cassandra-commits mailing list archives

From "Robert Stupp (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CASSANDRA-9590) Support for both encrypted and unencrypted native transport connections
Date Wed, 02 Sep 2015 19:08:46 GMT

    [ https://issues.apache.org/jira/browse/CASSANDRA-9590?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14727870#comment-14727870
] 

Robert Stupp commented on CASSANDRA-9590:
-----------------------------------------

Patch and tests look good so far.

Some notes:
* Can you add the option {{native_transport_port_ssl}} to {{conf/cassandra.yaml}} (commented
out, but with some words describing its meaning and how it relates to {{native_transport_port}})?
You can use {{9142}} as the (commented out) standard port. Maybe also a note that it's beneficial
to install the _Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files_?
* Let startup fail, if both {{native_transport_port}} and {{native_transport_port_ssl}} are
set but {{client_encryption_options}} is not enabled. It is a configuration failure. At the
moment it silently just doesn't start SSL at all.
* The unit tests look good, but never start NetworkTransportService with SSL enabled - but
that's ok as there are dtests.
* dtests unfortunately don't work on my machine. Is the {{keystone.jks}} file mentioned in
the test source missing? (Ping me, if you need some logs or so.)

I tested the stuff manually using a self-signed cert with cqlsh and it works (with JCE policy
files).

> Support for both encrypted and unencrypted native transport connections
> -----------------------------------------------------------------------
>
>                 Key: CASSANDRA-9590
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-9590
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Core
>            Reporter: Stefan Podkowinski
>            Assignee: Stefan Podkowinski
>             Fix For: 2.1.x
>
>
> Enabling encryption for native transport currently turns SSL exclusively on or off for
the opened socket. Migrating from plain to encrypted requires migrating all native clients
as well and redeploying all of them at the same time after starting the SSL-enabled Cassandra
nodes. 
> This patch would allow starting Cassandra with both an unencrypted and an SSL-enabled native
port. Clients can connect to either, based on whether they support SSL or not.
> This has been implemented by introducing a new {{native_transport_port_ssl}} config option.
>
> There would be three scenarios:
> * client encryption disabled, {{native_transport_port}} unencrypted, {{native_transport_port_ssl}}
not used
> * client encryption enabled, {{native_transport_port_ssl}} not set, {{native_transport_port}}
encrypted
> * client encryption enabled, {{native_transport_port_ssl}} set, {{native_transport_port}}
unencrypted, {{native_transport_port_ssl}} encrypted
> This approach would keep configuration behavior fully backwards compatible.
> Patch proposal: [Branch|https://github.com/spodkowinski/cassandra/tree/cassandra-9590],
[Diff cassandra-3.0|https://github.com/apache/cassandra/compare/cassandra-3.0...spodkowinski:cassandra-9590],
[Patch against cassandra-3.0|https://github.com/apache/cassandra/compare/cassandra-3.0...spodkowinski:cassandra-9590.patch]
> DTest: [Branch|https://github.com/spodkowinski/cassandra-dtest/tree/cassandra-9590],
[Diff master|https://github.com/riptano/cassandra-dtest/compare/master...spodkowinski:cassandra-9590]



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
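The three port layouts from the issue description, and the startup check asked for in the comment above, as an added example that is not part of the patch or of Cassandra itself. It is written in Python rather than the project's Java, takes the parsed form of the relevant cassandra.yaml keys (what a YAML loader would return), and the sample configs are constructed. The key names and the 9042/9142 ports come from the ticket; the rule that the two ports must differ is an assumption.

```python
"""Resolve the native-transport listener layout for the three scenarios in
CASSANDRA-9590 and refuse the silent misconfiguration raised in the review.

Added example, not code from the Cassandra patch. Key names match the ticket;
the port-collision rule is an assumption noted inline.
"""
from dataclasses import dataclass
from typing import Any, Dict, Optional, Tuple

DEFAULT_NATIVE_PORT = 9042  # Cassandra's default native_transport_port


class ConfigError(ValueError):
    """Raised where the node should refuse to start rather than run plain."""


@dataclass(frozen=True)
class NativePorts:
    plain: Optional[int]  # port accepting unencrypted CQL, or None
    tls: Optional[int]    # port accepting TLS-only CQL, or None


def _read(conf: Dict[str, Any]) -> Tuple[int, Optional[int], bool]:
    """Pull the three settings the ticket is about out of a parsed config."""
    port = int(conf.get("native_transport_port", DEFAULT_NATIVE_PORT))
    ssl_port = conf.get("native_transport_port_ssl")
    enc = conf.get("client_encryption_options") or {}
    return port, (None if ssl_port is None else int(ssl_port)), bool(enc.get("enabled", False))


def validation_error(conf: Dict[str, Any]) -> Optional[str]:
    """Return a reason to abort startup, or None if the layout is consistent."""
    port, ssl_port, enabled = _read(conf)
    # The case raised in the review: a dedicated SSL port is configured but
    # client encryption is off, so nothing would ever listen with TLS.
    if ssl_port is not None and not enabled:
        return ("native_transport_port_ssl is set but "
                "client_encryption_options.enabled is false")
    # Assumption: the plain and TLS listeners cannot share one port.
    if ssl_port is not None and ssl_port == port:
        return "native_transport_port_ssl must differ from native_transport_port"
    return None


def resolve_native_ports(conf: Dict[str, Any]) -> NativePorts:
    """Map a config to its (plain, tls) listener pair per the ticket's scenarios."""
    problem = validation_error(conf)
    if problem is not None:
        raise ConfigError(problem)
    port, ssl_port, enabled = _read(conf)
    if not enabled:                     # scenario 1: encryption off, one plain port
        return NativePorts(plain=port, tls=None)
    if ssl_port is None:                # scenario 2: encryption on, single port is TLS
        return NativePorts(plain=None, tls=port)
    return NativePorts(plain=port, tls=ssl_port)  # scenario 3: plain + TLS side by side


# Constructed sample configs; only the keys relevant to the ticket are present.
SCENARIOS: Dict[str, Dict[str, Any]] = {
    "plain_only": {
        "native_transport_port": 9042,
        "client_encryption_options": {"enabled": False},
    },
    "tls_only": {
        "native_transport_port": 9042,
        "client_encryption_options": {"enabled": True},
    },
    "dual": {
        "native_transport_port": 9042,
        "native_transport_port_ssl": 9142,
        "client_encryption_options": {"enabled": True},
    },
    # The silent-failure case from the review: SSL port set, encryption still off.
    "ssl_port_without_encryption": {
        "native_transport_port": 9042,
        "native_transport_port_ssl": 9142,
        "client_encryption_options": {"enabled": False},
    },
}


if __name__ == "__main__":
    for name, conf in SCENARIOS.items():
        try:
            print(f"{name:28s} {resolve_native_ports(conf)}")
        except ConfigError as e:
            print(f"{name:28s} REFUSE START: {e}")
```

During a plain-to-TLS migration the third layout is the intermediate state: clients move to 9142 one at a time, and once none remain on 9042 the operator drops `native_transport_port_ssl` and lets the single port become TLS-only (scenario 2).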
