[
https://issues.apache.org/jira/browse/CASSANDRA-10404?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16174847#comment-16174847
]
Stefan Podkowinski edited comment on CASSANDRA-10404 at 9/21/17 2:27 PM:
-------------------------------------------------------------------------
I had the following couple of questions/remarks while looking at the patch
today:
# Assuming we have a 3.x cluster already running with ssl enabled and now start
to bump the first node to 4.0. If we connect to {{storage_port}} by default in
4.0, won't the upgraded node fail to start with a "Unable to gossip with any
seeds" error?
# Do we want to add an option to disable the {{ssl_storage_port}}? E.g. by
setting it to the same value as storage_port?
# {{doc/source/operating/security.rst}}: needs to be updated
# {{cassandra.yaml}}: comments for {{storage_port}} and {{ssl_storage_port}}
not accurate anymore, as both can use encryption now. We also should clearly
describe the port as legacy port only used during upgrades. There should be a
link to {{security.rst}} for further details.
# Some of the native transport and internode netty code has become redundant,
e.g. {{Server.OptionalSecureInitializer}} and the new {{OptionalSslHandler}}.
It's probably not in scope of this ticket, but should maybe be addressed in
another ticket at some point.
# Use of {{server_encryption}} in {{NettyFactory.OutboundInitializer}} could
use some comments, especially on why we don't have to check all remaining
options such as {{internode_encryption}} (already checked in
{{MessagingService}})
> Node to Node encryption transitional mode
> -----------------------------------------
>
> Key: CASSANDRA-10404
> URL: https://issues.apache.org/jira/browse/CASSANDRA-10404
> Project: Cassandra
> Issue Type: New Feature
> Reporter: Tom Lewis
> Assignee: Jason Brown
> Fix For: 4.x
>
>
> Create a transitional mode for encryption that allows encrypted and
> unencrypted traffic node-to-node during a change over to encryption from
> unencrypted. This alleviates downtime during the switch.
> This is similar to CASSANDRA-10559 which is intended for client-to-node