feat scylla: SSL, secdist and speculative execution

Author: gearonixx

samples/scylla_service/main.cpp

@@ -5,6 +5,8 @@
 #include <userver/storages/scylla/component.hpp>
 #include <userver/storages/scylla/operations.hpp>
 #include <userver/storages/scylla/session.hpp>
+#include <userver/storages/secdist/component.hpp>
+#include <userver/storages/secdist/provider_component.hpp>
 #include <userver/utest/using_namespace_userver.hpp>
 #include <userver/utils/daemon_run.hpp>
 
@@ -17,7 +19,7 @@ class InsertHandler final : public server::handlers::HttpHandlerBase {
 
     InsertHandler(const components::ComponentConfig& config, const components::ComponentContext& context)
         : HttpHandlerBase(config, context),
-          session_(context.FindComponent<components::Scylla>("scylla-example").GetSession()) {}
+          session_(context.FindComponent<components::Scylla>("scylla-dbconnection").GetSession()) {}
 
     std::string HandleRequest(server::http::HttpRequest&, server::request::RequestContext&) const override {
         auto table = session_->GetTable("basic");
@@ -44,7 +46,7 @@ class SelectHandler final : public server::handlers::HttpHandlerBase {
 
     SelectHandler(const components::ComponentConfig& config, const components::ComponentContext& context)
         : HttpHandlerBase(config, context),
-          session_(context.FindComponent<components::Scylla>("scylla-example").GetSession()) {}
+          session_(context.FindComponent<components::Scylla>("scylla-secdist").GetSession()) {}
 
     std::string HandleRequest(server::http::HttpRequest&, server::request::RequestContext&) const override {
         auto table = session_->GetTable("basic");
@@ -83,7 +85,10 @@ int main(int argc, char* argv[]) {
     const auto component_list =
         components::MinimalServerComponentList()
             .Append<clients::dns::Component>()
-            .Append<components::Scylla>("scylla-example")
+            .Append<components::Secdist>()
+            .Append<components::DefaultSecdistProvider>()
+            .Append<components::Scylla>("scylla-dbconnection")
+            .Append<components::Scylla>("scylla-secdist")
             .Append<samples::scylladb::InsertHandler>()
             .Append<samples::scylladb::SelectHandler>();
     return utils::DaemonMain(argc, argv, component_list);

samples/scylla_service/static_config.yaml

@@ -30,13 +30,14 @@ components_manager:
                     level: debug
                     overflow_behavior: discard
 
-        scylla-example:
-            dbconnection: scylladb
+        # Option 1: direct connection string (no secdist needed)
+        scylla-dbconnection:
+            dbconnection: 127.0.0.1
             consistency: local_quorum
             serial_consistency: local_serial
             request_timeout: 10s
             pool_size: 16
-            app_name: scylla_app_name_4
+            app_name: scylla_sample
             shard_awareness: true
             retry_policy: default
             speculative_execution:
@@ -45,3 +46,23 @@ components_manager:
                 delay: 100ms
             default_keyspace: examples
 
+        # Option 2: hosts resolved via secdist
+        scylla-secdist:
+            dbalias: scylla_example
+            consistency: local_quorum
+            serial_consistency: local_serial
+            request_timeout: 10s
+            pool_size: 16
+            app_name: scylla_sample
+            shard_awareness: true
+            retry_policy: default
+            speculative_execution:
+                enabled: false
+                max_attempts: 2
+                delay: 100ms
+            default_keyspace: examples
+
+        secdist:
+            provider: default-secdist-provider
+        default-secdist-provider:
+            config: /etc/scylla_service/secdist.json

scylla/include/userver/storages/scylla/component.hpp

@@ -2,6 +2,7 @@
 
 #include <userver/components/component_base.hpp>
 #include <userver/storages/secdist/secdist.hpp>
+#include <userver/utils/statistics/entry.hpp>
 
 #include <string>
 
@@ -26,6 +27,8 @@ class Scylla : public ComponentBase {
     std::string dbalias_;
     storages::scylla::SessionPtr session_;
 
+
+    utils::statistics::Entry statistics_entry_;
     concurrent::AsyncEventSubscriberScope secdist_subscriber_;
 };
 

scylla/include/userver/storages/scylla/session.hpp

@@ -1,6 +1,7 @@
 #pragma once
 
 #include <memory>
+#include <optional>
 #include <string>
 #include <vector>
 
@@ -56,9 +57,8 @@ class Session {
         const std::string& hosts,
         const SessionConfig& session_config,
         dynamic_config::Source config_source,
-        // ??
-        // const std::string& contact_points,
-        clients::dns::Resolver* dns_resolver
+        clients::dns::Resolver* dns_resolver,
+        std::optional<SslSecrets> ssl_secrets = std::nullopt
     );
 
     friend void DumpMetric(utils::statistics::Writer& writer, const Session& session);

scylla/include/userver/storages/scylla/session_config.hpp

@@ -3,6 +3,7 @@
 #include <chrono>
 #include <optional>
 #include <string>
+#include <vector>
 
 #include <userver/yaml_config/yaml_config.hpp>
 
@@ -26,15 +27,13 @@ enum class Consistency : uint16_t {
 enum class SerialConsistency : uint16_t { kSerial = 0x0008, kLocalSerial = 0x0009 };
 
 struct SessionSettings final {
-    static constexpr std::size_t kDefaultInitialSize = 16;
-    static constexpr std::size_t kDefaultMaxSize = 128;
-    static constexpr std::size_t kDefaultIdleLimit = 64;
-    static constexpr std::size_t kDefaultConnectingLimit = 8;
+    /// Number of I/O threads in the CassSession (handles async I/O)
+    static constexpr std::size_t kDefaultNumThreadsIo = 1;
+    /// Per-host core (minimum) connections kept alive
+    static constexpr std::size_t kDefaultCoreConnectionsPerHost = 1;
 
-    size_t initial_size = kDefaultInitialSize;
-    size_t max_size = kDefaultMaxSize;
-    size_t idle_limit = kDefaultIdleLimit;
-    size_t establishing_limit = kDefaultConnectingLimit;
+    size_t num_threads_io = kDefaultNumThreadsIo;
+    size_t core_connections_per_host = kDefaultCoreConnectionsPerHost;
 
     void Validate(const std::string& session_id) const;
 };
@@ -57,18 +56,21 @@ struct SessionConfig final {
 
     enum class LoadBalancingPolicy {
         kRoundRobin,
-        kTokenAwareRoundRobin,
-        kDcAwareRoundRobin,
+        kDcAware,
     };
-    LoadBalancingPolicy load_balancing_policy = LoadBalancingPolicy::kTokenAwareRoundRobin;
+    LoadBalancingPolicy load_balancing_policy = LoadBalancingPolicy::kDcAware;
     std::string preferred_datacenter;
 
+    /// Token-aware routing: sends queries directly to the replica that owns
+    /// the partition key. In ScyllaDB, this also enables shard-aware routing
+    // (sends to the exact CPU shard within the node).
+    /// Sits on top of the base load balancing policy.
+    bool token_aware_routing = true;
+
     SessionSettings dynamic_settings;
 
     void Validate(const std::string& session_id) const;
 
-    bool shard_awareness = true;
-
     enum class RetryPolicyType {
         kDefault,
         kFallthrough,
@@ -85,9 +87,32 @@ struct SessionConfig final {
     std::string default_keyspace;
 
     std::string app_name = kDefaultAppName;
+
+    struct SslSettings {
+        bool enabled = false;
+
+        enum class VerifyMode {
+            kNone,
+            kPeerCert,
+            kPeerIdentity,
+            kPeerIdentityDns,
+        };
+        VerifyMode verify = VerifyMode::kPeerCert;
+    };
+    SslSettings ssl;
 };
 
 SessionConfig Parse(const yaml_config::YamlConfig& config, formats::parse::To<SessionConfig>);
+
+/// TLS certificate material from secdist. Kept alongside SessionConfig
+/// because the two are consumed together when building a CassCluster.
+struct SslSecrets {
+    std::vector<std::string> trusted_certs;
+    std::optional<std::string> client_cert;
+    std::optional<std::string> client_key;
+    std::string client_key_password;
+};
+
 }  // namespace storages::scylla
 
 USERVER_NAMESPACE_END

scylla/src/storages/scylla/component.cpp

@@ -1,26 +1,24 @@
-#include <iostream>
-
 #include <userver/storages/scylla/component.hpp>
 
+#include <boost/algorithm/string/predicate.hpp>
+
+#include <userver/clients/dns/resolver_utils.hpp>
 #include <userver/components/component.hpp>
-#include <userver/storages/scylla/exception.hpp>
+#include <userver/components/statistics_storage.hpp>
 #include <userver/dynamic_config/storage/component.hpp>
+#include <userver/storages/scylla/exception.hpp>
+#include <userver/storages/scylla/session.hpp>
+#include <userver/storages/scylla/session_config.hpp>
 #include <userver/yaml_config/merge_schemas.hpp>
 
+#include <storages/scylla/scylla_secdist.hpp>
+
+#include <userver/storages/secdist/component.hpp>
+
 #ifndef ARCADIA_ROOT
 #include "generated/src/storages/scylla/component.yaml.hpp"  // Y_IGNORE
 #endif
 
-#include "userver/storages/secdist/component.hpp"
-
-#include <boost/algorithm/string/case_conv.hpp>
-#include <boost/algorithm/string/predicate.hpp>
-#include <userver/storages/scylla/session.hpp>
-#include <userver/storages/scylla/session_config.hpp>
-
-#include <userver/clients/dns/resolver_utils.hpp>
-#include <userver/components/statistics_storage.hpp>
-
 USERVER_NAMESPACE_BEGIN
 
 namespace components {
@@ -46,10 +44,8 @@ Scylla::Scylla(const ComponentConfig& config, const ComponentContext& context) :
     if (!db_alias.empty()) {
         dbalias_ = db_alias;
         secdist = &context.FindComponent<Secdist>().GetStorage();
-
-        hosts = "???";
+        hosts = storages::scylla::secdist::GetSecdistHosts(*secdist, dbalias_);
     } else {
-        // TODO: rename to hosts
         hosts = config["dbconnection"].As<std::string>();
     }
 
@@ -63,28 +59,46 @@ Scylla::Scylla(const ComponentConfig& config, const ComponentContext& context) :
     const auto dynamic_config = context.FindComponent<DynamicConfig>().GetSource();
     const auto session_config = ParseSessionConfig(config);
 
-    session_ = std::make_shared<
-        storages::scylla::Session>(config.Name(), hosts, session_config, dynamic_config, dns_resolver);
-
-    const auto& statistics_storage = context.FindComponent<components::StatisticsStorage>();
+    session_ = std::make_shared<storages::scylla::Session>(
+        config.Name(), hosts, session_config, dynamic_config, dns_resolver);
 
-    auto component_name = config.Name();
+    if (!dbalias_.empty()) {
+        secdist_subscriber_ = secdist->UpdateAndListen(this, dbalias_, &Scylla::OnSecdistUpdate);
+    }
 
-    const bool has_name_after_prefix = component_name.size() > kStandardScyllaPrefix.size();
-    const bool has_scylla_prefix = boost::algorithm::starts_with(component_name, kStandardScyllaPrefix);
+    auto& statistics_storage = context.FindComponent<components::StatisticsStorage>();
 
-    if (has_scylla_prefix && has_name_after_prefix) {
-        component_name = component_name.substr(kStandardScyllaPrefix.size());
+    auto section_name = config.Name();
+    if (boost::algorithm::starts_with(section_name, kStandardScyllaPrefix) &&
+        section_name.size() != kStandardScyllaPrefix.size()) {
+        section_name = section_name.substr(kStandardScyllaPrefix.size());
     }
-};
+
+    statistics_entry_ = statistics_storage.GetStorage().RegisterWriter(
+        "scylla",
+        [this](utils::statistics::Writer& writer) {
+            UASSERT(session_);
+            DumpMetric(writer, *session_);
+        },
+        {{"scylla_database", std::move(section_name)}}
+    );
+}
 
 storages::scylla::SessionPtr Scylla::GetSession() const { return session_; }
 
 yaml_config::Schema Scylla::GetStaticConfigSchema() {
     return yaml_config::MergeSchemasFromResource<ComponentBase>("src/storages/scylla/component.yaml");
 }
 
-Scylla::~Scylla() = default;
+void Scylla::OnSecdistUpdate(const storages::secdist::SecdistConfig& config) {
+    auto hosts = storages::scylla::secdist::GetSecdistHosts(config, dbalias_);
+    session_->SetContactPoints(hosts);
+}
+
+Scylla::~Scylla() {
+    statistics_entry_.Unregister();
+    secdist_subscriber_.Unsubscribe();
+}
 }  // namespace components
 
 USERVER_NAMESPACE_END

scylla/src/storages/scylla/component.yaml

@@ -90,6 +90,24 @@ properties:
     type: string
     description: Default keyspace for queries. If empty, table names must be fully qualified (e.g. keyspace.table).
     default: ''
+  ssl:
+    type: object
+    description: TLS/SSL settings
+    additionalProperties: false
+    properties:
+      enabled:
+        type: boolean
+        description: enable TLS for cluster connections
+        default: false
+      verify:
+        type: string
+        description: certificate verification mode
+        default: peer_cert
+        enum:
+          - none
+          - peer_cert
+          - peer_identity
+          - peer_identity_dns
   dns_resolver:
     type: string
     description: server hostname resolver type