[jira] [Commented] (CASSANDRA-20484) Bulkloader requires truststore path even when required_client_auth is false in cassandra.yaml

Mon, 31 Mar 2025 13:03:40 -0700 


    [ 
https://issues.apache.org/jira/browse/CASSANDRA-20484?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17939790#comment-17939790
 ] 

Niket Vilas Bagwe commented on CASSANDRA-20484:
-----------------------------------------------

[~maulin.vasavada] The documentation says that both  server_encryption_options  
and client_encryption_options are read from config file. Pls refer to the text 
just above 
[this|https://cassandra.apache.org/doc/stable/cassandra/tools/sstable/sstableloader.html#load-sstables-from-a-snapshot].
 Also, from the code its evident that the config is created from yaml file 
[here|https://github.com/apache/cassandra/blob/f278f6774fc76465c182041e081982105c3e7dbb/src/java/org/apache/cassandra/tools/LoaderOptions.java#L488]
   and then client_encyrption_options are copied 
[here|https://github.com/apache/cassandra/blob/f278f6774fc76465c182041e081982105c3e7dbb/src/java/org/apache/cassandra/tools/LoaderOptions.java#L553].

> Bulkloader requires truststore path even when required_client_auth is false 
> in cassandra.yaml
> ---------------------------------------------------------------------------------------------
>
>                 Key: CASSANDRA-20484
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-20484
>             Project: Apache Cassandra
>          Issue Type: Bug
>          Components: Tool/bulk load
>            Reporter: Niket Vilas Bagwe
>            Assignee: Maulin Vasavada
>            Priority: Normal
>
> If client_encryption_options are enabled in cassandra.yaml with 
> require_client_auth false *and* Sstableloader command is used with -f option 
> (for cassandra.yaml path), sstableloader fails with "NoSuchFileException: 
> conf/.truststore".
> Sample sstableloader command is as follows.
> |sstableloader /opt/cassandra/data/keyspace/table -d 127.0.0.1 -p 9042 -ssp 
> 7001 -sp 7000 -f */opt/nosql/clusters/cassandra-6382/conf/cassandra.yaml* -u 
> "caas" -pw *******|
> Exception encountered is as follows:
>  
> {code:java}
> Exception in thread "main" java.lang.RuntimeException: Could not create SSL 
> Context.
>         at 
> org.apache.cassandra.tools.BulkLoader.buildSSLOptions(BulkLoader.java:271)
>         at org.apache.cassandra.tools.BulkLoader.load(BulkLoader.java:72)
>         at org.apache.cassandra.tools.BulkLoader.main(BulkLoader.java:58)
> Caused by: javax.net.ssl.SSLException: failed to build trust manager store 
> for secure connections
>         at 
> org.apache.cassandra.security.FileBasedSslContextFactory.buildTrustManagerFactory(FileBasedSslContextFactory.java:196)
>         at 
> org.apache.cassandra.security.AbstractSslContextFactory.createJSSESslContext(AbstractSslContextFactory.java:155)
>         at 
> org.apache.cassandra.security.SSLFactory.createSSLContext(SSLFactory.java:127)
>         at 
> org.apache.cassandra.tools.BulkLoader.buildSSLOptions(BulkLoader.java:267)
>         ... 2 more
> Caused by: java.nio.file.NoSuchFileException: conf/.truststore
>         at 
> java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:92)
>         at 
> java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
>         at 
> java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:116)
>         at 
> java.base/sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:219)
>         at java.base/java.nio.file.Files.newByteChannel(Files.java:371)
>         at java.base/java.nio.file.Files.newByteChannel(Files.java:422)
>         at 
> java.base/java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemProvider.java:420)
>         at java.base/java.nio.file.Files.newInputStream(Files.java:156)
>         at 
> org.apache.cassandra.security.FileBasedSslContextFactory.buildTrustManagerFactory(FileBasedSslContextFactory.java:183)
>         ... 5 more {code}
> The reason for this is that sslcontext for native connection in BulkLoader is 
> always created with EncryptionOptions.ClientAuth set to true at 
> [line|https://github.com/apache/cassandra/blob/f278f6774fc76465c182041e081982105c3e7dbb/src/java/org/apache/cassandra/tools/BulkLoader.java#L267]
>  irrespective of the value of require_client_auth present in cassandra.yaml. 
> Because of this BulkLoader always expects to have a truststore file inorder 
> to verify the client certificates. Copying below the errorneous code block 
> for reference.
> {code:java}
>     private static SSLOptions buildSSLOptions(EncryptionOptions 
> clientEncryptionOptions)
>     {        if (!clientEncryptionOptions.getEnabled())
>         {
>             return null;
>         }        SSLContext sslContext;
>         try
>         {
> ################ problematic line
>             sslContext = SSLFactory.createSSLContext(clientEncryptionOptions, 
> true);
> ################
>         }
>         catch (IOException e)
>         {
>             throw new RuntimeException("Could not create SSL Context.", e);
>         } {code}
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to