[ https://issues.apache.org/jira/browse/CASSANDRA-13971?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16260875#comment-16260875 ]

Stefan Podkowinski commented on CASSANDRA-13971:
------------------------------------------------

First of all, I agree that we should have an API/SPI for different 
implementations instead of Vault. This is already supported by having a 
[CertificateIssuer|https://github.com/spodkowinski/cassandra/blob/WIP-13971/src/java/org/apache/cassandra/security/CertificateIssuer.java]
 interface that can be implemented and enabled by a ParameterizedClass in the 
cassandra.yaml. We can start focusing the discussion on the interface and 
interaction with KeyStoreManager (which is implementation agnostic and not 
pluggable) if you want to. Having a specific implementation is still useful, as 
it makes the discussion less abstract. I'm not even sure if it's possible to 
create a reasonable API without looking at any possible implementations at all.

As for your "third party service" integration concern, I'm not sure why you 
look at it that way. Vault is available as an OSS product and everyone can run 
his own Vault server. What the implementation does is to use the Vault REST 
API, so technically you could argue that it's used as an "external service", 
but it's definitely not tied to a 3rd party, if you choose to run it. Also I'd 
much prefer to add a small REST client compared to adding new libraries to the 
project. 

The utests and dtests don't need a running Vault instance on the network. 
Utests are implemented by mocking the REST API. Dtests will download the Vault 
binary, start it locally as part of the setup phase and execute the 
integration tests. 



> Automatic certificate management using Vault
> --------------------------------------------
>
>                 Key: CASSANDRA-13971
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-13971
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Streaming and Messaging
>            Reporter: Stefan Podkowinski
>            Assignee: Stefan Podkowinski
>             Fix For: 4.x
>
>
> We've been adding security features during the last years to enable users to 
> secure their clusters, if they are willing to use them and do so correctly. 
> Some features are powerful and easy to work with, such as role based 
> authorization. Other features that require managing a local keystore are 
> rather painful to deal with. Think about setting up SSL.
> To be fair, keystore related issues and certificate handling haven't been 
> invented by us. We're just following Java standards there. But that doesn't 
> mean that we absolutely have to, if there are better options. I'd like to 
> give it a shot and find out if we can automate certificate/key handling 
> (PKI) by using external APIs. In this case, the implementation will be based 
> on [Vault|https://vaultproject.io]. But certificate management services 
> offered by cloud providers may also be able to handle the use-case and I 
> intend to create a generic, pluggable API for that.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
