[
https://issues.apache.org/jira/browse/CASSANDRA-20484?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18005163#comment-18005163
]
Andy Tolbert commented on CASSANDRA-20484:
------------------------------------------
I think [~Jyothsnakonisa] has this right; I don't think {{require_client_auth}}
is relevant to the error being observed in this context, as a client really
should always be verifying a server's certificate, which is why the
[line|https://github.com/apache/cassandra/blob/f278f6774fc76465c182041e081982105c3e7dbb/src/java/org/apache/cassandra/tools/BulkLoader.java#L267]
[[email protected]] pointed out is hardcoded to pass {{true}} to verify the peer
certificate.
There isn't an option to not require a valid trust store generally for Cassandra;
there isn't a way to configure it in a way that it falls back on the default
system trust or to ignore validating at all (unless you implement your own
{{ssl_context_factory}}), so you need to provide a path to a valid trust store
which contains certs you can trust to validate your server's cert.
To [~maulin.vasavada]'s question about {{server_encryption_options}} in the
documentation, particularly in the [Use a Config File for SSL
Clusters|https://cassandra.apache.org/doc/4.0/cassandra/tools/sstable/sstableloader.html#use-a-config-file-for-ssl-clusters]
section, it states:
{quote}
If SSL encryption is enabled in the cluster, use the --conf-path option with
sstableloader to point the tool to the cassandra.yaml with the relevant
server_encryption_options (e.g., truststore location, algorithm). This will
work better than passing individual ssl options shown above to sstableloader on
the command line.
{quote}
Looking at
[BulkLoader.java|https://github.com/apache/cassandra/blob/trunk/tools/sstableloader/src/org/apache/cassandra/tools/BulkLoader.java#L255-L266],
it looks like it uses {{client_encryption_options}} for configuring the ssl
context for use by the Driver, but {{server_encryption_options}} is also used
for setting up an ExternalClient
[here|https://github.com/apache/cassandra/blame/trunk/tools/sstableloader/src/org/apache/cassandra/tools/BulkLoader.java#L70]
to connect on the storage port to do bulkloading. Therefore it looks
significant to configure your truststore for both driver connectivity (using
client_encryption_options) and over the storage interface (using
server_encryption_options).
I think the documentation could be improved to make it more consistently
reference that *both* client_encryption and server_encryption_options be
configured when using SSL, but I think in the context of the jira issue,
everything is behaving as it should.
It's also a bit confusing I think because the {{client_encryption_options}}
configuration is being overloaded for use in bulk loader. It's used by the
server for setting up how the server should trust client connections over the
native protocol, but it's being used here in SSTableLoader for setting up a
client's configuration, which I think is a reasonable compromise to avoid adding
a bunch of client specific configuration just for sstableloader.
> Bulkloader requires truststore path even when required_client_auth is false
> in cassandra.yaml
> ---------------------------------------------------------------------------------------------
>
> Key: CASSANDRA-20484
> URL: https://issues.apache.org/jira/browse/CASSANDRA-20484
> Project: Apache Cassandra
> Issue Type: Bug
> Components: Tool/bulk load
> Reporter: Niket Vilas Bagwe
> Assignee: Maulin Vasavada
> Priority: Normal
> Attachments: image-2025-05-13-23-42-19-536.png
>
>
> If client_encryption_options are enabled in cassandra.yaml with
> require_client_auth false *and* Sstableloader command is used with -f option
> (for cassandra.yaml path), sstableloader fails with "NoSuchFileException:
> conf/.truststore".
> Sample sstableloader command is as follows.
> {code}
> sstableloader /opt/cassandra/data/keyspace/table -d 127.0.0.1 -p 9042 -ssp 7001 -sp 7000 -f /opt/nosql/clusters/cassandra-6382/conf/cassandra.yaml -u "caas" -pw *******
> {code}
> Exception encountered is as follows:
>
> {code:java}
> Exception in thread "main" java.lang.RuntimeException: Could not create SSL Context.
>     at org.apache.cassandra.tools.BulkLoader.buildSSLOptions(BulkLoader.java:271)
>     at org.apache.cassandra.tools.BulkLoader.load(BulkLoader.java:72)
>     at org.apache.cassandra.tools.BulkLoader.main(BulkLoader.java:58)
> Caused by: javax.net.ssl.SSLException: failed to build trust manager store for secure connections
>     at org.apache.cassandra.security.FileBasedSslContextFactory.buildTrustManagerFactory(FileBasedSslContextFactory.java:196)
>     at org.apache.cassandra.security.AbstractSslContextFactory.createJSSESslContext(AbstractSslContextFactory.java:155)
>     at org.apache.cassandra.security.SSLFactory.createSSLContext(SSLFactory.java:127)
>     at org.apache.cassandra.tools.BulkLoader.buildSSLOptions(BulkLoader.java:267)
>     ... 2 more
> Caused by: java.nio.file.NoSuchFileException: conf/.truststore
>     at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:92)
>     at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
>     at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:116)
>     at java.base/sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:219)
>     at java.base/java.nio.file.Files.newByteChannel(Files.java:371)
>     at java.base/java.nio.file.Files.newByteChannel(Files.java:422)
>     at java.base/java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemProvider.java:420)
>     at java.base/java.nio.file.Files.newInputStream(Files.java:156)
>     at org.apache.cassandra.security.FileBasedSslContextFactory.buildTrustManagerFactory(FileBasedSslContextFactory.java:183)
>     ... 5 more
> {code}
> The reason for this is that the sslcontext for native connection in BulkLoader is
> always created with EncryptionOptions.ClientAuth set to true at
> [line|https://github.com/apache/cassandra/blob/f278f6774fc76465c182041e081982105c3e7dbb/src/java/org/apache/cassandra/tools/BulkLoader.java#L267]
> irrespective of the value of require_client_auth present in cassandra.yaml.
> Because of this BulkLoader always expects to have a truststore file in order
> to verify the client certificates. Copying below the erroneous code block
> for reference.
> {code:java}
> private static SSLOptions buildSSLOptions(EncryptionOptions clientEncryptionOptions)
> {
>     if (!clientEncryptionOptions.getEnabled())
>     {
>         return null;
>     }
>
>     SSLContext sslContext;
>     try
>     {
>         // ################ problematic line
>         sslContext = SSLFactory.createSSLContext(clientEncryptionOptions, true);
>         // ################
>     }
>     catch (IOException e)
>     {
>         throw new RuntimeException("Could not create SSL Context.", e);
>     }
> {code}
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
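The configuration the comment above describes, written out as an added example (not from the Jira issue or the Cassandra project): a cassandra.yaml fragment to hand to sstableloader with -f / --conf-path, with a truststore set in *both* client_encryption_options (driver connection on the native port) and server_encryption_options (streaming over the storage port). All paths and the "changeit" passwords are placeholders; the keys themselves are the standard ones from the shipped cassandra.yaml.

```yaml
# Added example, not project config. Use absolute paths: the shipped default
# "conf/.truststore" is relative to the working directory sstableloader is
# started from, which is the NoSuchFileException seen in the issue.

client_encryption_options:
  enabled: true
  # Only tells the *server* whether to demand a client certificate on the
  # native port. sstableloader validates the server's certificate regardless,
  # so the truststore below is needed even when this is false.
  require_client_auth: false
  keystore: /etc/cassandra/certs/node-keystore.p12          # placeholder path
  keystore_password: changeit                               # placeholder
  truststore: /etc/cassandra/certs/cluster-truststore.p12   # placeholder path
  truststore_password: changeit                             # placeholder
  store_type: PKCS12

server_encryption_options:
  internode_encryption: all
  keystore: /etc/cassandra/certs/node-keystore.p12          # placeholder path
  keystore_password: changeit                               # placeholder
  truststore: /etc/cassandra/certs/cluster-truststore.p12   # placeholder path
  truststore_password: changeit                             # placeholder
  store_type: PKCS12
```

With that file in place the invocation from the issue reduces to pointing the tool at it, e.g. `sstableloader -d 127.0.0.1 -f /etc/cassandra/cassandra.yaml /opt/cassandra/data/keyspace/table`; both the driver connection and the storage-port connection then pick up the same truststore, which is the consistency the comment says the documentation should spell out.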
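To make the distinction the comment draws concrete (server-certificate validation is unconditional for a client; require_client_auth only governs whether the client must present its own certificate), here is an added, stand-alone JSSE example. It is not Cassandra's code: the `ClientTlsConfig` class is a hypothetical stand-in for the few EncryptionOptions fields involved, and Cassandra's own `SSLFactory.createSSLContext(options, true)` / `FileBasedSslContextFactory` differ in detail. What it does reproduce is the failure mode in the stack trace above (a missing truststore path fails before client auth is even considered) and, for contrast, the "fall back to the JDK default trust store" behaviour that plain JSSE allows but Cassandra's file-based factory does not expose.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Added example (not Cassandra code): how a JSSE client context is assembled. */
public class ClientTlsContextDemo
{
    /** Hypothetical stand-in for the EncryptionOptions fields this demo needs. */
    static final class ClientTlsConfig
    {
        final Path truststore;            // null => use the JDK default trust store
        final char[] truststorePassword;
        final Path keystore;              // consulted only when the server wants client auth
        final char[] keystorePassword;
        final boolean serverRequiresClientAuth;

        ClientTlsConfig(Path truststore, char[] truststorePassword,
                        Path keystore, char[] keystorePassword,
                        boolean serverRequiresClientAuth)
        {
            this.truststore = truststore;
            this.truststorePassword = truststorePassword;
            this.keystore = keystore;
            this.keystorePassword = keystorePassword;
            this.serverRequiresClientAuth = serverRequiresClientAuth;
        }
    }

    static SSLContext buildClientContext(ClientTlsConfig cfg) throws IOException, GeneralSecurityException
    {
        // 1. Trust managers: a TLS client must validate the server's certificate, so this step
        //    is unconditional. It is what the hardcoded `true` in BulkLoader stands for.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        if (cfg.truststore == null)
        {
            // Plain JSSE can fall back to the JDK's cacerts. Cassandra's file-based
            // ssl_context_factory has no such option; it always opens the configured path.
            tmf.init((KeyStore) null);
        }
        else
        {
            tmf.init(loadKeyStore(cfg.truststore, cfg.truststorePassword));
        }

        // 2. Key managers: only needed when the *server* will ask the client for a certificate.
        //    This, and only this, is what require_client_auth is about.
        KeyManager[] keyManagers = null;
        if (cfg.serverRequiresClientAuth)
        {
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(loadKeyStore(cfg.keystore, cfg.keystorePassword), cfg.keystorePassword);
            keyManagers = kmf.getKeyManagers();
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagers, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Opens the store the way the Jira stack trace does: Files.newInputStream throws NoSuchFileException. */
    static KeyStore loadKeyStore(Path path, char[] password) throws IOException, GeneralSecurityException
    {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(path))
        {
            ks.load(in, password);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception
    {
        char[] pw = "changeit".toCharArray(); // placeholder password

        // Case A: client auth NOT required, but the configured truststore path does not exist.
        // Fails exactly like the issue, because the truststore is for validating the server.
        try
        {
            buildClientContext(new ClientTlsConfig(Path.of("conf/.truststore"), pw, null, null, false));
            System.out.println("unexpected: context built without a trust store");
        }
        catch (NoSuchFileException e)
        {
            System.out.println("missing truststore still fails with require_client_auth=false: " + e.getMessage());
        }

        // Case B: no truststore configured at all -> JDK default trust (cacerts).
        // Shown only for contrast; Cassandra does not offer this fallback.
        SSLContext ctx = buildClientContext(new ClientTlsConfig(null, null, null, null, false));
        System.out.println("context using JDK default trust store: " + ctx.getProtocol());
    }
}
```

Run it from a directory without a `conf/.truststore` and case A prints the NoSuchFileException for that relative path; flipping the last constructor argument to `true` changes nothing about that failure, because the keystore is never reached before the truststore is opened. Case B is the convenience the comment says is absent from Cassandra; a real deployment should still point at an explicit truststore containing the cluster's CA rather than trusting every public CA in cacerts.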