Merge pull request #1 from KillrVideo/support_for_ssl
Support for ssl
SonicDMG authored Aug 23, 2018
2 parents 52f6d33 + 0030545 commit fcb1df6
Showing 3 changed files with 54 additions and 12 deletions.
3 changes: 1 addition & 2 deletions Dockerfile
@@ -1,4 +1,4 @@
FROM datastax/dse-server:6.0.0
FROM datastax/dse-server:6.0.2

# Copy schema files into /opt/killrvideo-data
COPY [ "lib/killrvideo-data/graph/killrvideo_video_recommendations_schema.groovy", "lib/killrvideo-data/schema.cql", "lib/killrvideo-data/search/*", "keyspace.cql", "/opt/killrvideo-data/" ]
Expand All @@ -14,4 +14,3 @@ RUN set -x \

# Set the entrypoint to the bootstrap script
ENTRYPOINT [ "/bootstrap.sh" ]

61 changes: 52 additions & 9 deletions bootstrap.sh
Expand Up @@ -9,6 +9,13 @@ if [ ! -f killrvideo_bootstrapped ]; then
# Default addresses to use for DSE cluster if starting in Docker
dse_ip='dse'
dse_external_ip=$KILLRVIDEO_DOCKER_IP
dse_enable_ssl='false'

# Create cql_options variable to consolidate multiple options into one
# variable for easier reading
cql_options=''
# Use space variable to concatenate options
space=' '

# If an external cluster address is provided, use that
if [ ! -z "$KILLRVIDEO_DSE_EXTERNAL_IP" ]; then
Expand All @@ -17,10 +24,39 @@ if [ ! -f killrvideo_bootstrapped ]; then
fi
echo "=> Setting up KillrVideo via DSE node at: $dse_ip"

# If a request timeout is available use that. This is useful
# in cases where a longer timeout is needed for cqlsh operations
if [ ! -z "$KILLRVIDEO_DSE_REQUEST_TIMEOUT" ]; then
dse_request_timeout="--request-timeout=$KILLRVIDEO_DSE_REQUEST_TIMEOUT --connect-timeout=$KILLRVIDEO_DSE_REQUEST_TIMEOUT"
cql_options="$dse_request_timeout"

echo "=> Request timeout set at: $dse_request_timeout"
fi

# If SSL is enabled, then provide SSL info
if [ "$KILLRVIDEO_ENABLE_SSL" = 'true' ]; then
dse_enable_ssl='true'

# The reference to this file is provided via a volume enabled
# on the dse-config container within docker-compose.yaml
# in the killrvideo-docker-common repo
dse_ssl_certfile='/opt/killrvideo-data/cassandra.cert'
dse_ssl='--ssl'
cql_options="$cql_options$space$dse_ssl"

# These 2 environment variables are needed for cqlsh to
# properly handle SSL
export SSL_CERTFILE=$dse_ssl_certfile
export SSL_VALIDATE=true

echo "=> SSL encryption is ENABLED with CERT FILE: $dse_ssl_certfile"
fi

# Wait for port 9042 (CQL) to be ready for up to 240 seconds
echo '=> Waiting for DSE to become available'
/wait-for-it.sh -t 300 $dse_ip:9042
echo '=> DSE is available'
echo "=> If any exist, cql_options are: $cql_options"

# Default privileges
admin_user='cassandra'
Expand All @@ -31,9 +67,9 @@ if [ ! -f killrvideo_bootstrapped ]; then
# If requested, create a new superuser to replace the default superuser
if [ "$KILLRVIDEO_CREATE_ADMIN_USER" = 'true' ]; then
echo "=> Creating new superuser $KILLRVIDEO_ADMIN_USERNAME"
cqlsh $dse_ip 9042 -u $admin_user -p $admin_password -e "CREATE ROLE $KILLRVIDEO_ADMIN_USERNAME with SUPERUSER = true and LOGIN = true and PASSWORD = '$KILLRVIDEO_ADMIN_PASSWORD'"
cqlsh $dse_ip 9042 -u $admin_user -p $admin_password $cql_options -e "CREATE ROLE $KILLRVIDEO_ADMIN_USERNAME with SUPERUSER = true and LOGIN = true and PASSWORD = '$KILLRVIDEO_ADMIN_PASSWORD'"
# Login as new superuser to delete default superuser (cassandra)
cqlsh $dse_ip 9042 -u $KILLRVIDEO_ADMIN_USERNAME -p $KILLRVIDEO_ADMIN_PASSWORD -e "DROP ROLE $admin_user"
cqlsh $dse_ip 9042 -u $KILLRVIDEO_ADMIN_USERNAME -p $KILLRVIDEO_ADMIN_PASSWORD $cql_options -e "DROP ROLE $admin_user"
fi

# Use new admin credentials for future actions
Expand All @@ -46,10 +82,10 @@ if [ ! -f killrvideo_bootstrapped ]; then
if [ "$KILLRVIDEO_CREATE_DSE_USER" = 'true' ]; then
# Create user and grant permission to create keyspaces (generator and web will need)
echo "=> Creating user $KILLRVIDEO_DSE_USERNAME and granting keyspace creation permissions"
cqlsh $dse_ip 9042 -u $admin_user -p $admin_password -e "CREATE ROLE $KILLRVIDEO_DSE_USERNAME with LOGIN = true and PASSWORD = '$KILLRVIDEO_DSE_PASSWORD'"
cqlsh $dse_ip 9042 -u $admin_user -p $admin_password $cql_options -e "CREATE ROLE $KILLRVIDEO_DSE_USERNAME with LOGIN = true and PASSWORD = '$KILLRVIDEO_DSE_PASSWORD'"
echo '=> Granting keyspace creation permissions'
cqlsh $dse_ip 9042 -u $admin_user -p $admin_password -e "GRANT CREATE on ALL KEYSPACES to $KILLRVIDEO_DSE_USERNAME"
cqlsh $dse_ip 9042 -u $admin_user -p $admin_password -e "GRANT ALL PERMISSIONS on ALL SEARCH INDICES to $KILLRVIDEO_DSE_USERNAME"
cqlsh $dse_ip 9042 -u $admin_user -p $admin_password $cql_options -e "GRANT CREATE on ALL KEYSPACES to $KILLRVIDEO_DSE_USERNAME"
cqlsh $dse_ip 9042 -u $admin_user -p $admin_password $cql_options -e "GRANT ALL PERMISSIONS on ALL SEARCH INDICES to $KILLRVIDEO_DSE_USERNAME"
fi

# Use the provided username/password for subsequent non-admin operations
Expand All @@ -65,17 +101,24 @@ if [ ! -f killrvideo_bootstrapped ]; then
# TODO: check for valid replication format? https://stackoverflow.com/questions/21112707/check-if-a-string-matches-a-regex-in-bash-script
sed -i "s/{.*}/$KILLRVIDEO_CASSANDRA_REPLICATION/;" $keyspace_file
fi
cqlsh $dse_ip 9042 -f $keyspace_file -u $dse_user -p $dse_password
cqlsh $dse_ip 9042 -f $keyspace_file -u $dse_user -p $dse_password $cql_options

# TODO: Complete nodesync section once documentation is available
# Once we create the keyspace enable nodesync
# Commenting this out for now until we can get the correct
# documentation needed for using nodesync over SSL
#echo '=> Enabling NodeSync for KillrVideo keyspace'
#/opt/dse/resources/cassandra/bin/nodesync -cu $dse_user -cp $dse_password -h $dse_ip --cql-ssl enable -v -k killrvideo "*"

# Create the schema if necessary
echo '=> Ensuring schema is created'
cqlsh $dse_ip 9042 -f /opt/killrvideo-data/schema.cql -k killrvideo -u $dse_user -p $dse_password
cqlsh $dse_ip 9042 -f /opt/killrvideo-data/schema.cql -k killrvideo -u $dse_user -p $dse_password $cql_options

# Create DSE Search core if necessary
echo '=> Ensuring DSE Search is configured'
# TODO: temp workaround - if search index already exists, ALTER statements will cause non-zero exit
set +e
cqlsh $dse_ip 9042 -f /opt/killrvideo-data/videos_search.cql -k killrvideo -u $dse_user -p $dse_password
cqlsh $dse_ip 9042 -f /opt/killrvideo-data/videos_search.cql -k killrvideo -u $dse_user -p $dse_password $cql_options
# TODO: remove workaround
set -e

Expand All @@ -87,7 +130,7 @@ if [ ! -f killrvideo_bootstrapped ]; then
# Update the gremlin-console remote.yaml file to set the remote hosts, username, and password
# This is required because the "dse gremlin-console" command does not accept username/password via command line
echo '=> Setting up remote.yaml for gremlin-console'
sed -i "s/.*hosts:.*/hosts: [$dse_ip]/;s/.*username:.*/username: $dse_user/;s/.*password:.*/password: $dse_password/;" /opt/dse/resources/graph/gremlin-console/conf/remote.yaml
sed -i "s/.*hosts:.*/hosts: [$dse_ip]/;s/.*username:.*/username: $dse_user/;s/.*password:.*/password: $dse_password/;s|enableSsl:.*|enableSsl: $dse_enable_ssl, trustCertChainFile: $dse_ssl_certfile,|;" /opt/dse/resources/graph/gremlin-console/conf/remote.yaml

# Create the graph if necessary
echo '=> Ensuring graph is created'
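Review bot: The new sed expression in the gremlin-console hunk expands `$dse_ssl_certfile`, but that variable is only assigned inside the `KILLRVIDEO_ENABLE_SSL = 'true'` branch earlier in the file, so on the default (non-SSL) path remote.yaml is rewritten to `enableSsl: false, trustCertChainFile: ,` with an empty value, and the reference would also fail if the script ever runs under `set -u`. A cleaner shape is to assemble the whole fragment where the decision is made: default `dse_gremlin_ssl='enableSsl: false,'` next to `dse_enable_ssl='false'`, set `dse_gremlin_ssl="enableSsl: true, trustCertChainFile: $dse_ssl_certfile,"` inside the SSL branch, and have the sed use `s|enableSsl:.*|$dse_gremlin_ssl|;`. This also keeps the `dse_enable_ssl` variable from being needed only as a string to splice into YAML. The substitution presumably relies on remote.yaml shipping a single `enableSsl:` key on its own line; a one-line comment stating that assumption next to the sed would help the next maintainer. The enclosing `if [ ! -f killrvideo_bootstrapped ]` block starts and ends outside this hunk.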
2 changes: 1 addition & 1 deletion build/VERSION
@@ -1 +1 @@
DOCKER_BUILD_TAG=1.2.2
DOCKER_BUILD_TAG=2.1.0
