Connect to Cassandra with dynamic, rotating credentials from Spring vault


I'm working on a project that uses Spring Data Cassandra (for simplicity, “SDC” from now on) and we have been working on the integration with Spring Vault so we can generate dynamic credentials and rotate them. We are receiving the new credentials from Vault, but at that point we were expecting to find in the SDC API a way to update the credentials to connect to the database, but we saw it is not possible (on the other hand, we don’t know if other Spring Data projects offer that functionality).

We took a look at how SDC uses the DataStax Java driver. A CqlSession object is created at startup and it contains the credentials, but they cannot be modified. So we came up with a solution composed of the following steps.

  1. Update CassandraProperties with the new user and password
  2. Create a new CqlSession object that uses the new credentials.
  3. Update the CqlTemplate and ReactiveCqlTemplate session factories with the new session, so new operations to the database will use the new credentials.
  4. Close the old session, so no new requests are accepted and the ones being executed are allowed to complete.

I think this functionality seems something that could be offered by SDC, instead of being implemented by the user. Updating connection credentials is quite a common operation.

So specific questions:

  • Is there any plan to include a similar feature ("update credentials") in future versions of SDC? Or is this a feature that fits better under the scope of the DataStax Java client?
  • Has anyone faced this problem before?

Erick Ramirez On

If you were using an application.conf to configure authentication, you can change the credentials in the file at runtime since the Java driver supports hot-reloading. The new credentials will be used for new connections when the configuration is reloaded.

See the Cassandra Java driver Configuration page for details.

Alternatively, try setting the credentials programmatically. For example, if you have the session object defined as:

CqlSession session = ... ;

you can set the credentials directly with:

session = CqlSession.builder().withAuthCredentials(username, password).build();

For details, see the Cassandra Java driver Authentication page. Cheers!
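
The session swap described in the question (steps 2 to 4), combined with the builder call from the answer, could look like the following. This is an added example, not code from the question, the answer, Spring Data Cassandra or the driver; the class name `RotatingSessionFactory` and the `rotate` method are hypothetical, and contact points, datacenter and keyspace are assumed to come from the driver configuration.

```java
import com.datastax.oss.driver.api.core.CqlSession;
import org.springframework.data.cassandra.SessionFactory;

import java.util.concurrent.atomic.AtomicReference;

/**
 * Hypothetical helper: a SessionFactory whose underlying CqlSession can be
 * replaced when Vault issues new credentials.
 */
public class RotatingSessionFactory implements SessionFactory {

    private final AtomicReference<CqlSession> current = new AtomicReference<>();

    public RotatingSessionFactory(String username, String password) {
        current.set(connect(username, password));
    }

    @Override
    public CqlSession getSession() {
        // Templates ask for the session on each operation, so they see the swap.
        return current.get();
    }

    /** Call from the Vault credential-rotation callback with the new secret. */
    public void rotate(String username, String password) {
        // Build and authenticate first: if this throws, the old session stays in use.
        CqlSession fresh = connect(username, password);
        CqlSession old = current.getAndSet(fresh);
        // Orderly shutdown: no new requests are accepted, in-flight ones complete.
        old.closeAsync().whenComplete((ignored, error) -> {
            if (error != null) {
                // Report the failure only; never log the username or password.
                System.err.println("Old Cassandra session failed to close: " + error);
            }
        });
    }

    private static CqlSession connect(String username, String password) {
        // Assumption: everything except the credentials comes from
        // application.conf or the driver defaults.
        return CqlSession.builder()
                .withAuthCredentials(username, password)
                .build();
    }
}
```

Rotate before the old Vault lease expires, so the old session is still authenticated while its in-flight requests drain. A caller that fetched the old session just before the swap may have its request rejected once the close begins and should retry on the current session.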