassandra implements DatabaseSecretProperties { + + /** + * Enable cassandra backend usage. + */ + private boolean enabled = false; + + /** + * Role name for credentials. + */ + private String role; + + /** + * Cassandra backend path. + */ + @NotEmpty + private String backend = "cassandra"; + + /** + * Target property for the obtained username. + */ + @NotEmpty + private String usernameProperty = "spring.data.cassandra.username"; + + /** + * Target property for the obtained password. + */ + @NotEmpty + private String passwordProperty = "spring.data.cassandra.password"; + } + + /** + * Configuration properties for database secrets. + */ + public interface DatabaseSecretProperties { + + /** + * Role name. + * + * @return + */ + String getRole(); + + /** + * Backend path. + * + * @return + */ + String getBackend(); + + /** + * Name of the target property for the obtained username. + */ + String getUsernameProperty(); + + /** + * Name of the target property for the obtained password. + */ + String getPasswordProperty(); + } + public enum AuthenticationMethod { TOKEN, APPID, } diff --git a/src/main/java/org/springframework/cloud/vault/VaultPropertySource.java b/src/main/java/org/springframework/cloud/vault/VaultPropertySource.java index 4777073d..edb25c97 100644 --- a/src/main/java/org/springframework/cloud/vault/VaultPropertySource.java +++ b/src/main/java/org/springframework/cloud/vault/VaultPropertySource.java @@ -16,9 +16,7 @@ package org.springframework.cloud.vault; -import java.util.LinkedHashMap; -import java.util.Map; -import java.util.Set; +import java.util.*; import lombok.extern.apachecommons.CommonsLog; @@ -35,7 +33,7 @@ import org.springframework.util.Assert; public class VaultPropertySource extends EnumerablePropertySource { private final VaultProperties vaultProperties; - + private String context; private Map properties = new LinkedHashMap<>(); @@ -49,18 +47,51 @@ public class VaultPropertySource extends EnumerablePropertySource { } public void init() { - - try { - Map values = this.source.read(this.context, obtainToken()); - if (values != null) { - this.properties.putAll(values); + Assert.hasText(vaultProperties.getBackend(), + "No generic secret backend configured (spring.cloud.vault.backend)"); + + List accessors = getSecureBackendAccessors(); + + for (SecureBackendAccessor accessor : accessors) { + try { + Map values = this.source.read(accessor, obtainToken()); + + if (values != null) { + this.properties.putAll(values); + } + } + catch (Exception e) { + log.error(String.format("Unable to read properties from vault for %s ", + accessor.variables()), e); } - } catch (Exception e) { - log.error("Unable to read properties from vault for key " + this.context, e); } } + private List getSecureBackendAccessors() { + + List accessors = new ArrayList<>(); + + accessors.add(SecureBackendAccessors.generic(vaultProperties.getBackend(), + this.context)); + + VaultProperties.MySql mySql = vaultProperties.getMysql(); + if(mySql.isEnabled()){ + accessors.add(SecureBackendAccessors.database(mySql)); + } + + VaultProperties.PostgreSql postgreSql = vaultProperties.getPostgresql(); + if(postgreSql.isEnabled()){ + accessors.add(SecureBackendAccessors.database(postgreSql)); + } + + VaultProperties.Cassandra cassandra = vaultProperties.getCassandra(); + if(cassandra.isEnabled()){ + accessors.add(SecureBackendAccessors.database(cassandra)); + } + return accessors; + } + private VaultToken obtainToken() { if (vaultState.getToken() != null) { @@ -77,16 +108,18 @@ public class VaultPropertySource extends EnumerablePropertySource { if (vaultProperties.getAuthentication() == AuthenticationMethod.APPID) { - AppIdProperties appId = vaultProperties.getAppId(); - Assert.hasText(vaultProperties.getApplicationName(), "AppId must not be empty"); - Assert.hasText(appId.getAppIdPath(), "AppIdPath must not be empty"); + AppIdProperties appIdProperties = vaultProperties.getAppId(); + Assert.hasText(vaultProperties.getApplicationName(), + "AppId must not be empty"); + Assert.hasText(appIdProperties.getAppIdPath(), "AppIdPath must not be empty"); vaultState.setToken(source.createToken()); return vaultState.getToken(); } throw new IllegalStateException( - String.format("Authentication method %s not supported", vaultProperties.getAuthentication())); + String.format("Authentication method %s not supported", + vaultProperties.getAuthentication())); } @Override diff --git a/src/test/java/org/springframework/cloud/vault/VaultCassandraTests.java b/src/test/java/org/springframework/cloud/vault/VaultCassandraTests.java new file mode 100644 index 00000000..0586a3f9 --- /dev/null +++ b/src/test/java/org/springframework/cloud/vault/VaultCassandraTests.java @@ -0,0 +1,129 @@ +/* + * Copyright 2016 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.cloud.vault; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.junit.Assume.*; + +import java.net.InetSocketAddress; +import java.sql.SQLException; +import java.util.Collections; +import java.util.HashMap; +import java.util.Map; + +import org.junit.BeforeClass; +import org.junit.Ignore; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.beans.factory.annotation.Value; +import org.springframework.boot.SpringApplication; +import org.springframework.boot.autoconfigure.SpringBootApplication; +import org.springframework.boot.test.IntegrationTest; +import org.springframework.boot.test.SpringApplicationConfiguration; +import org.springframework.cloud.vault.util.CanConnect; +import org.springframework.cloud.vault.util.VaultRule; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; + +import com.datastax.driver.core.Cluster; +import com.datastax.driver.core.PlainTextAuthProvider; +import com.datastax.driver.core.Session; + +/** + * Integration tests using the cassandra secret backend. + */ +@RunWith(SpringJUnit4ClassRunner.class) +@SpringApplicationConfiguration(classes = VaultCassandraTests.TestApplication.class) +@IntegrationTest({ "spring.cloud.vault.cassandra.enabled=true", + "spring.cloud.vault.cassandra.role=readonly" }) +public class VaultCassandraTests { + + private final static String CASSANDRA_HOST = "localhost"; + private final static int CASSANDRA_PORT = 9042; + + private final static String CASSANDRA_USERNAME = "cassandra"; + private final static String CASSANDRA_PASSWORD = "cassandra"; + + private final static String CREATE_USER_AND_GRANT_CQL = "CREATE USER '{{username}}' WITH PASSWORD '{{password}}' NOSUPERUSER;" + + "GRANT SELECT ON ALL KEYSPACES TO {{username}};"; + + /** + * Initialize the cassandra secret backend. + * + * @throws Exception + */ + @BeforeClass + public static void beforeClass() throws Exception { + + assumeTrue(CanConnect.to(new InetSocketAddress(CASSANDRA_HOST, CASSANDRA_PORT))); + + VaultRule vaultRule = new VaultRule(); + vaultRule.before(); + + if (!vaultRule.prepare().hasSecret("cassandra")) { + vaultRule.prepare().mountSecret("cassandra"); + } + + Map connection = new HashMap<>(); + connection.put("hosts", CASSANDRA_HOST); + connection.put("username", CASSANDRA_USERNAME); + connection.put("password", CASSANDRA_PASSWORD); + + vaultRule.prepare().write(String.format("%s/config/connection", "cassandra"), + connection); + + vaultRule.prepare().write("cassandra/roles/readonly", + Collections.singletonMap("creation_cql", CREATE_USER_AND_GRANT_CQL)); + } + + @Value("${spring.data.cassandra.username}") + String username; + + @Value("${spring.data.cassandra.password}") + String password; + + @Autowired + Cluster cluster; + + @Test + public void shouldConnectUsingCluster() throws SQLException { + cluster.connect().close(); + } + + @Test + public void shouldUseAuthenticationSet() throws SQLException { + assertThat(cluster.getConfiguration().getProtocolOptions().getAuthProvider()).isInstanceOf(PlainTextAuthProvider.class); + } + + @Test + public void shouldConnectUsingCassandraClient() throws SQLException { + + Cluster cluster = Cluster.builder().addContactPoint(CASSANDRA_HOST) + .withAuthProvider(new PlainTextAuthProvider(username, password)).build(); + Session session = cluster.connect(); + session.close(); + cluster.close(); + } + + @SpringBootApplication + public static class TestApplication { + + public static void main(String[] args) { + SpringApplication.run(TestApplication.class, args); + } + } +} diff --git a/src/test/java/org/springframework/cloud/vault/VaultMySqlTests.java b/src/test/java/org/springframework/cloud/vault/VaultMySqlTests.java new file mode 100644 index 00000000..4e710eb5 --- /dev/null +++ b/src/test/java/org/springframework/cloud/vault/VaultMySqlTests.java @@ -0,0 +1,117 @@ +/* + * Copyright 2016 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.cloud.vault; + +import static org.assertj.core.api.Assertions.*; +import static org.junit.Assume.*; + +import java.net.InetSocketAddress; +import java.sql.Connection; +import java.sql.DriverManager; +import java.sql.SQLException; +import java.util.Collections; + +import javax.sql.DataSource; + +import com.mysql.jdbc.MySQLConnection; +import org.junit.BeforeClass; +import org.junit.Ignore; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.beans.factory.annotation.Value; +import org.springframework.boot.SpringApplication; +import org.springframework.boot.autoconfigure.SpringBootApplication; +import org.springframework.boot.test.IntegrationTest; +import org.springframework.boot.test.SpringApplicationConfiguration; +import org.springframework.cloud.vault.util.CanConnect; +import org.springframework.cloud.vault.util.VaultRule; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; + +import static org.junit.Assume.assumeTrue; + +/** + * Integration tests using the mysql secret backend. + */ +@RunWith(SpringJUnit4ClassRunner.class) +@SpringApplicationConfiguration(classes = VaultMySqlTests.TestApplication.class) +@IntegrationTest({ "spring.cloud.vault.mysql.enabled=true", + "spring.cloud.vault.mysql.role=readonly", + "spring.datasource.url=jdbc:mysql://localhost:3306/mysql?useSSL=false" }) +public class VaultMySqlTests { + + private final static int MYSQL_PORT = 3306; + private final static String MYSQL_HOST = "localhost"; + private final static String ROOT_CREDENTIALS = String + .format("spring:vault@tcp(%s:%d)/", MYSQL_HOST, MYSQL_PORT); + private final static String CREATE_USER_AND_GRANT_SQL = "CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';" + + "GRANT SELECT ON *.* TO '{{name}}'@'%';"; + + /** + * Initialize the mysql secret backend. + * + * @throws Exception + */ + @BeforeClass + public static void beforeClass() throws Exception { + + assumeTrue(CanConnect.to(new InetSocketAddress(MYSQL_HOST, MYSQL_PORT))); + + VaultRule vaultRule = new VaultRule(); + vaultRule.before(); + + if (!vaultRule.prepare().hasSecret("mysql")) { + vaultRule.prepare().mountSecret("mysql"); + } + + vaultRule.prepare().write("mysql/config/connection", + Collections.singletonMap("connection_url", ROOT_CREDENTIALS)); + + vaultRule.prepare().write("mysql/roles/readonly", + Collections.singletonMap("sql", CREATE_USER_AND_GRANT_SQL)); + } + + @Value("${spring.datasource.username}") + String username; + + @Value("${spring.datasource.password}") + String password; + + @Autowired + DataSource dataSource; + + @Test + public void shouldConnectUsingDataSource() throws SQLException { + + dataSource.getConnection().close(); + } + + @Test + public void shouldConnectUsingJdbcUrlConnection() throws SQLException { + + String url = String.format("jdbc:mysql://%s?useSSL=false", MYSQL_HOST); + DriverManager.getConnection(url, username, password).close(); + } + + @SpringBootApplication + public static class TestApplication { + + public static void main(String[] args) { + SpringApplication.run(TestApplication.class, args); + } + } +} diff --git a/src/test/java/org/springframework/cloud/vault/VaultPostgreSqlTests.java b/src/test/java/org/springframework/cloud/vault/VaultPostgreSqlTests.java new file mode 100644 index 00000000..1b042836 --- /dev/null +++ b/src/test/java/org/springframework/cloud/vault/VaultPostgreSqlTests.java @@ -0,0 +1,121 @@ +/* + * Copyright 2016 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.cloud.vault; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.junit.Assume.*; + +import javax.sql.DataSource; +import java.net.InetSocketAddress; +import java.sql.Connection; +import java.sql.DriverManager; +import java.sql.SQLException; +import java.util.Collections; + +import org.junit.BeforeClass; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.postgresql.jdbc.PgConnection; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.beans.factory.annotation.Value; +import org.springframework.boot.SpringApplication; +import org.springframework.boot.autoconfigure.SpringBootApplication; +import org.springframework.boot.test.IntegrationTest; +import org.springframework.boot.test.SpringApplicationConfiguration; +import org.springframework.cglib.proxy.Proxy; +import org.springframework.cloud.vault.util.CanConnect; +import org.springframework.cloud.vault.util.VaultRule; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; + +/** + * Integration tests using the postgresql secret backend. + */ +@RunWith(SpringJUnit4ClassRunner.class) +@SpringApplicationConfiguration(classes = VaultPostgreSqlTests.TestApplication.class) +@IntegrationTest({ "spring.cloud.vault.postgresql.enabled=true", + "spring.cloud.vault.postgresql.role=readonly", "spring.datasource.url=jdbc:postgresql://localhost:5432/postgres?ssl=false" }) +public class VaultPostgreSqlTests { + + private final static String POSTGRES_HOST = "localhost"; + private final static int POSTGRES_PORT = 5432; + + private final static String CONNECTION_URL = String.format( + "postgresql://spring:vault@%s:%d/postgres?sslmode=disable", POSTGRES_HOST, + POSTGRES_PORT); + + private final static String CREATE_USER_AND_GRANT_SQL = "CREATE ROLE \"{{name}}\" WITH " + + "LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';\n" + + "GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";"; + + /** + * Initialize the postgresql secret backend. + * + * @throws Exception + */ + @BeforeClass + public static void beforeClass() throws Exception { + + assumeTrue(CanConnect.to(new InetSocketAddress(POSTGRES_HOST, POSTGRES_PORT))); + + VaultRule vaultRule = new VaultRule(); + vaultRule.before(); + + if (!vaultRule.prepare().hasSecret("postgresql")) { + vaultRule.prepare().mountSecret("postgresql"); + } + + vaultRule.prepare().write("postgresql/config/connection", + Collections.singletonMap("connection_url", CONNECTION_URL)); + + vaultRule.prepare().write("postgresql/roles/readonly", + Collections.singletonMap("sql", CREATE_USER_AND_GRANT_SQL)); + } + + @Value("${spring.datasource.username}") + String username; + + @Value("${spring.datasource.password}") + String password; + + @Autowired + DataSource dataSource; + + @Test + public void shouldConnectUsingDataSource() throws SQLException { + + Connection connection = dataSource.getConnection(); + + assertThat(connection.getSchema()).isEqualTo("public"); + connection.close(); + } + + @Test + public void shouldConnectUsingJdbcUrlConnection() throws SQLException { + + String url = String.format("jdbc:postgresql://%s:%d/postgres?ssl=false", + POSTGRES_HOST, POSTGRES_PORT); + DriverManager.getConnection(url, username, password).close(); + } + + @SpringBootApplication + public static class TestApplication { + + public static void main(String[] args) { + SpringApplication.run(TestApplication.class, args); + } + } +} diff --git a/src/test/java/org/springframework/cloud/vault/integration/CassandraSecretIntegrationTests.java b/src/test/java/org/springframework/cloud/vault/integration/CassandraSecretIntegrationTests.java new file mode 100644 index 00000000..904d983d --- /dev/null +++ b/src/test/java/org/springframework/cloud/vault/integration/CassandraSecretIntegrationTests.java @@ -0,0 +1,100 @@ +/* + * Copyright 2016 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.cloud.vault.integration; + +import static org.assertj.core.api.Assertions.*; +import static org.junit.Assume.assumeTrue; +import static org.springframework.cloud.vault.SecureBackendAccessors.*; + +import java.net.InetSocketAddress; +import java.util.Collections; +import java.util.HashMap; +import java.util.Map; + +import org.junit.Before; +import org.junit.Ignore; +import org.junit.Test; +import org.springframework.cloud.vault.VaultClient; +import org.springframework.cloud.vault.VaultProperties; +import org.springframework.cloud.vault.util.CanConnect; +import org.springframework.cloud.vault.util.Settings; +import org.springframework.web.client.RestTemplate; + +/** + * Integration tests for {@link VaultClient} using the cassandra secret backend. This test + * requires a running Cassandra instance, see {@link #CASSANDRA_HOST} and other + * {@code CASSANDRA_*} properties. + * + * @author Mark Paluch + */ +public class CassandraSecretIntegrationTests extends AbstractIntegrationTests { + + private final static String CASSANDRA_HOST = "localhost"; + private final static int CASSANDRA_PORT = 9042; + + private final static String CASSANDRA_USERNAME = "cassandra"; + private final static String CASSANDRA_PASSWORD = "cassandra"; + + private final static String CREATE_USER_AND_GRANT_CQL = "CREATE USER '{{username}}' WITH PASSWORD '{{password}}' NOSUPERUSER;" + + "GRANT SELECT ON ALL KEYSPACES TO {{username}};"; + + private VaultProperties vaultProperties = Settings.createVaultProperties(); + private VaultClient vaultClient = new VaultClient(vaultProperties); + private VaultProperties.Cassandra cassandra = vaultProperties.getCassandra(); + + /** + * Initialize cassandra secret backend. + * + * @throws Exception + */ + @Before + public void setUp() throws Exception { + + assumeTrue(CanConnect.to(new InetSocketAddress(CASSANDRA_HOST, CASSANDRA_PORT))); + + cassandra.setEnabled(true); + cassandra.setRole("readonly"); + + if (!prepare().hasSecret(cassandra.getBackend())) { + prepare().mountSecret(cassandra.getBackend()); + } + + Map connection = new HashMap<>(); + connection.put("hosts", CASSANDRA_HOST); + connection.put("username", CASSANDRA_USERNAME); + connection.put("password", CASSANDRA_PASSWORD); + + prepare().write(String.format("%s/config/connection", cassandra.getBackend()), + connection); + + prepare().write( + String.format("%s/roles/%s", cassandra.getBackend(), cassandra.getRole()), + Collections.singletonMap("creation_cql", CREATE_USER_AND_GRANT_CQL)); + + vaultClient.setRest(new RestTemplate()); + } + + @Test + public void shouldCreateCredentialsCorrectly() throws Exception { + + Map secretProperties = vaultClient.read(database(cassandra), + Settings.token()); + + assertThat(secretProperties).containsKeys("spring.data.cassandra.username", + "spring.data.cassandra.password"); + } +} diff --git a/src/test/java/org/springframework/cloud/vault/integration/GenericSecretIntegrationTests.java b/src/test/java/org/springframework/cloud/vault/integration/GenericSecretIntegrationTests.java index 373f8dc9..94654470 100644 --- a/src/test/java/org/springframework/cloud/vault/integration/GenericSecretIntegrationTests.java +++ b/src/test/java/org/springframework/cloud/vault/integration/GenericSecretIntegrationTests.java @@ -16,13 +16,15 @@ package org.springframework.cloud.vault.integration; -import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.*; +import static org.springframework.cloud.vault.SecureBackendAccessors.generic; import java.util.HashMap; import java.util.Map; import org.junit.Before; import org.junit.Test; +import org.springframework.cloud.vault.SecureBackendAccessors; import org.springframework.cloud.vault.VaultClient; import org.springframework.cloud.vault.VaultProperties; import org.springframework.cloud.vault.VaultToken; @@ -48,7 +50,7 @@ public class GenericSecretIntegrationTests extends AbstractIntegrationTests { @Test public void shouldReturnSecretsCorrectly() throws Exception { - Map secretProperties = vaultClient.read("app-name", + Map secretProperties = vaultClient.read(generic(vaultProperties, "app-name"), createToken()); assertThat(secretProperties).containsAllEntriesOf(createExpectedMap()); @@ -57,7 +59,7 @@ public class GenericSecretIntegrationTests extends AbstractIntegrationTests { @Test public void shouldReturnNullIfNotFound() throws Exception { - Map secretProperties = vaultClient.read("missing", createToken()); + Map secretProperties = vaultClient.read(generic(vaultProperties, "missing"), createToken()); assertThat(secretProperties).isNull(); } diff --git a/src/test/java/org/springframework/cloud/vault/integration/MySqlSecretIntegrationTests.java b/src/test/java/org/springframework/cloud/vault/integration/MySqlSecretIntegrationTests.java new file mode 100644 index 00000000..c30148bb --- /dev/null +++ b/src/test/java/org/springframework/cloud/vault/integration/MySqlSecretIntegrationTests.java @@ -0,0 +1,90 @@ +/* + * Copyright 2016 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.cloud.vault.integration; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.junit.Assume.assumeTrue; +import static org.springframework.cloud.vault.SecureBackendAccessors.database; + +import java.net.InetSocketAddress; +import java.util.Collections; +import java.util.Map; + +import org.junit.Before; +import org.junit.Test; +import org.springframework.cloud.vault.VaultClient; +import org.springframework.cloud.vault.VaultProperties; +import org.springframework.cloud.vault.util.CanConnect; +import org.springframework.cloud.vault.util.Settings; +import org.springframework.web.client.RestTemplate; + +/** + * Integration tests for {@link VaultClient} using the mysql secret backend. This test + * requires a running MySQL instance, see {@link #ROOT_CREDENTIALS}. + * + * @author Mark Paluch + */ +public class MySqlSecretIntegrationTests extends AbstractIntegrationTests { + + private final static int MYSQL_PORT = 3306; + private final static String MYSQL_HOST = "localhost"; + private final static String ROOT_CREDENTIALS = String + .format("spring:vault@tcp(%s:%d)/", MYSQL_HOST, MYSQL_PORT); + private final static String CREATE_USER_AND_GRANT_SQL = "CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';" + + "GRANT SELECT ON *.* TO '{{name}}'@'%';"; + + private VaultProperties vaultProperties = Settings.createVaultProperties(); + private VaultClient vaultClient = new VaultClient(vaultProperties); + private VaultProperties.MySql mySql = vaultProperties.getMysql(); + + /** + * Initialize the mysql secret backend. + * + * @throws Exception + */ + @Before + public void setUp() throws Exception { + + assumeTrue(CanConnect.to(new InetSocketAddress(MYSQL_HOST, MYSQL_PORT))); + + mySql.setEnabled(true); + mySql.setRole("readonly"); + + if (!prepare().hasSecret(mySql.getBackend())) { + prepare().mountSecret(mySql.getBackend()); + } + + prepare().write(String.format("%s/config/connection", mySql.getBackend()), + Collections.singletonMap("connection_url", ROOT_CREDENTIALS)); + + prepare().write(String.format("%s/roles/%s", mySql.getBackend(), mySql.getRole()), + Collections.singletonMap("sql", CREATE_USER_AND_GRANT_SQL)); + + vaultClient.setRest(new RestTemplate()); + } + + @Test + public void shouldCreateCredentialsCorrectly() throws Exception { + + Map secretProperties = vaultClient.read(database(mySql), + Settings.token()); + + assertThat(secretProperties).containsKeys("spring.datasource.username", + "spring.datasource.password"); + } + +} diff --git a/src/test/java/org/springframework/cloud/vault/integration/PostgreSqlSecretIntegrationTests.java b/src/test/java/org/springframework/cloud/vault/integration/PostgreSqlSecretIntegrationTests.java new file mode 100644 index 00000000..3a340b59 --- /dev/null +++ b/src/test/java/org/springframework/cloud/vault/integration/PostgreSqlSecretIntegrationTests.java @@ -0,0 +1,96 @@ +/* + * Copyright 2016 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.cloud.vault.integration; + +import static org.assertj.core.api.Assertions.*; +import static org.junit.Assume.*; +import static org.springframework.cloud.vault.SecureBackendAccessors.*; + +import java.net.InetSocketAddress; +import java.util.Collections; +import java.util.Map; + +import org.junit.Before; +import org.junit.Test; +import org.springframework.cloud.vault.VaultClient; +import org.springframework.cloud.vault.VaultProperties; +import org.springframework.cloud.vault.util.CanConnect; +import org.springframework.cloud.vault.util.Settings; +import org.springframework.web.client.RestTemplate; + +/** + * Integration tests for {@link VaultClient} using the postgresql secret backend. This + * test requires a running PostgreSQL instance, see {@link #CONNECTION_URL}. + * + * @author Mark Paluch + */ +public class PostgreSqlSecretIntegrationTests extends AbstractIntegrationTests { + + private final static String POSTGRES_HOST = "localhost"; + private final static int POSTGRES_PORT = 5432; + + private final static String CONNECTION_URL = String.format( + "postgresql://spring:vault@%s:%d/postgres?sslmode=disable", POSTGRES_HOST, + POSTGRES_PORT); + + private final static String CREATE_USER_AND_GRANT_SQL = "CREATE ROLE \"{{name}}\" WITH " + + "LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';\n" + + "GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";"; + + private VaultProperties vaultProperties = Settings.createVaultProperties(); + private VaultClient vaultClient = new VaultClient(vaultProperties); + private VaultProperties.PostgreSql postgreSql = vaultProperties.getPostgresql(); + + /** + * Initialize the postgresql secret backend. + * + * @throws Exception + */ + @Before + public void setUp() throws Exception { + + assumeTrue(CanConnect.to(new InetSocketAddress(POSTGRES_HOST, POSTGRES_PORT))); + + postgreSql.setEnabled(true); + postgreSql.setRole("readonly"); + + if (!prepare().hasSecret(postgreSql.getBackend())) { + prepare().mountSecret(postgreSql.getBackend()); + } + + prepare().write(String.format("%s/config/connection", postgreSql.getBackend()), + Collections.singletonMap("connection_url", CONNECTION_URL)); + + prepare().write( + String.format("%s/roles/%s", postgreSql.getBackend(), + postgreSql.getRole()), + Collections.singletonMap("sql", CREATE_USER_AND_GRANT_SQL)); + + vaultClient.setRest(new RestTemplate()); + } + + @Test + public void shouldCreateCredentialsCorrectly() throws Exception { + + Map secretProperties = vaultClient.read(database(postgreSql), + Settings.token()); + + assertThat(secretProperties).containsKeys("spring.datasource.username", + "spring.datasource.password"); + } + +} diff --git a/src/test/java/org/springframework/cloud/vault/util/CanConnect.java b/src/test/java/org/springframework/cloud/vault/util/CanConnect.java new file mode 100644 index 00000000..34eecd88 --- /dev/null +++ b/src/test/java/org/springframework/cloud/vault/util/CanConnect.java @@ -0,0 +1,57 @@ +/* + * Copyright 2016 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.cloud.vault.util; + +import java.io.IOException; +import java.net.Socket; +import java.net.SocketAddress; +import java.util.concurrent.TimeUnit; + +/** + * Helper to check whether a TCP connection can be established. + * + * @author Mark Paluch + */ +public class CanConnect { + + /** + * Performs a check whether a connection can be established to the + * {@code socketAddress}. + * + * @param socketAddress the address to test, must not be {@literal null}. + * @return {@literal true}, if a connection can be established + */ + public static boolean to(SocketAddress socketAddress) { + + Socket socket = new Socket(); + try { + + socket.connect(socketAddress, (int) TimeUnit.SECONDS.toMillis(1)); + return true; + } + catch (IOException e) { + return false; + } + finally { + try { + socket.close(); + } + catch (IOException o_O) { + } + } + } +} diff --git a/src/test/java/org/springframework/cloud/vault/util/PrepareVault.java b/src/test/java/org/springframework/cloud/vault/util/PrepareVault.java index b52a622b..22c0f1d5 100644 --- a/src/test/java/org/springframework/cloud/vault/util/PrepareVault.java +++ b/src/test/java/org/springframework/cloud/vault/util/PrepareVault.java @@ -50,11 +50,13 @@ public class PrepareVault { public final static String INITIALIZE_URL_TEMPLATE = "{baseuri}/sys/init"; public final static String MOUNT_AUTH_URL_TEMPLATE = "{baseuri}/sys/auth/{authBackend}"; public final static String SYS_AUTH_URL_TEMPLATE = "{baseuri}/sys/auth"; + public final static String MOUNT_SECRET_URL_TEMPLATE = "{baseuri}/sys/mounts/{type}"; + public final static String SYS_MOUNTS_URL_TEMPLATE = "{baseuri}/sys/mounts"; public final static String SEAL_STATUS_URL_TEMPLATE = "{baseuri}/sys/seal-status"; public final static String UNSEAL_URL_TEMPLATE = "{baseuri}/sys/unseal"; public final static String CREATE_TOKEN_URL_TEMPLATE = "{baseuri}/auth/token/create-orphan"; public final static String WRITE_URL_TEMPLATE = "{baseuri}/{path}"; - public static final ParameterizedTypeReference>> MAP_OF_MAPS_TYPE = new ParameterizedTypeReference>>() { + public static final ParameterizedTypeReference> MAP_OF_MAPS_TYPE = new ParameterizedTypeReference>() { }; @@ -211,27 +213,75 @@ public class PrepareVault { public boolean hasAuth(String authBackend) { Assert.hasText(authBackend, "AuthBackend must not be empty"); + return hasMount(SYS_AUTH_URL_TEMPLATE, authBackend); + } + + /** + * Mount an secret backend. + * + * @param secretBackend + */ + public void mountSecret(String secretBackend) { + + Assert.hasText(secretBackend, "SecretBackend must not be empty"); Map parameters = parameters(vaultProperties); - parameters.put("authBackend", authBackend); + parameters.put("type", secretBackend); - HttpEntity> entity = new HttpEntity<>(authenticatedHeaders()); + Map requestEntity = Collections.singletonMap("type", + secretBackend); - ResponseEntity>> responseEntity = restTemplate - .exchange(SYS_AUTH_URL_TEMPLATE, HttpMethod.GET, entity, MAP_OF_MAPS_TYPE, - parameters); + HttpEntity> entity = new HttpEntity<>(requestEntity, + authenticatedHeaders()); + + ResponseEntity responseEntity = restTemplate.exchange( + MOUNT_SECRET_URL_TEMPLATE, HttpMethod.POST, entity, String.class, + parameters); if (!responseEntity.getStatusCode().is2xxSuccessful()) { throw new IllegalStateException( - "Cannot create mount auth backend: " + responseEntity.toString()); + "Cannot create mount secret backend: " + responseEntity.toString()); } - Map> body = responseEntity.getBody(); - for (Entry> entry : body.entrySet()) { - if (entry.getKey().contains(authBackend) - && authBackend.equals(entry.getValue().get("type"))) { - return true; + responseEntity.getBody(); + } + + /** + * Check whether a auth-backend is enabled. + * + * @param secretBackend + * @return + */ + public boolean hasSecret(String secretBackend) { + + Assert.hasText(secretBackend, "SecretBackend must not be empty"); + return hasMount(SYS_MOUNTS_URL_TEMPLATE, secretBackend); + } + + private boolean hasMount(String urlTemplate, String type) { + Map parameters = parameters(vaultProperties); + + HttpEntity> entity = new HttpEntity<>(authenticatedHeaders()); + + ResponseEntity> responseEntity = restTemplate.exchange( + urlTemplate, HttpMethod.GET, entity, MAP_OF_MAPS_TYPE, parameters); + + if (!responseEntity.getStatusCode().is2xxSuccessful()) { + throw new IllegalStateException( + "Cannot enumerate mounts: " + responseEntity.toString()); + } + + Map body = responseEntity.getBody(); + for (Entry entry : body.entrySet()) { + + if (entry.getValue() instanceof Map) { + Map nested = (Map) entry.getValue(); + + if (entry.getKey().contains(type) && type.equals(nested.get("type"))) { + return true; + } } + } return false; @@ -256,7 +306,19 @@ public class PrepareVault { * @param data */ public void write(String path, Map data) { + write(HttpMethod.POST, path, data); + } + /** + * Write key-value data to a path in Vault. + * + * @param httpMethod + * @param path + * @param data + */ + public void write(HttpMethod httpMethod, String path, Map data) { + + Assert.notNull(httpMethod, "HttpMethod must not be null"); Assert.hasText(path, "Path must not be empty"); Assert.notNull(data, "Data must not be null"); diff --git a/src/test/resources/cassandra.yaml b/src/test/resources/cassandra.yaml new file mode 100644 index 00000000..0a1ccf88 --- /dev/null +++ b/src/test/resources/cassandra.yaml @@ -0,0 +1,876 @@ +# Cassandra storage config YAML + +# NOTE: +# See http://wiki.apache.org/cassandra/StorageConfiguration for +# full explanations of configuration directives +# /NOTE + +# The name of the cluster. This is mainly used to prevent machines in +# one logical cluster from joining another. +cluster_name: 'Test Cluster' + +# This defines the number of tokens randomly assigned to this node on the ring +# The more tokens, relative to other nodes, the larger the proportion of data +# that this node will store. You probably want all nodes to have the same number +# of tokens assuming they have equal hardware capability. +# +# If you leave this unspecified, Cassandra will use the default of 1 token for legacy compatibility, +# and will use the initial_token as described below. +# +# Specifying initial_token will override this setting on the node's initial start, +# on subsequent starts, this setting will apply even if initial token is set. +# +# If you already have a cluster with 1 token per node, and wish to migrate to +# multiple tokens per node, see http://wiki.apache.org/cassandra/Operations +num_tokens: 256 + +# initial_token allows you to specify tokens manually. While you can use # it with +# vnodes (num_tokens > 1, above) -- in which case you should provide a +# comma-separated list -- it's primarily used when adding nodes # to legacy clusters +# that do not have vnodes enabled. +# initial_token: + +# See http://wiki.apache.org/cassandra/HintedHandoff +# May either be "true" or "false" to enable globally, or contain a list +# of data centers to enable per-datacenter. +# hinted_handoff_enabled: DC1,DC2 +hinted_handoff_enabled: true +# this defines the maximum amount of time a dead host will have hints +# generated. After it has been dead this long, new hints for it will not be +# created until it has been seen alive and gone down again. +max_hint_window_in_ms: 10800000 # 3 hours +# Maximum throttle in KBs per second, per delivery thread. This will be +# reduced proportionally to the number of nodes in the cluster. (If there +# are two nodes in the cluster, each delivery thread will use the maximum +# rate; if there are three, each will throttle to half of the maximum, +# since we expect two nodes to be delivering hints simultaneously.) +hinted_handoff_throttle_in_kb: 1024 +# Number of threads with which to deliver hints; +# Consider increasing this number when you have multi-dc deployments, since +# cross-dc handoff tends to be slower +max_hints_delivery_threads: 2 + +# Maximum throttle in KBs per second, total. This will be +# reduced proportionally to the number of nodes in the cluster. +batchlog_replay_throttle_in_kb: 1024 + +# Authentication backend, implementing IAuthenticator; used to identify users +# Out of the box, Cassandra provides org.apache.cassandra.auth.{AllowAllAuthenticator, +# PasswordAuthenticator}. +# +# - AllowAllAuthenticator performs no checks - set it to disable authentication. +# - PasswordAuthenticator relies on username/password pairs to authenticate +# users. It keeps usernames and hashed passwords in system_auth.credentials table. +# Please increase system_auth keyspace replication factor if you use this authenticator. +# If using PasswordAuthenticator, CassandraRoleManager must also be used (see below) +#authenticator: PasswordAuthenticator +authenticator: PasswordAuthenticator + +# Authorization backend, implementing IAuthorizer; used to limit access/provide permissions +# Out of the box, Cassandra provides org.apache.cassandra.auth.{AllowAllAuthorizer, +# CassandraAuthorizer}. +# +# - AllowAllAuthorizer allows any action to any user - set it to disable authorization. +# - CassandraAuthorizer stores permissions in system_auth.permissions table. Please +# increase system_auth keyspace replication factor if you use this authorizer. +#authorizer: CassandraAuthorizer +authorizer: CassandraAuthorizer + +# Part of the Authentication & Authorization backend, implementing IRoleManager; used +# to maintain grants and memberships between roles. +# Out of the box, Cassandra provides org.apache.cassandra.auth.CassandraRoleManager, +# which stores role information in the system_auth keyspace. Most functions of the +# IRoleManager require an authenticated login, so unless the configured IAuthenticator +# actually implements authentication, most of this functionality will be unavailable. +# +# - CassandraRoleManager stores role data in the system_auth keyspace. Please +# increase system_auth keyspace replication factor if you use this role manager. +role_manager: CassandraRoleManager + +# Validity period for roles cache (fetching permissions can be an +# expensive operation depending on the authorizer). Granted roles are cached for +# authenticated sessions in AuthenticatedUser and after the period specified +# here, become eligible for (async) reload. +# Defaults to 2000, set to 0 to disable. +# Will be disabled automatically for AllowAllAuthenticator. +roles_validity_in_ms: 2000 + +# Refresh interval for roles cache (if enabled). +# After this interval, cache entries become eligible for refresh. Upon next +# access, an async reload is scheduled and the old value returned until it +# completes. If roles_validity_in_ms is non-zero, then this must be +# also. +# Defaults to the same value as roles_validity_in_ms. +# roles_update_interval_in_ms: 1000 + +# Validity period for permissions cache (fetching permissions can be an +# expensive operation depending on the authorizer, CassandraAuthorizer is +# one example). Defaults to 2000, set to 0 to disable. +# Will be disabled automatically for AllowAllAuthorizer. +permissions_validity_in_ms: 2000 + +# Refresh interval for permissions cache (if enabled). +# After this interval, cache entries become eligible for refresh. Upon next +# access, an async reload is scheduled and the old value returned until it +# completes. If permissions_validity_in_ms is non-zero, then this must be +# also. +# Defaults to the same value as permissions_validity_in_ms. +# permissions_update_interval_in_ms: 1000 + +# The partitioner is responsible for distributing groups of rows (by +# partition key) across nodes in the cluster. You should leave this +# alone for new clusters. The partitioner can NOT be changed without +# reloading all data, so when upgrading you should set this to the +# same partitioner you were already using. +# +# Besides Murmur3Partitioner, partitioners included for backwards +# compatibility include RandomPartitioner, ByteOrderedPartitioner, and +# OrderPreservingPartitioner. +# +partitioner: org.apache.cassandra.dht.Murmur3Partitioner + +# Directories where Cassandra should store data on disk. Cassandra +# will spread data evenly across them, subject to the granularity of +# the configured compaction strategy. +# If not set, the default directory is $CASSANDRA_HOME/data/data. +# data_file_directories: +# - /var/lib/cassandra/data + +# commit log. when running on magnetic HDD, this should be a +# separate spindle than the data directories. +# If not set, the default directory is $CASSANDRA_HOME/data/commitlog. +# commitlog_directory: /var/lib/cassandra/commitlog + +# policy for data disk failures: +# die: shut down gossip and client transports and kill the JVM for any fs errors or +# single-sstable errors, so the node can be replaced. +# stop_paranoid: shut down gossip and client transports even for single-sstable errors, +# kill the JVM for errors during startup. +# stop: shut down gossip and client transports, leaving the node effectively dead, but +# can still be inspected via JMX, kill the JVM for errors during startup. +# best_effort: stop using the failed disk and respond to requests based on +# remaining available sstables. This means you WILL see obsolete +# data at CL.ONE! +# ignore: ignore fatal errors and let requests fail, as in pre-1.2 Cassandra +disk_failure_policy: stop + +# policy for commit disk failures: +# die: shut down gossip and Thrift and kill the JVM, so the node can be replaced. +# stop: shut down gossip and Thrift, leaving the node effectively dead, but +# can still be inspected via JMX. +# stop_commit: shutdown the commit log, letting writes collect but +# continuing to service reads, as in pre-2.0.5 Cassandra +# ignore: ignore fatal errors and let the batches fail +commit_failure_policy: stop + +# Maximum size of the key cache in memory. +# +# Each key cache hit saves 1 seek and each row cache hit saves 2 seeks at the +# minimum, sometimes more. The key cache is fairly tiny for the amount of +# time it saves, so it's worthwhile to use it at large numbers. +# The row cache saves even more time, but must contain the entire row, +# so it is extremely space-intensive. It's best to only use the +# row cache if you have hot rows or static rows. +# +# NOTE: if you reduce the size, you may not get you hottest keys loaded on startup. +# +# Default value is empty to make it "auto" (min(5% of Heap (in MB), 100MB)). Set to 0 to disable key cache. +key_cache_size_in_mb: + +# Duration in seconds after which Cassandra should +# save the key cache. Caches are saved to saved_caches_directory as +# specified in this configuration file. +# +# Saved caches greatly improve cold-start speeds, and is relatively cheap in +# terms of I/O for the key cache. Row cache saving is much more expensive and +# has limited use. +# +# Default is 14400 or 4 hours. +key_cache_save_period: 14400 + +# Number of keys from the key cache to save +# Disabled by default, meaning all keys are going to be saved +# key_cache_keys_to_save: 100 + +# Row cache implementation class name. +# Available implementations: +# org.apache.cassandra.cache.OHCProvider Fully off-heap row cache implementation (default). +# org.apache.cassandra.cache.SerializingCacheProvider This is the row cache implementation availabile +# in previous releases of Cassandra. +# row_cache_class_name: org.apache.cassandra.cache.OHCProvider + +# Maximum size of the row cache in memory. +# Please note that OHC cache implementation requires some additional off-heap memory to manage +# the map structures and some in-flight memory during operations before/after cache entries can be +# accounted against the cache capacity. This overhead is usually small compared to the whole capacity. +# Do not specify more memory that the system can afford in the worst usual situation and leave some +# headroom for OS block level cache. Do never allow your system to swap. +# +# Default value is 0, to disable row caching. +row_cache_size_in_mb: 0 + +# Duration in seconds after which Cassandra should save the row cache. +# Caches are saved to saved_caches_directory as specified in this configuration file. +# +# Saved caches greatly improve cold-start speeds, and is relatively cheap in +# terms of I/O for the key cache. Row cache saving is much more expensive and +# has limited use. +# +# Default is 0 to disable saving the row cache. +row_cache_save_period: 0 + +# Number of keys from the row cache to save. +# Specify 0 (which is the default), meaning all keys are going to be saved +# row_cache_keys_to_save: 100 + +# Maximum size of the counter cache in memory. +# +# Counter cache helps to reduce counter locks' contention for hot counter cells. +# In case of RF = 1 a counter cache hit will cause Cassandra to skip the read before +# write entirely. With RF > 1 a counter cache hit will still help to reduce the duration +# of the lock hold, helping with hot counter cell updates, but will not allow skipping +# the read entirely. Only the local (clock, count) tuple of a counter cell is kept +# in memory, not the whole counter, so it's relatively cheap. +# +# NOTE: if you reduce the size, you may not get you hottest keys loaded on startup. +# +# Default value is empty to make it "auto" (min(2.5% of Heap (in MB), 50MB)). Set to 0 to disable counter cache. +# NOTE: if you perform counter deletes and rely on low gcgs, you should disable the counter cache. +counter_cache_size_in_mb: + +# Duration in seconds after which Cassandra should +# save the counter cache (keys only). Caches are saved to saved_caches_directory as +# specified in this configuration file. +# +# Default is 7200 or 2 hours. +counter_cache_save_period: 7200 + +# Number of keys from the counter cache to save +# Disabled by default, meaning all keys are going to be saved +# counter_cache_keys_to_save: 100 + +# saved caches +# If not set, the default directory is $CASSANDRA_HOME/data/saved_caches. +# saved_caches_directory: /var/lib/cassandra/saved_caches + +# commitlog_sync may be either "periodic" or "batch." +# +# When in batch mode, Cassandra won't ack writes until the commit log +# has been fsynced to disk. It will wait +# commitlog_sync_batch_window_in_ms milliseconds between fsyncs. +# This window should be kept short because the writer threads will +# be unable to do extra work while waiting. (You may need to increase +# concurrent_writes for the same reason.) +# +# commitlog_sync: batch +# commitlog_sync_batch_window_in_ms: 2 +# +# the other option is "periodic" where writes may be acked immediately +# and the CommitLog is simply synced every commitlog_sync_period_in_ms +# milliseconds. +commitlog_sync: periodic +commitlog_sync_period_in_ms: 10000 + +# The size of the individual commitlog file segments. A commitlog +# segment may be archived, deleted, or recycled once all the data +# in it (potentially from each columnfamily in the system) has been +# flushed to sstables. +# +# The default size is 32, which is almost always fine, but if you are +# archiving commitlog segments (see commitlog_archiving.properties), +# then you probably want a finer granularity of archiving; 8 or 16 MB +# is reasonable. +commitlog_segment_size_in_mb: 32 + +# Compression to apply to the commit log. If omitted, the commit log +# will be written uncompressed. LZ4, Snappy, and Deflate compressors +# are supported. +#commitlog_compression: +# - class_name: LZ4Compressor +# parameters: +# - + +# any class that implements the SeedProvider interface and has a +# constructor that takes a Map of parameters will do. +seed_provider: + # Addresses of hosts that are deemed contact points. + # Cassandra nodes use this list of hosts to find each other and learn + # the topology of the ring. You must change this if you are running + # multiple nodes! + - class_name: org.apache.cassandra.locator.SimpleSeedProvider + parameters: + # seeds is actually a comma-delimited list of addresses. + # Ex: ",," + - seeds: "127.0.0.1" + +# For workloads with more data than can fit in memory, Cassandra's +# bottleneck will be reads that need to fetch data from +# disk. "concurrent_reads" should be set to (16 * number_of_drives) in +# order to allow the operations to enqueue low enough in the stack +# that the OS and drives can reorder them. Same applies to +# "concurrent_counter_writes", since counter writes read the current +# values before incrementing and writing them back. +# +# On the other hand, since writes are almost never IO bound, the ideal +# number of "concurrent_writes" is dependent on the number of cores in +# your system; (8 * number_of_cores) is a good rule of thumb. +concurrent_reads: 32 +concurrent_writes: 32 +concurrent_counter_writes: 32 + +# Total memory to use for sstable-reading buffers. Defaults to +# the smaller of 1/4 of heap or 512MB. +# file_cache_size_in_mb: 512 + +# Total permitted memory to use for memtables. Cassandra will stop +# accepting writes when the limit is exceeded until a flush completes, +# and will trigger a flush based on memtable_cleanup_threshold +# If omitted, Cassandra will set both to 1/4 the size of the heap. +# memtable_heap_space_in_mb: 2048 +# memtable_offheap_space_in_mb: 2048 + +# Ratio of occupied non-flushing memtable size to total permitted size +# that will trigger a flush of the largest memtable. Larger mct will +# mean larger flushes and hence less compaction, but also less concurrent +# flush activity which can make it difficult to keep your disks fed +# under heavy write load. +# +# memtable_cleanup_threshold defaults to 1 / (memtable_flush_writers + 1) +# memtable_cleanup_threshold: 0.11 + +# Specify the way Cassandra allocates and manages memtable memory. +# Options are: +# heap_buffers: on heap nio buffers +# offheap_buffers: off heap (direct) nio buffers +# offheap_objects: native memory, eliminating nio buffer heap overhead +memtable_allocation_type: heap_buffers + +# Total space to use for commit logs on disk. +# +# If space gets above this value, Cassandra will flush every dirty CF +# in the oldest segment and remove it. So a small total commitlog space +# will tend to cause more flush activity on less-active columnfamilies. +# +# The default value is the smaller of 8192, and 1/4 of the total space +# of the commitlog volume. +# +# commitlog_total_space_in_mb: 8192 + +# This sets the amount of memtable flush writer threads. These will +# be blocked by disk io, and each one will hold a memtable in memory +# while blocked. +# +# memtable_flush_writers defaults to the smaller of (number of disks, +# number of cores), with a minimum of 2 and a maximum of 8. +# +# If your data directories are backed by SSD, you should increase this +# to the number of cores. +#memtable_flush_writers: 8 + +# A fixed memory pool size in MB for for SSTable index summaries. If left +# empty, this will default to 5% of the heap size. If the memory usage of +# all index summaries exceeds this limit, SSTables with low read rates will +# shrink their index summaries in order to meet this limit. However, this +# is a best-effort process. In extreme conditions Cassandra may need to use +# more than this amount of memory. +index_summary_capacity_in_mb: + +# How frequently index summaries should be resampled. This is done +# periodically to redistribute memory from the fixed-size pool to sstables +# proportional their recent read rates. Setting to -1 will disable this +# process, leaving existing index summaries at their current sampling level. +index_summary_resize_interval_in_minutes: 60 + +# Whether to, when doing sequential writing, fsync() at intervals in +# order to force the operating system to flush the dirty +# buffers. Enable this to avoid sudden dirty buffer flushing from +# impacting read latencies. Almost always a good idea on SSDs; not +# necessarily on platters. +trickle_fsync: false +trickle_fsync_interval_in_kb: 10240 + +# TCP port, for commands and data +# For security reasons, you should not expose this port to the internet. Firewall it if needed. +storage_port: 7000 + +# SSL port, for encrypted communication. Unused unless enabled in +# encryption_options +# For security reasons, you should not expose this port to the internet. Firewall it if needed. +ssl_storage_port: 7001 + +# Address or interface to bind to and tell other Cassandra nodes to connect to. +# You _must_ change this if you want multiple nodes to be able to communicate! +# +# Set listen_address OR listen_interface, not both. Interfaces must correspond +# to a single address, IP aliasing is not supported. +# +# Leaving it blank leaves it up to InetAddress.getLocalHost(). This +# will always do the Right Thing _if_ the node is properly configured +# (hostname, name resolution, etc), and the Right Thing is to use the +# address associated with the hostname (it might not be). +# +# Setting listen_address to 0.0.0.0 is always wrong. +# +# If you choose to specify the interface by name and the interface has an ipv4 and an ipv6 address +# you can specify which should be chosen using listen_interface_prefer_ipv6. If false the first ipv4 +# address will be used. If true the first ipv6 address will be used. Defaults to false preferring +# ipv4. If there is only one address it will be selected regardless of ipv4/ipv6. +listen_address: localhost +# listen_interface: eth0 +# listen_interface_prefer_ipv6: false + +# Address to broadcast to other Cassandra nodes +# Leaving this blank will set it to the same value as listen_address +# broadcast_address: 1.2.3.4 + +# When using multiple physical network interfaces, set this +# to true to listen on broadcast_address in addition to +# the listen_address, allowing nodes to communicate in both +# interfaces. +# Ignore this property if the network configuration automatically +# routes between the public and private networks such as EC2. +# listen_on_broadcast_address: false + +# Internode authentication backend, implementing IInternodeAuthenticator; +# used to allow/disallow connections from peer nodes. +# internode_authenticator: org.apache.cassandra.auth.AllowAllInternodeAuthenticator + +# Whether to start the native transport server. +# Please note that the address on which the native transport is bound is the +# same as the rpc_address. The port however is different and specified below. +start_native_transport: true +# port for the CQL native transport to listen for clients on +# For security reasons, you should not expose this port to the internet. Firewall it if needed. +native_transport_port: 9042 +# The maximum threads for handling requests when the native transport is used. +# This is similar to rpc_max_threads though the default differs slightly (and +# there is no native_transport_min_threads, idle threads will always be stopped +# after 30 seconds). +# native_transport_max_threads: 128 +# +# The maximum size of allowed frame. Frame (requests) larger than this will +# be rejected as invalid. The default is 256MB. +# native_transport_max_frame_size_in_mb: 256 + +# The maximum number of concurrent client connections. +# The default is -1, which means unlimited. +# native_transport_max_concurrent_connections: -1 + +# The maximum number of concurrent client connections per source ip. +# The default is -1, which means unlimited. +# native_transport_max_concurrent_connections_per_ip: -1 + +# Whether to start the thrift rpc server. +start_rpc: false + +# The address or interface to bind the Thrift RPC service and native transport +# server to. +# +# Set rpc_address OR rpc_interface, not both. Interfaces must correspond +# to a single address, IP aliasing is not supported. +# +# Leaving rpc_address blank has the same effect as on listen_address +# (i.e. it will be based on the configured hostname of the node). +# +# Note that unlike listen_address, you can specify 0.0.0.0, but you must also +# set broadcast_rpc_address to a value other than 0.0.0.0. +# +# For security reasons, you should not expose this port to the internet. Firewall it if needed. +# +# If you choose to specify the interface by name and the interface has an ipv4 and an ipv6 address +# you can specify which should be chosen using rpc_interface_prefer_ipv6. If false the first ipv4 +# address will be used. If true the first ipv6 address will be used. Defaults to false preferring +# ipv4. If there is only one address it will be selected regardless of ipv4/ipv6. +rpc_address: localhost +# rpc_interface: eth1 +# rpc_interface_prefer_ipv6: false + +# port for Thrift to listen for clients on +rpc_port: 9160 + +# RPC address to broadcast to drivers and other Cassandra nodes. This cannot +# be set to 0.0.0.0. If left blank, this will be set to the value of +# rpc_address. If rpc_address is set to 0.0.0.0, broadcast_rpc_address must +# be set. +# broadcast_rpc_address: 1.2.3.4 + +# enable or disable keepalive on rpc/native connections +rpc_keepalive: true + +# Cassandra provides two out-of-the-box options for the RPC Server: +# +# sync -> One thread per thrift connection. For a very large number of clients, memory +# will be your limiting factor. On a 64 bit JVM, 180KB is the minimum stack size +# per thread, and that will correspond to your use of virtual memory (but physical memory +# may be limited depending on use of stack space). +# +# hsha -> Stands for "half synchronous, half asynchronous." All thrift clients are handled +# asynchronously using a small number of threads that does not vary with the amount +# of thrift clients (and thus scales well to many clients). The rpc requests are still +# synchronous (one thread per active request). If hsha is selected then it is essential +# that rpc_max_threads is changed from the default value of unlimited. +# +# The default is sync because on Windows hsha is about 30% slower. On Linux, +# sync/hsha performance is about the same, with hsha of course using less memory. +# +# Alternatively, can provide your own RPC server by providing the fully-qualified class name +# of an o.a.c.t.TServerFactory that can create an instance of it. +rpc_server_type: sync + +# Uncomment rpc_min|max_thread to set request pool size limits. +# +# Regardless of your choice of RPC server (see above), the number of maximum requests in the +# RPC thread pool dictates how many concurrent requests are possible (but if you are using the sync +# RPC server, it also dictates the number of clients that can be connected at all). +# +# The default is unlimited and thus provides no protection against clients overwhelming the server. You are +# encouraged to set a maximum that makes sense for you in production, but do keep in mind that +# rpc_max_threads represents the maximum number of client requests this server may execute concurrently. +# +# rpc_min_threads: 16 +# rpc_max_threads: 2048 + +# uncomment to set socket buffer sizes on rpc connections +# rpc_send_buff_size_in_bytes: +# rpc_recv_buff_size_in_bytes: + +# Uncomment to set socket buffer size for internode communication +# Note that when setting this, the buffer size is limited by net.core.wmem_max +# and when not setting it it is defined by net.ipv4.tcp_wmem +# See: +# /proc/sys/net/core/wmem_max +# /proc/sys/net/core/rmem_max +# /proc/sys/net/ipv4/tcp_wmem +# /proc/sys/net/ipv4/tcp_wmem +# and: man tcp +# internode_send_buff_size_in_bytes: +# internode_recv_buff_size_in_bytes: + +# Frame size for thrift (maximum message length). +thrift_framed_transport_size_in_mb: 15 + +# Set to true to have Cassandra create a hard link to each sstable +# flushed or streamed locally in a backups/ subdirectory of the +# keyspace data. Removing these links is the operator's +# responsibility. +incremental_backups: false + +# Whether or not to take a snapshot before each compaction. Be +# careful using this option, since Cassandra won't clean up the +# snapshots for you. Mostly useful if you're paranoid when there +# is a data format change. +snapshot_before_compaction: false + +# Whether or not a snapshot is taken of the data before keyspace truncation +# or dropping of column families. The STRONGLY advised default of true +# should be used to provide data safety. If you set this flag to false, you will +# lose data on truncation or drop. +auto_snapshot: true + +# When executing a scan, within or across a partition, we need to keep the +# tombstones seen in memory so we can return them to the coordinator, which +# will use them to make sure other replicas also know about the deleted rows. +# With workloads that generate a lot of tombstones, this can cause performance +# problems and even exaust the server heap. +# (http://www.datastax.com/dev/blog/cassandra-anti-patterns-queues-and-queue-like-datasets) +# Adjust the thresholds here if you understand the dangers and want to +# scan more tombstones anyway. These thresholds may also be adjusted at runtime +# using the StorageService mbean. +tombstone_warn_threshold: 1000 +tombstone_failure_threshold: 100000 + +# Granularity of the collation index of rows within a partition. +# Increase if your rows are large, or if you have a very large +# number of rows per partition. The competing goals are these: +# 1) a smaller granularity means more index entries are generated +# and looking up rows withing the partition by collation column +# is faster +# 2) but, Cassandra will keep the collation index in memory for hot +# rows (as part of the key cache), so a larger granularity means +# you can cache more hot rows +column_index_size_in_kb: 64 + + +# Log WARN on any batch size exceeding this value. 5kb per batch by default. +# Caution should be taken on increasing the size of this threshold as it can lead to node instability. +batch_size_warn_threshold_in_kb: 5 + +# Fail any batch exceeding this value. 50kb (10x warn threshold) by default. +batch_size_fail_threshold_in_kb: 50 + +# Number of simultaneous compactions to allow, NOT including +# validation "compactions" for anti-entropy repair. Simultaneous +# compactions can help preserve read performance in a mixed read/write +# workload, by mitigating the tendency of small sstables to accumulate +# during a single long running compactions. The default is usually +# fine and if you experience problems with compaction running too +# slowly or too fast, you should look at +# compaction_throughput_mb_per_sec first. +# +# concurrent_compactors defaults to the smaller of (number of disks, +# number of cores), with a minimum of 2 and a maximum of 8. +# +# If your data directories are backed by SSD, you should increase this +# to the number of cores. +#concurrent_compactors: 1 + +# Throttles compaction to the given total throughput across the entire +# system. The faster you insert data, the faster you need to compact in +# order to keep the sstable count down, but in general, setting this to +# 16 to 32 times the rate you are inserting data is more than sufficient. +# Setting this to 0 disables throttling. Note that this account for all types +# of compaction, including validation compaction. +compaction_throughput_mb_per_sec: 16 + +# Log a warning when compacting partitions larger than this value +compaction_large_partition_warning_threshold_mb: 100 + +# When compacting, the replacement sstable(s) can be opened before they +# are completely written, and used in place of the prior sstables for +# any range that has been written. This helps to smoothly transfer reads +# between the sstables, reducing page cache churn and keeping hot rows hot +sstable_preemptive_open_interval_in_mb: 50 + +# Throttles all outbound streaming file transfers on this node to the +# given total throughput in Mbps. This is necessary because Cassandra does +# mostly sequential IO when streaming data during bootstrap or repair, which +# can lead to saturating the network connection and degrading rpc performance. +# When unset, the default is 200 Mbps or 25 MB/s. +# stream_throughput_outbound_megabits_per_sec: 200 + +# Throttles all streaming file transfer between the datacenters, +# this setting allows users to throttle inter dc stream throughput in addition +# to throttling all network stream traffic as configured with +# stream_throughput_outbound_megabits_per_sec +# When unset, the default is 200 Mbps or 25 MB/s +# inter_dc_stream_throughput_outbound_megabits_per_sec: 200 + +# How long the coordinator should wait for read operations to complete +read_request_timeout_in_ms: 5000 +# How long the coordinator should wait for seq or index scans to complete +range_request_timeout_in_ms: 10000 +# How long the coordinator should wait for writes to complete +write_request_timeout_in_ms: 2000 +# How long the coordinator should wait for counter writes to complete +counter_write_request_timeout_in_ms: 5000 +# How long a coordinator should continue to retry a CAS operation +# that contends with other proposals for the same row +cas_contention_timeout_in_ms: 1000 +# How long the coordinator should wait for truncates to complete +# (This can be much longer, because unless auto_snapshot is disabled +# we need to flush first so we can snapshot before removing the data.) +truncate_request_timeout_in_ms: 60000 +# The default timeout for other, miscellaneous operations +request_timeout_in_ms: 10000 + +# Enable operation timeout information exchange between nodes to accurately +# measure request timeouts. If disabled, replicas will assume that requests +# were forwarded to them instantly by the coordinator, which means that +# under overload conditions we will waste that much extra time processing +# already-timed-out requests. +# +# Warning: before enabling this property make sure to ntp is installed +# and the times are synchronized between the nodes. +cross_node_timeout: false + +# Enable socket timeout for streaming operation. +# When a timeout occurs during streaming, streaming is retried from the start +# of the current file. This _can_ involve re-streaming an important amount of +# data, so you should avoid setting the value too low. +# Default value is 3600000, which means streams timeout after an hour. +# streaming_socket_timeout_in_ms: 3600000 + +# phi value that must be reached for a host to be marked down. +# most users should never need to adjust this. +# phi_convict_threshold: 8 + +# endpoint_snitch -- Set this to a class that implements +# IEndpointSnitch. The snitch has two functions: +# - it teaches Cassandra enough about your network topology to route +# requests efficiently +# - it allows Cassandra to spread replicas around your cluster to avoid +# correlated failures. It does this by grouping machines into +# "datacenters" and "racks." Cassandra will do its best not to have +# more than one replica on the same "rack" (which may not actually +# be a physical location) +# +# IF YOU CHANGE THE SNITCH AFTER DATA IS INSERTED INTO THE CLUSTER, +# YOU MUST RUN A FULL REPAIR, SINCE THE SNITCH AFFECTS WHERE REPLICAS +# ARE PLACED. +# +# IF THE RACK A REPLICA IS PLACED IN CHANGES AFTER THE REPLICA HAS BEEN +# ADDED TO A RING, THE NODE MUST BE DECOMMISSIONED AND REBOOTSTRAPPED. +# +# Out of the box, Cassandra provides +# - SimpleSnitch: +# Treats Strategy order as proximity. This can improve cache +# locality when disabling read repair. Only appropriate for +# single-datacenter deployments. +# - GossipingPropertyFileSnitch +# This should be your go-to snitch for production use. The rack +# and datacenter for the local node are defined in +# cassandra-rackdc.properties and propagated to other nodes via +# gossip. If cassandra-topology.properties exists, it is used as a +# fallback, allowing migration from the PropertyFileSnitch. +# - PropertyFileSnitch: +# Proximity is determined by rack and data center, which are +# explicitly configured in cassandra-topology.properties. +# - Ec2Snitch: +# Appropriate for EC2 deployments in a single Region. Loads Region +# and Availability Zone information from the EC2 API. The Region is +# treated as the datacenter, and the Availability Zone as the rack. +# Only private IPs are used, so this will not work across multiple +# Regions. +# - Ec2MultiRegionSnitch: +# Uses public IPs as broadcast_address to allow cross-region +# connectivity. (Thus, you should set seed addresses to the public +# IP as well.) You will need to open the storage_port or +# ssl_storage_port on the public IP firewall. (For intra-Region +# traffic, Cassandra will switch to the private IP after +# establishing a connection.) +# - RackInferringSnitch: +# Proximity is determined by rack and data center, which are +# assumed to correspond to the 3rd and 2nd octet of each node's IP +# address, respectively. Unless this happens to match your +# deployment conventions, this is best used as an example of +# writing a custom Snitch class and is provided in that spirit. +# +# You can use a custom Snitch by setting this to the full class name +# of the snitch, which will be assumed to be on your classpath. +endpoint_snitch: SimpleSnitch + +# controls how often to perform the more expensive part of host score +# calculation +dynamic_snitch_update_interval_in_ms: 100 +# controls how often to reset all host scores, allowing a bad host to +# possibly recover +dynamic_snitch_reset_interval_in_ms: 600000 +# if set greater than zero and read_repair_chance is < 1.0, this will allow +# 'pinning' of replicas to hosts in order to increase cache capacity. +# The badness threshold will control how much worse the pinned host has to be +# before the dynamic snitch will prefer other replicas over it. This is +# expressed as a double which represents a percentage. Thus, a value of +# 0.2 means Cassandra would continue to prefer the static snitch values +# until the pinned host was 20% worse than the fastest. +dynamic_snitch_badness_threshold: 0.1 + +# request_scheduler -- Set this to a class that implements +# RequestScheduler, which will schedule incoming client requests +# according to the specific policy. This is useful for multi-tenancy +# with a single Cassandra cluster. +# NOTE: This is specifically for requests from the client and does +# not affect inter node communication. +# org.apache.cassandra.scheduler.NoScheduler - No scheduling takes place +# org.apache.cassandra.scheduler.RoundRobinScheduler - Round robin of +# client requests to a node with a separate queue for each +# request_scheduler_id. The scheduler is further customized by +# request_scheduler_options as described below. +request_scheduler: org.apache.cassandra.scheduler.NoScheduler + +# Scheduler Options vary based on the type of scheduler +# NoScheduler - Has no options +# RoundRobin +# - throttle_limit -- The throttle_limit is the number of in-flight +# requests per client. Requests beyond +# that limit are queued up until +# running requests can complete. +# The value of 80 here is twice the number of +# concurrent_reads + concurrent_writes. +# - default_weight -- default_weight is optional and allows for +# overriding the default which is 1. +# - weights -- Weights are optional and will default to 1 or the +# overridden default_weight. The weight translates into how +# many requests are handled during each turn of the +# RoundRobin, based on the scheduler id. +# +# request_scheduler_options: +# throttle_limit: 80 +# default_weight: 5 +# weights: +# Keyspace1: 1 +# Keyspace2: 5 + +# request_scheduler_id -- An identifier based on which to perform +# the request scheduling. Currently the only valid option is keyspace. +# request_scheduler_id: keyspace + +# Enable or disable inter-node encryption +# Default settings are TLS v1, RSA 1024-bit keys (it is imperative that +# users generate their own keys) TLS_RSA_WITH_AES_128_CBC_SHA as the cipher +# suite for authentication, key exchange and encryption of the actual data transfers. +# Use the DHE/ECDHE ciphers if running in FIPS 140 compliant mode. +# NOTE: No custom encryption options are enabled at the moment +# The available internode options are : all, none, dc, rack +# +# If set to dc cassandra will encrypt the traffic between the DCs +# If set to rack cassandra will encrypt the traffic between the racks +# +# The passwords used in these options must match the passwords used when generating +# the keystore and truststore. For instructions on generating these files, see: +# http://download.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CreateKeystore +# +server_encryption_options: + internode_encryption: none + keystore: conf/.keystore + keystore_password: cassandra + truststore: conf/.truststore + truststore_password: cassandra + # More advanced defaults below: + # protocol: TLS + # algorithm: SunX509 + # store_type: JKS + # cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] + # require_client_auth: false + +# enable or disable client/server encryption. +client_encryption_options: + enabled: false + # If enabled and optional is set to true encrypted and unencrypted connections are handled. + optional: false + keystore: conf/.keystore + keystore_password: cassandra + # require_client_auth: false + # Set trustore and truststore_password if require_client_auth is true + # truststore: conf/.truststore + # truststore_password: cassandra + # More advanced defaults below: + # protocol: TLS + # algorithm: SunX509 + # store_type: JKS + # cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] + +# internode_compression controls whether traffic between nodes is +# compressed. +# can be: all - all traffic is compressed +# dc - traffic between different datacenters is compressed +# none - nothing is compressed. +internode_compression: all + +# Enable or disable tcp_nodelay for inter-dc communication. +# Disabling it will result in larger (but fewer) network packets being sent, +# reducing overhead from the TCP protocol itself, at the cost of increasing +# latency if you block for cross-datacenter responses. +inter_dc_tcp_nodelay: false + +# TTL for different trace types used during logging of the repair process. +tracetype_query_ttl: 86400 +tracetype_repair_ttl: 604800 + +# GC Pauses greater than gc_warn_threshold_in_ms will be logged at WARN level +# Adjust the threshold based on your application throughput requirement +# By default, Cassandra logs GC Pauses greater than 200 ms at INFO level +# gc_warn_threshold_in_ms: 1000 + +# UDFs (user defined functions) are disabled by default. +# As of Cassandra 2.2, there is no security manager or anything else in place that +# prevents execution of evil code. CASSANDRA-9402 will fix this issue for Cassandra 3.0. +# This will inherently be backwards-incompatible with any 2.2 UDF that perform insecure +# operations such as opening a socket or writing to the filesystem. +enable_user_defined_functions: false + +# The default Windows kernel timer and scheduling resolution is 15.6ms for power conservation. +# Lowering this value on Windows can provide much tighter latency and better throughput, however +# some virtualized environments may see a negative performance impact from changing this setting +# below their system default. The sysinternals 'clockres' tool can confirm your system's default +# setting. +windows_timer_interval: 1