Re: Securing a Cassandra 2.2.6 Cluster
Hi guys,

Thank you for your responses. Let me try to address them:

- I just tried cqlsh directly with the IP, no change in behaviour. (I previously tried the hostnames, didn't work either.)
- As for the "empty" ..._address: I meant that I leave these blank. Please let me quote from the default cassandra.yaml:

    # Leaving it blank leaves it up to InetAddress.getLocalHost(). This
    # will always do the Right Thing _if_ the node is properly configured
    # (hostname, name resolution, etc), and the Right Thing is to use the
    # address associated with the hostname (it might not be).

  So what should I put instead?
- Requested outputs:

    nodetool status
    Datacenter: datacenter1
    ===
    Status=Up/Down
    |/ State=Normal/Leaving/Joining/Moving
    -- Address Load Tokens Owns (effective) Host ID Rack
    UN 344.56 KB 256 100.0% 6271c749-e41d-443c-89e4-46c0fbac49af rack1
    UN 266.91 KB 256 100.0% e50a1076-7149-45f3-9001-26bb479f2a50 rack1

    # netstat -lptn | grep java
    tcp 0 0 :7000 0.0.0.0:* LISTEN 17040/*java*
    tcp 0 0 127.0.0.1:36415 0.0.0.0:* LISTEN 17040/*java*
    tcp 0 0 127.0.0.1:7199 0.0.0.0:* LISTEN 17040/*java*
    tcp6 0 0 :9042 :::* LISTEN 17040/*java*

    # netstat -lptn | grep java
    tcp 0 0 127.0.0.1:43569 0.0.0.0:* LISTEN 49349/*java*
    tcp 0 0 :7000 0.0.0.0:* LISTEN 49349/*java*
    tcp 0 0 127.0.0.1:7199 0.0.0.0:* LISTEN 49349/*java*
    tcp6 0 0 :::8009 :::* LISTEN 42088/*java*
    tcp6 0 0 :::8080 :::* LISTEN 42088/*java*
    tcp6 0 0 :9042 :::* LISTEN 49349/*java*
    tcp6 0 0 127.0.0.1:8005 :::* LISTEN 42088/*java*

Jonathan, thank you for reassuring me that I didn't misunderstand seeds completely. ;-)

Any ideas?

Regards
Raimund

2016-10-30 18:48 GMT+00:00 Jonathan Haddad :

> I always prefer to set the listen interface instead of listen address
>
> Both nodes can be seeds. In fact, there should be more than one seed.
> Having your first 2 nodes as seeds is usually the correct thing to do.
> On Sun, Oct 30, 2016 at 8:28 AM Vladimir Yudovin wrote:
>
>> >Empty listen_address and rpc_address.
>> What do you mean by "Empty"? You should set either ***_address or
>> ***_interface. Otherwise Cassandra will not listen on port 9042.
>>
>> >Open ports 9042, 7000 and 7001 for external communication.
>> Only port 9042 should be open to the world, Port 7000 for internode
>> communication, and 7001 for internode SSL communication (only one of them
>> is used).
>>
>> >What is the best order of steps
>> Order doesn't really matter.
>>
>> >Define both machines as seeds.
>> It's wrong. Only one (started first) should be seed.
>>
>> >nodetool sees both of them
>> cqlsh refuses to connect
>> Can you please give output of
>> *nodetool status*
>> and
>> *netstat -lptn | grep java*
>>
>> Best regards, Vladimir Yudovin,
>>
>> *Winguzone <https://winguzone.com?from=list> - Hosted Cloud Cassandra
>> Launch your cluster in minutes.*
>>
>> On Sun, 30 Oct 2016 14:11:55 -0400 *Raimund Klein* wrote
>>
>> Hi everyone,
>>
>> We've managed to set up a Cassandra 2.2.6 cluster of two physical nodes
>> (nodetool sees both of them, so I'm quite certain the cluster is indeed
>> active). My steps to create the cluster were (this applies to both
>> machines):
>>
>> - Empty listen_address and rpc_address.
>> - Define a cluster_name.
>> - Define both machines as seeds.
>> - Open ports 9042, 7000 and 7001 for external communication.
>>
>> Now I want to secure access to the cluster in all forms:
>>
>> - define a different database user with a new password
>> - encrypt communication between clients and the cluster including
>>   client verification
>> - encrypt communication between the nodes including verification
>>
>> What is the best order of steps and correct way to achieve this? I wanted
>> to start with defining a different user, but cqlsh refuses to connect after
>> enforcing user/password authentication:
>>
>> cqlsh -u cassandra -p cassandra
>> Connection error: ('Unable to connect to any servers', {'127.0.0.1':
>> error(111, "Tried connecting to [('127.0.0.1', 9042)]. Last error:
>> Connection refused")})
>>
>> This happens when I run the command on either of the two machines. Any
>> help would be greatly appreciated.
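
The `netstat -lptn` output requested in this message shows which address each Cassandra port is bound to. As an added example (not part of the thread), this shell sketch classifies the listeners on ports 9042, 7000, 7001 and 7199 and reports whether the address cqlsh was pointed at is served; the sample lines and the 192.0.2.10 address are constructed.

```shell
# Added example, not from the thread. Reads `netstat -lptn` output on stdin.
# Constructed sample: 192.0.2.10 is a documentation address, not a real node.
SAMPLE='tcp   0 0 192.0.2.10:7000          0.0.0.0:*  LISTEN 17040/java
tcp   0 0 127.0.0.1:7199           0.0.0.0:*  LISTEN 17040/java
tcp6  0 0 ::ffff:192.0.2.10:9042   :::*       LISTEN 17040/java'

# Prints "<port> <scope> <address>" for each Cassandra listener, where scope
# is loopback, wildcard or specific.
classify_listeners() {
  awk '$6 == "LISTEN" && $7 ~ /java/ {
    n = split($4, p, ":"); ps = p[n]; port = ps + 0
    if (port != 9042 && port != 7000 && port != 7001 && port != 7199) next
    # Everything before the final ":<port>" is the bind address.
    addr = substr($4, 1, length($4) - length(ps) - 1)
    sub(/^::ffff:/, "", addr)            # IPv4-mapped form shown on tcp6 sockets
    scope = "specific"
    if (addr ~ /^127\./ || addr == "::1") scope = "loopback"
    else if (addr == "0.0.0.0" || addr == "::") scope = "wildcard"
    print port, scope, addr
  }'
}

# Explains a cqlsh "Connection refused" for the host cqlsh was pointed at
# (127.0.0.1 when none is given, as in the error quoted in the thread).
cqlsh_verdict() {
  classify_listeners | awk -v host="$1" '
    $1 == 9042 { seen = 1; bound = $3
                 if ($2 == "wildcard" || $3 == host) ok = 1 }
    END {
      if (!seen)   print "no-listener"            # native transport not bound
      else if (ok) print "reachable"
      else         print "wrong-address:" bound   # connect to this address
    }'
}

printf '%s\n' "$SAMPLE" | classify_listeners
printf '%s\n' "$SAMPLE" | cqlsh_verdict 127.0.0.1
```

On a node, pipe the live output in instead of the sample: `netstat -lptn | cqlsh_verdict 127.0.0.1`.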
Securing a Cassandra 2.2.6 Cluster
Hi everyone,

We've managed to set up a Cassandra 2.2.6 cluster of two physical nodes (nodetool sees both of them, so I'm quite certain the cluster is indeed active). My steps to create the cluster were (this applies to both machines):

- Empty listen_address and rpc_address.
- Define a cluster_name.
- Define both machines as seeds.
- Open ports 9042, 7000 and 7001 for external communication.

Now I want to secure access to the cluster in all forms:

- define a different database user with a new password
- encrypt communication between clients and the cluster including client verification
- encrypt communication between the nodes including verification

What is the best order of steps and correct way to achieve this? I wanted to start with defining a different user, but cqlsh refuses to connect after enforcing user/password authentication:

    cqlsh -u cassandra -p cassandra
    Connection error: ('Unable to connect to any servers', {'127.0.0.1': error(111, "Tried connecting to [('127.0.0.1', 9042)]. Last error: Connection refused")})

This happens when I run the command on either of the two machines. Any help would be greatly appreciated.
Re: Failure when setting up cassandra in cluster
Hi Ricardo,

Thank you, the nodes are indeed configured like this. /etc/hosts contains both the line you mention AND another one with the general IP. But both with the nodes' names. Guess it's time to ask our responsible guys why this is the case.

At least now I know what to look for. I'll play around with this configuration line and see if I can get it to work.

Again, thank you for the help.

Cheers
Raimund

2016-08-22 17:32 GMT+01:00 Riccardo Ferrari :

> Hi that's very likely because of:
>>
>> empty the listen_address entry
>
> and
>
> # Leaving it blank leaves it up to InetAddress.getLocalHost(). This
> # will always do the Right Thing _if_ the node is properly configured
> # (hostname, name resolution, etc), and the Right Thing is to use the
> # address associated with the hostname (it might not be).
>
> You probably have an /etc/hosts line that is
> 127.0.1.1 myhostname
>
> Nodes can not communicate if bound to loopback interface
> Best,
>
> On Mon, Aug 22, 2016 at 6:22 PM, Raimund Klein wrote:
>
>> Hi guys,
>>
>> Thanks for the responses. I'm running the cqlsh commands directly on one
>> of the nodes, so should that really make a difference?
>>
>> Anyway, as for Carlos' questions:
>>
>> - We're using Cassandra 2.2.6.
>> - nodetool status on first node:
>>
>> Datacenter: datacenter1
>> ===
>> Status=Up/Down
>> |/ State=Normal/Leaving/Joining/Moving
>> -- Address Load Tokens Owns (effective) Host ID Rack
>> UN 127.0.1.1 168.6 KB 256 100.0% 7217530d-1db4-4208-b181-f627546ed386 rack1
>>
>> - nodetool status on second node:
>>
>> Datacenter: datacenter1
>> ===
>> Status=Up/Down
>> |/ State=Normal/Leaving/Joining/Moving
>> -- Address Load Tokens Owns (effective) Host ID Rack
>> UN 127.0.1.1 128.35 KB 256 100.0% 46917945-6f5d-4f94-b48a-d7cbbd94110f rack1
>>
>> Cheers
>>
>> Raimund
>>
>> 2016-08-22 16:23 GMT+01:00 Carlos Rolo :
>>
>>> If Ryan's answer doesn't help, post Cassandra version. There is a bug with
>>> cql and some python version that would lead to that error.
>>>
>>> Also, please post "nodetool status".
>>>
>>> Regards,
>>>
>>> Carlos Juzarte Rolo
>>> Cassandra Consultant / Datastax Certified Architect / Cassandra MVP
>>>
>>> Pythian - Love your data
>>>
>>> rolo@pythian | Twitter: @cjrolo | Skype: cjr2k3 | Linkedin:
>>> *linkedin.com/in/carlosjuzarterolo <http://linkedin.com/in/carlosjuzarterolo>*
>>> Mobile: +351 918 918 100
>>> www.pythian.com
>>>
>>> On Mon, Aug 22, 2016 at 4:08 PM, Ryan Svihla wrote:
>>>
>>>> instead of 127.0.0.1 have you tried just passing the IP of one of
>>>> the nodes?
>>>>
>>>> On Mon, Aug 22, 2016 at 9:45 AM Raimund Klein wrote:
>>>>
>>>>> Hello all,
>>>>>
>>>>> Sorry for reposting this, but I didn't receive any response. Can
>>>>> someone help please?
>>>>>
>>>>> -- Forwarded message --
>>>>> From: Raimund Klein
>>>>> Date: 2016-08-15 12:07 GMT+01:00
>>>>> Subject: Failure when setting up cassandra in cluster
>>>>> To: user@cassandra.apache.org
>>>>>
>>>>> Hi all,
>>>>>
>>>>> Sorry if this is a fairly stupid question, but we've all only been
>>>>> exposed to Cassandra very recently.
>>>>>
>>>>> We're trying to configure a 2-node cluster with non-default
>>>>> credentials. Here's what I've been doing so far based on my understanding
>>>>> of the documentation. The platform is RHEL 7:
>>>>>
>>>>> 1. Use an RPM I found with Datastax to perform a basic cassandra
>>>>>    installation.
>>>>> 2. Change the temporary directory in cassandra-env.sh, because
>>>>>    nobody is allowed to execute anything in /tmp.
>>>>> 3. In cassandra.yaml,
>>>>>    - change the cluster_name
>>>>>    - empty the listen_address entry
>>>>>    - define both VMs as seeds
>>>>> 4. Open port 7000 in the firewall.
>>>>> 5. Start cassandra.
>>>>> 6. In the cassandra.yaml, change to PasswordAuthenticator.
>>>>> 7. Run cqlsh -u cassandra -p cassandra -e "ALTER KEYSPACE
>>>>>    system_auth WITH REPLICATION = { 'class' : 'SimpleStrategy',
>>>>>    'replication_factor' : 2 };"
>>>>> 8. Restart cassandra
>>>>> 9. Perform 1-8 on the second node
>>>>> 10. To create a new user, run cqlsh -u cassandra -p cassandra
>>>>>    -e "CREATE USER ${CASSANDRA_USERNAME} WITH PASSWORD
>>>>>    '${CASSANDRA_PASSWORD}' SUPERUSER;"
>>>>>
>>>>> Step 10 fails with this error:
>>>>>
>>>>> Connection error: ('Unable to connect to any servers', {'127.0.0.1':
>>>>> AuthenticationFailed(u'Failed to authenticate to 127.0.0.1: code=0100
>>>>> [Bad credentials]
>>>>> message="org.apache.cassandra.exceptions.UnavailableException: Cannot
>>>>> achieve consistency level QUORUM"',)})
>>>>>
>>>>> What am I missing?
>>>>>
>>>>> Cheers
>>>>>
>>>>> Raimund
>>>>>
>>>> --
>>>> Regards,
>>>>
>>>> Ryan Svihla
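
The loopback binding described in Riccardo Ferrari's quoted reply above can be checked before Cassandra starts. Added example, not part of the thread: given hosts-file content on stdin, it reports the first address a node's hostname maps to and whether a blank listen_address would therefore bind to loopback. It assumes the resolver consults /etc/hosts first and uses entries in file order; the sample file, the `node1` alias and the 192.0.2.10 address are constructed.

```shell
# Added example, not from the thread. "myhostname" is the placeholder name
# used in the quoted reply; everything else in the sample is constructed.
HOSTS_SAMPLE='127.0.0.1   localhost
127.0.1.1   myhostname   # line added by the installer
192.0.2.10  myhostname node1'

# Prints the first address the hosts file (on stdin) maps NAME to.
# Assumption: lookups use the file and take entries in file order.
first_hosts_address() {
  awk -v name="$1" '
    { sub(/#.*/, "") }                       # drop comments
    { for (i = 2; i <= NF; i++)
        if (tolower($i) == tolower(name)) { print $1; exit } }'
}

# Verdict for a node that leaves listen_address blank and so binds to
# whatever its own hostname resolves to.
blank_listen_address_verdict() {
  addr=$(first_hosts_address "$1")
  case "$addr" in
    "")        echo "unresolved" ;;
    127.*|::1) echo "loopback:$addr" ;;      # other nodes cannot reach this
    *)         echo "ok:$addr" ;;
  esac
}

printf '%s\n' "$HOSTS_SAMPLE" | blank_listen_address_verdict myhostname
```

On a node, `blank_listen_address_verdict "$(hostname)" < /etc/hosts` runs the same check against the real file, and `getent hosts "$(hostname)"` shows what the system resolver itself returns.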
Re: Failure when setting up cassandra in cluster
Hi guys,

Thanks for the responses. I'm running the cqlsh commands directly on one of the nodes, so should that really make a difference?

Anyway, as for Carlos' questions:

- We're using Cassandra 2.2.6.
- nodetool status on first node:

    Datacenter: datacenter1
    ===
    Status=Up/Down
    |/ State=Normal/Leaving/Joining/Moving
    -- Address Load Tokens Owns (effective) Host ID Rack
    UN 127.0.1.1 168.6 KB 256 100.0% 7217530d-1db4-4208-b181-f627546ed386 rack1

- nodetool status on second node:

    Datacenter: datacenter1
    ===
    Status=Up/Down
    |/ State=Normal/Leaving/Joining/Moving
    -- Address Load Tokens Owns (effective) Host ID Rack
    UN 127.0.1.1 128.35 KB 256 100.0% 46917945-6f5d-4f94-b48a-d7cbbd94110f rack1

Cheers
Raimund

2016-08-22 16:23 GMT+01:00 Carlos Rolo :

> If Ryan's answer doesn't help, post Cassandra version. There is a bug with
> cql and some python version that would lead to that error.
>
> Also, please post "nodetool status".
>
> Regards,
>
> Carlos Juzarte Rolo
> Cassandra Consultant / Datastax Certified Architect / Cassandra MVP
>
> Pythian - Love your data
>
> rolo@pythian | Twitter: @cjrolo | Skype: cjr2k3 | Linkedin:
> *linkedin.com/in/carlosjuzarterolo <http://linkedin.com/in/carlosjuzarterolo>*
> Mobile: +351 918 918 100
> www.pythian.com
>
> On Mon, Aug 22, 2016 at 4:08 PM, Ryan Svihla wrote:
>
>> instead of 127.0.0.1 have you tried just passing the IP of one of the
>> nodes?
>>
>> On Mon, Aug 22, 2016 at 9:45 AM Raimund Klein wrote:
>>
>>> Hello all,
>>>
>>> Sorry for reposting this, but I didn't receive any response. Can someone
>>> help please?
>>>
>>> -- Forwarded message --
>>> From: Raimund Klein
>>> Date: 2016-08-15 12:07 GMT+01:00
>>> Subject: Failure when setting up cassandra in cluster
>>> To: user@cassandra.apache.org
>>>
>>> Hi all,
>>>
>>> Sorry if this is a fairly stupid question, but we've all only been
>>> exposed to Cassandra very recently.
>>>
>>> We're trying to configure a 2-node cluster with non-default credentials.
>>> Here's what I've been doing so far based on my understanding of the
>>> documentation. The platform is RHEL 7:
>>>
>>> 1. Use an RPM I found with Datastax to perform a basic cassandra
>>>    installation.
>>> 2. Change the temporary directory in cassandra-env.sh, because
>>>    nobody is allowed to execute anything in /tmp.
>>> 3. In cassandra.yaml,
>>>    - change the cluster_name
>>>    - empty the listen_address entry
>>>    - define both VMs as seeds
>>> 4. Open port 7000 in the firewall.
>>> 5. Start cassandra.
>>> 6. In the cassandra.yaml, change to PasswordAuthenticator.
>>> 7. Run cqlsh -u cassandra -p cassandra -e "ALTER KEYSPACE
>>>    system_auth WITH REPLICATION = { 'class' : 'SimpleStrategy',
>>>    'replication_factor' : 2 };"
>>> 8. Restart cassandra
>>> 9. Perform 1-8 on the second node
>>> 10. To create a new user, run cqlsh -u cassandra -p cassandra
>>>    -e "CREATE USER ${CASSANDRA_USERNAME} WITH PASSWORD
>>>    '${CASSANDRA_PASSWORD}' SUPERUSER;"
>>>
>>> Step 10 fails with this error:
>>>
>>> Connection error: ('Unable to connect to any servers', {'127.0.0.1':
>>> AuthenticationFailed(u'Failed to authenticate to 127.0.0.1: code=0100
>>> [Bad credentials]
>>> message="org.apache.cassandra.exceptions.UnavailableException: Cannot
>>> achieve consistency level QUORUM"',)})
>>>
>>> What am I missing?
>>>
>>> Cheers
>>>
>>> Raimund
>>>
>> --
>> Regards,
>>
>> Ryan Svihla
Fwd: Failure when setting up cassandra in cluster
Hello all,

Sorry for reposting this, but I didn't receive any response. Can someone help please?

-- Forwarded message --
From: Raimund Klein
Date: 2016-08-15 12:07 GMT+01:00
Subject: Failure when setting up cassandra in cluster
To: user@cassandra.apache.org

Hi all,

Sorry if this is a fairly stupid question, but we've all only been exposed to Cassandra very recently.

We're trying to configure a 2-node cluster with non-default credentials. Here's what I've been doing so far based on my understanding of the documentation. The platform is RHEL 7:

1. Use an RPM I found with Datastax to perform a basic cassandra installation.
2. Change the temporary directory in cassandra-env.sh, because nobody is allowed to execute anything in /tmp.
3. In cassandra.yaml,
   - change the cluster_name
   - empty the listen_address entry
   - define both VMs as seeds
4. Open port 7000 in the firewall.
5. Start cassandra.
6. In the cassandra.yaml, change to PasswordAuthenticator.
7. Run cqlsh -u cassandra -p cassandra -e "ALTER KEYSPACE system_auth WITH REPLICATION = { 'class' : 'SimpleStrategy', 'replication_factor' : 2 };"
8. Restart cassandra
9. Perform 1-8 on the second node
10. To create a new user, run cqlsh -u cassandra -p cassandra -e "CREATE USER ${CASSANDRA_USERNAME} WITH PASSWORD '${CASSANDRA_PASSWORD}' SUPERUSER;"

Step 10 fails with this error:

    Connection error: ('Unable to connect to any servers', {'127.0.0.1': AuthenticationFailed(u'Failed to authenticate to 127.0.0.1: code=0100 [Bad credentials] message="org.apache.cassandra.exceptions.UnavailableException: Cannot achieve consistency level QUORUM"',)})

What am I missing?

Cheers
Raimund
Failure when setting up cassandra in cluster
Hi all,

Sorry if this is a fairly stupid question, but we've all only been exposed to Cassandra very recently.

We're trying to configure a 2-node cluster with non-default credentials. Here's what I've been doing so far based on my understanding of the documentation. The platform is RHEL 7:

1. Use an RPM I found with Datastax to perform a basic cassandra installation.
2. Change the temporary directory in cassandra-env.sh, because nobody is allowed to execute anything in /tmp.
3. In cassandra.yaml,
   - change the cluster_name
   - empty the listen_address entry
   - define both VMs as seeds
4. Open port 7000 in the firewall.
5. Start cassandra.
6. In the cassandra.yaml, change to PasswordAuthenticator.
7. Run cqlsh -u cassandra -p cassandra -e "ALTER KEYSPACE system_auth WITH REPLICATION = { 'class' : 'SimpleStrategy', 'replication_factor' : 2 };"
8. Restart cassandra
9. Perform 1-8 on the second node
10. To create a new user, run cqlsh -u cassandra -p cassandra -e "CREATE USER ${CASSANDRA_USERNAME} WITH PASSWORD '${CASSANDRA_PASSWORD}' SUPERUSER;"

Step 10 fails with this error:

    Connection error: ('Unable to connect to any servers', {'127.0.0.1': AuthenticationFailed(u'Failed to authenticate to 127.0.0.1: code=0100 [Bad credentials] message="org.apache.cassandra.exceptions.UnavailableException: Cannot achieve consistency level QUORUM"',)})

What am I missing?

Cheers
Raimund