docs/pages/enroll-resources/database-access/enrollment/self-hosted/cassandra-self-hosted.mdx
(!docs/pages/includes/database-access/self-hosted-introduction.mdx dbType="Cassandra or ScyllaDB"!)
(!docs/pages/includes/database-access/how-it-works/mtls.mdx db="Cassandra or ScyllaDB"!)
<Tabs> <TabItem scope={["oss", "enterprise"]} label="Self-Hosted">  </TabItem> <TabItem scope={["cloud"]} label="Teleport Enterprise Cloud">  </TabItem> </Tabs>

(!docs/pages/includes/edition-prereqs-tabs.mdx!)

- `cqlsh` Cassandra client installed and added to your system's `PATH` environment variable.

(!docs/pages/includes/tctl-token.mdx serviceName="Database" tokenType="db" tokenFile="/tmp/token"!)

Install and configure Teleport where you will run the Teleport Database Service:
<Tabs>
<TabItem label="Linux Server">

(!docs/pages/includes/install-linux.mdx!)

(!docs/pages/includes/database-access/self-hosted-config-start.mdx dbName="cassandra" dbProtocol="cassandra" databaseAddress="cassandra.example.com:9042" !)

</TabItem>
<TabItem label="Kubernetes Cluster">

Teleport provides Helm charts for installing the Teleport Database Service in Kubernetes Clusters.

(!docs/pages/includes/kubernetes-access/helm/helm-repo-add.mdx!)

(!docs/pages/includes/database-access/self-hosted-db-helm-install.mdx dbName="cassandra" dbProtocol="cassandra" databaseAddress="cassandra.example.com:9042" !)

</TabItem>
</Tabs>

(!docs/pages/includes/database-access/multiple-instances-tip.mdx !)
(!docs/pages/includes/database-access/create-user.mdx!)
(!docs/pages/includes/database-access/tctl-auth-sign.mdx!)
Follow the instructions below to generate TLS credentials for your database.
When connecting to Cassandra, sign the certificate for the hostname over which Teleport will be connecting to it:
```code
$ tctl auth sign --format=cassandra --host=cassandra.example.com --out=server --ttl=2190h
```
(!docs/pages/includes/database-access/ttl-note.mdx!)
The command will create two files:
- `server.keystore` with generated private key and user certificate in JKS format.
- `server.truststore` with Teleport's certificate authority in JKS format.

If you want to use an existing certificate authority to sign certificates
for Cassandra, rather than the Teleport database client CA, discard
`server.keystore` and use a keystore generated by your existing CA instead.
(!docs/pages/includes/database-access/tctl-auth-sign-3-files.mdx dbname="Scylla" format="scylla" !)
Follow the instructions for your database to enable TLS communication with your Teleport cluster:
<Tabs>
<TabItem label="Cassandra">

To configure Cassandra to accept TLS connections, add the following to your
Cassandra configuration file, `cassandra.yaml`:

```conf
client_encryption_options:
  enabled: true
  optional: false
  keystore: /path/to/server.keystore
  keystore_password: "password"
  require_client_auth: true
  truststore: /path/to/server.truststore
  truststore_password: "password"
  protocol: TLS
  algorithm: SunX509
  store_type: JKS
  cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]
```

In the configuration above, replace `"password"` with the value generated in the
previous step by the `tctl auth sign` command.

Restart the Cassandra instance to enable this configuration.

</TabItem>
<TabItem label="Scylla">

To configure Scylla to accept TLS connections, add the following to your
Scylla configuration file, `scylla.yaml`:

```conf
client_encryption_options:
  enabled: true
  certificate: /path/to/server.crt
  keyfile: /path/to/server.key
  truststore: /path/to/server.cas
  require_client_auth: True
```

Restart the Scylla instance to enable this configuration.

</TabItem>
</Tabs>

Once the Database Service has joined the cluster, log in to see the available databases:
<Tabs>
<TabItem scope={["oss", "enterprise"]} label="Self-Hosted">

```code
$ tsh login --proxy=teleport.example.com --user=alice
$ tsh db ls
# Name      Description       Allowed Users Labels  Connect
# --------- ----------------- ------------- ------- -------
# cassandra Cassandra Example [*]           env=dev
```

</TabItem>
<TabItem scope={["cloud"]} label="Teleport Enterprise Cloud">

```code
$ tsh login --proxy=mytenant.teleport.sh --user=alice
$ tsh db ls
# Name      Description       Allowed Users Labels  Connect
# --------- ----------------- ------------- ------- -------
# cassandra Cassandra Example [*]           env=dev
```

</TabItem>
</Tabs>

To connect to a particular database instance:

```code
$ tsh db connect --db-user=cassandra cassandra
# Password:
# Connected to Test Cluster at localhost:49594
# [cqlsh 6.0.0 | Cassandra 4.0.5 | CQL spec 3.4.5 | Native protocol v5]
# Use HELP for help.
# cassandra@cqlsh>
```

To log out of the database and remove credentials:
```code
# Remove credentials for a particular database instance.
$ tsh db logout cassandra
# Remove credentials for all database instances.
$ tsh db logout
```

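Once the procedure above is complete, it is worth confirming that the `client_encryption_options` block actually enforces mutual TLS, since a database that still accepts plaintext or unauthenticated clients can be reached without going through Teleport. The following check is an added example, not part of Teleport or of this guide's original text; the `read_block` and `audit` helpers and the sample file contents are assumptions made for illustration, and the parser only handles the flat key/value layout shown in this guide.

```python
import re

# Constructed sample: the Cassandra block from this guide with two deliberate
# mistakes (optional: true, require_client_auth: false) and the placeholder password.
SAMPLE = """\
cluster_name: 'Test Cluster'
client_encryption_options:
  enabled: true
  optional: true
  keystore: /path/to/server.keystore
  keystore_password: "password"
  require_client_auth: false
  truststore: /path/to/server.truststore
  truststore_password: "password"
native_transport_port: 9042
"""

def read_block(text, section="client_encryption_options"):
    """Return the key/value pairs indented under `section:` (flat YAML only)."""
    opts, inside = {}, False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():  # a top-level key opens or closes the block
            inside = line.split("#")[0].strip() == section + ":"
            continue
        m = re.match(r"\s+([A-Za-z_]+):\s*(.*)$", line)
        if inside and m:
            opts[m.group(1)] = m.group(2).strip().strip("\"'")
    return opts

def audit(text):
    """List settings that would let a client connect without mutual TLS."""
    opts = read_block(text)
    is_true = lambda key: opts.get(key, "false").lower() == "true"
    findings = []
    if not is_true("enabled"):
        findings.append("enabled is not true: client connections are not encrypted")
    if is_true("optional"):
        findings.append("optional is true: unencrypted connections are still accepted")
    if not is_true("require_client_auth"):
        findings.append("require_client_auth is not true: client certificates are not checked")
    for key in ("keystore_password", "truststore_password"):
        if opts.get(key) == "password":
            findings.append(f"{key} is still the placeholder value")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FAIL:", finding)
```

The same check accepts the Scylla block from this guide, because it compares `True` case-insensitively and only flags `optional` when it is present and true.
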
(!docs/pages/includes/database-access/guides-next-steps.mdx!)