client_encryption_options to use enabled Patch by aleksey reviewed by vijay for CASSANDRA-4994
Project: http://git-wip-us.apache.org/repos/asf/cassandra/repo Commit: http://git-wip-us.apache.org/repos/asf/cassandra/commit/24cf1d12 Tree: http://git-wip-us.apache.org/repos/asf/cassandra/tree/24cf1d12 Diff: http://git-wip-us.apache.org/repos/asf/cassandra/diff/24cf1d12 Branch: refs/heads/cassandra-1.2 Commit: 24cf1d1256dd837cfb9b310195c83f9bb1aa697a Parents: f31c530 Author: Vijay Parthasarathy <vijay2...@gmail.com> Authored: Tue Nov 27 00:17:08 2012 -0800 Committer: Vijay Parthasarathy <vijay2...@gmail.com> Committed: Tue Nov 27 00:17:08 2012 -0800 ---------------------------------------------------------------------- conf/cassandra.yaml | 6 +---- .../org/apache/cassandra/cli/CliSessionState.java | 3 +- src/java/org/apache/cassandra/config/Config.java | 8 ++++-- .../cassandra/config/DatabaseDescriptor.java | 6 +++- .../apache/cassandra/config/EncryptionOptions.java | 18 +++++++++----- .../org/apache/cassandra/net/MessagingService.java | 4 +- .../apache/cassandra/thrift/CustomTHsHaServer.java | 3 +- .../cassandra/thrift/CustomTNonBlockingServer.java | 3 +- .../cassandra/thrift/CustomTThreadPoolServer.java | 7 ++--- .../src/org/apache/cassandra/stress/Session.java | 3 +- 10 files changed, 32 insertions(+), 29 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cassandra/blob/24cf1d12/conf/cassandra.yaml ---------------------------------------------------------------------- diff --git a/conf/cassandra.yaml b/conf/cassandra.yaml index a79e150..8aaeb38 100644 --- a/conf/cassandra.yaml +++ b/conf/cassandra.yaml 
@@ -623,20 +623,16 @@ server_encryption_options: # cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA] # enable or disable client/server encryption. -# The available internode options are: none, all client_encryption_options: - internode_encryption: none + enabled: false keystore: conf/.keystore keystore_password: cassandra - truststore: conf/.truststore - truststore_password: cassandra # More advanced defaults below: # protocol: TLS # algorithm: SunX509 # store_type: JKS # cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA] - # internode_compression controls whether traffic between nodes is # compressed. # can be: all - all traffic is compressed http://git-wip-us.apache.org/repos/asf/cassandra/blob/24cf1d12/src/java/org/apache/cassandra/cli/CliSessionState.java ---------------------------------------------------------------------- diff --git a/src/java/org/apache/cassandra/cli/CliSessionState.java b/src/java/org/apache/cassandra/cli/CliSessionState.java index 08375bb..d36b7f3 100644 --- a/src/java/org/apache/cassandra/cli/CliSessionState.java +++ b/src/java/org/apache/cassandra/cli/CliSessionState.java @@ -22,6 +22,7 @@ import java.io.PrintStream; import org.apache.cassandra.cli.transport.FramedTransportFactory; import org.apache.cassandra.config.EncryptionOptions; +import org.apache.cassandra.config.EncryptionOptions.ClientEncryptionOptions; import org.apache.cassandra.tools.NodeProbe; import org.apache.thrift.transport.TTransportFactory; 
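Review bot: The new `enabled: false` key is introduced without any comment saying what turning it on does, and the commit elsewhere makes the hsha and non-blocking Thrift servers refuse to start when it is true, so that constraint belongs next to the key: `# enabled: true turns on TLS for Thrift client connections; only the synchronous rpc_server_type supports it, the others refuse to start`. The truststore lines are dropped from this block while the Java base class keeps the `truststore`/`truststore_password` fields, so a value an operator leaves under client_encryption_options is silently ignored — one more comment line, `# only the keystore is used here; client certificates are not verified`, would keep anyone from expecting mutual TLS. The surrounding comment block continues outside the hunk.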
@@ -43,7 +44,7 @@ public class CliSessionState public boolean verbose = false; // verbose output public int schema_mwt = 10 * 1000; // Schema migration wait time (secs.) public TTransportFactory transportFactory = new FramedTransportFactory(); - public EncryptionOptions encOptions = new EncryptionOptions(); + public EncryptionOptions encOptions = new ClientEncryptionOptions(); /* * Streams to read/write from http://git-wip-us.apache.org/repos/asf/cassandra/blob/24cf1d12/src/java/org/apache/cassandra/config/Config.java ---------------------------------------------------------------------- diff --git a/src/java/org/apache/cassandra/config/Config.java b/src/java/org/apache/cassandra/config/Config.java index c605a3a..6395690 100644 --- a/src/java/org/apache/cassandra/config/Config.java +++ b/src/java/org/apache/cassandra/config/Config.java @@ -18,6 +18,8 @@ package org.apache.cassandra.config; import org.apache.cassandra.cache.SerializingCacheProvider; +import org.apache.cassandra.config.EncryptionOptions.ClientEncryptionOptions; +import org.apache.cassandra.config.EncryptionOptions.ServerEncryptionOptions; /** * A class that contains configuration properties for the cassandra node it runs within. 
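Review bot: The field is constructed as a `ClientEncryptionOptions` but still declared as the abstract `EncryptionOptions`, so the new `enabled` flag is unreachable from anything that reads `encOptions` without a downcast; the Session.java hunk at the end of this commit has the same pattern. Unless an existing caller needs the wider type (nothing in the hunk shows one), declare it as `public ClientEncryptionOptions encOptions = new ClientEncryptionOptions();`. The class body continues outside the hunk.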
@@ -126,10 +128,10 @@ public class Config public RequestSchedulerId request_scheduler_id; public RequestSchedulerOptions request_scheduler_options; - public EncryptionOptions server_encryption_options = new EncryptionOptions(); - public EncryptionOptions client_encryption_options = new EncryptionOptions(); + public ServerEncryptionOptions server_encryption_options = new ServerEncryptionOptions(); + public ClientEncryptionOptions client_encryption_options = new ClientEncryptionOptions(); // this encOptions is for backward compatibility (a warning is logged by DatabaseDescriptor) - public EncryptionOptions encryption_options; + public ServerEncryptionOptions encryption_options; public InternodeCompression internode_compression = InternodeCompression.none; http://git-wip-us.apache.org/repos/asf/cassandra/blob/24cf1d12/src/java/org/apache/cassandra/config/DatabaseDescriptor.java ---------------------------------------------------------------------- diff --git a/src/java/org/apache/cassandra/config/DatabaseDescriptor.java b/src/java/org/apache/cassandra/config/DatabaseDescriptor.java index e615887..bb3e7c1 100644 --- a/src/java/org/apache/cassandra/config/DatabaseDescriptor.java +++ b/src/java/org/apache/cassandra/config/DatabaseDescriptor.java @@ -33,6 +33,8 @@ import org.slf4j.LoggerFactory; import org.apache.cassandra.auth.*; import org.apache.cassandra.cache.IRowCacheProvider; import org.apache.cassandra.config.Config.RequestSchedulerId; +import org.apache.cassandra.config.EncryptionOptions.ClientEncryptionOptions; +import org.apache.cassandra.config.EncryptionOptions.ServerEncryptionOptions; import org.apache.cassandra.db.ColumnFamilyStore; import org.apache.cassandra.db.DefsTable; import org.apache.cassandra.db.SystemTable; 
@@ -1092,12 +1094,12 @@ public class DatabaseDescriptor conf.dynamic_snitch_badness_threshold = dynamicBadnessThreshold; } - public static EncryptionOptions getServerEncryptionOptions() + public static ServerEncryptionOptions getServerEncryptionOptions() { return conf.server_encryption_options; } - public static EncryptionOptions getClientEncryptionOptions() + public static ClientEncryptionOptions getClientEncryptionOptions() { return conf.client_encryption_options; } http://git-wip-us.apache.org/repos/asf/cassandra/blob/24cf1d12/src/java/org/apache/cassandra/config/EncryptionOptions.java ---------------------------------------------------------------------- diff --git a/src/java/org/apache/cassandra/config/EncryptionOptions.java b/src/java/org/apache/cassandra/config/EncryptionOptions.java index b516b1b..b8a5a91 100644 --- a/src/java/org/apache/cassandra/config/EncryptionOptions.java +++ b/src/java/org/apache/cassandra/config/EncryptionOptions.java @@ -17,9 +17,8 @@ */ package org.apache.cassandra.config; -public class EncryptionOptions +public abstract class EncryptionOptions { - public InternodeEncryption internode_encryption = InternodeEncryption.none; public String keystore = "conf/.keystore"; public String keystore_password = "cassandra"; public String truststore = "conf/.truststore"; 
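Review bot: `EncryptionOptions` becomes abstract and loses its on/off setting, but gets no class Javadoc, so a reader of this file alone cannot tell what it still owns or why it can no longer be instantiated. A header such as `/** Keystore/truststore and cipher settings shared by client and internode encryption; whether encryption is on is decided by the concrete subclass. */` would answer that. The class body continues past the hunk.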
@@ -29,12 +28,17 @@ public class EncryptionOptions public String algorithm = "SunX509"; public String store_type = "JKS"; + public static class ClientEncryptionOptions extends EncryptionOptions + { + public boolean enabled = false; + } - public static enum InternodeEncryption + public static class ServerEncryptionOptions extends EncryptionOptions { - all, - none, - dc, - rack + public static enum InternodeEncryption + { + all, none, dc, rack + } + public InternodeEncryption internode_encryption = InternodeEncryption.none; } } http://git-wip-us.apache.org/repos/asf/cassandra/blob/24cf1d12/src/java/org/apache/cassandra/net/MessagingService.java ---------------------------------------------------------------------- diff --git a/src/java/org/apache/cassandra/net/MessagingService.java b/src/java/org/apache/cassandra/net/MessagingService.java index cce3925..0b69014 100644 --- a/src/java/org/apache/cassandra/net/MessagingService.java +++ b/src/java/org/apache/cassandra/net/MessagingService.java @@ -43,7 +43,7 @@ import org.apache.cassandra.concurrent.DebuggableThreadPoolExecutor; import org.apache.cassandra.concurrent.Stage; import org.apache.cassandra.concurrent.StageManager; import org.apache.cassandra.config.DatabaseDescriptor; -import org.apache.cassandra.config.EncryptionOptions; +import org.apache.cassandra.config.EncryptionOptions.ServerEncryptionOptions; import org.apache.cassandra.db.*; import org.apache.cassandra.dht.BootStrapper; import org.apache.cassandra.exceptions.ConfigurationException; 
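Review bot: `ClientEncryptionOptions` still inherits `truststore` and `truststore_password` from the base class, yet this commit removes the only visible client-side reader of them (the `setTrustStore` call in the CustomTThreadPoolServer hunk) and drops them from cassandra.yaml, so a truststore configured under client_encryption_options now has no effect and raises no warning. If nothing else reads them for client options (the cli and stress tools are not visible here), moving the two fields into `ServerEncryptionOptions` turns that misconfiguration into a load-time error instead of a silent no-op; otherwise a Javadoc on `ClientEncryptionOptions` should say only the keystore is consulted. Neither nested class is documented; `/** TLS settings for client (Thrift) connections; off by default. */` and `/** TLS settings for internode traffic, scoped by {@code internode_encryption}. */` would cover them. The enum comment loses its one-per-line layout, which is fine but worth a glance for consistency with the rest of the file.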
@@ -396,7 +396,7 @@ public final class MessagingService implements MessagingServiceMBean private List<ServerSocket> getServerSocket(InetAddress localEp) throws ConfigurationException { final List<ServerSocket> ss = new ArrayList<ServerSocket>(2); - if (DatabaseDescriptor.getServerEncryptionOptions().internode_encryption != EncryptionOptions.InternodeEncryption.none) + if (DatabaseDescriptor.getServerEncryptionOptions().internode_encryption != ServerEncryptionOptions.InternodeEncryption.none) { try { http://git-wip-us.apache.org/repos/asf/cassandra/blob/24cf1d12/src/java/org/apache/cassandra/thrift/CustomTHsHaServer.java ---------------------------------------------------------------------- diff --git a/src/java/org/apache/cassandra/thrift/CustomTHsHaServer.java b/src/java/org/apache/cassandra/thrift/CustomTHsHaServer.java index 0143136..250a549 100644 --- a/src/java/org/apache/cassandra/thrift/CustomTHsHaServer.java +++ b/src/java/org/apache/cassandra/thrift/CustomTHsHaServer.java @@ -36,7 +36,6 @@ import org.slf4j.LoggerFactory; import org.apache.cassandra.concurrent.JMXEnabledThreadPoolExecutor; import org.apache.cassandra.concurrent.NamedThreadFactory; import org.apache.cassandra.config.DatabaseDescriptor; -import org.apache.cassandra.config.EncryptionOptions; import org.apache.thrift.server.TNonblockingServer; import org.apache.thrift.server.TServer; import org.apache.thrift.transport.TNonblockingServerTransport; 
@@ -352,7 +351,7 @@ public class CustomTHsHaServer extends TNonblockingServer { public TServer buildTServer(Args args) { - if(!DatabaseDescriptor.getClientEncryptionOptions().internode_encryption.equals(EncryptionOptions.InternodeEncryption.none)) + if (DatabaseDescriptor.getClientEncryptionOptions().enabled) throw new RuntimeException("Client SSL is not supported for non-blocking sockets (hsha). Please remove client ssl from the configuration."); final InetSocketAddress addr = args.addr; http://git-wip-us.apache.org/repos/asf/cassandra/blob/24cf1d12/src/java/org/apache/cassandra/thrift/CustomTNonBlockingServer.java ---------------------------------------------------------------------- diff --git a/src/java/org/apache/cassandra/thrift/CustomTNonBlockingServer.java b/src/java/org/apache/cassandra/thrift/CustomTNonBlockingServer.java index af82896..779caf3 100644 --- a/src/java/org/apache/cassandra/thrift/CustomTNonBlockingServer.java +++ b/src/java/org/apache/cassandra/thrift/CustomTNonBlockingServer.java @@ -20,7 +20,6 @@ package org.apache.cassandra.thrift; import java.net.InetSocketAddress; import org.apache.cassandra.config.DatabaseDescriptor; -import org.apache.cassandra.config.EncryptionOptions; import org.apache.thrift.server.TNonblockingServer; import org.apache.thrift.server.TServer; import org.apache.thrift.transport.TNonblockingServerTransport; 
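Review bot: The guard throws a bare `RuntimeException` for what is a configuration error, and the CustomTNonBlockingServer hunk does the same. `ConfigurationException` is already used by MessagingService in this commit; if its checked nature is awkward in `buildTServer`, `IllegalStateException` is the closer unchecked type, and naming the option in the message helps operators find it: `throw new IllegalStateException("client_encryption_options.enabled is true but client SSL is not supported for non-blocking sockets (hsha); use the synchronous rpc_server_type or set enabled: false.");`. Refusing to start rather than silently serving plaintext is the right outcome and should stay. The method continues outside the hunk.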
@@ -47,7 +46,7 @@ public class CustomTNonBlockingServer extends TNonblockingServer { public TServer buildTServer(Args args) { - if(!DatabaseDescriptor.getClientEncryptionOptions().internode_encryption.equals(EncryptionOptions.InternodeEncryption.none)) + if (DatabaseDescriptor.getClientEncryptionOptions().enabled) throw new RuntimeException("Client SSL is not supported for non-blocking sockets. Please remove client ssl from the configuration."); final InetSocketAddress addr = args.addr; http://git-wip-us.apache.org/repos/asf/cassandra/blob/24cf1d12/src/java/org/apache/cassandra/thrift/CustomTThreadPoolServer.java ---------------------------------------------------------------------- diff --git a/src/java/org/apache/cassandra/thrift/CustomTThreadPoolServer.java b/src/java/org/apache/cassandra/thrift/CustomTThreadPoolServer.java index 8b88e43..f6ab1f7 100644 --- a/src/java/org/apache/cassandra/thrift/CustomTThreadPoolServer.java +++ b/src/java/org/apache/cassandra/thrift/CustomTThreadPoolServer.java @@ -31,7 +31,7 @@ import org.slf4j.LoggerFactory; import org.apache.cassandra.concurrent.NamedThreadFactory; import org.apache.cassandra.config.DatabaseDescriptor; -import org.apache.cassandra.config.EncryptionOptions; +import org.apache.cassandra.config.EncryptionOptions.ClientEncryptionOptions; import org.apache.thrift.TException; import org.apache.thrift.TProcessor; import org.apache.thrift.protocol.TProtocol; 
@@ -243,13 +243,12 @@ public class CustomTThreadPoolServer extends TServer TServerTransport serverTransport; try { - final EncryptionOptions clientEnc = DatabaseDescriptor.getClientEncryptionOptions(); - if(EncryptionOptions.InternodeEncryption.all == clientEnc.internode_encryption) + final ClientEncryptionOptions clientEnc = DatabaseDescriptor.getClientEncryptionOptions(); + if (clientEnc.enabled) { logger.info("enabling encrypted thrift connections between client and server"); TSSLTransportParameters params = new TSSLTransportParameters(clientEnc.protocol, clientEnc.cipher_suites); params.setKeyStore(clientEnc.keystore, clientEnc.keystore_password); - params.setTrustStore(clientEnc.truststore, clientEnc.truststore_password); TServerSocket sslServer = TSSLTransportFactory.getServerSocket(addr.getPort(), 0, addr.getAddress(), params); serverTransport = new TCustomServerSocket(sslServer.getServerSocket(), args.keepAlive, args.sendBufferSize, args.recvBufferSize); } http://git-wip-us.apache.org/repos/asf/cassandra/blob/24cf1d12/tools/stress/src/org/apache/cassandra/stress/Session.java ---------------------------------------------------------------------- diff --git a/tools/stress/src/org/apache/cassandra/stress/Session.java b/tools/stress/src/org/apache/cassandra/stress/Session.java index ac109a1..a0c3617 100644 --- a/tools/stress/src/org/apache/cassandra/stress/Session.java +++ b/tools/stress/src/org/apache/cassandra/stress/Session.java @@ -28,6 +28,7 @@ import java.util.concurrent.atomic.AtomicLong; import org.apache.cassandra.cli.transport.FramedTransportFactory; import org.apache.cassandra.config.CFMetaData; import org.apache.cassandra.config.EncryptionOptions; +import org.apache.cassandra.config.EncryptionOptions.ClientEncryptionOptions; import org.apache.cassandra.exceptions.ConfigurationException; import org.apache.cassandra.exceptions.SyntaxException; import org.apache.cassandra.db.marshal.*; 
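Review bot: With `params.setTrustStore(...)` removed, the SSLContext that `TSSLTransportFactory.getServerSocket` builds from these parameters is initialised without a Cassandra-configured trust manager, so this listener authenticates itself to clients but, as far as the hunk shows, never requests or verifies a client certificate; that matches the yaml change but is recorded nowhere. A comment at the `setKeyStore` line, `// server authentication only: no trust store is configured, so client certificates are not requested or verified`, would make the decision explicit, and the log message could carry the same qualifier so the mode is visible at startup. Mutual TLS would presumably need `requireClientAuth(true)` on `TSSLTransportParameters` plus a trust store — worth confirming against the Thrift version in use before anyone relies on the inherited `truststore` fields. The try block and the method continue outside the hunk.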
@@ -160,7 +161,7 @@ public class Session implements Serializable public final String comparator; public final boolean timeUUIDComparator; public double traceProbability = 0.0; - public EncryptionOptions encOptions = new EncryptionOptions(); + public EncryptionOptions encOptions = new ClientEncryptionOptions(); public TTransportFactory transportFactory = new FramedTransportFactory(); public Session(String[] arguments) throws IllegalArgumentException, SyntaxException