Encrypting communication between Cassandra nodes and clients
I set up encryption of the communication between a Cassandra node and its client; this is my memo of the steps.
Environment
- Vagrant 1.7.4
- Ubuntu 14.04.3 LTS x 2
- Cassandra 2.1.12
# -*- mode: ruby -*-
# vi: set ft=ruby :
VAGRANTFILE_API_VERSION = "2"
Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
  config.vm.box = "ubuntu/trusty64"

  # Client machine: 192.168.12.10
  config.vm.define "client" do |client|
    client.vm.hostname = "client"
    client.vm.network "private_network", ip: "192.168.12.10"
    client.vm.provision "shell", inline: <<-SHELL
      echo "127.0.0.1 localhost" > /etc/hosts
      echo "192.168.12.10 client" >> /etc/hosts
      echo "192.168.12.11 node" >> /etc/hosts
    SHELL
  end

  # Cassandra node: 192.168.12.11
  config.vm.define "node" do |node|
    node.vm.hostname = "node"
    node.vm.network "private_network", ip: "192.168.12.11"
    node.vm.provision "shell", inline: <<-SHELL
      echo "127.0.0.1 localhost" > /etc/hosts
      echo "192.168.12.10 client" >> /etc/hosts
      echo "192.168.12.11 node" >> /etc/hosts
    SHELL
  end
end
Installing Cassandra (node and client)
Cassandra has to be installed on both machines, node and client, following the same steps described in the article.
$ vagrant ssh node
vagrant@node:~$ sudo add-apt-repository -y ppa:openjdk-r/ppa
vagrant@node:~$ sudo apt-get update
vagrant@node:~$ sudo apt-get install -y openjdk-8-jdk
vagrant@node:~$ echo 'JAVA_HOME="/usr/lib/jvm/java-8-openjdk-amd64"' | sudo tee -a /etc/environment
vagrant@node:~$ source /etc/environment
vagrant@node:~$ echo 'deb http://www.apache.org/dist/cassandra/debian 21x main' | sudo tee -a /etc/apt/sources.list.d/cassandra.list
vagrant@node:~$ echo 'deb-src http://www.apache.org/dist/cassandra/debian 21x main' | sudo tee -a /etc/apt/sources.list.d/cassandra.list
vagrant@node:~$ sudo apt-get update
vagrant@node:~$ gpg --keyserver pgp.mit.edu --recv-keys 749D6EEC0353B12C
vagrant@node:~$ gpg --export --armor 749D6EEC0353B12C | sudo apt-key add -
vagrant@node:~$ sudo apt-get update
vagrant@node:~$ sudo apt-get install -y cassandra
Preparing the certificate and key (node only)
Prepare the certificate and key used for the encrypted connection. Log in to the node server and run the following commands.
vagrant@node:~$ cd /etc/cassandra/
vagrant@node:/etc/cassandra$ sudo mkdir conf
vagrant@node:/etc/cassandra$ cd conf
vagrant@node:/etc/cassandra/conf$ sudo keytool -genkey -keyalg RSA -alias node -keystore .keystore -dname "CN=Testuser, OU=Private, O=Company, C=JP" -storepass cassandra -keypass cassandra
vagrant@node:/etc/cassandra/conf$ sudo keytool -export -alias node -file /tmp/node.cer -keystore .keystore -storepass cassandra -keypass cassandra
vagrant@node:/etc/cassandra/conf$ sudo keytool -import -v -trustcacerts -alias node -file /tmp/node.cer -keystore .truststore -storepass cassandra -keypass cassandra
vagrant@node:/etc/cassandra/conf$ sudo keytool -importkeystore -srckeystore .keystore -destkeystore client.p12 -deststoretype PKCS12
vagrant@node:/etc/cassandra/conf$ sudo openssl pkcs12 -in client.p12 -out /tmp/client.pem -nodes
vagrant@node:/etc/cassandra/conf$ scp /tmp/client.pem client:/home/vagrant/
Cassandra configuration (node only)
Once the installation is done, configure the node.
vagrant@node:~$ sudo chmod 750 /var/run/cassandra
vagrant@node:~$ sudo sed -i 's/CMD_PATT=.*/CMD_PATT="cassandra"/' /etc/init.d/cassandra
vagrant@node:~$ sudo sed -i 's/^#HEAP_NEWSIZE=.*/HEAP_NEWSIZE="40M"/' /etc/cassandra/cassandra-env.sh && grep HEAP_NEWSIZE /etc/cassandra/cassandra-env.sh
vagrant@node:~$ sudo sed -i 's/^#MAX_HEAP_SIZE=.*/MAX_HEAP_SIZE="100M"/' /etc/cassandra/cassandra-env.sh && grep MAX_HEAP_SIZE /etc/cassandra/cassandra-env.sh
vagrant@node:~$ sudo sed -i 's/127.0.0.1/192.168.12.11/' /etc/cassandra/cassandra.yaml
vagrant@node:~$ sudo sed -i 's/localhost/192.168.12.11/' /etc/cassandra/cassandra.yaml
Change client_encryption_options as follows.
# sudo vi /etc/cassandra/cassandra.yaml
client_encryption_options:
    enabled: true
    keystore: /etc/cassandra/conf/.keystore
    keystore_password: cassandra
    require_client_auth: false
    truststore: /etc/cassandra/conf/.truststore
    truststore_password: cassandra
If you also want user authentication, update authenticator and authorizer as below; this step is optional.
# sudo vi /etc/cassandra/cassandra.yaml
authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer
Verifying that it works
Start Cassandra on the node.
vagrant@node:~$ sudo service cassandra start
Confirm that you can log in from the client.
vagrant@client:~$ SSL_CERTFILE=client.pem cqlsh node -ucassandra -pcassandra --ssl
Connected to Test Cluster at node:9042.
[cqlsh 5.0.1 | Cassandra 2.1.13 | CQL spec 3.2.1 | Native protocol v3]
Use HELP for help.
cassandra@cqlsh>
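Besides logging in with cqlsh, it is worth checking from the client what the node actually presents on port 9042. The script below is an added example (not part of the original memo): it opens a TLS connection with the same trust settings cqlsh --ssl uses (verify the certificate against client.pem, no hostname check), and summarises the certificate. It assumes client.pem is in the current directory and that the hostname node resolves; note that the keytool dname above uses CN=Testuser, so hostname_matches will be False for this setup, which is why a client that enforces hostname checking would reject the node.

```python
import socket
import ssl


def make_context(cafile=None):
    """TLS client context mirroring cqlsh --ssl with SSL_CERTFILE:
    the server certificate must be in cafile, but the hostname is not
    checked (the certificate generated above has CN=Testuser, not 'node')."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cafile:
        ctx.load_verify_locations(cafile)
    return ctx


def summarize_peer_cert(cert, expected_host):
    """Reduce the dict returned by SSLSocket.getpeercert() to the facts an
    operator wants: subject/issuer CN, self-signed or not, expiry, and
    whether a hostname-checking client would accept it for expected_host."""
    def rdn_value(name, key):
        for rdn in name:
            for k, v in rdn:
                if k == key:
                    return v
        return None

    subject_cn = rdn_value(cert.get("subject", ()), "commonName")
    issuer_cn = rdn_value(cert.get("issuer", ()), "commonName")
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return {
        "subject_cn": subject_cn,
        "issuer_cn": issuer_cn,
        "self_signed": cert.get("subject") == cert.get("issuer"),
        "not_after": cert.get("notAfter"),
        # SANs take precedence; CN is only consulted when no SAN is present.
        "hostname_matches": expected_host in sans or (not sans and subject_cn == expected_host),
    }


def probe_tls(host, port=9042, cafile="client.pem"):
    """Connect to the node's native-protocol port over TLS and return the
    negotiated protocol version plus the certificate summary. A certificate
    that is not in cafile raises ssl.SSLCertVerificationError."""
    ctx = make_context(cafile)
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), summarize_peer_cert(tls.getpeercert(), host)


if __name__ == "__main__":
    print(probe_tls("node"))
```

Run it on the client with `python3 probe.py`; a handshake failure here means the node is serving a certificate that client.pem does not trust, or client encryption is not enabled on the node.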