cassandra-commits mailing list archives

From "Stefan Podkowinski (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (CASSANDRA-10404) Node to Node encryption transitional mode
Date Thu, 21 Sep 2017 14:28:00 GMT

    [ https://issues.apache.org/jira/browse/CASSANDRA-10404?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16174847#comment-16174847 ]

Stefan Podkowinski edited comment on CASSANDRA-10404 at 9/21/17 2:27 PM:
-------------------------------------------------------------------------

I had the following couple of questions/remarks while looking at the patch today:

# Assuming we have a 3.x cluster already running with ssl enabled and now start to bump the
first node to 4.0. If we connect to {{storage_port}} by default in 4.0, won't the upgraded
node fail to start with a "Unable to gossip with any seeds" error?
# Do we want to add an option to disable the {{ssl_storage_port}}? E.g. by setting it to the
same value as storage_port?
# {{doc/source/operating/security.rst}}: needs to be updated
# {{cassandra.yaml}}: comments for {{storage_port}} and {{ssl_storage_port}} not accurate
anymore, as both can use encryption now. We also should clearly describe the port as legacy
port only used during upgrades. There should be a link to {{security.rst}} for further details.
# Some of the native transport and internode netty code has become redundant, e.g. {{Server.OptionalSecureInitializer}}
and the new {{OptionalSslHandler}}. It's probably not in scope of this ticket, but should
maybe be addressed in another ticket at some point.
# Use of {{server_encryption}} in {{NettyFactory.OutboundInitializer}} could use some comments,
especially on why we don't have to check all remaining options such as {{internode_encryption}}
(already checked in {{MessagingService}})



was (Author: spodxx@gmail.com):
I had the following couple of questions/remarks while looking at the patch today:

* Assuming we have a 3.x cluster already running with ssl enabled and now start to bump the
first node to 4.0. If we connect to {{storage_port}} by default in 4.0, won't the upgraded
node fail to start with a "Unable to gossip with any seeds" error?
* Do we want to add an option to disable the {{ssl_storage_port}}? E.g. by setting it to the
same value as storage_port?
* {{doc/source/operating/security.rst}}: needs to be updated
* {{cassandra.yaml}}: comments for {{storage_port}} and {{ssl_storage_port}} not accurate
anymore, as both can use encryption now. We also should clearly describe the port as legacy
port only used during upgrades. There should be a link to {{security.rst}} for further details.
* Some of the native transport and internode netty code has become redundant, e.g. {{Server.OptionalSecureInitializer}}
and the new {{OptionalSslHandler}}. It's probably not in scope of this ticket, but should
maybe be addressed in another ticket at some point.
* Use of {{server_encryption}} in {{NettyFactory.OutboundInitializer}} could use some comments,
especially on why we don't have to check all remaining options such as {{internode_encryption}}
(already checked in {{MessagingService}})


> Node to Node encryption transitional mode
> -----------------------------------------
>
>                 Key: CASSANDRA-10404
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-10404
>             Project: Cassandra
>          Issue Type: New Feature
>            Reporter: Tom Lewis
>            Assignee: Jason Brown
>             Fix For: 4.x
>
>
> Create a transitional mode for encryption that allows encrypted and unencrypted traffic
> node-to-node during a change over to encryption from unencrypted. This alleviates downtime
> during the switch.
> This is similar to CASSANDRA-10559 which is intended for client-to-node



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
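
Added illustration (not Cassandra's code and not part of the ticket or the comment above): one common way a listener can serve both encrypted and unencrypted peers on a single port, as the transitional mode requested in this ticket requires, is to inspect the first five bytes of a new connection for a TLS record header before choosing a pipeline. The function names, the `encryption_optional` flag and the sample byte strings are assumptions constructed for this example.

```python
from enum import Enum

TLS_RECORD_HEADER_LEN = 5
# TLS record content types: change_cipher_spec, alert, handshake, application_data
TLS_CONTENT_TYPES = {20, 21, 22, 23}
MAX_TLS_RECORD_LEN = 2**14 + 2048  # upper bound on an encrypted record (RFC 5246)

# Constructed samples: start of a TLS handshake record, and arbitrary non-TLS bytes.
SAMPLE_TLS = bytes.fromhex("16030100c8010000c4")
SAMPLE_PLAINTEXT = bytes.fromhex("ca552dfa0000000c")


class Verdict(Enum):
    NEED_MORE_DATA = "need_more_data"
    TLS = "tls"
    PLAINTEXT = "plaintext"


def classify_first_bytes(buf: bytes) -> Verdict:
    """Decide from the first bytes of a new connection whether the peer speaks TLS."""
    if len(buf) < TLS_RECORD_HEADER_LEN:
        return Verdict.NEED_MORE_DATA  # never guess on a short read
    content_type, major, minor = buf[0], buf[1], buf[2]
    length = int.from_bytes(buf[3:5], "big")
    looks_like_tls = (
        content_type in TLS_CONTENT_TYPES
        and major == 3
        and minor <= 4
        and 0 < length <= MAX_TLS_RECORD_LEN
    )
    return Verdict.TLS if looks_like_tls else Verdict.PLAINTEXT


def admit(buf: bytes, encryption_optional: bool) -> str:
    """Hypothetical policy: encryption_optional=True models the transitional mode."""
    verdict = classify_first_bytes(buf)
    if verdict is Verdict.NEED_MORE_DATA:
        return "wait"
    if verdict is Verdict.TLS:
        return "start_tls_handshake"
    # Plaintext is admitted only while the cluster is still migrating.
    return "accept_plaintext" if encryption_optional else "reject"


if __name__ == "__main__":
    for name, sample in (("tls", SAMPLE_TLS), ("plaintext", SAMPLE_PLAINTEXT)):
        print(name, admit(sample, True), admit(sample, False))
```

While the optional setting is on, a peer that sends plaintext is still admitted, so the setting only protects traffic once it is switched off after every node has moved to TLS.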
