From alek...@apache.org
Subject git commit: Fix SSL client authentication (CASSANDRA-5120)
Date Wed, 27 Feb 2013 21:54:39 GMT
Updated Branches:
  refs/heads/cassandra-1.2 33ce1e35f -> ab23afa52


Fix SSL client authentication (CASSANDRA-5120)


Project: http://git-wip-us.apache.org/repos/asf/cassandra/repo
Commit: http://git-wip-us.apache.org/repos/asf/cassandra/commit/ab23afa5
Tree: http://git-wip-us.apache.org/repos/asf/cassandra/tree/ab23afa5
Diff: http://git-wip-us.apache.org/repos/asf/cassandra/diff/ab23afa5

Branch: refs/heads/cassandra-1.2
Commit: ab23afa521327ce5bf46a078e6bbd0591e00e778
Parents: 33ce1e3
Author: Aleksey Yeschenko <aleksey@apache.org>
Authored: Thu Feb 28 00:53:22 2013 +0300
Committer: Aleksey Yeschenko <aleksey@apache.org>
Committed: Thu Feb 28 00:53:22 2013 +0300

----------------------------------------------------------------------
 conf/cassandra.yaml                                |    5 ++++-
 .../apache/cassandra/config/EncryptionOptions.java |    2 +-
 .../cassandra/thrift/CustomTThreadPoolServer.java  |    6 +++++-
 3 files changed, 10 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cassandra/blob/ab23afa5/conf/cassandra.yaml
----------------------------------------------------------------------
diff --git a/conf/cassandra.yaml b/conf/cassandra.yaml
index 6d0528a..0a8102d 100644
--- a/conf/cassandra.yaml
+++ b/conf/cassandra.yaml
@@ -662,12 +662,15 @@ client_encryption_options:
     enabled: false
     keystore: conf/.keystore
     keystore_password: cassandra
+    # require_client_auth: false
+    # Set trustore and truststore_password if require_client_auth is true
+    # truststore: conf/.truststore
+    # truststore_password: cassandra
     # More advanced defaults below:
     # protocol: TLS
     # algorithm: SunX509
     # store_type: JKS
     # cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA]
-    # require_client_auth: false
 
 # internode_compression controls whether traffic between nodes is
 # compressed.
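Review bot: The new `# Set trustore and truststore_password ...` comment misspells the key it tells the operator to set, so a reader copying it will configure the wrong name; it should read `# Set truststore and truststore_password if require_client_auth is true`. Since the truststore is only consulted when require_client_auth is true (the server only loads it in that case), it would help to add that it should contain only the CA certificate(s) that issue client certificates, and that the `cassandra` password shown is a placeholder to replace with a private value rather than a recommended default.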

http://git-wip-us.apache.org/repos/asf/cassandra/blob/ab23afa5/src/java/org/apache/cassandra/config/EncryptionOptions.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/config/EncryptionOptions.java b/src/java/org/apache/cassandra/config/EncryptionOptions.java
index fe07f68..f873636 100644
--- a/src/java/org/apache/cassandra/config/EncryptionOptions.java
+++ b/src/java/org/apache/cassandra/config/EncryptionOptions.java
@@ -27,7 +27,7 @@ public abstract class EncryptionOptions
     public String protocol = "TLS";
     public String algorithm = "SunX509";
     public String store_type = "JKS";
-    public Boolean require_client_auth = false;
+    public boolean require_client_auth = false;
 
     public static class ClientEncryptionOptions extends EncryptionOptions
     {
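Review bot: The `require_client_auth` field gets no comment explaining what it gates, and it is the switch that decides whether a client certificate is demanded at all. A one-line Javadoc would make the contract visible where operators and reviewers look first: `/** When true, connecting clients must present a certificate that validates against the configured truststore; the truststore is ignored otherwise. */`. The change from `Boolean` to `boolean` also means the field can no longer be null, so an absent YAML key reliably resolves to false; that is worth stating in the same comment.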

http://git-wip-us.apache.org/repos/asf/cassandra/blob/ab23afa5/src/java/org/apache/cassandra/thrift/CustomTThreadPoolServer.java
----------------------------------------------------------------------
diff --git a/src/java/org/apache/cassandra/thrift/CustomTThreadPoolServer.java b/src/java/org/apache/cassandra/thrift/CustomTThreadPoolServer.java
index 0a456b9..7014443 100644
--- a/src/java/org/apache/cassandra/thrift/CustomTThreadPoolServer.java
+++ b/src/java/org/apache/cassandra/thrift/CustomTThreadPoolServer.java
@@ -249,7 +249,11 @@ public class CustomTThreadPoolServer extends TServer
                     logger.info("enabling encrypted thrift connections between client and
server");
                     TSSLTransportParameters params = new TSSLTransportParameters(clientEnc.protocol,
clientEnc.cipher_suites);
                     params.setKeyStore(clientEnc.keystore, clientEnc.keystore_password);
-                    params.requireClientAuth(clientEnc.require_client_auth);
+                    if (clientEnc.require_client_auth)
+                    {
+                        params.setTrustStore(clientEnc.truststore, clientEnc.truststore_password);
+                        params.requireClientAuth(true);
+                    }
                     TServerSocket sslServer = TSSLTransportFactory.getServerSocket(addr.getPort(),
0, addr.getAddress(), params);
                     serverTransport = new TCustomServerSocket(sslServer.getServerSocket(),
args.keepAlive, args.sendBufferSize, args.recvBufferSize);
                 }
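Review bot: The new `if (clientEnc.require_client_auth)` branch passes `clientEnc.truststore` straight to `setTrustStore` without checking that it was configured, so a YAML that turns on require_client_auth but leaves the truststore lines commented out (as the shipped cassandra.yaml does) reaches the Thrift factory with a null path; it presumably fails at startup with an unhelpful NullPointerException rather than a clear configuration error, so a guard such as `if (clientEnc.truststore == null) throw new IllegalStateException("client_encryption_options.truststore must be set when require_client_auth is true");` before the call would make the misconfiguration obvious. The two-argument `setTrustStore` also ignores the `algorithm` and `store_type` options that EncryptionOptions exposes, so a non-JKS truststore cannot be loaded; if the Thrift version in use has the four-argument overload, `params.setTrustStore(clientEnc.truststore, clientEnc.truststore_password, clientEnc.algorithm, clientEnc.store_type);` would honour them. The enclosing method starts and ends outside this hunk.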

