Posted to pr@cassandra.apache.org by "maedhroz (via GitHub)" <gi...@apache.org> on 2023/04/05 04:54:12 UTC

[GitHub] [cassandra] maedhroz commented on a diff in pull request #2253: CASSANDRA-18124 Make keystore_password nullable

maedhroz commented on code in PR #2253:
URL: https://github.com/apache/cassandra/pull/2253#discussion_r1158021107


##########
conf/cassandra.yaml:
##########
@@ -1360,6 +1360,7 @@ server_encryption_options:
   # during upgrade to 4.0; otherwise, set to false.
   legacy_ssl_storage_port_enabled: false
   # Set to a valid keystore if internode_encryption is dc, rack or all
+  # For configurating PEM based key material, refer to https://cassandra.apache.org/doc/latest/cassandra/operating/security.html#using-pem-based-key-material
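Review bot: The comment added on the last line of this hunk links to a `/doc/latest/` URL, which follows the newest published documentation rather than the release this `cassandra.yaml` ships with. An operator reading an older version's file may therefore land on guidance that no longer matches their build, or on a moved `#using-pem-based-key-material` anchor. Consider describing the option inline or referring to something that is versioned with the code. Separately, "configurating" in the same line should read "configuring".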

Review Comment:
   There is something similar for `num_tokens`, but even that is sort of a "best practices" reference, not something that describes the configuration format itself. The problem here is that what is at the URL in question won't necessarily be versioned along w/ the code itself, right?
   
   We already duplicate a small amount of information in the comments for server and client encryption. What about just adding a commented out section before `keystore` to both that looks something like this:
   
   ```
   # Configure the way Cassandra creates SSL contexts.
   # To use PEM-based key material, see org.apache.cassandra.security.PEMBasedSslContextFactory
   # ssl_context_factory:
   #     # Must be an instance of org.apache.cassandra.security.ISslContextFactory
   #     class_name: org.apache.cassandra.security.DefaultSslContextFactory
   ```
   
   `PEMBasedSslContextFactory` at least has comments that should be updated if necessary.
   
   (As an aside, this is one of the reasons something like CASSANDRA-17292 would be useful. There's no documentation-friendly hierarchy in our configuration format.)


