CASSSIDECAR-407 Pluggable withCredentials provider for file access

conf/sidecar.yaml

@@ -325,8 +325,11 @@ access_control:
 driver_parameters:
   contact_points:
     - "127.0.0.1:9042"
-  username: cassandra
-  password: cassandra
+  auth_provider:
+    class_name: org.apache.cassandra.sidecar.cluster.auth.ConfigProvider
+    parameters:
+      username: cassandra
+      password: cassandra
   ssl:
     enabled:  false
     keystore:

docs/src/user.adoc

@@ -99,8 +99,16 @@ driver_parameters:
   contact_points:
     - "<host from cassandra_instances>:<port from cassandra_instances>"
     - "<host of additional cassandra instances in your cluster>:<port of instance>"
-  username: <A user which has been configured on the local Cassandra cluster>
-  password: <Password associated with the above user>
+  auth_provider:
+    class_name: org.apache.cassandra.sidecar.cluster.auth.ConfigProvider
+    parameters:
+      username: <A user configured on the local Cassandra cluster>
+      password: <Password associated with the above user>
+    # Alternative option is to read username and password from a file
+    # class_name: org.apache.cassandra.sidecar.cluster.auth.FileProvider
+    # parameters:
+    #   username_path: <Path to file containing Cassandra username>
+    #   password_path: <Path to file containing Cassandra password>
   ssl:
     enabled: <true if you have enabled encryption for CQL, false if otherwise>
     keystore:
@@ -338,8 +346,9 @@ This section of the `sidecar.yaml` file configures how requests are authenticate
 The `driver_parameters` section of the `sidecar.yaml` file is used to configure the Cassandra driver used by Cassandra Sidecar to connect to Cassandra over CQL. The following properties are defined:
 
 * `contact_points`: This is a list of IP Addresses or hostnames and ports of the Cassandra instances that Cassandra Sidecar can use to bootstrap its connection to the Cassandra cluster.
-* `username`: This is the username used to authenticate with the Cassandra cluster.
-* `password`: This is the password used to authenticate with the Cassandra cluster.
+* `auth_provider`: Provider entry used to resolve driver authentication details. Implementation choices are `org.apache.cassandra.sidecar.cluster.auth.FileProvider` and `org.apache.cassandra.sidecar.cluster.auth.ConfigProvider`. If both `auth_provider` and `username`/`password` are configured, Sidecar uses `auth_provider` and uses `username`/`password` as fallback when no provider is configured.
+* `username`: This is the username used to authenticate with the Cassandra cluster. This is a legacy fallback and is deprecated in favor of `auth_provider` with `ConfigProvider`.
+* `password`: This is the password used to authenticate with the Cassandra cluster. This is a legacy fallback and is deprecated in favor of `auth_provider` with `ConfigProvider`.
 * `ssl`: This defines how the Cassandra driver can connect to Cassandra over SSL. See the above <<ssl, SSL/TLS Configuration>> section for more information.
 * `num_connections`: This defines the number of connections that the Cassandra driver will open to each Cassandra instance. By default, 2.
 * `local_dc`: This configures the local data center of the Cassandra driver. Ensure that this is the same value as the data center of the Cassandra nodes which this Cassandra Sidecar manages.

integration-tests/src/integrationTest/resources/config/sidecar.yaml.template

@@ -267,8 +267,17 @@ access_control:
 driver_parameters:
   contact_points:
     - "127.0.0.1:9042"
-  username: cassandra
-  password: cassandra
+  auth_provider:
+  # Authentication information, implementing org.apache.cassandra.sidecar.cluster.auth.CqlAuthProvider;
+  # used to provide username/password to connect to the Cassandra cluster.
+  #   class_name: org.apache.cassandra.sidecar.cluster.auth.FileProvider
+  #   parameters:
+  #     username_path: /opt/sidecar/superuser/username
+  #     password_path: /opt/sidecar/superuser/password
+    class_name: org.apache.cassandra.sidecar.cluster.auth.ConfigProvider
+    parameters:
+      username: cassandra
+      password: cassandra
   ssl:
     enabled:  false
     keystore:

server/src/main/java/org/apache/cassandra/sidecar/cluster/CQLSessionProviderImpl.java

@@ -27,7 +27,9 @@
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
+import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.TimeoutException;
@@ -51,6 +53,8 @@
 import com.datastax.driver.core.policies.ReconnectionPolicy;
 import io.netty.handler.ssl.SslContext;
 import io.netty.handler.ssl.SslContextBuilder;
+import org.apache.cassandra.sidecar.cluster.auth.ConfigProvider;
+import org.apache.cassandra.sidecar.cluster.auth.CqlAuthProvider;
 import org.apache.cassandra.sidecar.cluster.driver.SidecarLoadBalancingPolicy;
 import org.apache.cassandra.sidecar.common.server.CQLSessionProvider;
 import org.apache.cassandra.sidecar.common.server.utils.DriverUtils;
@@ -80,8 +84,7 @@ public class CQLSessionProviderImpl implements CQLSessionProvider
     private final NettyOptions nettyOptions;
     private final ReconnectionPolicy reconnectionPolicy;
     private final List<InetSocketAddress> localInstances;
-    private final String username;
-    private final String password;
+    private final CqlAuthProvider authProvider;
     private final DriverUtils driverUtils;
     private volatile Session session;
 
@@ -119,8 +122,10 @@ public CQLSessionProviderImpl(List<InetSocketAddress> contactPoints,
         this.localInstances = localInstances;
         this.localDc = localDc;
         this.numAdditionalConnections = numAdditionalConnections;
-        this.username = username;
-        this.password = password;
+        Map<String, String> namedParameters = new HashMap<>();
+        namedParameters.put("username", username);
+        namedParameters.put("password", password);
+        this.authProvider = new ConfigProvider(namedParameters);
         this.sslConfiguration = sslConfiguration;
         this.nettyOptions = options;
         this.reconnectionPolicy = new ExponentialReconnectionPolicy(500, healthCheckFrequencyMillis);
@@ -129,6 +134,7 @@ public CQLSessionProviderImpl(List<InetSocketAddress> contactPoints,
 
     public CQLSessionProviderImpl(SidecarConfiguration configuration,
                                   NettyOptions options,
+                                  CqlAuthProvider authProvider,
                                   DriverUtils driverUtils)
     {
         this.driverUtils = driverUtils;
@@ -139,11 +145,10 @@ public CQLSessionProviderImpl(SidecarConfiguration configuration,
                                            .map(i -> new InetSocketAddress(i.host(), i.port()))
                                            .collect(Collectors.toList());
         this.localDc = driverConfiguration.localDc();
-        this.username = driverConfiguration.username();
-        this.password = driverConfiguration.password();
         this.sslConfiguration = driverConfiguration.sslConfiguration();
         this.numAdditionalConnections = driverConfiguration.numConnections();
         this.nettyOptions = options;
+        this.authProvider = authProvider;
         long maxDelayMs = configuration.healthCheckConfiguration().executeInterval().toMillis();
         this.reconnectionPolicy = new ExponentialReconnectionPolicy(500, maxDelayMs);
     }
@@ -208,9 +213,14 @@ public synchronized Session get() throws CassandraUnavailableException
                 builder.withSSL(sslOptions);
             }
 
-            if (username != null && password != null)
+            if (authProvider != null)
             {
-                builder.withCredentials(username, password);
+                String username = authProvider.username();
+                String password = authProvider.password();
+                if (username != null && password != null)
+                {
+                    builder.withCredentials(username, password);
+                }
             }
             // During mTLS connections, when client sends in keystore, we should have an AuthProvider passed along.
             // hence we pass empty username and password in PlainTextAuthProvider here, in case user hasn't already

server/src/main/java/org/apache/cassandra/sidecar/cluster/auth/ConfigProvider.java

@@ -0,0 +1,64 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cassandra.sidecar.cluster.auth;
+
+import java.util.Map;
+import java.util.Objects;
+
+import org.apache.cassandra.sidecar.exceptions.ConfigurationException;
+
+/**
+ * Loads CQL username/password directly from auth_provider parameters.
+ */
+public class ConfigProvider implements CqlAuthProvider
+{
+    static final String USERNAME_PARAM = "username";
+    static final String PASSWORD_PARAM = "password";
+
+    private final String username;
+    private final String password;
+
+    public ConfigProvider(Map<String, String> parameters)
+    {
+        Objects.requireNonNull(parameters, "parameters must not be null");
+        this.username = requiredParameter(parameters, USERNAME_PARAM);
+        this.password = requiredParameter(parameters, PASSWORD_PARAM);
+    }
+
+    private static String requiredParameter(Map<String, String> parameters, String key)
+    {
+        if (!parameters.containsKey(key))
+        {
+            throw new ConfigurationException("Missing required auth_provider parameter \"" + key + "\"");
+        }
+        return parameters.get(key);
+    }
+
+  @Override
+  public String username()
+  {
+        return username;
+  }
+
+  @Override
+  public String password()
+  {
+        return password;
+  }
+}

server/src/main/java/org/apache/cassandra/sidecar/cluster/auth/CqlAuthProvider.java

@@ -0,0 +1,35 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cassandra.sidecar.cluster.auth;
+
+/**
+ * Provides authentication details used by Sidecar's internal Cassandra CQL client.
+ */
+public interface CqlAuthProvider
+{
+    /**
+     * @return username for the CQL connection
+     */
+    String username();
+
+    /**
+     * @return password for the CQL connection
+     */
+    String password();
+}

server/src/main/java/org/apache/cassandra/sidecar/cluster/auth/FileProvider.java

@@ -0,0 +1,94 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.cassandra.sidecar.cluster.auth;
+
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.InvalidPathException;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.util.Map;
+import java.util.Objects;
+
+import org.apache.cassandra.sidecar.exceptions.ConfigurationException;
+
+/**
+ * Loads CQL username/password from files.
+ */
+public class FileProvider implements CqlAuthProvider
+{
+    static final String USERNAME_PATH_PARAM = "username_path";
+    static final String PASSWORD_PATH_PARAM = "password_path";
+
+    private final Path usernamePath;
+    private final Path passwordPath;
+
+    public FileProvider(Map<String, String> parameters)
+    {
+        Objects.requireNonNull(parameters, "parameters must not be null");
+        this.usernamePath = resolvePath(parameters, USERNAME_PATH_PARAM);
+        this.passwordPath = resolvePath(parameters, PASSWORD_PATH_PARAM);
+    }
+
+    private static Path resolvePath(Map<String, String> parameters, String key)
+    {
+        if (!parameters.containsKey(key))
+        {
+            throw new ConfigurationException("Missing required auth_provider parameter \"" + key + "\"");
+        }
+
+        try
+        {
+            return Paths.get(parameters.get(key));
+        }
+        catch (InvalidPathException e)
+        {
+            throw new ConfigurationException("Invalid path in auth_provider parameter \"" + key + "\"", e);
+        }
+    }
+
+    private static String readSecret(Path path, String key)
+    {
+        try
+        {
+            String secret = Files.readString(path).trim();
+            if (secret.isEmpty())
+            {
+                throw new ConfigurationException("Empty content in auth_provider file for parameter \"" + key + "\"");
+            }
+            return secret;
+        }
+        catch (IOException e)
+        {
+            throw new ConfigurationException("Unable to read auth_provider file for parameter \"" + key + "\"", e);
+        }
+    }
+
+  @Override
+  public String username()
+  {
+        return readSecret(usernamePath, USERNAME_PATH_PARAM);
+  }
+
+  @Override
+  public String password()
+  {
+        return readSecret(passwordPath, PASSWORD_PATH_PARAM);
+  }
+}

server/src/main/java/org/apache/cassandra/sidecar/config/DriverConfiguration.java

@@ -47,15 +47,26 @@ public interface DriverConfiguration
     String localDc();
 
     /**
+     * @deprecated use {@link #authProvider()} with
+     * {@code org.apache.cassandra.sidecar.cluster.auth.ConfigProvider} instead.
      * @return the username used for connecting to the Cassandra instance
      */
+    @Deprecated
     String username();
 
     /**
+     * @deprecated use {@link #authProvider()} with
+     * {@code org.apache.cassandra.sidecar.cluster.auth.ConfigProvider} instead.
      * @return the password used for connecting to the Cassandra instance
      */
+    @Deprecated
     String password();
 
+    /**
+     * @return Configured authentication provider for CQL connections.
+     */
+    ParameterizedClassConfiguration authProvider();
+
     /**
      * @return Configuration such as keystore, truststore needed for establishing SSL/mTLS connection with
      * Cassandra instance.