Posted to commits@cassandra.apache.org by "Stefan Podkowinski (JIRA)" <ji...@apache.org> on 2017/11/07 13:38:00 UTC

[jira] [Commented] (CASSANDRA-13971) Automatic certificate management using Vault

    [ https://issues.apache.org/jira/browse/CASSANDRA-13971?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16242001#comment-16242001 ] 

Stefan Podkowinski commented on CASSANDRA-13971:
------------------------------------------------

Work here is getting ahead nicely. I'm now done with a first implementation that allows me to authenticate against Vault and retrieve certificates. There's also a dtest that would download vault (a static go executable), spin up an instance and bootstrap a Cassandra cluster with SSL Vault support enabled.

There are still some aspects that need some more test coverage, such as certificate renewal for running Cassandra instances. But I don't see any major blockers on the way so far.

As for Vault, I've found that Java/JCA is a bit limited when it comes to supported RSA private key encodings and Vault's PKCS#1 encoded keys could not be read using the Java standard classes. But a [PR|https://github.com/hashicorp/vault/pull/3518] has been merged recently that will enable PKCS#8 support in one of the upcoming Vault releases, which is going to solve this issue (thanks [~jeffm]!).

> Automatic certificate management using Vault
> --------------------------------------------
>
>                 Key: CASSANDRA-13971
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-13971
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Streaming and Messaging
>            Reporter: Stefan Podkowinski
>            Assignee: Stefan Podkowinski
>             Fix For: 4.x
>
>
> We've been adding security features during the last years to enable users to secure their clusters, if they are willing to use them and do so correctly. Some features are powerful and easy to work with, such as role based authorization. Other features that require managing a local keystore are rather painful to deal with. Think about setting up SSL.
> To be fair, keystore related issues and certificate handling haven't been invented by us. We're just following Java standards there. But that doesn't mean that we absolutely have to, if there are better options. I'd like to give it a shot and find out if we can automate certificate/key handling (PKI) by using external APIs. In this case, the implementation will be based on [Vault|https://vaultproject.io]. But certificate management services offered by cloud providers may also be able to handle the use-case and I intend to create a generic, pluggable API for that.
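
The encoding mismatch mentioned in the comment above, as an added example that is not from the ticket, Cassandra or Vault: Java's KeyFactory only accepts PKCS#8 for RSA private keys, so a PKCS#1 blob (the decoded body of a "BEGIN RSA PRIVATE KEY" PEM, which is what Vault emitted before the linked PR) is rejected, but it can be wrapped in a PKCS#8 PrivateKeyInfo header by hand so the standard classes read it without a third-party ASN.1 library. The test input is constructed by generating a key locally; the 26-byte header offset assumed there holds only for that 2048-bit key.

```java
import java.io.ByteArrayOutputStream;
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Arrays;
public class Pkcs1ToPkcs8 {
    // DER AlgorithmIdentifier: SEQUENCE { OID 1.2.840.113549.1.1.1 (rsaEncryption), NULL }
    private static final byte[] RSA_ALG_ID = { 0x30, 0x0d, 0x06, 0x09, 0x2a, (byte) 0x86, 0x48,
            (byte) 0x86, (byte) 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00 };
    // Encodes one DER element: tag, definite-form length, content.
    static byte[] tlv(int tag, byte[] content) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(tag);
        int len = content.length;
        if (len < 0x80) out.write(len);      // short-form length
        else {                                // long form: 0x80|n followed by n big-endian bytes
            int n = (32 - Integer.numberOfLeadingZeros(len) + 7) / 8;
            out.write(0x80 | n);
            for (int i = n - 1; i >= 0; i--) out.write(len >>> (8 * i));
        }
        out.write(content, 0, len);
        return out.toByteArray();
    }
    // Wraps a PKCS#1 RSAPrivateKey blob into PKCS#8: SEQUENCE { INTEGER 0, AlgorithmIdentifier, OCTET STRING key }
    public static byte[] wrapPkcs1(byte[] pkcs1Der) {
        ByteArrayOutputStream body = new ByteArrayOutputStream();
        body.write(new byte[] { 0x02, 0x01, 0x00 }, 0, 3);   // version 0
        body.write(RSA_ALG_ID, 0, RSA_ALG_ID.length);
        byte[] octet = tlv(0x04, pkcs1Der);
        body.write(octet, 0, octet.length);
        return tlv(0x30, body.toByteArray());
    }
    public static void main(String[] args) throws Exception {
        // Constructed input: a fresh JCA key is PKCS#8; for a 2048-bit RSA key the PKCS#8 header
        // is exactly 26 bytes, so stripping it leaves the inner PKCS#1 RSAPrivateKey blob.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        RSAPrivateKey orig = (RSAPrivateKey) gen.generateKeyPair().getPrivate();
        byte[] pkcs1 = Arrays.copyOfRange(orig.getEncoded(), 26, orig.getEncoded().length);
        KeyFactory kf = KeyFactory.getInstance("RSA");
        try {
            kf.generatePrivate(new PKCS8EncodedKeySpec(pkcs1));   // raw PKCS#1: JCA rejects it
        } catch (InvalidKeySpecException e) {
            System.out.println("PKCS#1 rejected: " + e.getMessage());
        }
        RSAPrivateKey key = (RSAPrivateKey) kf.generatePrivate(new PKCS8EncodedKeySpec(wrapPkcs1(pkcs1)));
        System.out.println("wrapped key loads, modulus matches: " + key.getModulus().equals(orig.getModulus()));
    }
}
```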



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
