Posted to commits@cassandra.apache.org by "Robert Stupp (JIRA)" <ji...@apache.org> on 2015/09/02 21:10:46 UTC

[jira] [Comment Edited] (CASSANDRA-9590) Support for both encrypted and unencrypted native transport connections

    [ https://issues.apache.org/jira/browse/CASSANDRA-9590?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14727870#comment-14727870 ] 

Robert Stupp edited comment on CASSANDRA-9590 at 9/2/15 7:10 PM:
-----------------------------------------------------------------

Patch and tests look good so far.

Some notes:
* Can you add the option {{native_transport_port_ssl}} to {{conf/cassandra.yaml}} (commented out, but with some words describing its meaning and how it relates to {{native_transport_port}})? You can use {{9142}} as the (commented out) standard port. Maybe also a note that it's beneficial to install the _Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files_?
* Let startup fail if both {{native_transport_port}} and {{native_transport_port_ssl}} are set but {{client_encryption_options}} is not enabled. It is a configuration failure. At the moment it silently just does not start SSL at all.
* The unit tests look good, but never start NetworkTransportService with SSL enabled - but that's ok as there are dtests.
* dtests unfortunately don't work on my machine. Is the {{keystone.jks}} file mentioned in the test source missing? (Ping me, if you need some logs or so.)

I tested the stuff manually using a self-signed cert with cqlsh and it works (with JCE policy files).

EDIT: Forgot to mention: please open a PR for the dtest as soon as it is running. Just put a note in the comment not to merge before this ticket is committed. You can remove the {{@require}} annotation.


was (Author: snazy):
Patch and tests look good so far.

Some notes:
* Can you add the option {{native_transport_port_ssl}} to {{conf/cassandra.yaml}} (commented out, but with some words describing its meaning and how it relates to {{native_transport_port}})? You can use {{9142}} as the (commented out) standard port. Maybe also a note that it's beneficial to install the _Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files_?
* Let startup fail if both {{native_transport_port}} and {{native_transport_port_ssl}} are set but {{client_encryption_options}} is not enabled. It is a configuration failure. At the moment it silently just does not start SSL at all.
* The unit tests look good, but never start NetworkTransportService with SSL enabled - but that's ok as there are dtests.
* dtests unfortunately don't work on my machine. Is the {{keystone.jks}} file mentioned in the test source missing? (Ping me, if you need some logs or so.)

I tested the stuff manually using a self-signed cert with cqlsh and it works (with JCE policy files).

> Support for both encrypted and unencrypted native transport connections
> -----------------------------------------------------------------------
>
>                 Key: CASSANDRA-9590
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-9590
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Core
>            Reporter: Stefan Podkowinski
>            Assignee: Stefan Podkowinski
>             Fix For: 2.1.x
>
>
> Enabling encryption for native transport currently turns SSL exclusively on or off for the opened socket. Migrating from plain to encrypted requires migrating all native clients as well and redeploying all of them at the same time after starting the SSL enabled Cassandra nodes.
> This patch would allow starting Cassandra with both an unencrypted and an ssl enabled native port. Clients can connect to either, based on whether they support ssl or not.
> This has been implemented by introducing a new {{native_transport_port_ssl}} config option. 
> There would be three scenarios:
> * client encryption disabled, {{native_transport_port}} unencrypted, {{native_transport_port_ssl}} not used
> * client encryption enabled, {{native_transport_port_ssl}} not set, {{native_transport_port}} encrypted
> * client encryption enabled, {{native_transport_port_ssl}} set, {{native_transport_port}} unencrypted, {{native_transport_port_ssl}} encrypted
> This approach would keep configuration behavior fully backwards compatible.
> Patch proposal: [Branch|https://github.com/spodkowinski/cassandra/tree/cassandra-9590], [Diff cassandra-3.0|https://github.com/apache/cassandra/compare/cassandra-3.0...spodkowinski:cassandra-9590], [Patch against cassandra-3.0|https://github.com/apache/cassandra/compare/cassandra-3.0...spodkowinski:cassandra-9590.patch]
> DTest: [Branch|https://github.com/spodkowinski/cassandra-dtest/tree/cassandra-9590], [Diff master|https://github.com/riptano/cassandra-dtest/compare/master...spodkowinski:cassandra-9590]
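The three scenarios in the description, together with the startup failure Robert asks for (both ports set while client encryption is disabled), as an added illustration in Python; this is not Cassandra's code, and the function and key names are assumptions chosen to mirror the cassandra.yaml options named above (the 9042 plain-port default is Cassandra's, the same-port check is an extra sanity check not taken from the ticket).

```python
# Added illustration of the port/encryption decision discussed in CASSANDRA-9590.
# Not Cassandra's own code: a small model of the three scenarios from the ticket
# plus the configuration failure the review asks to reject at startup.


class ConfigurationError(ValueError):
    """Raised for a combination of settings that should abort node startup."""


def resolve_native_ports(native_transport_port, native_transport_port_ssl,
                         client_encryption_enabled):
    """Return {port: "encrypted" | "unencrypted"} for the native transport.

    Scenario 1: encryption disabled, no ssl port  -> plain port unencrypted.
    Scenario 2: encryption enabled,  no ssl port  -> plain port encrypted.
    Scenario 3: encryption enabled,  ssl port set -> plain port unencrypted,
                                                     ssl port encrypted.
    An ssl port with encryption disabled is rejected instead of silently
    running without SSL (the reviewer's point).
    """
    if native_transport_port_ssl is None:
        mode = "encrypted" if client_encryption_enabled else "unencrypted"
        return {native_transport_port: mode}
    if not client_encryption_enabled:
        raise ConfigurationError(
            "native_transport_port_ssl is set but client_encryption_options "
            "is not enabled")
    if native_transport_port_ssl == native_transport_port:
        # Extra sanity check (assumption, not from the ticket): one socket
        # cannot be both plain and TLS.
        raise ConfigurationError(
            "native_transport_port_ssl must differ from native_transport_port")
    return {native_transport_port: "unencrypted",
            native_transport_port_ssl: "encrypted"}


def resolve_from_config(cfg):
    """Apply the rule to a dict shaped like the relevant cassandra.yaml keys."""
    enc = cfg.get("client_encryption_options") or {}
    return resolve_native_ports(cfg.get("native_transport_port", 9042),
                                cfg.get("native_transport_port_ssl"),
                                bool(enc.get("enabled", False)))


def startup_ok(cfg):
    """True if the configuration would pass the startup check."""
    try:
        resolve_from_config(cfg)
        return True
    except ConfigurationError:
        return False
```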



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)