cassandra-commits mailing list archives

From "Jason Brown (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (CASSANDRA-13971) Automatic certificate management using Vault
Date Tue, 21 Nov 2017 16:28:01 GMT

    [ https://issues.apache.org/jira/browse/CASSANDRA-13971?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16260987#comment-16260987 ]

Jason Brown edited comment on CASSANDRA-13971 at 11/21/17 4:27 PM:
-------------------------------------------------------------------

bq. everyone can run his own Vault server

Oh, ok - I misunderstood this, then :D. I'm less concerned then as users can scale up Vault
to their needs. I thought it was only hosted by HashiCorp (or some related party).

bq. Having a specific implementation is still useful, as it makes the discussion less abstract.
I'm not even sure if it's possible to create a reasonable API without looking at any possible
implementations at all

I do agree with this.

bq. Also I'd much prefer to add a small rest client .... Dtests will download the Vault binary

My only minor concern here is [Vault is MPL|https://github.com/hashicorp/vault/blob/master/LICENSE],
and while I think that is fine for the ASF as [MPL is category-B|https://www.apache.org/legal/resolved.html#category-b],
let's research it more. Admittedly I just did the basic research to see if it's category-X,
didn't follow through all the way.


was (Author: jasobrown):
bq. everyone can run his own Vault server

Oh, ok - I misunderstood this, then :D. I'm less concerned then as users can scale up Vault
to their needs, then. I thought it was only hosted by HashiCorp (or some related party).

bq. Having a specific implementation is still useful, as it makes the discussion less abstract.
I'm not even sure if it's possible to create a reasonable API without looking at any possible
implementations at all

I do agree with this.

bq. Also I'd much prefer to add a small rest client .... Dtests will download the Vault binary

My only minor concern here is [Vault is MPL|https://github.com/hashicorp/vault/blob/master/LICENSE],
and while I think that is fine for the ASF as [MPL is category-B|https://www.apache.org/legal/resolved.html#category-b],
let's research it more. Admittedly I just did the basic research to see if it's category-X,
didn't follow through all the way.

> Automatic certificate management using Vault
> --------------------------------------------
>
>                 Key: CASSANDRA-13971
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-13971
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Streaming and Messaging
>            Reporter: Stefan Podkowinski
>            Assignee: Stefan Podkowinski
>             Fix For: 4.x
>
>
> We've been adding security features during the last years to enable users to secure their
> clusters, if they are willing to use them and do so correctly. Some features are powerful
> and easy to work with, such as role based authorization. Other features that require managing
> a local keystore are rather painful to deal with. Think about setting up SSL..
> To be fair, keystore related issues and certificate handling haven't been invented by
> us. We're just following Java standards there. But that doesn't mean that we absolutely have
> to, if there are better options. I'd like to give it a shot and find out if we can automate
> certificate/key handling (PKI) by using external APIs. In this case, the implementation will
> be based on [Vault|https://vaultproject.io]. But certificate management services offered by
> cloud providers may also be able to handle the use-case and I intend to create a generic,
> pluggable API for that.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
