[jira] [Comment Edited] (CASSANDRA-18124) Config parameter keystore_password should be nullable
[ https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17712659#comment-17712659 ]

Stefan Miklosovic edited comment on CASSANDRA-18124 at 4/15/23 1:45 PM:

4.1 j8 pre-commit https://app.circleci.com/pipelines/github/instaclustr/cassandra/2079/workflows/1b38f1ca-83c2-4670-91fd-1d438974deef
4.1 j11 pre-commit https://app.circleci.com/pipelines/github/instaclustr/cassandra/2079/workflows/8c42e4dc-06f8-4d9e-acc5-a6fb7dc27800
trunk j8 pre-commit https://app.circleci.com/pipelines/github/instaclustr/cassandra/2080/workflows/f02a1089-b95f-4284-895d-73fbdbc63f8c
trunk j11 pre-commit https://app.circleci.com/pipelines/github/instaclustr/cassandra/2080/workflows/a560d634-2596-4954-8486-87764efaee0d

all failing tests are known / are flaky

4.1 branch / commit https://github.com/instaclustr/cassandra/commit/bd49f6ff265c8bfa64bf140328ae6736dc4a87bd
trunk branch / commit https://github.com/instaclustr/cassandra/commit/c67b8691e0e32ad9133a5295bc2f9d756dd0541c

I just took what was there from Maulin and squashed it and rebased. Both 4.1 and trunk example in examples/ssl-factory work. CI also contains multiplexer jobs for modified / added tests.

[~maedhroz] I am +1, are you too? I have to ask!

was (Author: smiklosovic):
4.1 j8 pre-commit https://app.circleci.com/pipelines/github/instaclustr/cassandra/2079/workflows/1b38f1ca-83c2-4670-91fd-1d438974deef
4.1 j11 pre-commit https://app.circleci.com/pipelines/github/instaclustr/cassandra/2079/workflows/8c42e4dc-06f8-4d9e-acc5-a6fb7dc27800
trunk j8 pre-commit https://app.circleci.com/pipelines/github/instaclustr/cassandra/2080/workflows/f02a1089-b95f-4284-895d-73fbdbc63f8c
trunk j11 pre-commit https://app.circleci.com/pipelines/github/instaclustr/cassandra/2080/workflows/a560d634-2596-4954-8486-87764efaee0d

all failing tests are known / are flaky

4.1 branch / commit https://github.com/instaclustr/cassandra/commit/bd49f6ff265c8bfa64bf140328ae6736dc4a87bd
trunk branch / commit https://github.com/instaclustr/cassandra/commit/c67b8691e0e32ad9133a5295bc2f9d756dd0541c

I just took what was there from Maulin and squashed it and rebased.

[~maedhroz] I am +1, are you too? I have to ask!

> Config parameter keystore_password should be nullable
> -----------------------------------------------------
>
> Key: CASSANDRA-18124
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18124
> Project: Cassandra
> Issue Type: Bug
> Components: Local/Config
> Reporter: Tibor Repasi
> Assignee: Maulin Vasavada
> Priority: Normal
> Fix For: 4.1.x, 5.x
>
> Time Spent: 10h 40m
> Remaining Estimate: 0h
>
> Some SSL configuration may pass unencrypted private keys. PEMReader might
> accept that by assuming keyPassword to be null in that case (e.g.
> https://github.com/apache/cassandra/blob/f9e033f519c14596da4dc954875756a69aea4e78/src/java/org/apache/cassandra/security/PEMReader.java#L103).
> Current configuration reader does not accept keystore_password parameter to
> be set null or empty in the cassandra.yaml.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)

To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Comment Edited] (CASSANDRA-18124) Config parameter keystore_password should be nullable
[ https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17711098#comment-17711098 ]

Maulin Vasavada edited comment on CASSANDRA-18124 at 4/11/23 7:52 PM:

Will prepare 4.1 patch and picked-up Caleb's suggestions on the NEWS.txt. Now I guess one comment left to be resolved. It shows conflict for NEWS.txt with trunk so I'd have to take the latest copy and reapply the latest changes on it once we close on all the comments.

was (Author: maulin.vasavada):
Will prepare 4.1 patch and picked-up Caleb's suggestions on the NEWS.txt. Now I guess one comment left to be resolved.
[jira] [Comment Edited] (CASSANDRA-18124) Config parameter keystore_password should be nullable
[ https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17710308#comment-17710308 ]

Stefan Miklosovic edited comment on CASSANDRA-18124 at 4/10/23 8:54 PM:

I tried to backport it here https://github.com/instaclustr/cassandra/commit/943bf9824387e60a5a30745508d6b8a869e5607e

I'll build it soonish. Could you go through that if you have 10 mins?

https://github.com/apache/cassandra/pull/2268

was (Author: smiklosovic):
I tried to backport it here https://github.com/instaclustr/cassandra/commit/943bf9824387e60a5a30745508d6b8a869e5607e

I'll build it soonish. Could you go through that if you have 10 mins?
[jira] [Comment Edited] (CASSANDRA-18124) Config parameter keystore_password should be nullable
[ https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17710306#comment-17710306 ]

Maulin Vasavada edited comment on CASSANDRA-18124 at 4/10/23 8:41 PM:

[~smiklosovic] This might have conflict with 4.1 because the trunk's compilation on examples/ssl-factory was broken and originally you fixed it in your branch and I picked up the same changes in my PR. I made sure in my PR I have a separate commit just to fix that compilation issue on the trunk to clearly see what was needed for that vs my actual intended changes for this ticket.

Yes based on CASSANDRA-17513 changes the examples/ssl-factory needed to have the changes it didn't have I think.

was (Author: maulin.vasavada):
[~smiklosovic] This might have conflict with 4.1 because the trunk's compilation on examples/ssl-factory was broken and originally you fixed it in your branch and I picked up the same changes in my PR. I made sure in my PR I have a separate commit just to fix that compilation issue on the trunk to clearly see what was needed for that vs my actual intended changes for this ticket.
[jira] [Comment Edited] (CASSANDRA-18124) Config parameter keystore_password should be nullable
[ https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17710275#comment-17710275 ]

Stefan Miklosovic edited comment on CASSANDRA-18124 at 4/10/23 7:42 PM:

[~maulin.vasavada] is this applicable to 4.1? I was trying to cherry-pick that but I was getting conflicts. Was there something done in trunk since 4.1 so this is not nicely applicable to 4.1? I am OK with committing only to trunk if it is too much work.

This stuff seems to add new things https://issues.apache.org/jira/browse/CASSANDRA-17513

was (Author: smiklosovic):
[~maulin.vasavada] is this applicable to 4.1? I was trying to cherry-pick that but I was getting conflicts. Was there something done in trunk since 4.1 so this is not nicely applicable to 4.1? I am OK with committing only to trunk if it is too much work.
[jira] [Comment Edited] (CASSANDRA-18124) Config parameter keystore_password should be nullable
[ https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17710275#comment-17710275 ]

Stefan Miklosovic edited comment on CASSANDRA-18124 at 4/10/23 7:34 PM:

[~maulin.vasavada] is this applicable to 4.1? I was trying to cherry-pick that but I was getting conflicts. Was there something done in trunk since 4.1 so this is not nicely applicable to 4.1? I am OK with committing only to trunk if it is too much work.

was (Author: smiklosovic):
[~maulin.vasavada] is this applicable to 4.1? I was trying to cherry-pick that but I was getting conflicts. Was there something done in trunk since 4.1 so this is not nicely applicable to 4.1?
[jira] [Comment Edited] (CASSANDRA-18124) Config parameter keystore_password should be nullable
[ https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17708973#comment-17708973 ]

Caleb Rackliffe edited comment on CASSANDRA-18124 at 4/5/23 3:50 PM:

+1 (w/ some minor conversations to wrap up in the PR)

The two test failures that popped up are a timeout and a 2i building failure, neither of which have anything to do w/ this patch.

was (Author: maedhroz):
+1 (w/ some minor conversations to wrap up in the PR)
[jira] [Comment Edited] (CASSANDRA-18124) Config parameter keystore_password should be nullable
[ https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17707335#comment-17707335 ]

Stefan Miklosovic edited comment on CASSANDRA-18124 at 3/31/23 7:18 PM:

j8 precommit looks good https://app.circleci.com/pipelines/github/instaclustr/cassandra/2043/workflows/058d0781-13f9-45f0-9343-b6b84d6f4485
j11 precommit too https://app.circleci.com/pipelines/github/instaclustr/cassandra/2043/workflows/dcd865fa-7332-47cc-ba60-cb2ee1f18024

I have also tested example and tests pass.

[~rtib] is that still all good for you? I then have to look for another committer.

was (Author: smiklosovic):
j8 precommit looks good https://app.circleci.com/pipelines/github/instaclustr/cassandra/2043/workflows/058d0781-13f9-45f0-9343-b6b84d6f4485
[jira] [Comment Edited] (CASSANDRA-18124) Config parameter keystore_password should be nullable
[ https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17699885#comment-17699885 ]

Maulin Vasavada edited comment on CASSANDRA-18124 at 3/29/23 7:04 PM:

[~smiklosovic] Here you go [-https://github.com/apache/cassandra/pull/2225-]

was (Author: maulin.vasavada):
[~smiklosovic] Here you go https://github.com/apache/cassandra/pull/2225
[jira] [Comment Edited] (CASSANDRA-18124) Config parameter keystore_password should be nullable
[ https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17704370#comment-17704370 ]

Maulin Vasavada edited comment on CASSANDRA-18124 at 3/23/23 9:39 PM:

Thanks [~rtib] for the review. I can update the cassandra yaml to have the PEM example in comments. Also I'll try to check on the Nodetool output. I fixed the issue of getting truststore warning for the PEM and made truststore password also nullable but this warning I need to check. Earlier it came because of defaults and the fallback of `key_password` to `keystore_password` in the absence of the prior, now it could be the same reason. One option is - avoid logging a warning in case both the values are same since technically it doesn't create any issue ONLY in case they are different we should log a warning. What do you think?

Meanwhile [~smiklosovic] can we get any additional PR reviews to have more eyes on this ?

was (Author: maulin.vasavada):
Thanks [~rtib] for the review. I can update the cassandra yaml to have the PEM example in comments. Also I'll try to check on the Nodetool output. I fixed the issue of getting truststore warning for the PEM and made truststore password also nullable but this warning I need to check. Earlier it came because of defaults and the fallback of `key_password` to `keystore_password` in the absence of the prior, now it could be the same reason.

Meanwhile [~smiklosovic] can we get any additional PR reviews to have more eyes on this ?
[jira] [Comment Edited] (CASSANDRA-18124) Config parameter keystore_password should be nullable
[ https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17699885#comment-17699885 ]

Maulin Vasavada edited comment on CASSANDRA-18124 at 3/16/23 9:01 PM:

[~smiklosovic] Here you go https://github.com/apache/cassandra/pull/2225

was (Author: maulin.vasavada):
[~smiklosovic] Here you go with [a PR|https://github.com/instaclustr/cassandra/pull/49] on the instaclustr/cassandra. Let us review that and I can start porting those changes to 4.1/trunk on apache/cassandra.
[jira] [Comment Edited] (CASSANDRA-18124) Config parameter keystore_password should be nullable
[ https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17699145#comment-17699145 ]

Maulin Vasavada edited comment on CASSANDRA-18124 at 3/11/23 1:18 AM:

So far it looks like 1st option is more convoluted. 2nd option is much cleaner and simple changes. If we fail to provide `keystore_password` for the JKS, it will fail with the new changes (throws NPE since the FileBasedSslContextFactory.java doesn't expect null for the password). I can add validation in the FileBasedSslContextFactory for the null keystore password to avoid NPE.

was (Author: maulin.vasavada):
So far it looks like 1st option is more convoluted. 2nd option is much cleaner and simple changes. If we fail to provide `keystore_password` for the JKS, it will fail with the new changes (throws NPE since the FileBasedSslContextFactory.java) doesn't expect null for the password. I can add validation in the FileBasedSslContextFactory for the null keystore password to avoid NPE.
[jira] [Comment Edited] (CASSANDRA-18124) Config parameter keystore_password should be nullable
[ https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17699105#comment-17699105 ]

Maulin Vasavada edited comment on CASSANDRA-18124 at 3/10/23 8:36 PM:

Thanks [~brandon.williams] .

[~smiklosovic] While modifying the code to allow null password configuration for the PEM I am running into a challenge due to the default logic to fallback to `keystore_password` configuration in case `key_password` configuration (created for the PEM) is null/missing. Due to that fallback logic we have to change default for the `keystore_password` also to be null (specifically in EncryptionOptions.java). I think we have two options-
# Drop the fallback logic reading the `keystore_password` in case of PEM keys.
## This fallback logic was done primarily to support a use-case for PEM keys provided in a file with existing `keystore` configuration in which case it also makes sense to continue to read the key password from the `keystore_password` configuration.
# Make `keystore_password` nullable configuration which means removing the default value injected by EncryptionOptions.java
## I think we can make this nullable since practically operators might not have JKS keystores without the passwords except for a missed-configuration use-case AND for PEM it makes perfect sense to allow null password for the unencrypted keys.
## However, since we are changing the default for an older configuration, we have to give more thoughts on its effect on existing systems.

Let me see what 2nd option entails (in terms of tests etc) while you provide your thoughts on this.

was (Author: maulin.vasavada):
Thanks [~brandon.williams] .

[~smiklosovic] While modifying the code to allow null password configuration for the PEM I am running into a challenge due to the default logic to fallback to `keystore_password` configuration in case `key_password` configuration (created for the PEM) is null/missing. Due to that fallback logic we have to change default for the `keystore_password` also to be null (specifically in EncryptionOptions.java). I think we have two options-
# Drop the fallback logic reading the `keystore_password` in case of PEM keys.
## This fallback logic was done primarily to support a use-case for PEM keys provided in a file with existing `keystore` configuration in which case it also makes sense to continue to read the key password from the `keystore_password` configuration.
# Make `keystore_password` nullable configuration which means removing the default value injected by EncryptionOptions.java
## I think we can make this nullable since practically operators might not have JKS keystores with the passwords except for a missed-configuration use-case AND for PEM it makes perfect sense to allow null password for the unencrypted keys.
## However, since we are changing the default for an older configuration, we have to give more thoughts on its effect on existing systems.

Let me see what 2nd option entails (in terms of tests etc) while you provide your thoughts on this.
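The password handling discussed in this thread (the `key_password` to `keystore_password` fallback for PEM, a nullable `keystore_password`, an explicit check for a JKS keystore with no password, and the proposed "warn only when the two values differ" rule), as an added example that is not Cassandra's code or part of any comment above. The class, enum and method names are hypothetical, and treating an empty string like null is an assumption of this example.

```java
import java.util.Arrays;

/** Added illustration, not Cassandra code: every name in this file is hypothetical. */
public final class KeystorePasswordResolution
{
    enum StoreFormat { PEM, JKS }

    /** Result of resolving the two configured passwords for one encryption-options block. */
    static final class Resolved
    {
        final char[] keyPassword;   // null means: the private key is treated as unencrypted
        final boolean warnMismatch; // true means: both passwords are set and they differ

        Resolved(char[] keyPassword, boolean warnMismatch)
        {
            this.keyPassword = keyPassword;
            this.warnMismatch = warnMismatch;
        }
    }

    // Assumption of this example: an empty value in the YAML is handled like a missing one.
    private static String emptyToNull(String s)
    {
        return (s == null || s.isEmpty()) ? null : s;
    }

    static Resolved resolve(StoreFormat format, String keyPassword, String keystorePassword)
    {
        String keyPw = emptyToNull(keyPassword);
        String storePw = emptyToNull(keystorePassword);

        if (format == StoreFormat.JKS)
        {
            // With no injected default, a JKS keystore without a password is a
            // misconfiguration: reject it with a clear message up front instead of
            // letting a NullPointerException surface later.
            if (storePw == null)
                throw new IllegalArgumentException("keystore_password must be set for a JKS keystore");
            return new Resolved(storePw.toCharArray(), false);
        }

        // PEM: key_password wins, otherwise fall back to keystore_password.
        // If both are absent the key is taken to be unencrypted.
        String effective = keyPw != null ? keyPw : storePw;

        // Warn only when both values are present and different; equal values are harmless.
        boolean mismatch = keyPw != null && storePw != null && !keyPw.equals(storePw);

        return new Resolved(effective == null ? null : effective.toCharArray(), mismatch);
    }

    private static void expect(boolean condition, String what)
    {
        if (!condition)
            throw new AssertionError(what);
        System.out.println("ok: " + what);
    }

    public static void main(String[] args)
    {
        // Constructed inputs, not taken from any real cassandra.yaml.
        Resolved r = resolve(StoreFormat.PEM, null, null);
        expect(r.keyPassword == null && !r.warnMismatch,
               "PEM with no passwords: unencrypted key accepted, no warning");

        r = resolve(StoreFormat.PEM, null, "store-secret");
        expect(Arrays.equals(r.keyPassword, "store-secret".toCharArray()) && !r.warnMismatch,
               "PEM without key_password falls back to keystore_password");

        r = resolve(StoreFormat.PEM, "same", "same");
        expect(Arrays.equals(r.keyPassword, "same".toCharArray()) && !r.warnMismatch,
               "PEM with identical passwords: no warning");

        r = resolve(StoreFormat.PEM, "key-secret", "store-secret");
        expect(Arrays.equals(r.keyPassword, "key-secret".toCharArray()) && r.warnMismatch,
               "PEM with different passwords: key_password used, warning raised");

        boolean rejected = false;
        try
        {
            resolve(StoreFormat.JKS, null, null);
        }
        catch (IllegalArgumentException e)
        {
            rejected = true;
        }
        expect(rejected, "JKS without keystore_password is rejected with a clear error");
    }
}
```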
[jira] [Comment Edited] (CASSANDRA-18124) Config parameter keystore_password should be nullable
[ https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17699105#comment-17699105 ]

Maulin Vasavada edited comment on CASSANDRA-18124 at 3/10/23 8:35 PM:

Thanks [~brandon.williams] .

[~smiklosovic] While modifying the code to allow null password configuration for the PEM I am running into a challenge due to the default logic to fallback to `keystore_password` configuration in case `key_password` configuration (created for the PEM) is null/missing. Due to that fallback logic we have to change default for the `keystore_password` also to be null (specifically in EncryptionOptions.java). I think we have two options-
# Drop the fallback logic reading the `keystore_password` in case of PEM keys.
## This fallback logic was done primarily to support a use-case for PEM keys provided in a file with existing `keystore` configuration in which case it also makes sense to continue to read the key password from the `keystore_password` configuration.
# Make `keystore_password` nullable configuration which means removing the default value injected by EncryptionOptions.java
## I think we can make this nullable since practically operators might not have JKS keystores with the passwords except for a missed-configuration use-case AND for PEM it makes perfect sense to allow null password for the unencrypted keys.
## However, since we are changing the default for an older configuration, we have to give more thoughts on its effect on existing systems.

Let me see what 2nd option entails (in terms of tests etc) while you provide your thoughts on this.

was (Author: maulin.vasavada):
Thanks [~brandon.williams] .

[~smiklosovic] While modifying the code to allow null password configuration for the PEM I am running into a challenge that we have a logic to fallback to `keystore_password` configuration in case `key_password` configuration (created for the PEM). Due to that fallback logic we have to change default for the `keystore_password` also to be null (specifically in EncryptionOptions.java). I think we have two options-
# Drop the fallback logic reading the `keystore_password` in case of PEM keys.
## This fallback logic was done primarily to support a use-case for PEM keys provided in a file with existing `keystore` configuration in which case it also makes sense to continue to read the key password from the `keystore_password` configuration.
# Make `keystore_password` nullable configuration which means removing the default value injected by EncryptionOptions.java
## I think we can make this nullable since practically operators might not have JKS keystores with the passwords except for a missed-configuration use-case AND for PEM it makes perfect sense to allow null password for the unencrypted keys.
## However, since we are changing the default for an older configuration, we have to give more thoughts on its effect on existing systems.

Let me see what 2nd option entails (in terms of tests etc) while you provide your thoughts on this.
[jira] [Comment Edited] (CASSANDRA-18124) Config parameter keystore_password should be nullable
[ https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17698669#comment-17698669 ]

Brandon Williams edited comment on CASSANDRA-18124 at 3/10/23 1:04 AM:

I think you should base this patch off of 4.1 and trunk, regardless of other tickets.

was (Author: brandon.williams):
I think you should base this patch off of trunk, regardless of other tickets.
[jira] [Comment Edited] (CASSANDRA-18124) Config parameter keystore_password should be nullable
[ https://issues.apache.org/jira/browse/CASSANDRA-18124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17698660#comment-17698660 ]

Maulin Vasavada edited comment on CASSANDRA-18124 at 3/10/23 12:39 AM:

[~smiklosovic] I'll take this. Sorry last couple of weeks have been crazy.

was (Author: maulin.vasavada):
[~smiklosovic] I'll take this. Sorry last couple of weeks has been crazy.