Fix cassandra schema scripts to be able to run from a remote node #4056
Conversation
Signed-off-by: Alberto Otero Lorenzo <[email protected]>
| | awk -F "." '{print $1}' \ | ||
| ) | ||
| else | ||
| cas_version=$(cqlsh -u ${USER} -p ${PASSWORD} -e "show version" \ |
There was a problem hiding this comment.
Is there another way to pass credentials? Passing via cmd line arguments is not secure, they can be observed via ps.
There was a problem hiding this comment.
I'm afraid not. Seems only $CQLSH_HOST and $CQLSH_PORT can be provided as env vars, and the authentication can only be performed through CLI args or plain config file (see ref).
In fact, there's already calls of this kind on the parent file docker.sh:
if [ -z "$PASSWORD" ]; then
${CQLSH} ${CQLSH_SSL} ${CQLSH_HOST} ${CQLSH_PORT} -e "describe keyspaces"
else
${CQLSH} ${CQLSH_SSL} ${CQLSH_HOST} ${CQLSH_PORT} -u ${USER} -p ${PASSWORD} -e "describe keyspaces"
if [ -z "$PASSWORD" ]; then
MODE="${MODE}" DATACENTER="${DATACENTER}" KEYSPACE="${KEYSPACE}" /cassandra-schema/create.sh "${TEMPLATE}" | ${CQLSH} ${CQLSH_SSL} ${CQLSH_HOST} ${CQLSH_PORT}
else
MODE="${MODE}" DATACENTER="${DATACENTER}" KEYSPACE="${KEYSPACE}" /cassandra-schema/create.sh "${TEMPLATE}" | ${CQLSH} ${CQLSH_SSL} ${CQLSH_HOST} ${CQLSH_PORT} -u ${USER} -p ${PASSWORD}
fi
Is simply that cqlsh -e "show version" is so simple and straight forward that you don't think about a need of authentication to use it, so it's not until you run it from a remote machine when you realize of this (which indeed makes complete sense, to need auth for executing ANY command or query over a remote end).
There was a problem hiding this comment.
Thanks for pointers. Indeed, this shell script was supposed to be used only to generate the schema file, not to do any execution against the server.
What if we remove version check altogether and move it to docker.sh? This script can simply accept another parameter via env (default to 4).
There was a problem hiding this comment.
Also, the version check is only necessary if template is not provided.
There was a problem hiding this comment.
I think for the moment this would keep the current script behavior solving the problem and keeping consistency with the rest of the code, so I would accept it as a fix. Of course a proper refactor would be welcome if you guys find the time 🙂
|
Hi there! Any update on this? |
|
I have alternative fix in #4087 |
Alternative solution, closes #4056 This keeps the create.sh script simpler and not aware of cqlsh. Signed-off-by: Yuri Shkuro <[email protected]> Co-authored-by: Albert <[email protected]>
Alternative solution, closes jaegertracing#4056 This keeps the create.sh script simpler and not aware of cqlsh. Signed-off-by: Yuri Shkuro <[email protected]> Co-authored-by: Albert <[email protected]>
Alternative solution, closes jaegertracing#4056 This keeps the create.sh script simpler and not aware of cqlsh. Signed-off-by: Yuri Shkuro <[email protected]> Co-authored-by: Albert <[email protected]> Signed-off-by: shubbham1215 <[email protected]>
Signed-off-by: Alberto Otero Lorenzo [email protected]
Which problem is this PR solving?
The
create.shfile from the cassandra-schema migration scripts for Jaeger, executes an 'a priori' inoffensivecommand
cqlsh -e "show version". This command shouldn't need of authentication, and it doesn't... But only when the target is the local cassandra node ($CQLSH_HOSTpoints tolocalhost). Otherwise, the CLI tool will report an error asking for auth when running the scrips over a remote node:Short description of the changes
An if is added to the logic for
create.sh's commandcqlsh -e "show version"to be executed with authentication arguments in case a password is set. This doesn't check if the node where the CQL is executed is remote or not, but instead it provides auth in case it is provided, local or remote, covering all use cases.