[ https://issues.apache.org/jira/browse/CASSANDRA-13971?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16445687#comment-16445687 ]

Stefan Podkowinski commented on CASSANDRA-13971:
------------------------------------------------

I've now rebased my patch on trunk, which required resolving some conflicts 
related to CASSANDRA-14222 and CASSANDRA-14314. The dtest is now migrated to 
Python 3 and pytest as well. Vault was also upgraded to 0.10.0, but that was 
trivial.

I've now attached a script {{start_vault_ssl.sh}} to the ticket. It will 
bootstrap a local PKI-enabled Vault instance and print the matching 
cassandra.yaml config. My suggestion would be to run it in the conf folder, 
append the output to the yaml and manually enable encryption afterwards. Hope 
this makes testing even easier.

As already mentioned, the trunk patch doesn't contain any new libraries or 
third party code. It's all HTTP REST communication with any Vault server over 
the network. Nothing added in lib.


> Automatic certificate management using Vault
> --------------------------------------------
>
>                 Key: CASSANDRA-13971
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-13971
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Streaming and Messaging
>            Reporter: Stefan Podkowinski
>            Assignee: Stefan Podkowinski
>            Priority: Major
>              Labels: security
>             Fix For: 4.x
>
>         Attachments: start_vault_ssl.sh
>
>
> We've been adding security features during the last years to enable users to 
> secure their clusters, if they are willing to use them and do so correctly. 
> Some features are powerful and easy to work with, such as role based 
> authorization. Other features that require managing a local keystore are 
> rather painful to deal with. Think about setting up SSL.
> To be fair, keystore-related issues and certificate handling haven't been 
> invented by us. We're just following Java standards there. But that doesn't 
> mean that we absolutely have to, if there are better options. I'd like to 
> give it a shot and find out if we can automate certificate/key handling 
> (PKI) by using external APIs. In this case, the implementation will be based 
> on [Vault|https://vaultproject.io]. But certificate management services 
> offered by cloud providers may also be able to handle the use-case and I 
> intend to create a generic, pluggable API for that.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
