add option to configure approved password authenticators in Cassandra

jtlisi · jtlisi · commit 9ab6560fc969 · 2020-02-07T14:17:29.000-05:00
Signed-off-by: Jacob Lisi &lt;jacob.t.lisi@gmail.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,10 +1,8 @@
 # Changelog
 
-## master / unreleased
-
-
 ## 0.6.1 / 2020-02-05
 
+* [ENHANCEMENT] Cassandra Authentication: added the `custom_authenticator` config option that allows users to authenticate with cassandra clusters using password authenticators that are not approved by default in [gocql](https://github.com/gocql/gocql/blob/81b8263d9fe526782a588ef94d3fa5c6148e5d67/conn.go#L27)
 * [BUGFIX] Fixed parsing of the WAL configuration when specified in the YAML config file. #2071
 
 ## 0.6.0 / 2020-01-28
diff --git a/pkg/chunk/cassandra/authenticator.go b/pkg/chunk/cassandra/authenticator.go
@@ -0,0 +1,43 @@
+package cassandra
+
+import (
+	"fmt"
+
+	"github.com/gocql/gocql"
+)
+
+// CustomPasswordAuthenticator provides the default behaviour for Username/Password authentication with
+// Cassandra while allowing users to specify a non-default Authenticator to accept.
+type CustomPasswordAuthenticator struct {
+	ApprovedAuthenticators []string
+	Username               string
+	Password               string
+}
+
+func (p CustomPasswordAuthenticator) approve(authenticator string) bool {
+	for _, s := range p.ApprovedAuthenticators {
+		if authenticator == s {
+			return true
+		}
+	}
+	return false
+}
+
+// Challenge verifies the name of the authenticator and formats the provided username and password
+// into a response
+func (p CustomPasswordAuthenticator) Challenge(req []byte) ([]byte, gocql.Authenticator, error) {
+	if !p.approve(string(req)) {
+		return nil, nil, fmt.Errorf("unexpected authenticator %q", req)
+	}
+	resp := make([]byte, 2+len(p.Username)+len(p.Password))
+	resp[0] = 0
+	copy(resp[1:], p.Username)
+	resp[len(p.Username)+1] = 0
+	copy(resp[2+len(p.Username):], p.Password)
+	return resp, nil, nil
+}
+
+// Success returns nil by default, identical to the default PasswordAuthenticator
+func (p CustomPasswordAuthenticator) Success(data []byte) error {
+	return nil
+}
diff --git a/pkg/chunk/cassandra/storage_client.go b/pkg/chunk/cassandra/storage_client.go
@@ -12,24 +12,26 @@ import (
 
 	"github.com/cortexproject/cortex/pkg/chunk"
 	"github.com/cortexproject/cortex/pkg/chunk/util"
+	"github.com/cortexproject/cortex/pkg/util/flagext"
 )
 
 // Config for a StorageClient
 type Config struct {
-	Addresses                string        `yaml:"addresses,omitempty"`
-	Port                     int           `yaml:"port,omitempty"`
-	Keyspace                 string        `yaml:"keyspace,omitempty"`
-	Consistency              string        `yaml:"consistency,omitempty"`
-	ReplicationFactor        int           `yaml:"replication_factor,omitempty"`
-	DisableInitialHostLookup bool          `yaml:"disable_initial_host_lookup,omitempty"`
-	SSL                      bool          `yaml:"SSL,omitempty"`
-	HostVerification         bool          `yaml:"host_verification,omitempty"`
-	CAPath                   string        `yaml:"CA_path,omitempty"`
-	Auth                     bool          `yaml:"auth,omitempty"`
-	Username                 string        `yaml:"username,omitempty"`
-	Password                 string        `yaml:"password,omitempty"`
-	Timeout                  time.Duration `yaml:"timeout,omitempty"`
-	ConnectTimeout           time.Duration `yaml:"connect_timeout,omitempty"`
+	Addresses                string              `yaml:"addresses,omitempty"`
+	Port                     int                 `yaml:"port,omitempty"`
+	Keyspace                 string              `yaml:"keyspace,omitempty"`
+	Consistency              string              `yaml:"consistency,omitempty"`
+	ReplicationFactor        int                 `yaml:"replication_factor,omitempty"`
+	DisableInitialHostLookup bool                `yaml:"disable_initial_host_lookup,omitempty"`
+	SSL                      bool                `yaml:"SSL,omitempty"`
+	HostVerification         bool                `yaml:"host_verification,omitempty"`
+	CAPath                   string              `yaml:"CA_path,omitempty"`
+	Auth                     bool                `yaml:"auth,omitempty"`
+	Username                 string              `yaml:"username,omitempty"`
+	Password                 string              `yaml:"password,omitempty"`
+	CustomAuthenticators     flagext.StringSlice `yaml:"custom_authenticator"`
+	Timeout                  time.Duration       `yaml:"timeout,omitempty"`
+	ConnectTimeout           time.Duration       `yaml:"connect_timeout,omitempty"`
 }
 
 // RegisterFlags adds the flags required to config this to the given FlagSet
@@ -46,6 +48,7 @@ func (cfg *Config) RegisterFlags(f *flag.FlagSet) {
 	f.BoolVar(&cfg.Auth, "cassandra.auth", false, "Enable password authentication when connecting to cassandra.")
 	f.StringVar(&cfg.Username, "cassandra.username", "", "Username to use when connecting to cassandra.")
 	f.StringVar(&cfg.Password, "cassandra.password", "", "Password to use when connecting to cassandra.")
+	f.Var(&cfg.CustomAuthenticators, "cassandra.custom-authenticator", "If set, when authenticating with cassandra a custom authenticator will be expected during the handshake. This flag can be set multiple times.")
 	f.DurationVar(&cfg.Timeout, "cassandra.timeout", 600*time.Millisecond, "Timeout when connecting to cassandra.")
 	f.DurationVar(&cfg.ConnectTimeout, "cassandra.connect-timeout", 600*time.Millisecond, "Initial connection timeout, used during initial dial to server.")
 }
@@ -84,6 +87,14 @@ func (cfg *Config) setClusterConfig(cluster *gocql.ClusterConfig) {
 		}
 	}
 	if cfg.Auth {
+		if len(cfg.CustomAuthenticators) != 0 {
+			cluster.Authenticator = CustomPasswordAuthenticator{
+				ApprovedAuthenticators: cfg.CustomAuthenticators,
+				Username:               cfg.Username,
+				Password:               cfg.Password,
+			}
+			return
+		}
 		cluster.Authenticator = gocql.PasswordAuthenticator{
 			Username: cfg.Username,
 			Password: cfg.Password,
