I'm trying to control the access to Cassandra database so it can be accessed from specific hosts only (deny the access from not configured hosts ), I have the following configurations in cassandra.yaml file:-
start_rpc: true
rpc_address: 0.0.0.0
broadcast_rpc_address: x.x.x.x
rpc_port:9160
Are these configurations are correct or there is something missing? AND is there another way to access Cassandra from specific hosts?
Not sure which version of Cassandra you are using, but 9160 is for thrift protocol connections. It's been deprecated in Cassandra 3.0, and removed in Cassandra 4.0.
If it were me, I'd be closing that avenue of access by setting start_rpc: false.
All client connection requests should be using the CQL native binary protocol on port 9042 (9142 if client-to-node SSL is used in v4.0+).
control the access to Cassandra database so it can be accessed from specific hosts only
For this, your best option would be to filter with iptables on each node. Here's a resource which details how to do that. Basically, you'll need to ACCEPT connections to/from each IP address, on each node in the cluster:
Allow incoming connections from 192.168.0.1, only on port 9042:
iptables -A INPUT -s 192.168.0.1 --dport 9042 -j ACCEPT
Allow outgoing connections back to 192.168.0.1:
iptables -A OUTPUT -d 192.168.0.1 -j ACCEPT
I want to echo Aaron's comments. Thrift was deprecated and replaced by CQL in 2012. Support for Thrift in the Cassandra tools was dropped in 2014 (CASSANDRA-8358) and the Thrift RPC server was disabled by default since Cassandra 2.2 (CASSANDRA-9319).
Development on Thrift clients also ceased nearly 10 years ago. Nate McCall who is the current Chair of the Cassandra project and author of the Hector client closed it down in 2015 in preference for the Java driver so I wouldn't use Thrift anymore.
Instead of the Thrift server, you should configure the CQL native transport server. These are the properties you should focus on in cassandra.yaml:
listen_address: private_ip
rpc_address: public_ip
native_transport_port: 9042
If your nodes only have a single IP address, you can use it for both listen_address and rpc_address. It isn't really necessary to use broadcast_address unless you have a complicated network topology where nodes can only talk to nodes in a remote DC using public IP addresses, for example with EC2 multi-region deployments.
Your question isn't really about Cassandra but about networking. You need to talk to your network admin to configure the firewalls to only allow connections to port 9042 from the application servers. Cheers!
I want to run two instances of cassandra on a single machine. It runs fine with two loopback addresses 127.0.0.1 and 127.0.0.1 as the listen_address, rpc_address with the same native_port: 9042. But i shall be using the two resultant single-node clusters from a different machine so i need to have the addresses which can be identified by the other machines(loopbacks and localhost out of question) of the network.
Is there a way to achieve this?
You first need to create 2 IP address for your machine. This can be done by
Setting 2 NIC Cards (or)
Assigning multiple IP for a single NIC.
This can be done by assigning static IP (Make sure you provide the proper gateway and subnet so it will be accessible by other machine) and assign IP addresses, below link explains how to assign multiple IP addresses along with the bottlenecks of doing so:
http://www.tomshardware.com/faq/id-1925787/computer-address.html
After you have created 2 IP addresses, start each Cassandra Server with different IP address.
Do a telnet test:
telnet <IP address> <port(9042)>
from any other machine to check your Cassandra server is started with the assigned IP address.
I have built Cassandra server 2.0.3, then run it. It is starting and then stopped with messages:
X:\MyProjects\cassandra\apache-cassandra-2.0.3-src\bin>cassandra.bat >log.txt
java.lang.RuntimeException: Unable to gossip with any seeds
at org.apache.cassandra.gms.Gossiper.doShadowRound(Gossiper.java:1160)
at org.apache.cassandra.service.StorageService.checkForEndpointCollision
(StorageService.java:416)
at org.apache.cassandra.service.StorageService.joinTokenRing(StorageServ
ice.java:608)
at org.apache.cassandra.service.StorageService.initServer(StorageService
.java:576)
at org.apache.cassandra.service.StorageService.initServer(StorageService
.java:475)
at org.apache.cassandra.service.CassandraDaemon.setup(CassandraDaemon.ja
va:346)
at org.apache.cassandra.service.CassandraDaemon.activate(CassandraDaemon
.java:461)
at org.apache.cassandra.service.CassandraDaemon.main(CassandraDaemon.jav
a:504)
What I can change to run it?
I had a similar problem with my cassandra v2.0.4 cluster running a single node.
Check your cassandra.yaml and make sure that your "listen_address" and "seeds" values match, with the exception that the seeds value requires quotes around it.
You might get this problem if your private IP address is different than the public one (like on AWS). For example, the host thinks it's "172.31.0.2" when it's visible as "55.70.33.10".
The solution to this problem is:
listen_address: 172.31.0.2
broadcast_address: 55.70.33.10
in cassandra.yaml
Make sure your cluster_name entry match on all the nodes in the cluster
(you may need to delete your storage if you changed the cluster name)
Verify that all nodes can ping to each other
broadcast_rpc_address and listen_address should be set to local IP
(not localhost or 127.0.0.1)
seeds should point to the IP address of the seed(s)
If you are on AWS and use the Ec2MultiRegionSnitch you will need to set the seeds to the public IP addresses rather than the private IPs.
I had the same problem on Ubuntu 16.04. I'm not sure which of these changes made it work, where XXX.XXX.XXX.XXX is your public facing IP address, below are selections from cassandra.yaml
seed_provider:
# Addresses of hosts that are deemed contact points.
# Cassandra nodes use this list of hosts to find each other and learn
# the topology of the ring. You must change this if you are running
# multiple nodes!
- class_name: org.apache.cassandra.locator.SimpleSeedProvider
parameters:
# seeds is actually a comma-delimited list of addresses.
# Ex: "<ip1>,<ip2>,<ip3>"
- seeds: "XXX.XXX.XXX.XXX"
listen_address: XXX.XXX.XXX.XXX
broadcast_address: XXX.XXX.XXX.XXX
broadcast_rpc_address: XXX.XXX.XXX.XXX
listen_on_broadcast_address: true
start_rpc: true
rpc_address: XXX.XXX.XXX.XXX
I also needed to restart my Virtual Machine for some reason. ¯_(ツ)_/¯
For a quick single node setup on RHEL, I did the following:
Get info about your network interface setup:
# /sbin/ifconfig -a
It will list the interfaces and the ip addresses they are attached to.
Usually it will show an "Ethernet" interface and a "Local Loopback".
Get the associated ip addresses.
Then edit conf/cassandra.yaml:
rpc_address: [Local Loopback address]
broadcast_rpc_address: [Ethernet address]
listen_address: [Local Loopback address]
broadcast_address: [Ethernet address]
listen_on_broadcast_address: true
seed_provider:
- class_name: org.apache.cassandra.locator.SimpleSeedProvider
parameters:
- seeds: "[Ethernet address]"
Then also, open the correct ports on Linux firewall, being 9042, 7000 and 7001. More info about opening ports on Linux here:
http://ask.xmodulo.com/open-port-firewall-centos-rhel.html
in cassandra.yaml, I update the seed from domain name to IP address. and it works.
Happened to me because in my configuration the "intial_token" settings was specified (I think because I just copied to configuration file over from another cluster member). After clearing the data directory, commenting out the setting and restarting the node, it worked fine for me.
I experienced this error today...
I could not find any reason for the error other than timing issues.
I restarted many times and after a while it sticked. It looks like they expect a bi-directional communication on the gossip channel and if it does not happen quickly enough (which looks like a very small amount of time to me) then they drop the line and generate that error.
In my case I just upgraded my software and restarted the computer. So it was clearly not a connection issue between the computers (I have firewalls and SSL, to complicate matters) and the node was connected before... So the one entry I found in that regard from datastax did not apply...
https://support.datastax.com/hc/en-us/articles/209691483-Bootstap-fails-with-Unable-to-gossip-with-any-seeds-yet-new-node-can-connect-to-seed-nodes
I got the same error. There can be more than one solution. Hope my mistake is what you have done.
I had my localhost IP pointing to some domain name (and I did that in order that my Spring boot application's server context is some domain name like www.example.com:8080 instead of localhost:8080, and I had the following entry in my hosts file on Windows system).
127.0.0.1 www.example.com
While my cassandra batch file was looking for localhost which it didn't find. So, I made another entry for localhost too in my hosts file as:
127.0.0.1 localhost
127.0.0.1 www.example.com
After adding it, I opened new command prompt, ran cassandra batch from the cassandra bin directory and it then worked.
Disable the firewall and SELINUX and try again
In our case ssl was enabled, and cassandra.yaml configuration looks fine as per above comments. Then we enabled ssl debugging by by adding below jvm paramter in cassandra-env.sh -Djavax.net.debug=ssl:handshake
After starting the node again we noticed below in cassandra log file
MessagingService-Outgoing-geo2_host/xx.xx.xx.xx, Exception while
waiting for close javax.net.ssl.SSLHandshakeException: Received fatal
alert: certificate_unknown
After further investigating the ssl debug logs we got to know that the certificate was not valid. After fixing this ssl issue node was able to join the cluster.
Thanks to elvingt
His answer just remind me , I need to verify that all node needs to be able to talk to each other.
https://support.datastax.com/hc/en-us/articles/209691483-Bootstap-fails-with-Unable-to-gossip-with-any-seeds-yet-new-node-can-connect-to-seed-nodes
Gossip communications must be bi-directional.
To verify use this commnd, and you need test from BOTH SIDE
nc -vz {your_node_ip} 7000
Then I recollect that I turned on my ubuntu firewall last night. I open it by
sudo ufw allow 7000/tcp
And it is working now
Getting error during startup/bootstrap
Unable to gossip with any seeds
indicates there is some issue with broadcast_address. broadcast_address is responsible for communication with other nodes not with clients.
This address must be set in seed node(mandatory for seed node), If you are using cloud VMs you might have different IPs(public and private) hence its recommended to use your private IPs for broadcast_address this will save your n/w cost as well.
# Address to broadcast to other Cassandra nodes
# Leaving this blank will set it to the same value as listen_address
broadcast_address: 10.11.xx.xxx
In my scenario I was using IBM and once I set broadcast_address in seed nodes issue got resolved.
Please make sure you are starting your seed node first then other node, this order is mandatory.
in cassandra.yaml
changing listen_address value from localhost to domainName solved my issue
I had same issue, I checked port, used tcpdump, netcat to test connections and finally it comes to expired SSL certificates on internode_encryption. I modified internode_encryption to make it 'none', restarted all nodes and it worked.
Before all neighbor nodes were down. And node repair command was failing with:
"Did not get positive replies from all endpoints"
P.S Dont leave internode_encryption as none for a long time, just regenerate certs and enable it back.
I have installed Apache Cassandra on the remote Ubuntu server. How to allow remote access for an Apache Cassandra database? And how to make a connection?
Remote access to Cassandra is via its thrift port (although note that the JMX port can be used to perform some limited operations).
The thrift port is defined in cassandra.yaml by the rpc_port parameter, which defaults to 9160. Your cassandra node should be bound to the IP address of your server's network card - it shouldn't be 127.0.0.1 or localhost which is the loopback interface's IP, binding to this will prevent direct remote access. You configure the bound address with the rpc_address parameter in cassandra.yaml. Setting this to 0.0.0.0 says "listen on all network interfaces" which may or may not be suitable for you.
To make a connection you can use:
The cassandra-cli in the cassandra distribution's bin directory provides simple get / set / list operations and depends on Java
The cqlsh shell which provides CQL access to cassandra, this depends on Python
A higher level interface such as Apollo
For anyone finding this question now, the top answer is out of date.
Apache Cassandra's thrift interface is deprecated and will be removed in Cassandra 4.0. The default client port is now 9042.
As noted by Tyler Hobbs, you will need to ensure that the rpc_address parameter is not set to 127.0.0.1 or localhost (it is localhost by default). If you set it to 0.0.0.0 to listen on all interfaces, you will also need to set broadcast_rpc_address to either the node's public or private IP address (depending on how you plan to connect to Cassandra)
Cassandra-cli is also deprecated and Apollo is no longer active. Use cqlsh in lieu of cassandra-cli and the Java driver in lieu of Apollo.
I do not recommend making the JMX port accessible remotely unless you secure it properly by enabling SSL and strong authentication.
Hope this is helpful.
cassandra 3.11.3
I did the following to get mine working. Changes in cassandra.yaml :
start_rpc: true
rpc_address: 0.0.0.0
broadcast_rpc_address: ***.***.***.***
broadcast_rpc_address is the address of machine where cassandra is installed
seed_provider:
- class_name: ...
- seeds: "127.0.0.1, ***.***.***.***"
In seeds i added/appended the ip address of machine where cassandra was running.
I accessed it from windows using tableplus. In tableplus, I wrote the ip address of the cassandra machine, in the port section I wrote 9042 and used the username and password, which i used for ssh connection.
For anyone using Azure, the issue may be that you need to create a public ip address since the virtual ip points to the cloud service itself and not the virtual machine. You can find more info in this post
I'm trying to set up multi node Cassandra cluster in a local network. I applied the instructions [here]: http://wiki.apache.org/cassandra/MultinodeCluster. I have two nodes. Here are my changes in /etc/cassandra/cassandra.yaml:
First node (ip is "192.168.0.59"):
listen_address: 192.168.0.59
rpc_address: 0.0.0.0
seeds:
- 192.168.0.59
Second node (ip is "192.168.0.5"):
auto_bootstrap: true
listen_address: 192.168.0.5
rpc_address: 0.0.0.0
seeds:
- 192.168.0.59
It seems it's not working. I'm trying to connect Cassandra using Cassandra-Cluster-Admin but it fails even if I don't connect second node. I'm also using noip service. Is my configuration correct or is noip causing the problem? Do I need to do any configuration for ports or something in the modem? My server is Ubuntu 11.10 and Cassandra version is 1.0.5.
//Edit
I've figured out the problem and now I can connect to both nodes. The problem was in cassandra.yaml file I was commenting old configurations (listen_address etc.) and inserting new ones. But when I do that, I can't connect Cassandra. It's very strange. Why is that happening?
//Edit
Problem is not comments. I see that I shouldn't use tab inside cassandra.yaml
Try to change ip address in Cassandra-Cluster-Admin
path: cassandra/include/conf.inc.php
chage:
$CASSANDRA_CLUSTERS = array(array('nodes' => array('your ip address:9160'),
'username' => '',
'password' => ''));
I think it may be a solution to your problem.
No tab should be used in cassandra.yaml