Add cassandra TLS support (cadence-workflow#2769)

* Consolidate duplicate Cassandra setup and config into a new common/cassandra package
* Add TLS support for Cassandra
* Add TLS flags to cadence-cassandra-tool
* Combine TLS config structs into new common auth.TLS
* Add more TLS options:
   - CaFile
   - EnableHostVerification
   - Remove TLS bundleFile option in favor of caFile option

common/auth/tls.go

@@ -0,0 +1,40 @@
+// Copyright (c) 2017 Uber Technologies, Inc.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+
+package auth
+
+type (
+	// TLS describe TLS configuration (for Kafka, Cassandra)
+	TLS struct {
+		Enabled bool `yaml:"enabled"`
+
+		// CertPath and KeyPath are optional depending on server
+		// config, but both fields must be omitted to avoid using a
+		// client certificate
+		CertFile string `yaml:"certFile"`
+		KeyFile  string `yaml:"keyFile"`
+
+		CaFile string `yaml:"caFile"` //optional depending on server config
+		// If you want to verify the hostname and server cert (like a wildcard for cass cluster) then you should turn this on
+		// This option is basically the inverse of InSecureSkipVerify
+		// See InSecureSkipVerify in http://golang.org/pkg/crypto/tls/ for more info
+		EnableHostVerification bool `yaml:"enableHostVerification"`
+	}
+)

common/cassandra/cassandraCluster.go

@@ -0,0 +1,79 @@
+// Copyright (c) 2017 Uber Technologies, Inc.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+
+package cassandra
+
+import (
+	"strings"
+
+	"github.com/gocql/gocql"
+
+	"github.com/uber/cadence/common/service/config"
+)
+
+// NewCassandraCluster creates a cassandra cluster from a given configuration
+func NewCassandraCluster(cfg config.Cassandra) *gocql.ClusterConfig {
+	hosts := parseHosts(cfg.Hosts)
+	cluster := gocql.NewCluster(hosts...)
+	cluster.ProtoVersion = 4
+	if cfg.Port > 0 {
+		cluster.Port = cfg.Port
+	}
+	if cfg.User != "" && cfg.Password != "" {
+		cluster.Authenticator = gocql.PasswordAuthenticator{
+			Username: cfg.User,
+			Password: cfg.Password,
+		}
+	}
+	if cfg.Keyspace != "" {
+		cluster.Keyspace = cfg.Keyspace
+	}
+	if cfg.Consistency != "" {
+		cluster.Consistency = gocql.ParseConsistency(cfg.Consistency)
+	}
+	if cfg.Datacenter != "" {
+		cluster.HostFilter = gocql.DataCentreHostFilter(cfg.Datacenter)
+	}
+	if cfg.TLS != nil && cfg.TLS.Enabled {
+		cluster.SslOpts = &gocql.SslOptions{
+			CertPath:               cfg.TLS.CertFile,
+			KeyPath:                cfg.TLS.KeyFile,
+			CaPath:                 cfg.TLS.CaFile,
+			EnableHostVerification: cfg.TLS.EnableHostVerification,
+		}
+	}
+	if cfg.MaxConns > 0 {
+		cluster.NumConns = cfg.MaxConns
+	}
+
+	cluster.PoolConfig.HostSelectionPolicy = gocql.TokenAwareHostPolicy(gocql.RoundRobinHostPolicy())
+
+	return cluster
+}
+
+func parseHosts(input string) []string {
+	var hosts = make([]string, 0)
+	for _, h := range strings.Split(input, ",") {
+		if host := strings.TrimSpace(h); len(host) > 0 {
+			hosts = append(hosts, host)
+		}
+	}
+	return hosts
+}

common/messaging/kafkaClient.go

@@ -27,6 +27,8 @@ import (
 	"io/ioutil"
 	"strings"
 
+	"github.com/uber/cadence/common/auth"
+
 	"github.com/Shopify/sarama"
 	uberKafkaClient "github.com/uber-go/kafka-client"
 	uberKafka "github.com/uber-go/kafka-client/kafka"
@@ -173,7 +175,7 @@ func (c *kafkaClient) newProducerHelper(topic string) (Producer, error) {
 }
 
 // CreateTLSConfig return tls config
-func CreateTLSConfig(tlsConfig TLS) (*tls.Config, error) {
+func CreateTLSConfig(tlsConfig auth.TLS) (*tls.Config, error) {
 	if !tlsConfig.Enabled {
 		return nil, nil
 	}
@@ -183,7 +185,7 @@ func CreateTLSConfig(tlsConfig TLS) (*tls.Config, error) {
 		return nil, err
 	}
 	caCertPool := x509.NewCertPool()
-	pemData, err := ioutil.ReadFile(tlsConfig.BundleFile)
+	pemData, err := ioutil.ReadFile(tlsConfig.CaFile)
 	if err != nil {
 		return nil, err
 	}

common/messaging/kafkaConfig.go

@@ -22,26 +22,20 @@ package messaging
 
 import (
 	"fmt"
+
+	"github.com/uber/cadence/common/auth"
 )
 
 type (
 	// KafkaConfig describes the configuration needed to connect to all kafka clusters
 	KafkaConfig struct {
-		TLS            TLS                      `yaml:"tls"`
+		TLS            auth.TLS                 `yaml:"tls"`
 		Clusters       map[string]ClusterConfig `yaml:"clusters"`
 		Topics         map[string]TopicConfig   `yaml:"topics"`
 		ClusterToTopic map[string]TopicList     `yaml:"cadence-cluster-topics"`
 		Applications   map[string]TopicList     `yaml:"applications"`
 	}
 
-	// TLS describe the Kafka TLS configuration
-	TLS struct {
-		Enabled    bool   `yaml:"enabled"`
-		CertFile   string `yaml:"certFile"`
-		KeyFile    string `yaml:"keyFile"`
-		BundleFile string `yaml:"bundleFile"`
-	}
-
 	// ClusterConfig describes the configuration for a single Kafka cluster
 	ClusterConfig struct {
 		Brokers []string `yaml:"brokers"`

common/persistence/cassandra/cassandraHelpers.go

@@ -26,6 +26,8 @@ import (
 	"os"
 	"strings"
 
+	"github.com/uber/cadence/common/auth"
+
 	"github.com/gocql/gocql"
 	log "github.com/sirupsen/logrus"
 
@@ -35,33 +37,6 @@ import (
 
 const cassandraPersistenceName = "cassandra"
 
-// NewCassandraCluster creates a cassandra cluster given comma separated list of clusterHosts
-func NewCassandraCluster(clusterHosts string, port int, user, password, dc string) *gocql.ClusterConfig {
-	var hosts []string
-	for _, h := range strings.Split(clusterHosts, ",") {
-		if host := strings.TrimSpace(h); len(host) > 0 {
-			hosts = append(hosts, host)
-		}
-	}
-
-	cluster := gocql.NewCluster(hosts...)
-	cluster.ProtoVersion = 4
-	if port > 0 {
-		cluster.Port = port
-	}
-	if user != "" && password != "" {
-		cluster.Authenticator = gocql.PasswordAuthenticator{
-			Username: user,
-			Password: password,
-		}
-	}
-	if dc != "" {
-		cluster.HostFilter = gocql.DataCentreHostFilter(dc)
-	}
-	cluster.PoolConfig.HostSelectionPolicy = gocql.TokenAwareHostPolicy(gocql.RoundRobinHostPolicy())
-	return cluster
-}
-
 // CreateCassandraKeyspace creates the keyspace using this session for given replica count
 func CreateCassandraKeyspace(s *gocql.Session, keyspace string, replicas int, overwrite bool) (err error) {
 	// if overwrite flag is set, drop the keyspace and create a new one
@@ -90,9 +65,15 @@ func DropCassandraKeyspace(s *gocql.Session, keyspace string) (err error) {
 	return
 }
 
-// LoadCassandraSchema loads the schema from the given .cql files on this keyspace
-func LoadCassandraSchema(
-	dir string, fileNames []string, hosts []string, port int, keyspace string, override bool,
+// loadCassandraSchema loads the schema from the given .cql files on this keyspace
+func loadCassandraSchema(
+	dir string,
+	fileNames []string,
+	hosts []string,
+	port int,
+	keyspace string,
+	override bool,
+	tls *auth.TLS,
 ) (err error) {
 
 	tmpFile, err := ioutil.TempFile("", "_cadence_")
@@ -120,6 +101,7 @@ func LoadCassandraSchema(
 			Hosts:    strings.Join(hosts, ","),
 			Port:     port,
 			Keyspace: keyspace,
+			TLS:      tls,
 		},
 		SetupConfig: schema.SetupConfig{
 			SchemaFilePath:    tmpFile.Name(),

common/persistence/cassandra/cassandraHistoryPersistence.go

@@ -25,6 +25,8 @@ import (
 	"sort"
 	"time"
 
+	"github.com/uber/cadence/common/cassandra"
+
 	"github.com/gocql/gocql"
 
 	workflow "github.com/uber/cadence/.gen/go/shared"
@@ -78,15 +80,11 @@ func newHistoryV2Persistence(
 	logger log.Logger,
 ) (p.HistoryStore, error) {
 
-	cluster := NewCassandraCluster(cfg.Hosts, cfg.Port, cfg.User, cfg.Password, cfg.Datacenter)
-	cluster.Keyspace = cfg.Keyspace
+	cluster := cassandra.NewCassandraCluster(cfg)
 	cluster.ProtoVersion = cassandraProtoVersion
 	cluster.Consistency = gocql.LocalQuorum
 	cluster.SerialConsistency = gocql.LocalSerial
 	cluster.Timeout = defaultSessionTimeout
-	if cfg.MaxConns > 0 {
-		cluster.NumConns = cfg.MaxConns
-	}
 	session, err := cluster.CreateSession()
 	if err != nil {
 		return nil, err

common/persistence/cassandra/cassandraMetadataPersistenceV2.go

@@ -23,6 +23,8 @@ package cassandra
 import (
 	"fmt"
 
+	"github.com/uber/cadence/common/cassandra"
+
 	"github.com/uber/cadence/common"
 
 	"github.com/gocql/gocql"
@@ -147,8 +149,7 @@ type (
 
 // newMetadataPersistenceV2 is used to create an instance of HistoryManager implementation
 func newMetadataPersistenceV2(cfg config.Cassandra, currentClusterName string, logger log.Logger) (p.MetadataStore, error) {
-	cluster := NewCassandraCluster(cfg.Hosts, cfg.Port, cfg.User, cfg.Password, cfg.Datacenter)
-	cluster.Keyspace = cfg.Keyspace
+	cluster := cassandra.NewCassandraCluster(cfg)
 	cluster.ProtoVersion = cassandraProtoVersion
 	cluster.Consistency = gocql.LocalQuorum
 	cluster.SerialConsistency = gocql.LocalSerial

common/persistence/cassandra/cassandraPersistence.go

@@ -25,6 +25,8 @@ import (
 	"strings"
 	"time"
 
+	"github.com/uber/cadence/common/cassandra"
+
 	"github.com/gocql/gocql"
 
 	workflow "github.com/uber/cadence/.gen/go/shared"
@@ -863,8 +865,7 @@ var _ p.ExecutionStore = (*cassandraPersistence)(nil)
 
 // newShardPersistence is used to create an instance of ShardManager implementation
 func newShardPersistence(cfg config.Cassandra, clusterName string, logger log.Logger) (p.ShardStore, error) {
-	cluster := NewCassandraCluster(cfg.Hosts, cfg.Port, cfg.User, cfg.Password, cfg.Datacenter)
-	cluster.Keyspace = cfg.Keyspace
+	cluster := cassandra.NewCassandraCluster(cfg)
 	cluster.ProtoVersion = cassandraProtoVersion
 	cluster.Consistency = gocql.LocalQuorum
 	cluster.SerialConsistency = gocql.LocalSerial
@@ -893,8 +894,7 @@ func NewWorkflowExecutionPersistence(
 
 // newTaskPersistence is used to create an instance of TaskManager implementation
 func newTaskPersistence(cfg config.Cassandra, logger log.Logger) (p.TaskStore, error) {
-	cluster := NewCassandraCluster(cfg.Hosts, cfg.Port, cfg.User, cfg.Password, cfg.Datacenter)
-	cluster.Keyspace = cfg.Keyspace
+	cluster := cassandra.NewCassandraCluster(cfg)
 	cluster.ProtoVersion = cassandraProtoVersion
 	cluster.Consistency = gocql.LocalQuorum
 	cluster.SerialConsistency = gocql.LocalSerial

common/persistence/cassandra/cassandraPersistenceTest.go

@@ -25,6 +25,8 @@ import (
 	"strings"
 	"time"
 
+	"github.com/uber/cadence/common/cassandra"
+
 	"github.com/gocql/gocql"
 	log "github.com/sirupsen/logrus"
 
@@ -115,7 +117,12 @@ func (s *TestCluster) TearDownTestDatabase() {
 
 // CreateSession from PersistenceTestCluster interface
 func (s *TestCluster) CreateSession() {
-	s.cluster = NewCassandraCluster(s.cfg.Hosts, s.cfg.Port, testUser, testPassword, "")
+	s.cluster = cassandra.NewCassandraCluster(config.Cassandra{
+		Hosts:    s.cfg.Hosts,
+		Port:     s.cfg.Port,
+		User:     testUser,
+		Password: testPassword,
+	})
 	s.cluster.Consistency = gocql.Consistency(1)
 	s.cluster.Keyspace = "system"
 	s.cluster.Timeout = 40 * time.Second
@@ -147,7 +154,7 @@ func (s *TestCluster) DropDatabase() {
 // LoadSchema from PersistenceTestCluster interface
 func (s *TestCluster) LoadSchema(fileNames []string, schemaDir string) {
 	workflowSchemaDir := schemaDir + "/cadence"
-	err := LoadCassandraSchema(workflowSchemaDir, fileNames, s.cluster.Hosts, s.cluster.Port, s.DatabaseName(), true)
+	err := loadCassandraSchema(workflowSchemaDir, fileNames, s.cluster.Hosts, s.cluster.Port, s.DatabaseName(), true, nil)
 	if err != nil && !strings.Contains(err.Error(), "AlreadyExists") {
 		log.Fatal(err)
 	}
@@ -156,7 +163,7 @@ func (s *TestCluster) LoadSchema(fileNames []string, schemaDir string) {
 // LoadVisibilitySchema from PersistenceTestCluster interface
 func (s *TestCluster) LoadVisibilitySchema(fileNames []string, schemaDir string) {
 	workflowSchemaDir := schemaDir + "visibility"
-	err := LoadCassandraSchema(workflowSchemaDir, fileNames, s.cluster.Hosts, s.cluster.Port, s.DatabaseName(), false)
+	err := loadCassandraSchema(workflowSchemaDir, fileNames, s.cluster.Hosts, s.cluster.Port, s.DatabaseName(), false, nil)
 	if err != nil && !strings.Contains(err.Error(), "AlreadyExists") {
 		log.Fatal(err)
 	}

common/persistence/cassandra/cassandraQueue.go

@@ -29,6 +29,7 @@ import (
 	workflow "github.com/uber/cadence/.gen/go/shared"
 	"github.com/uber/cadence/common"
 	"github.com/uber/cadence/common/backoff"
+	"github.com/uber/cadence/common/cassandra"
 	"github.com/uber/cadence/common/log"
 	"github.com/uber/cadence/common/persistence"
 	"github.com/uber/cadence/common/service/config"
@@ -71,8 +72,7 @@ func newQueue(
 	logger log.Logger,
 	queueType common.QueueType,
 ) (persistence.Queue, error) {
-	cluster := NewCassandraCluster(cfg.Hosts, cfg.Port, cfg.User, cfg.Password, cfg.Datacenter)
-	cluster.Keyspace = cfg.Keyspace
+	cluster := cassandra.NewCassandraCluster(cfg)
 	cluster.ProtoVersion = cassandraProtoVersion
 	cluster.Consistency = gocql.LocalQuorum
 	cluster.SerialConsistency = gocql.LocalSerial

common/persistence/cassandra/cassandraVisibilityPersistence.go

@@ -24,6 +24,8 @@ import (
 	"fmt"
 	"time"
 
+	"github.com/uber/cadence/common/cassandra"
+
 	"github.com/gocql/gocql"
 
 	workflow "github.com/uber/cadence/.gen/go/shared"
@@ -144,8 +146,7 @@ type (
 
 // newVisibilityPersistence is used to create an instance of VisibilityManager implementation
 func newVisibilityPersistence(cfg config.Cassandra, logger log.Logger) (p.VisibilityStore, error) {
-	cluster := NewCassandraCluster(cfg.Hosts, cfg.Port, cfg.User, cfg.Password, cfg.Datacenter)
-	cluster.Keyspace = cfg.Keyspace
+	cluster := cassandra.NewCassandraCluster(cfg)
 	cluster.ProtoVersion = cassandraProtoVersion
 	cluster.Consistency = gocql.LocalQuorum
 	cluster.SerialConsistency = gocql.LocalSerial