thelastpickle / cassandra-reaper

Automated Repair Awesomeness for Apache Cassandra
http://cassandra-reaper.io/
Apache License 2.0
490 stars, 218 forks

LDAP authentication #1243

Open pgloader opened 2 years ago

pgloader commented 2 years ago


Failed to start the cassandra-reaper when including LDAP authentication:

org.apache.shiro.config.ConfigurationException: Unable to load resource path '/var/opt/cassandra-reaper/bin/.shiro.ini'
        at org.apache.shiro.web.env.IniWebEnvironment.convertPathToIni(IniWebEnvironment.java:351)
        at org.apache.shiro.web.env.IniWebEnvironment.createIni(IniWebEnvironment.java:244)
        at org.apache.shiro.web.env.IniWebEnvironment.getSpecifiedIni(IniWebEnvironment.java:185)
        at org.apache.shiro.web.env.IniWebEnvironment.parseConfig(IniWebEnvironment.java:96)
        at org.apache.shiro.web.env.IniWebEnvironment.init(IniWebEnvironment.java:69)
        at org.secnod.dropwizard.shiro.ShiroBundle.createFilter(ShiroBundle.java:60)
        at org.secnod.dropwizard.shiro.ShiroBundle.run(ShiroBundle.java:41)
        at io.cassandrareaper.ReaperApplication$1.run(ReaperApplication.java:139)
        at io.cassandrareaper.ReaperApplication$1.run(ReaperApplication.java:135)
        at io.dropwizard.setup.Bootstrap.run(Bootstrap.java:199)
        at io.dropwizard.cli.EnvironmentCommand.run(EnvironmentCommand.java:58)
        at io.dropwizard.cli.ConfiguredCommand.run(ConfiguredCommand.java:98)
        at io.dropwizard.cli.Cli.run(Cli.java:78)
        at io.dropwizard.Application.run(Application.java:94)
        at io.cassandrareaper.ReaperApplication.main(ReaperApplication.java:105)

$ cat /var/opt/cassandra-reaper/bin/.shiro.ini

ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
ldapRealm.userDnTemplate = uid={0},ou=people,dc=intcx,dc=net
ldapRealm.contextFactory.url = ldap://10.13.100.98:389
;ldapRealm.contextFactory.authenticationMechanism = DIGEST-MD5
;ldapRealm.contextFactory.systemUsername = cn=Manager, dc=example, dc=com
;ldapRealm.contextFactory.systemPassword = secret
;ldapRealm.contextFactory.environment[java.naming.security.credentials] = ldap_password
;


pgloader commented 2 years ago

Does anyone have a working shiro.ini file for LDAP authentication ?

adejanovski commented 1 year ago

@pgloader, could you show how you configured it in the reaper yaml config file? FYI, you shouldn't put ["classpath:...] in case the file is accessible on the local filesystem.

pgloader commented 1 year ago

segmentCountPerNode: 64
repairParallelism: DATACENTER_AWARE
repairIntensity: 0.9
scheduleDaysBetween: 7
repairRunThreadCount: 15
hangingRepairTimeoutMins: 30

#storageType: memory

storageType: cassandra
cassandra:
  clusterName: "TRADING_POC"
  contactPoints: ["10.8.200.136"]
  keyspace: reaper
  authProvider:
    type: plainText
    username: cass_admin
    password: xxxxxxxxxxxxxxxx
enableCrossOrigin: true
incrementalRepair: false
blacklistTwcsTables: true
enableDynamicSeedList: true
repairManagerSchedulingIntervalSeconds: 10
activateQueryLogger: false
jmxConnectionTimeoutInSeconds: 5
useAddressTranslator: false
maxParallelRepairs: 2

purgeRecordsAfterInDays: 30

numberOfRunsToKeepPerUnit: 10

# datacenterAvailability has four possible values: ALL | LOCAL | EACH | SIDECAR
# the correct value to use depends on whether jmx ports to C* nodes in remote datacenters are accessible
# If the reaper has access to all node jmx ports, across all datacenters, then configure to ALL.
# If jmx access is only available to nodes in the same datacenter as reaper is running in, then configure to LOCAL.
# If there's a reaper instance running in every datacenter, and it's important that nodes under duress are not involved in repairs,
# then configure to EACH.
# If jmx access is restricted to localhost, then configure to SIDECAR.
#
# The default is ALL
datacenterAvailability: ALL

# any cassandra nodes on 127.0.0.x addresses we presume are ccm nodes
jmxPorts:
  127.0.0.1: 7100
  127.0.0.2: 7200
  127.0.0.3: 7300
  127.0.0.4: 7400
  127.0.0.5: 7500
  127.0.0.6: 7600
  127.0.0.7: 7700
  127.0.0.8: 7800

jmxAuth:
  username: myUsername
  password: myPassword

logging:
  level: INFO
  loggers:
    io.dropwizard: WARN
    org.eclipse.jetty: WARN
  appenders:
    # (appender entries not shown in the original post)

server:
  type: default
  applicationConnectors:
    # (connector entries not shown in the original post)

autoScheduling:
  enabled: true
  initialDelayPeriod: PT15S
  periodBetweenPolls: PT10M
  timeBeforeFirstSchedule: PT5M
  scheduleSpreadPeriod: PT6H
  excludedKeyspaces:
    # (list entries not shown in the original post)

# Uncomment the following to enable dropwizard metrics
# Configure to the reporter of your choice
# Reaper also provides prometheus metrics on the admin port at /prometheusMetrics
#metrics:
#  frequency: 1 minute
#  reporters:

# Uncomment the following to enable encryption and the ability to store jmx credentials in
# the backend data source where SOME_SYSTEM_PROPERTY_KEY is a system property that can be
# used to lookup the shared symmetric key.
# ie: export SOME_SYSTEM_PROPERTY=YOUR_SHARED_SYMMETRIC_KEY
#cryptograph:
#  type: symmetric
#  systemPropertySecret: REAPER_JMX_KEY

# Authentication is enabled by default
accessControl:
  sessionTimeout: PT10M
  shiro:
    iniConfigs: ["file:/var/opt/cassandra-reaper/current/shiro.ini"]

pgloader commented 1 year ago

shiro.ini

[main]
authc = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
authc.loginUrl = /webui/login.html

# Java Web Token authentication for REST endpoints
jwtv = io.cassandrareaper.resources.auth.ShiroJwtVerifyingFilter
rest = io.cassandrareaper.resources.auth.RestPermissionsFilter

# Example LDAP realm, see https://shiro.apache.org/static/1.2.4/apidocs/org/apache/shiro/realm/ldap/JndiLdapContextFactory.html
ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
ldapRealm.userDnTemplate = uid={0},ou=people,dc=intcx,dc=net
ldapRealm.contextFactory.url = ldap://aaa.m4s.intcx.net:389
;ldapRealm.contextFactory.authenticationMechanism = DIGEST-MD5
;ldapRealm.contextFactory.systemUsername = cn=Manager, dc=example, dc=com
;ldapRealm.contextFactory.systemPassword = secret
;ldapRealm.contextFactory.environment[java.naming.security.credentials] = ldap_password

# Disable global filters introduced in Shiro 1.6.0 as they break our redirects.
filterChainResolver.globalFilters = null

[roles]
operator = *
user = *:read

# default authentication is the following hardcoded admin user
[users]
admin = admin, operator
user = user, user

[urls]
# Web UI requires manual authentication and session cookie
/webui/ = authc
/webui = authc
/jwt = authc
/webui/*.html* = authc

# login page and all js and css resources do not require authentication
/webui/login.html = anon
/webui/** = anon
/ping = anon
/login = anon

# REST endpoints require a Java Web Token and use the HttpMethodPermissionFilter for http method level permissions
/cluster/** = noSessionCreation,jwtv,rest[cluster]
/repair_schedule/** = noSessionCreation,jwtv,rest[repair_schedule]
/repair_run/** = noSessionCreation,jwtv,rest[repair_run]
/snapshot/** = noSessionCreation,jwtv,rest[snapshot]
/** = noSessionCreation,jwtv

adejanovski commented 1 year ago

Your config contains: iniConfigs: ["file:/var/opt/cassandra-reaper/current/shiro.ini"]

but the exception mentions: org.apache.shiro.config.ConfigurationException: Unable to load resource path '/var/opt/cassandra-reaper/bin/.shiro.ini'. Any clue why the two paths aren't matching? Did you change the config between attempts to point to a different file?

pgloader commented 1 year ago

I changed to "file:/var/opt/cassandra-reaper/current/shiro.ini" after my initial post but still not working.

Can you share your working shiro.ini file?

askipl commented 1 year ago

Hi. my cassandra-reaper.yaml:

accessControl:
  sessionTimeout: PT10M
  shiro:
    iniConfigs:
    - file:/etc/cassandra-reaper/shiro.ini

Unfortunately, I've found no option to map LDAP realms to any roles etc., so for me LDAP is useless.

pgloader commented 1 year ago

Would you mind showing me your shiro.ini file?

askipl commented 1 year ago

I've just copied it (I think the default file from the jar) and made small changes (I have no production-ready reaper) like passwords, and tested LDAP (it worked, but I was unable to assign roles :( ), so currently without LDAP:

[main]
authc = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
authc.loginUrl = /webui/login.html

jwtv = io.cassandrareaper.resources.auth.ShiroJwtVerifyingFilter
rest = io.cassandrareaper.resources.auth.RestPermissionsFilter

filterChainResolver.globalFilters = null
sha256Matcher = org.apache.shiro.authc.credential.Sha256CredentialsMatcher
iniRealm.credentialsMatcher = $sha256Matcher

[roles]
operator = *
user = *:read

[users]
admin = 71276b71e5db59ff2630506db0e3af7d25c1f41b1c1a5ea565bf6590a6ef3701, operator

[urls]
/webui/ = authc
/webui = authc
/jwt = authc
/webui/*.html* = authc

/webui/login.html = anon
/webui/** = anon
/ping = anon
/login = anon

/cluster/** = noSessionCreation,jwtv,rest[cluster]
/repair_schedule/** = noSessionCreation,jwtv,rest[repair_schedule]
/repair_run/** = noSessionCreation,jwtv,rest[repair_run]
/snapshot/** = noSessionCreation,jwtv,rest[snapshot]
/** = noSessionCreation,jwtv
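The two shiro.ini files posted in this thread only differ in detail, but both depend on two Shiro behaviours that are easy to get wrong: `[urls]` entries are Ant-style patterns evaluated top-down with the first match winning (so `/webui/*.html* = authc` only protects pages when it is listed before `/webui/** = anon`), and the path given in `iniConfigs` needs a `file:`, `classpath:` or `url:` prefix, otherwise `IniWebEnvironment.convertPathToIni` looks it up as a servlet-context resource and fails with the "Unable to load resource path" error from the first post. The checker below is an added example written for this thread, not code from Reaper or Shiro. It re-implements the first-match lookup, flags entries shadowed by an earlier one, and also reports an `ldap://` (unencrypted) context URL, roles with an empty permission string, and `[users]` credentials that cannot work with the configured `Sha256CredentialsMatcher`. `SAMPLE_INI`, the `example.org` names and the `check_ini_ref` helper are constructed for the example; the sample is deliberately mis-ordered so that every check fires.

```python
"""Lint a Shiro ini as Reaper loads it from accessControl.shiro.iniConfigs.

Added example for this thread, not Reaper's or Shiro's own code. It re-creates the
two Shiro behaviours the posted files depend on: [urls] entries are Ant-style
patterns tried top-down, first match wins; and an iniConfigs path needs a
file:/classpath:/url: prefix or Shiro looks it up as a servlet-context resource
("Unable to load resource path"). SAMPLE_INI is constructed and mis-ordered on purpose.
"""
import re
from configparser import ConfigParser

SAMPLE_INI = """\
[main]
authc = org.apache.shiro.web.filter.authc.PassThruAuthenticationFilter
authc.loginUrl = /webui/login.html
jwtv = io.cassandrareaper.resources.auth.ShiroJwtVerifyingFilter
rest = io.cassandrareaper.resources.auth.RestPermissionsFilter
ldapRealm = org.apache.shiro.realm.ldap.JndiLdapRealm
ldapRealm.userDnTemplate = uid={0},ou=people,dc=example,dc=org
ldapRealm.contextFactory.url = ldap://ldap.example.org:389
sha256Matcher = org.apache.shiro.authc.credential.Sha256CredentialsMatcher
iniRealm.credentialsMatcher = $sha256Matcher
[roles]
operator = *
user =
[users]
admin = admin, operator
[urls]
/webui/login.html = anon
/webui/** = anon
/webui/*.html* = authc
/ping = anon
/cluster/** = noSessionCreation,jwtv,rest[cluster]
/** = noSessionCreation,jwtv
"""


def check_ini_ref(ref):
    """Finding for an iniConfigs entry that Shiro would not open as a file."""
    if ref.startswith(("file:", "classpath:", "url:")):
        return None
    return f"iniConfigs entry {ref!r} lacks a file:/classpath:/url: prefix"


def parse_shiro_ini(text):
    """Shiro ini is close enough to INI for ConfigParser; keys stay case-sensitive."""
    cp = ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return {s: list(cp[s].items()) for s in cp.sections()}


def ant_to_regex(pattern):
    """Ant pattern -> regex: ** spans segments, * stays in one, ? is one char."""
    tail = ""
    if pattern.endswith("/**"):          # /a/** also matches the bare /a
        pattern, tail = pattern[:-3], "(?:/.*)?"
    body = "".join({"**": ".*", "*": "[^/]*", "?": "[^/]"}.get(tok, re.escape(tok))
                   for tok in re.findall(r"\*\*|[*?]|[^*?]+", pattern))
    return re.compile("^" + body + tail + "$")


def resolve(urls, path):
    """Filter chain Shiro applies to path: first matching entry, None if none."""
    for pattern, chain in urls:
        if ant_to_regex(pattern).match(path):
            return chain
    return None


def lint(text):
    """Return (kind, message) findings for the ini text."""
    ini = parse_shiro_ini(text)
    main = dict(ini.get("main", []))
    urls = ini.get("urls", [])
    findings = []
    for i, (pattern, chain) in enumerate(urls):
        # a concrete path this entry matches; an earlier match means Shiro never gets here
        probe = pattern.replace("**", "seg/seg").replace("*", "x").replace("?", "x")
        for earlier, _ in urls[:i]:
            if ant_to_regex(earlier).match(probe):
                findings.append(("shadowed", f"{pattern} = {chain} never sees {probe}; "
                                             f"{earlier} matches first"))
                break
    if resolve(urls, "/some/unlisted/path") is None:
        findings.append(("unfiltered", "no /** catch-all: unlisted paths bypass every filter"))
    for role, perms in ini.get("roles", []):
        if not perms.strip():
            findings.append(("empty-role", f"role {role!r} grants no permissions"))
    for key, value in main.items():
        if key.endswith("contextFactory.url") and value.startswith("ldap://"):
            findings.append(("ldap-cleartext",
                             f"{key}: simple binds over ldap:// send passwords in clear, use ldaps://"))
    matcher = "iniRealm.credentialsMatcher" in main
    sha256 = any(v.endswith("Sha256CredentialsMatcher") for v in main.values())
    for user, spec in ini.get("users", []):
        secret = spec.split(",")[0].strip()       # [users] line: name = password, role, ...
        if matcher and sha256 and not re.fullmatch(r"[0-9a-fA-F]{64}", secret):
            findings.append(("bad-hash", f"[users] {user}: not a SHA-256 hex digest, login cannot succeed"))
        elif not matcher:
            findings.append(("plaintext-users", f"[users] {user}: password stored in clear text"))
    return findings
```

Run `lint(SAMPLE_INI)` and the first finding shows why ordering matters: with `/webui/** = anon` listed before `/webui/*.html* = authc`, `resolve(urls, "/webui/index.html")` returns `anon`, so the Reaper UI pages are served without a login; swapping the two lines (the order askipl's file uses) makes the same path resolve to `authc`. `check_ini_ref("/var/opt/cassandra-reaper/bin/.shiro.ini")` reproduces the first post's mistake, while `file:/etc/cassandra-reaper/shiro.ini` passes. The shadow probe is a heuristic (one sample path per pattern), so it proves an entry is at least partly unreachable but cannot prove the reverse.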