To keep Scylla connections secure, the database is accessed through portals; specifically, SSL and SSH portals. The SSL portals are ideal for general use and use Let's Encrypt backed certificates for validation where needed. Most applications and the cqlsh command will use the SSL portals. The SSH portal comes into use for administration tools such as nodetool.
If you wish to use a particular tool, you can go directly to its dedicated page:
If you want to use a particular language, you can go directly to its dedicated page:
In the Compose Console for a Scylla deployment, on the Overview page, you will find the Connection Info pane. This includes all the known formulations of connection information that a user may need.
At the top is the Credentials control. This holds the password for the "scylla" user for the database. Clicking Show will reveal the password and also insert it into all the following connection information.
The Connection Strings panel contains three HTTPS endpoints – the Compose portals – to which applications can connect. Each endpoint has a one-to-one mapping to a Scylla node. This information can be used to connect a simple application to one of the Scylla nodes, which will then transparently interact with the other nodes. For applications which need to discover and connect to all the Scylla nodes, see the Address Translation Map below.
The Cqlsh Command Line panel contains three cqlsh commands, one for each of the three Compose portals. Full details on obtaining cqlsh and configuring it are available in Scylla and cqlsh.
The displayed commands include required flags (--cqlversion). If the command is preceded by setting the environment variable SSL_VALIDATE=false, then no further configuration is needed.
When an application requires high-availability from the Scylla cluster, it can auto-discover the nodes in the cluster so it can maintain a connection with all of them. But, where the cluster is behind a portal, firewall or some other IP address obscuring mechanism, that autodiscovery can have problems. This is where the Address Translation Map comes in. It has the details on how to convert from an "internal" address to an "external" address. Consult the Address Translation Maps section for examples of how applications can consume these maps.
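The translation step described above, as an added example that is not Compose's or Scylla's own code. It assumes the map is available as a JSON object of "internal host:port" to "external host:port" strings; that format, the class name and the sample addresses are assumptions constructed for illustration.

```python
import json
from typing import Dict, Iterable, List, Tuple

Endpoint = Tuple[str, int]

# Constructed sample map: internal node address -> external portal address.
# Hostnames and ports are placeholders, not values from a real deployment.
SAMPLE_MAP_JSON = """{
  "10.0.0.1:9042": "portal1.example.com:15001",
  "10.0.0.2:9042": "portal2.example.com:15002",
  "10.0.0.3:9042": "portal3.example.com:15003"
}"""


def parse_endpoint(text: str) -> Endpoint:
    """Split 'host:port' into (host, port), rejecting malformed entries."""
    host, sep, port = text.strip().rpartition(":")
    if not sep or not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"malformed endpoint: {text!r}")
    return host, int(port)


class AddressTranslationMap:  # hypothetical helper, not a driver class
    def __init__(self, raw_json: str):
        self._map: Dict[Endpoint, Endpoint] = {}
        for internal, external in json.loads(raw_json).items():
            self._map[parse_endpoint(internal)] = parse_endpoint(external)
        # Each portal fronts exactly one node, so two internal addresses
        # resolving to the same portal indicates a broken or altered map.
        if len(set(self._map.values())) != len(self._map):
            raise ValueError("map is not one-to-one")

    def translate(self, host: str, port: int) -> Endpoint:
        """Return the external endpoint; fail closed on unknown nodes."""
        try:
            return self._map[(host, port)]
        except KeyError:
            raise LookupError(f"no portal for {host}:{port}") from None

    def translate_peers(self, peers: Iterable[Endpoint]) -> List[Endpoint]:
        """Translate discovered peers, dropping any the map does not cover."""
        out = []
        for host, port in peers:
            try:
                out.append(self.translate(host, port))
            except LookupError:
                continue  # never fall back to dialing the internal address
        return out
```

Returning the portal hostname rather than an IP address lets the client validate the portal's certificate against the name it actually dials.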
While most commands and applications that work with Scylla are happy enough to use the SSL connections, some need a more tunneled approach as they don't know about encryption. One of these commands is nodetool, used for administering Scylla clusters. For commands like that, the SSH Portal is configured by default. The Socks Proxy Configuration is a command that you can then run locally or on a trusted host to create a connection through the SSH portal. The command must be run by a user who is registered, with their public SSH key, in the Users view.
With the Socks Proxy configured, it is then possible to run nodetool. In the Nodetool Administration panel, there are three nodetool commands which are configured so they will use the previously mentioned Socks Proxy to connect to Scylla. nodetool can connect to any node, so each command reflects connecting to a different node. For details on how to obtain and configure nodetool and what the command supports, see Scylla and nodetool.