Updated Branches: refs/heads/trunk 565c57684 -> bc4df221e
Add ssl support to cqlsh. Patch by Aleksey Yeschenko, reviewed by brandonwilliams for CASSANDRA-4610
Project: http://git-wip-us.apache.org/repos/asf/cassandra/repo
Commit: http://git-wip-us.apache.org/repos/asf/cassandra/commit/bc4df221
Tree: http://git-wip-us.apache.org/repos/asf/cassandra/tree/bc4df221
Diff: http://git-wip-us.apache.org/repos/asf/cassandra/diff/bc4df221
Branch: refs/heads/trunk
Commit: bc4df221ef39383f387438928688bceee4f42153
Parents: 98effbf
Author: Brandon Williams <[email protected]>
Authored: Wed Oct 24 16:35:29 2012 -0500
Committer: Brandon Williams <[email protected]>
Committed: Wed Oct 24 16:35:29 2012 -0500
----------------------------------------------------------------------
conf/cqlshrc.sample | 17 +++++++++-
pylib/cqlshlib/ssl.py | 70 ++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 85 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cassandra/blob/bc4df221/conf/cqlshrc.sample
----------------------------------------------------------------------
diff --git a/conf/cqlshrc.sample b/conf/cqlshrc.sample
index 07cf73f..365defd 100644
--- a/conf/cqlshrc.sample
+++ b/conf/cqlshrc.sample
@@ -25,11 +25,24 @@ password = !!bang!!$
 color = on
 completekey = tab
+[cql]
+version = 3.0
+
 [connection]
 hostname = 127.0.0.1
 port = 9160
+; enable below for ssl
+;factory = cqlshlib.ssl.ssl_transport_factory
+
+;[ssl]
+;certfile = ~/keys/cassandra.cert
+;; optional - true by default.
+;validate = true
+
+;; optional section, overrides default certfile in [ssl] section, if present
+;[certfiles]
+;192.168.1.3 = ~/keys/cassandra01.cert
+;192.168.1.4 = ~/keys/cassandra02.cert
-[cql]
-version = 2.0
 ; vim: set ft=dosini :
http://git-wip-us.apache.org/repos/asf/cassandra/blob/bc4df221/pylib/cqlshlib/ssl.py
----------------------------------------------------------------------
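Review bot: The new `;certfile = ~/keys/cassandra.cert` entry in `[ssl]` does not say what kind of file it is, and the name invites reading it as a client certificate, whereas the factory it feeds passes the path to Thrift as `ca_certs`, i.e. the trust anchor used to verify the server. I would comment it as `;; PEM file holding the server's certificate (or the CA that signed it); used only to verify the server, not as a client credential.` The `validate` comment should also spell out the consequence of turning it off, e.g. `;; optional - true by default. Set to false only for testing: the connection is still encrypted but the server is no longer authenticated.` Since the `[certfiles]` example keys are IP addresses, it is worth noting next to them that the certificate chosen for a host must match the name or address cqlsh connects with or validation will reject it; how strictly the Thrift socket compares them cannot be confirmed from this hunk.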
diff --git a/pylib/cqlshlib/ssl.py b/pylib/cqlshlib/ssl.py
new file mode 100644
index 0000000..3400b40
--- /dev/null
+++ b/pylib/cqlshlib/ssl.py
@@ -0,0 +1,70 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import os
+import sys
+import ConfigParser
+from thrift.transport import TSSLSocket, TTransport
+
+def ssl_transport_factory(host, port, env, config_file):
+    """
+    SSL Thrift transport factory function.
+
+    Params:
+    * host .........: hostname of Cassandra node.
+    * port .........: port number to connect to.
+    * env ..........: environment variables. SSL factory will use, if passed,
+                      SSL_CERTFILE and SSL_VALIDATE variables.
+    * config_file ..: path to cqlsh config file (usually ~/.cqlshrc).
+                      SSL factory will use, if set, certfile and validate
+                      options in [ssl] section, as well as host to certfile
+                      mapping in [certfiles] section.
+
+    [certfiles] section is optional, 'validate' setting in [ssl] section is
+    optional too. If validation is enabled then SSL certfile must be provided
+    either in the config file or as an environment variable.
+    Environment variables override any options set in cqlsh config file.
+    """
+    configs = ConfigParser.SafeConfigParser()
+    configs.read(config_file)
+
+    def get_option(section, option):
+        try:
+            return configs.get(section, option)
+        except ConfigParser.Error:
+            return None
+
+    ssl_validate = env.get('SSL_VALIDATE')
+    if ssl_validate is None:
+        ssl_validate = get_option('ssl', 'validate')
+    ssl_validate = ssl_validate is None or ssl_validate.lower() != 'false'
+
+    ssl_certfile = env.get('SSL_CERTFILE')
+    if ssl_certfile is None:
+        ssl_certfile = get_option('certfiles', host)
+    if ssl_certfile is None:
+        ssl_certfile = get_option('ssl', 'certfile')
+    if ssl_validate and ssl_certfile is None:
+        sys.exit("Validation is enabled; SSL transport factory requires a valid certfile "
+                 "to be specified. Please provide path to the certfile in [ssl] section "
+                 "as 'certfile' option in %s (or use [certfiles] section) or set SSL_CERTFILE "
+                 "environment variable." % (config_file,))
+    if not ssl_certfile is None:
+        ssl_certfile = os.path.expanduser(ssl_certfile)
+
+    tsocket = TSSLSocket.TSSLSocket(host, port, ca_certs=ssl_certfile,
+                                    validate=ssl_validate)
+    return TTransport.TFramedTransport(tsocket)
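Review bot: When `ssl_validate` ends up false (`SSL_VALIDATE=false` in the environment or `validate = false` under `[ssl]`), the factory passes `validate=False` to `TSSLSocket` and returns the transport without any notice, so a single config line silently drops server authentication while the session still looks like "SSL" to the user; after the `ssl_validate = ssl_validate is None or ...` line I would add `if not ssl_validate: sys.stderr.write("Warning: SSL certificate validation is disabled; the server will not be authenticated.\n")`. The certfile path is only `expanduser`-ed and never checked, so a missing or unreadable file surfaces later as an opaque SSL error; an `os.path.isfile(ssl_certfile)` test beside the `expanduser` call that exits with a message naming the path would be clearer. Naming this module `ssl.py` inside the `cqlshlib` package will, under Python 2's implicit relative imports, shadow the standard-library `ssl` module for any sibling module in the package that does `import ssl`; a name such as `sslhandling.py` avoids that trap. As a style point, `if not ssl_certfile is None:` should read `if ssl_certfile is not None:`.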
