[jira] [Commented] (CASSANDRA-16666) Make SSLContext creation pluggable/extensible

[Maulin Vasavada (Jira)]

    [ 
https://issues.apache.org/jira/browse/CASSANDRA-16666?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17385048#comment-17385048
 ] 

Maulin Vasavada commented on CASSANDRA-16666:
---------------------------------------------

I updated the CEP with a Final Recommendation on using Map in the constructor. 
Also realized I should have added one more rejected alternative- to use JSSE 
Security Provider- for solving the goal of the CEP, hence I added it with a 
link to [SPIFFE|https://spiffe.io/] framework.

> Make SSLContext creation pluggable/extensible
> ---------------------------------------------
>
>                 Key: CASSANDRA-16666
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-16666
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Messaging/Internode
>            Reporter: Maulin Vasavada
>            Assignee: Maulin Vasavada
>            Priority: Normal
>             Fix For: 4.x
>
>
> Currently Cassandra creates the SSLContext via SSLFactory.java. SSLFactory is 
> a final class with static methods and not overridable. The SSLFactory loads 
> the keys and certs from the file based artifacts for the same. While this 
> works for many, in the industry where security is stricter and contextual, 
> this approach falls short. Many big organizations need flexibility to load 
> the SSL artifacts from a custom resource (like custom Key Management 
> Solution, HashiCorp Vault, Amazon KMS etc). While JSSE SecurityProvider 
> architecture allows us flexibility to build our custom mechanisms to validate 
> and process security artifacts, many times all we need is to build upon 
> Java's existing extensibility that Trust/Key Manager interfaces provide to 
> load keystores from various resources in the absence of any customized 
> requirements on the Keys/Certificate formats.
> My proposal here is to make the SSLContext creation pluggable/extensible and 
> have the current SSLFactory.java implement an extensible interface. 
> I contributed a similar change that is live now in Apache Kafka (2.6.0) - 
> https://issues.apache.org/jira/browse/KAFKA-8890 
> I can spare some time writing the pluggable interface and run by the required 
> reviewers.
>  
> Created [CEP-9: Make SSLContext creation 
> pluggable|https://cwiki.apache.org/confluence/display/CASSANDRA/CEP-9%3A+Make+SSLContext+creation+pluggable]
>  
>  
> cc: [~dcapwell] [~djoshi]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org