Posted to commits@cassandra.apache.org by aw...@apache.org on 2017/11/15 21:47:15 UTC

[47/50] cassandra git commit: Node to Node encryption transitional mode

Node to Node encryption transitional mode

patch by jasobrown; reviewed by Stefan Podkowinski for CASSANDRA-10404


Project: http://git-wip-us.apache.org/repos/asf/cassandra/repo
Commit: http://git-wip-us.apache.org/repos/asf/cassandra/commit/7cc06a08
Tree: http://git-wip-us.apache.org/repos/asf/cassandra/tree/7cc06a08
Diff: http://git-wip-us.apache.org/repos/asf/cassandra/diff/7cc06a08

Branch: refs/heads/master
Commit: 7cc06a086f89ed76499837558ff263d84337acba
Parents: 957ae2b
Author: Jason Brown <ja...@gmail.com>
Authored: Thu May 25 03:57:54 2017 -0700
Committer: Jason Brown <ja...@gmail.com>
Committed: Fri Nov 3 05:09:36 2017 -0700

----------------------------------------------------------------------
 requirements.txt                               |  2 +-
 sslnodetonode_test.py                          | 87 +++++++++++++--------
 upgrade_tests/upgrade_through_versions_test.py |  8 +-
 3 files changed, 62 insertions(+), 35 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cassandra/blob/7cc06a08/requirements.txt
----------------------------------------------------------------------
diff --git a/requirements.txt b/requirements.txt
index a939dcd..2832ff1 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -4,7 +4,7 @@
 futures
 six
 -e git+https://github.com/datastax/python-driver.git@cassandra-test#egg=cassandra-driver
-ccm==2.8.4
+ccm==3.1.0
 cql
 decorator
 docopt

http://git-wip-us.apache.org/repos/asf/cassandra/blob/7cc06a08/sslnodetonode_test.py
----------------------------------------------------------------------
diff --git a/sslnodetonode_test.py b/sslnodetonode_test.py
index a675985..d498b0f 100644
--- a/sslnodetonode_test.py
+++ b/sslnodetonode_test.py
@@ -31,7 +31,7 @@ class TestNodeToNodeSSLEncryption(Tester):
         credNode1 = sslkeygen.generate_credentials("127.0.0.1")
         credNode2 = sslkeygen.generate_credentials("127.0.0.2", credNode1.cakeystore, credNode1.cacert)
 
-        self.setup_nodes(credNode1, credNode2, endpointVerification=True)
+        self.setup_nodes(credNode1, credNode2, endpoint_verification=True)
         self.allow_log_errors = False
         self.cluster.start()
         time.sleep(2)
@@ -43,7 +43,7 @@ class TestNodeToNodeSSLEncryption(Tester):
         credNode1 = sslkeygen.generate_credentials("127.0.0.80")
         credNode2 = sslkeygen.generate_credentials("127.0.0.81", credNode1.cakeystore, credNode1.cacert)
 
-        self.setup_nodes(credNode1, credNode2, endpointVerification=False)
+        self.setup_nodes(credNode1, credNode2, endpoint_verification=False)
         self.cluster.start()
         time.sleep(2)
         self.cql_connection(self.node1)
@@ -54,7 +54,7 @@ class TestNodeToNodeSSLEncryption(Tester):
         credNode1 = sslkeygen.generate_credentials("127.0.0.80")
         credNode2 = sslkeygen.generate_credentials("127.0.0.81", credNode1.cakeystore, credNode1.cacert)
 
-        self.setup_nodes(credNode1, credNode2, endpointVerification=True)
+        self.setup_nodes(credNode1, credNode2, endpoint_verification=True)
 
         self.allow_log_errors = True
         self.cluster.start(no_wait=True)
@@ -66,7 +66,6 @@ class TestNodeToNodeSSLEncryption(Tester):
         self.assertTrue(found)
 
         self.cluster.stop()
-        self.assertTrue(found)
 
     def ssl_client_auth_required_fail_test(self):
         """peers need to perform mutual auth (cient auth required), but do not supply the local cert"""
@@ -117,15 +116,41 @@ class TestNodeToNodeSSLEncryption(Tester):
         self.cluster.stop()
         self.assertTrue(found)
 
+    def optional_outbound_tls_test(self):
+        """listen on TLS port, but optionally connect using TLS. this supports the upgrade case of starting with a non-encrypted cluster and then upgrading each node to use encryption."""
+        credNode1 = sslkeygen.generate_credentials("127.0.0.1")
+        credNode2 = sslkeygen.generate_credentials("127.0.0.2", credNode1.cakeystore, credNode1.cacert)
+
+        # first, start cluster without TLS (either listening or connecting
+        self.setup_nodes(credNode1, credNode2, internode_encryption='none', encryption_enabled=False)
+        self.cluster.start()
+        self.cql_connection(self.node1)
+
+        # next bounce the cluster to listen on both plain/secure sockets (do not connect secure port, yet, though)
+        self.bounce_node_with_updated_config(credNode1, self.node1, 'none', True, True)
+        self.bounce_node_with_updated_config(credNode2, self.node2, 'none', True, True)
+
+        # next connect with TLS for the outbound connections
+        self.bounce_node_with_updated_config(credNode1, self.node1, 'all', True, True)
+        self.bounce_node_with_updated_config(credNode2, self.node2, 'all', True, True)
+
+        # now shutdown the plaintext port
+        self.bounce_node_with_updated_config(credNode1, self.node1, 'all', True, False)
+        self.bounce_node_with_updated_config(credNode2, self.node2, 'all', True, False)
+        self.cluster.stop()
+
+    def bounce_node_with_updated_config(self, credentials, node, internode_encryption, encryption_enabled, encryption_optional):
+        node.stop()
+        self.copy_cred(credentials, node, internode_encryption, encryption_enabled, encryption_optional)
+        node.start(wait_for_binary_proto=True)
+
     def _grep_msg(self, node, *kwargs):
         tries = 30
         while tries > 0:
             try:
-                print("Checking logs for error")
                 for err in kwargs:
                     m = node.grep_log(err)
                     if m:
-                        print("Found log message: {}".format(m[0]))
                         return True
             except IOError:
                 pass  # log does not exists yet
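Review bot: optional_outbound_tls_test walks the cluster from plaintext through the optional (mixed) mode to TLS-only, but after the first `self.cql_connection(self.node1)` nothing is asserted, so all three bounce stages would pass even if a node silently fell back to plaintext or never closed the legacy socket once `encryption_optional` is False; each stage should at least end with `self.cql_connection(self.node1)`, and the final stage should confirm the two nodes still reach each other over TLS, e.g. via `_grep_msg` on the log line the server emits when internode TLS is established (exact message to be taken from the server source, not guessed here). The stage calls `self.bounce_node_with_updated_config(credNode1, self.node1, 'all', True, True)` would be far clearer with keyword arguments, `internode_encryption='all', encryption_enabled=True, encryption_optional=True`, since the two trailing booleans are what distinguish the stages. bounce_node_with_updated_config also has no docstring; a one-liner such as `"""Stop *node*, rewrite its server_encryption_options from *credentials*, and restart it."""` is enough. The comment introducing the first stage is missing its closing parenthesis.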
@@ -134,33 +159,33 @@ class TestNodeToNodeSSLEncryption(Tester):
 
         return False
 
-    def setup_nodes(self, credentials1, credentials2, endpointVerification=False, client_auth=False):
-
+    def setup_nodes(self, credentials1, credentials2, endpoint_verification=False, client_auth=False, internode_encryption='all', encryption_enabled=True, encryption_optional=False):
         cluster = self.cluster
-
-        def copy_cred(credentials, node):
-            dir = node.get_conf_dir()
-            print("Copying credentials to node %s" % dir)
-            kspath = os.path.join(dir, 'keystore.jks')
-            tspath = os.path.join(dir, 'truststore.jks')
-            shutil.copyfile(credentials.keystore, kspath)
-            shutil.copyfile(credentials.cakeystore, tspath)
-
-            node.set_configuration_options(values={
-                'server_encryption_options': {
-                    'internode_encryption': 'all',
-                    'keystore': kspath,
-                    'keystore_password': 'cassandra',
-                    'truststore': tspath,
-                    'truststore_password': 'cassandra',
-                    'require_endpoint_verification': endpointVerification,
-                    'require_client_auth': client_auth
-                }
-            })
-
         cluster = cluster.populate(2)
         self.node1 = cluster.nodelist()[0]
-        copy_cred(credentials1, self.node1)
+        self.copy_cred(credentials1, self.node1, internode_encryption, encryption_enabled, encryption_optional, endpoint_verification, client_auth)
 
         self.node2 = cluster.nodelist()[1]
-        copy_cred(credentials2, self.node2)
+        self.copy_cred(credentials2, self.node2, internode_encryption, encryption_enabled, encryption_optional, endpoint_verification, client_auth)
+
+    def copy_cred(self, credentials, node, internode_encryption, encryption_enabled, encryption_optional, endpoint_verification=False, client_auth=False):
+        dir = node.get_conf_dir()
+        kspath = os.path.join(dir, 'keystore.jks')
+        tspath = os.path.join(dir, 'truststore.jks')
+        shutil.copyfile(credentials.keystore, kspath)
+        shutil.copyfile(credentials.cakeystore, tspath)
+
+        node.set_configuration_options(values={
+            'server_encryption_options': {
+                'enabled': encryption_enabled,
+                'optional': encryption_optional,
+                'internode_encryption': internode_encryption,
+                'keystore': kspath,
+                'keystore_password': 'cassandra',
+                'truststore': tspath,
+                'truststore_password': 'cassandra',
+                'require_endpoint_verification': endpoint_verification,
+                'require_client_auth': client_auth,
+            }
+        })
+        
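Review bot: copy_cred keeps the conf directory in `dir`, shadowing the builtin; the body was moved rather than rewritten, but `conf_dir = node.get_conf_dir()` would read better now that it is a method. It is also promoted to a public method while its sibling helper stays `_grep_msg`, so `_copy_cred` (and the two calls in setup_nodes) would keep the helper naming consistent. setup_nodes now takes seven parameters with no docstring; a short one that maps `internode_encryption`, `encryption_enabled` and `encryption_optional` onto the server_encryption_options keys they set (`internode_encryption`, `enabled`, `optional`) would help the next reader, and should note that `encryption_optional=True` is the transitional state in which a node still accepts plaintext peers. The hunk ends on a whitespace-only line after the closing `})`.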

http://git-wip-us.apache.org/repos/asf/cassandra/blob/7cc06a08/upgrade_tests/upgrade_through_versions_test.py
----------------------------------------------------------------------
diff --git a/upgrade_tests/upgrade_through_versions_test.py b/upgrade_tests/upgrade_through_versions_test.py
index efeab0e..a825645 100644
--- a/upgrade_tests/upgrade_through_versions_test.py
+++ b/upgrade_tests/upgrade_through_versions_test.py
@@ -342,7 +342,7 @@ class UpgradeTester(Tester):
                     # possibly "speed past" in an overly fast upgrade test
                     time.sleep(60)
 
-                    self.upgrade_to_version(version_meta, partial=True, nodes=(node,))
+                    self.upgrade_to_version(version_meta, partial=True, nodes=(node,), internode_ssl=internode_ssl)
 
                     self._check_on_subprocs(self.subprocs)
                     debug('Successfully upgraded %d of %d nodes to %s' %
@@ -364,7 +364,7 @@ class UpgradeTester(Tester):
                 self._write_values()
                 self._increment_counters()
 
-                self.upgrade_to_version(version_meta)
+                self.upgrade_to_version(version_meta, internode_ssl=internode_ssl)
                 self.cluster.set_install_dir(version=version_meta.version)
 
                 self._check_values()
@@ -410,7 +410,7 @@ class UpgradeTester(Tester):
                     debug("Error terminating subprocess. There could be a lingering process.")
                     pass
 
-    def upgrade_to_version(self, version_meta, partial=False, nodes=None):
+    def upgrade_to_version(self, version_meta, partial=False, nodes=None, internode_ssl=False):
         """
         Upgrade Nodes - if *partial* is True, only upgrade those nodes
         that are specified by *nodes*, otherwise ignore *nodes* specified
@@ -431,6 +431,8 @@ class UpgradeTester(Tester):
         for node in nodes:
             node.set_install_dir(version=version_meta.version)
             debug("Set new cassandra dir for %s: %s" % (node.name, node.get_install_dir()))
+            if internode_ssl and version_meta.version >= '4.0':
+                node.set_configuration_options({'server_encryption_options': {'enabled': True, 'enable_legacy_ssl_storage_port': True}})
 
         # hacky? yes. We could probably extend ccm to allow this publicly.
         # the topology file needs to be written before any nodes are started
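Review bot: `if internode_ssl and version_meta.version >= '4.0':` compares against a string literal; if `version_meta.version` is a plain str this is a lexicographic comparison, so a future `'10.0'` sorts below `'4.0'` and the SSL settings would be skipped on exactly the versions that need them — the type is not visible in the hunk, so please confirm, and if it is a string compare parsed versions (the module's existing version helper, or `LooseVersion`) instead. The nested `node.set_configuration_options({'server_encryption_options': {'enabled': True, 'enable_legacy_ssl_storage_port': True}})` also assumes ccm merges into the existing server_encryption_options rather than replacing the dict that carries the keystore/truststore paths; that assumption deserves a comment, e.g. `# relies on ccm merging nested options; keystore settings come from the pre-upgrade config`. upgrade_to_version starts outside this hunk.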

