[jira] [Commented] (CASSANDRA-16555) Add out-of-the-box snitch for Ec2 IMDSv2

[Stefan Miklosovic (Jira)]

    [ 
https://issues.apache.org/jira/browse/CASSANDRA-16555?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17736510#comment-17736510
 ] 

Stefan Miklosovic commented on CASSANDRA-16555:
-----------------------------------------------

The default is v2 of metadata service. From the documentation (1) I read that

_By default, you can use either IMDSv1 or IMDSv2, or both._

and

_You can configure the Instance Metadata Service (IMDS) on each instance so 
that local code or users must use IMDSv2._

So if somebody was using v1 (as they had to because support for v2 was not 
there yet for Cassandra side), if they upgrade the node, they can use v2. It is 
possible to configure it in such a way that nodes _must_ use v2. But there is 
nothing like they _must use v1._ So I think that making v2 default is just fine.

PRs:

trunk [https://github.com/apache/cassandra/pull/2403]
4.1 [https://github.com/apache/cassandra/pull/2442]
4.0 [https://github.com/apache/cassandra/pull/2441]
3.11 [https://github.com/apache/cassandra/pull/2440]
3.0 [https://github.com/apache/cassandra/pull/2439]

If folks are OK with this I will approach the build, it is 5 branches so I do 
not want to build this prematurely.

(1) 
[https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html]

> Add out-of-the-box snitch for Ec2 IMDSv2
> ----------------------------------------
>
>                 Key: CASSANDRA-16555
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-16555
>             Project: Cassandra
>          Issue Type: New Feature
>          Components: Consistency/Coordination
>            Reporter: Paul Rütter (BlueConic)
>            Assignee: Stefan Miklosovic
>            Priority: Normal
>             Fix For: 3.0.x, 3.11.x, 4.0.x, 4.1.x, 5.x
>
>          Time Spent: 3h 20m
>  Remaining Estimate: 0h
>
> In order to patch a vulnerability, Amazon came up with a new version of their 
> metadata service.
> It's no longer unrestricted but now requires a token (in a header), in order 
> to access the metadata service.
> See 
> [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html]
>  for more information.
> Cassandra currently doesn't offer an out-of-the-box snitch class to support 
> this.
> See 
> [https://cassandra.apache.org/doc/latest/operating/snitch.html#snitch-classes]
> This issue asks to add support for this as a separate snitch class.
> We'll probably do a PR for this, as we are in the process of developing one.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org