From: aweisberg@apache.org To: commits@cassandra.apache.org Date: Wed, 15 Nov 2017 21:47:15 -0000 Message-Id: In-Reply-To: <7b6f5caba1744195b9d4ab4d41a9d308@git.apache.org> References: <7b6f5caba1744195b9d4ab4d41a9d308@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: [47/50] cassandra git commit: Node to Node encryption transitional mode archived-at: Wed, 15 Nov 2017 21:46:40 -0000 Node to Node encryption transitional mode patch by jasobrown; reviewed by Stefan Podkowinski for CASSANDRA-10404 Project: http://git-wip-us.apache.org/repos/asf/cassandra/repo Commit: http://git-wip-us.apache.org/repos/asf/cassandra/commit/7cc06a08 Tree: http://git-wip-us.apache.org/repos/asf/cassandra/tree/7cc06a08 Diff: http://git-wip-us.apache.org/repos/asf/cassandra/diff/7cc06a08 Branch: refs/heads/master Commit: 7cc06a086f89ed76499837558ff263d84337acba Parents: 957ae2b Author: Jason Brown Authored: Thu May 25 03:57:54 2017 -0700 Committer: Jason Brown Committed: Fri Nov 3 05:09:36 2017 -0700 ---------------------------------------------------------------------- requirements.txt | 2 +- sslnodetonode_test.py | 87 +++++++++++++-------- upgrade_tests/upgrade_through_versions_test.py | 8 +- 3 files changed, 62 insertions(+), 35 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cassandra/blob/7cc06a08/requirements.txt ---------------------------------------------------------------------- diff --git a/requirements.txt b/requirements.txt index a939dcd..2832ff1 100644 --- a/requirements.txt +++ b/requirements.txt @@ -4,7 +4,7 @@ futures six -e git+https://github.com/datastax/python-driver.git@cassandra-test#egg=cassandra-driver -ccm==2.8.4 +ccm==3.1.0 cql decorator docopt http://git-wip-us.apache.org/repos/asf/cassandra/blob/7cc06a08/sslnodetonode_test.py ---------------------------------------------------------------------- diff --git a/sslnodetonode_test.py b/sslnodetonode_test.py index a675985..d498b0f 100644 
--- a/sslnodetonode_test.py +++ b/sslnodetonode_test.py @@ -31,7 +31,7 @@ class TestNodeToNodeSSLEncryption(Tester): credNode1 = sslkeygen.generate_credentials("127.0.0.1") credNode2 = sslkeygen.generate_credentials("127.0.0.2", credNode1.cakeystore, credNode1.cacert) - self.setup_nodes(credNode1, credNode2, endpointVerification=True) + self.setup_nodes(credNode1, credNode2, endpoint_verification=True) self.allow_log_errors = False self.cluster.start() time.sleep(2) @@ -43,7 +43,7 @@ class TestNodeToNodeSSLEncryption(Tester): credNode1 = sslkeygen.generate_credentials("127.0.0.80") credNode2 = sslkeygen.generate_credentials("127.0.0.81", credNode1.cakeystore, credNode1.cacert) - self.setup_nodes(credNode1, credNode2, endpointVerification=False) + self.setup_nodes(credNode1, credNode2, endpoint_verification=False) self.cluster.start() time.sleep(2) self.cql_connection(self.node1) @@ -54,7 +54,7 @@ class TestNodeToNodeSSLEncryption(Tester): credNode1 = sslkeygen.generate_credentials("127.0.0.80") credNode2 = sslkeygen.generate_credentials("127.0.0.81", credNode1.cakeystore, credNode1.cacert) - self.setup_nodes(credNode1, credNode2, endpointVerification=True) + self.setup_nodes(credNode1, credNode2, endpoint_verification=True) self.allow_log_errors = True self.cluster.start(no_wait=True) @@ -66,7 +66,6 @@ class TestNodeToNodeSSLEncryption(Tester): self.assertTrue(found) self.cluster.stop() - self.assertTrue(found) def ssl_client_auth_required_fail_test(self): """peers need to perform mutual auth (cient auth required), but do not supply the local cert""" 
@@ -117,15 +116,41 @@ class TestNodeToNodeSSLEncryption(Tester): self.cluster.stop() self.assertTrue(found) + def optional_outbound_tls_test(self): + """listen on TLS port, but optionally connect using TLS. this supports the upgrade case of starting with a non-encrypted cluster and then upgrading each node to use encryption.""" + credNode1 = sslkeygen.generate_credentials("127.0.0.1") + credNode2 = sslkeygen.generate_credentials("127.0.0.2", credNode1.cakeystore, credNode1.cacert) + + # first, start cluster without TLS (either listening or connecting + self.setup_nodes(credNode1, credNode2, internode_encryption='none', encryption_enabled=False) + self.cluster.start() + self.cql_connection(self.node1) + + # next bounce the cluster to listen on both plain/secure sockets (do not connect secure port, yet, though) + self.bounce_node_with_updated_config(credNode1, self.node1, 'none', True, True) + self.bounce_node_with_updated_config(credNode2, self.node2, 'none', True, True) + + # next connect with TLS for the outbound connections + self.bounce_node_with_updated_config(credNode1, self.node1, 'all', True, True) + self.bounce_node_with_updated_config(credNode2, self.node2, 'all', True, True) + + # now shutdown the plaintext port + self.bounce_node_with_updated_config(credNode1, self.node1, 'all', True, False) + self.bounce_node_with_updated_config(credNode2, self.node2, 'all', True, False) + self.cluster.stop() + + def bounce_node_with_updated_config(self, credentials, node, internode_encryption, encryption_enabled, encryption_optional): + node.stop() + self.copy_cred(credentials, node, internode_encryption, encryption_enabled, encryption_optional) + node.start(wait_for_binary_proto=True) + def _grep_msg(self, node, *kwargs): tries = 30 while tries > 0: try: - print("Checking logs for error") for err in kwargs: m = node.grep_log(err) if m: - print("Found log message: {}".format(m[0])) return True except IOError: pass # log does not exists yet 
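Review bot: optional_outbound_tls_test never asserts that encryption is actually in effect at any stage — after the initial plaintext start it calls `self.cql_connection(self.node1)`, but the three bounce phases only check that each node comes back up with `wait_for_binary_proto=True`, so a cluster that silently kept talking plaintext during the `'all'` phases, or that never closed the plaintext listener after the final bounce with `encryption_optional=False`, would still pass. The test should confirm internode TLS is negotiated after the `'all'` phases and that a plaintext storage-port connection is refused once `optional` is switched off; the file already has `_grep_msg` for log-based checks, though which log line marks a successful TLS handshake I cannot tell from this hunk. Also the comment `# first, start cluster without TLS (either listening or connecting` is missing its closing parenthesis. `bounce_node_with_updated_config` has no docstring; something like `"""Stop *node*, rewrite its server_encryption_options from *credentials* and the given flags, and restart it."""` would do.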
@@ -134,33 +159,33 @@ class TestNodeToNodeSSLEncryption(Tester): return False - def setup_nodes(self, credentials1, credentials2, endpointVerification=False, client_auth=False): - + def setup_nodes(self, credentials1, credentials2, endpoint_verification=False, client_auth=False, internode_encryption='all', encryption_enabled=True, encryption_optional=False): cluster = self.cluster - - def copy_cred(credentials, node): - dir = node.get_conf_dir() - print("Copying credentials to node %s" % dir) - kspath = os.path.join(dir, 'keystore.jks') - tspath = os.path.join(dir, 'truststore.jks') - shutil.copyfile(credentials.keystore, kspath) - shutil.copyfile(credentials.cakeystore, tspath) - - node.set_configuration_options(values={ - 'server_encryption_options': { - 'internode_encryption': 'all', - 'keystore': kspath, - 'keystore_password': 'cassandra', - 'truststore': tspath, - 'truststore_password': 'cassandra', - 'require_endpoint_verification': endpointVerification, - 'require_client_auth': client_auth - } - }) - cluster = cluster.populate(2) self.node1 = cluster.nodelist()[0] - copy_cred(credentials1, self.node1) + self.copy_cred(credentials1, self.node1, internode_encryption, encryption_enabled, encryption_optional, endpoint_verification, client_auth) self.node2 = cluster.nodelist()[1] - copy_cred(credentials2, self.node2) + self.copy_cred(credentials2, self.node2, internode_encryption, encryption_enabled, encryption_optional, endpoint_verification, client_auth) + + def copy_cred(self, credentials, node, internode_encryption, encryption_enabled, encryption_optional, endpoint_verification=False, client_auth=False): + dir = node.get_conf_dir() + kspath = os.path.join(dir, 'keystore.jks') + tspath = os.path.join(dir, 'truststore.jks') + shutil.copyfile(credentials.keystore, kspath) + shutil.copyfile(credentials.cakeystore, tspath) + + node.set_configuration_options(values={ + 'server_encryption_options': { + 'enabled': encryption_enabled, + 'optional': 
encryption_optional, + 'internode_encryption': internode_encryption, + 'keystore': kspath, + 'keystore_password': 'cassandra', + 'truststore': tspath, + 'truststore_password': 'cassandra', + 'require_endpoint_verification': endpoint_verification, + 'require_client_auth': client_auth, + } + }) + http://git-wip-us.apache.org/repos/asf/cassandra/blob/7cc06a08/upgrade_tests/upgrade_through_versions_test.py ---------------------------------------------------------------------- diff --git a/upgrade_tests/upgrade_through_versions_test.py b/upgrade_tests/upgrade_through_versions_test.py index efeab0e..a825645 100644 --- a/upgrade_tests/upgrade_through_versions_test.py +++ b/upgrade_tests/upgrade_through_versions_test.py @@ -342,7 +342,7 @@ class UpgradeTester(Tester): # possibly "speed past" in an overly fast upgrade test time.sleep(60) - self.upgrade_to_version(version_meta, partial=True, nodes=(node,)) + self.upgrade_to_version(version_meta, partial=True, nodes=(node,), internode_ssl=internode_ssl) self._check_on_subprocs(self.subprocs) debug('Successfully upgraded %d of %d nodes to %s' % @@ -364,7 +364,7 @@ class UpgradeTester(Tester): self._write_values() self._increment_counters() - self.upgrade_to_version(version_meta) + self.upgrade_to_version(version_meta, internode_ssl=internode_ssl) self.cluster.set_install_dir(version=version_meta.version) self._check_values() @@ -410,7 +410,7 @@ class UpgradeTester(Tester): debug("Error terminating subprocess. There could be a lingering process.") pass - def upgrade_to_version(self, version_meta, partial=False, nodes=None): + def upgrade_to_version(self, version_meta, partial=False, nodes=None, internode_ssl=False): """ Upgrade Nodes - if *partial* is True, only upgrade those nodes that are specified by *nodes*, otherwise ignore *nodes* specified 
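Review bot: `copy_cred` defaults `endpoint_verification=False, client_auth=False`, and `bounce_node_with_updated_config` in the previous hunk calls it without passing either, so every bounce rewrites `server_encryption_options` with `require_endpoint_verification` and `require_client_auth` forced to False regardless of what `setup_nodes` configured. The only current caller starts from the defaults, so nothing is observably wrong today, but a future test that combines endpoint verification or mutual auth with the bounce would silently lose those checks. Either have the bounce helper accept and forward both flags, or drop the defaults so callers must state them explicitly: `def copy_cred(self, credentials, node, internode_encryption, encryption_enabled, encryption_optional, endpoint_verification, client_auth):`. Minor style point: the local `dir` shadows the builtin; `conf_dir` reads better.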
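Review bot: the new `internode_ssl=False` parameter of `upgrade_to_version` is not described in the visible part of the docstring, which continues outside the hunk; if it is not documented further down, add a line such as `- if *internode_ssl* is True, nodes at 4.0 or later are restarted with server_encryption_options enabled and the legacy ssl_storage_port kept open`. The parameter is a boolean used only by the 4.0+ branch added later in this patch, so stating that restriction here saves the reader a trip to the body.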
@@ -431,6 +431,8 @@ class UpgradeTester(Tester): for node in nodes: node.set_install_dir(version=version_meta.version) debug("Set new cassandra dir for %s: %s" % (node.name, node.get_install_dir())) + if internode_ssl and version_meta.version >= '4.0': + node.set_configuration_options({'server_encryption_options': {'enabled': True, 'enable_legacy_ssl_storage_port': True}}) # hacky? yes. We could probably extend ccm to allow this publicly. # the topology file needs to be written before any nodes are started --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscribe@cassandra.apache.org For additional commands, e-mail: commits-help@cassandra.apache.org
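Review bot: `version_meta.version >= '4.0'` compares against a string literal; if `version_meta.version` is itself a plain string this is a lexicographic comparison, so a hypothetical '10.x' or a '4.0-alpha' tag may not compare the way a version check expects — I cannot see version_meta's type from this hunk, so confirm whether it is already a version object before relying on it. If it is a string, compare parsed versions instead, e.g. `LooseVersion(version_meta.version) >= LooseVersion('4.0')` (assuming the file already imports it). Separately, `set_configuration_options({...})` is passed positionally here while the rest of the patch uses `values=`, and whether ccm merges this dict into an existing `server_encryption_options` or replaces it wholesale (dropping keystore paths set earlier) is not visible here; a short comment on that line, e.g. `# enable_legacy_ssl_storage_port presumably keeps the pre-4.0 ssl_storage_port listener up for mixed-version peers — confirm`, would help the next reader. The body of `upgrade_to_version` continues outside the hunk.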