Posted to commits@cassandra.apache.org by "Jason Brown (JIRA)" <ji...@apache.org> on 2012/09/13 00:57:07 UTC

[jira] [Created] (CASSANDRA-4662) Core support for Thrift SSL integration

Jason Brown created CASSANDRA-4662:
--------------------------------------

             Summary: Core support for Thrift SSL integration
                 Key: CASSANDRA-4662
                 URL: https://issues.apache.org/jira/browse/CASSANDRA-4662
             Project: Cassandra
          Issue Type: Sub-task
          Components: Core
            Reporter: Jason Brown
            Assignee: Jason Brown
             Fix For: 1.1.6


Ticket to separate out the changes to yaml and cassandra/thrift code for the thrift SSL integration. 

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Updated] (CASSANDRA-4662) Core support for Thrift SSL integration

Posted by "Jason Brown (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CASSANDRA-4662?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jason Brown updated CASSANDRA-4662:
-----------------------------------

    Attachment: 0001-CASSANDRA-4662.-Core-work-of-adding-thrift-ssl-suppo.patch

CASSANDRA-4662. Core work of adding thrift ssl support. Includes modification to the yaml and associated config classes. Extended EncryptionOptions with client and server subclasses. Added ThriftSSLFactory to act as the centralized source for getting client and server thrift sockets (much like SSLFactory).

                

[jira] [Commented] (CASSANDRA-4662) Core support for Thrift SSL integration

Posted by "Jason Brown (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CASSANDRA-4662?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13458940#comment-13458940 ] 

Jason Brown commented on CASSANDRA-4662:
----------------------------------------

1) The configuration is backward compatible (you can use the traditional names for the rpc_server_type - sync/async/hsha). However, I do like the notion of using the class name for the value (so you can plug in what variant you wish), and, yes, that would best be left for a major rev rather than a point upgrade.
2) ThriftSSLFactory is actually used in a sister ticket, CASSANDRA-4608 :). The work for the full SSL integration got spread around several tickets; parent ticket is CASSANDRA-4239. I put ThriftSSLFactory in o.a.c.security as it seemed parallel to the existing SSLFactory, but I'm flexible on the package.
3) D'oh! I forgot to remove the hard coded value. Let me fix this one.
4) Good question (which I probably should have answered in the yaml itself): thrift only supports blocking SSL sockets, so I assumed it would only work with the sync rpc_server_type. However, I'll double check to see if it can work with hsha.

As for supporting SSL or not, I've made it configurable at the server-side to use it (via the yaml's new client_encryption_options.enabled).

I'll take a look at stress, as well, to test this out.

                

[jira] [Commented] (CASSANDRA-4662) Core support for Thrift SSL integration

Posted by "Vijay (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CASSANDRA-4662?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13458961#comment-13458961 ] 

Vijay commented on CASSANDRA-4662:
----------------------------------

{quote}
1) The configuration is backward compatible (you can use the traditional names for the rpc_server_type - sync/async/hsha).
{quote}
I am talking about the rename of encryption_options to server_encryption_options; I am not sure if we need 2 classes there too :)


{quote}
ThriftSSLFactory is actually used in a sister ticket
{quote}
It is better to merge this effort into the sister ticket then as the sister ticket by itself will not be useful.

{quote}
thrift only supports blocking SSL sockets
{quote}
Take a look at CustomTHsHaServer.
                

[jira] [Commented] (CASSANDRA-4662) Core support for Thrift SSL integration

Posted by "Vijay (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CASSANDRA-4662?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13458869#comment-13458869 ] 

Vijay commented on CASSANDRA-4662:
----------------------------------

1) IMO the changes to the configuration need to be done in the major releases (changes in encryption option name) so folks will notice NEWS.txt; the default is none if they don't read NEWS.txt.
2) ThriftSSLFactory is not called anywhere, am I missing something here? If we decide to use ThriftSSLFactory, it is better served within o.a.c.thrift (not sure if we need a separate class for this though).
3)
{code}
        int clientTimeout = 10000;
{code}
Should be RPC Timeout, if you look at the thrift source it is client SoTimeout... 
Traditionally we don't set SoTimeout in the server for the client connections (you might want to follow the same, because the other parts of Cassandra will time out just after the socket timeout and the client will not receive the Operation timeout).
4)
{code}
# this client encryption will only apply if you set rpc_server_type = sync.
{code}
Why?

The other concern I have is that we either support SSL or not, which is kind of hard in real life: there can be clients which might not need encryption enabled, for unencrypted ports can be easily blocked via firewall.

It will be easier to review if we have stress modified and have an end to end test setup.
                
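What a server-side SoTimeout on accepted client connections does, the subject of point 3 in the review comment above, shown as an added example (not code from the patch or from the Cassandra project). Plain JDK sockets stand in for the Thrift server socket, and the class name, the 200 ms timeout and the 500 ms idle period are constructed for the demonstration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.SocketTimeoutException;

// Added illustration: SO_TIMEOUT on an accepted socket bounds how long the
// server waits for the client's next bytes, i.e. how long a client may idle.
public class SoTimeoutDemo {
    /** Accepts one client that idles, then writes; returns what the server read saw. */
    static String serve(int soTimeoutMs, long clientIdleMs) throws Exception {
        InetAddress loopback = InetAddress.getLoopbackAddress();
        try (ServerSocket server = new ServerSocket(0, 1, loopback)) {
            int port = server.getLocalPort();
            Thread client = new Thread(() -> {
                try (Socket s = new Socket(loopback, port)) {
                    Thread.sleep(clientIdleMs);        // client idles between requests
                    s.getOutputStream().write(42);     // then sends its next request
                    s.getOutputStream().flush();
                } catch (IOException | InterruptedException ignored) {
                    // the server may already have given up on this connection
                }
            });
            client.start();
            try (Socket accepted = server.accept()) {
                accepted.setSoTimeout(soTimeoutMs);    // 0 means block indefinitely
                InputStream in = accepted.getInputStream();
                try {
                    return "read byte " + in.read();
                } catch (SocketTimeoutException e) {
                    return "server timed out waiting for the client";
                } finally {
                    client.join();                     // let the client thread finish
                }
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed values: 200 ms stands in for the hard-coded 10000 ms.
        System.out.println("SoTimeout=200, idle=500: " + serve(200, 500));
        System.out.println("SoTimeout=0,   idle=500: " + serve(0, 500));
    }
}
```

With a non-zero SoTimeout the server-side read fails as soon as the client idles longer than the timeout; with 0 the same client is served normally.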

[jira] [Comment Edited] (CASSANDRA-4662) Core support for Thrift SSL integration

Posted by "Jason Brown (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CASSANDRA-4662?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13454482#comment-13454482 ] 

Jason Brown edited comment on CASSANDRA-4662 at 9/13/12 10:34 AM:
------------------------------------------------------------------

Core work of adding thrift ssl support. Includes modification to the yaml and associated config classes. Extended EncryptionOptions with client and server subclasses. Added ThriftSSLFactory to act as the centralized source for getting client and server thrift sockets (much like SSLFactory).

                
      was (Author: jasobrown):
    CASSANDRA-4662. Core work of adding thrift ssl support. Includes modification to the yaml and associated config classes. Extended EncryptionOptions with client and server subclasses. Added ThriftSSLFactory to act as the centralized source for getting client and server thrift sockets (much like SSLFactory).

                  

[jira] [Commented] (CASSANDRA-4662) Core support for Thrift SSL integration

Posted by "Jason Brown (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CASSANDRA-4662?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13459063#comment-13459063 ] 

Jason Brown commented on CASSANDRA-4662:
----------------------------------------

First off, sorry for the ticket confusion. I didn't realize I was making it worse :). 
1) That was suggested in the parent ticket CASSANDRA-4239, to break out the options into server/client. The intent was you may have a different keystore/truststore for clients vs. internode communications. The two classes came from the variants between server and client options: ServerEncryptionOptions has the InternodeEncryption enum, which didn't seem to fit with the client options.

>> It is better to merge this effort into the sister ticket
Jake created that ticket as a subtask of the parent 'add thrift SSL support'. That additional ticket refers to creating a factory for the thrift servers within o.a.c.thrift.CassandraDaemon. I figured since I would be touching the CD code anyway, I added the thrift SSL support (calling over to ThriftSSLFactory) there.

Will explore the CustomTHsHaServer, as well.

Thanks (all) for your patience.
                

[jira] [Updated] (CASSANDRA-4662) Core support for Thrift SSL integration

Posted by "Brandon Williams (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CASSANDRA-4662?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Brandon Williams updated CASSANDRA-4662:
----------------------------------------

    Reviewer: vijay2win@yahoo.com  (was: tjake)
    