Secretless has a Cassandra DB connector

[izgeri]

Objective

Adds a Cassandra DB connector to Secretless, so it can proxy connections to a Cassandra backend.

Feature Overview

Details TBA, but Cassandra apparently ships with the AllowAllAuthenticator on by default and support for a PasswordAuthenticator in the default distribution (see here for more info)

If this connector is interesting for you, please share info about the Cassandra DB versions you're using, the authentication mode your server is configured with, and the client you're using to connect to it.

AC:

• [ ] Secretless can proxy Cassandra PasswordAuthenticator-based auth
• [ ] There are tests for this functionality

Story Breakdown

To be added. Will include handler, tests, documentation, etc.

[jodyhuntatx]

Did a demo today and they were asking about AWS-hosted DBs like Cassandra and RDS instance types.

[izgeri]

@jodyhuntatx we do our XA and performance testing against RDS instances, so we've already tested with PostgreSQL, MySQL, and MSSQL!

[BradleyBoutcher]

Last Friday, I spent some time exploring possible implementations of Cassandra support for Secretless-Broker. This is what I found!

• There exists a third-party driver, GoCQL, that is fairly comprehensive in its implementation of the Cassandra protocols. I forked it here: https://github.com/BradleyBoutcher/gocql
• When exploring this repository, I think we can focus our attention on conn.go and conn_test.go. This module contains a majority of the methods we would need for creating and authenticating a connection.

• The driver has a nice baked-in implementation of SSLOptions you can see below. EnableHostVerification in particular will be helpful, as we had to create a solution for this exact issue ourselves in MsSQL.

  type SslOptions struct {
  *tls.Config
  
  // CertPath and KeyPath are optional depending on server
  // config, but both fields must be omitted to avoid using a
  // client certificate
  CertPath string
  KeyPath  string
  CaPath   string //optional depending on server config
  // If you want to verify the hostname and server cert (like a wildcard for cass cluster) then you should turn this on
  // This option is basically the inverse of InSecureSkipVerify
  // See InSecureSkipVerify in http://golang.org/pkg/crypto/tls/ for more info
  EnableHostVerification bool
  }

Overall, I think this would be something we could reasonably implement.

I made a branch called cassandra-support that can be used if anyone else wants to dig in. The local version of the forked repo sits inside our third_party directory as a submodule, so we can make changes as needed for now.

[izgeri]

Nice find @BradleyBoutcher! I'm glad to see the library you found uses BSD 3-clause, which allows code modifications and distribution. Thanks for looking into this - if you get to the point of getting e2e with an initial version of this, that'd be cool!