[jira] [Commented] (CASSANDRA-15146) Transitional TLS server configuration options are overly complex
[ https://issues.apache.org/jira/browse/CASSANDRA-15146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17146355#comment-17146355 ] Ekaterina Dimitrova commented on CASSANDRA-15146: - Closing this one as duplicate, the annotation for the name change of server_encryption_options to internode_encryption will be added as part of CASSANDRA-15234. I take the responsibility to add the commit here later for the record. > Transitional TLS server configuration options are overly complex > > > Key: CASSANDRA-15146 > URL: https://issues.apache.org/jira/browse/CASSANDRA-15146 > Project: Cassandra > Issue Type: Bug > Components: Feature/Encryption, Local/Config >Reporter: Joey Lynch >Assignee: Ekaterina Dimitrova >Priority: Normal > Fix For: 4.0-alpha > > > It appears as part of the port from transitional client TLS to transitional > server TLS in CASSANDRA-10404 (the ability to switch a cluster to using > {{internode_encryption}} without listening on two ports and without downtime) > we carried the {{enabled}} setting over from the client implementation. I > believe that the {{enabled}} option is redundant to {{internode_encryption}} > and {{optional}} and it should therefore be removed prior to the 4.0 release > where we will have to start respecting that interface. > Current trunk yaml: > {noformat} > server_encryption_options: > > # set to true for allowing secure incoming connections > > enabled: false > > # If enabled and optional are both set to true, encrypted and unencrypted > connections are handled on the storage_port > optional: false > > > > > # if enabled, will open up an encrypted listening socket on > ssl_storage_port. Should be used > # during upgrade to 4.0; otherwise, set to false. > > enable_legacy_ssl_storage_port: false > > # on outbound connections, determine which type of peers to securely > connect to. 'enabled' must be set to true. > internode_encryption: none > > keystore: conf/.keystore > > keystore_password: cassandra > > truststore: conf/.truststore > > truststore_password: cassandra > {noformat} > I propose we eliminate {{enabled}} and just use {{optional}} and > {{internode_encryption}} to determine the listener setup. I also propose we > change the default of {{optional}} to true. We could also re-name > {{optional}} since it's a new option but I think it's good to stay consistent > with the client and use {{optional}}. > ||optional||internode_encryption||description|| > |true|none|(default) No encryption is used but if a server reaches out with > it we'll use it| > |false|dc|Encryption is required for inter-dc communication, but not intra-dc| > |false|all|Encryption is required for all communication| > |false|none|We only listen for unencrypted connections| > |true|dc|Encryption is used for inter-dc communication but is not required| > |true|all|Encryption is used for all communication but is not required| > From these states it is clear when we should be accepting TLS connections > (all except for false and none) as well as when we must enforce it. > To transition without downtime from an un-encrypted cluster to an encrypted > cluster the user would do the following: > 1. After adding valid truststores, change {{internode_encryption}} to the > desired level of encryption (recommended {{all}}) and restart Cassandra > 2. Change {{optional=false}} and restart Cassandra to enforce #1 > If {{optional}} defaulted to {{false}} as it does right now we'd need a third > restart to first change {{optional}} to {{true}}, which given my > understanding of the OptionalSslHandler isn't really relevant. -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-15146) Transitional TLS server configuration options are overly complex
[ https://issues.apache.org/jira/browse/CASSANDRA-15146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17126834#comment-17126834 ] Ekaterina Dimitrova commented on CASSANDRA-15146: - [~jolynch], just to confirm what we talked and for the record, the final plan is to rename only server_encryption_options to internode_encryption, right? Let me know if there is any additional work that needs attention as part of this ticket. Thanks > Transitional TLS server configuration options are overly complex > > > Key: CASSANDRA-15146 > URL: https://issues.apache.org/jira/browse/CASSANDRA-15146 > Project: Cassandra > Issue Type: Bug > Components: Feature/Encryption, Local/Config >Reporter: Joey Lynch >Assignee: Ekaterina Dimitrova >Priority: Normal > Fix For: 4.0-alpha > > > It appears as part of the port from transitional client TLS to transitional > server TLS in CASSANDRA-10404 (the ability to switch a cluster to using > {{internode_encryption}} without listening on two ports and without downtime) > we carried the {{enabled}} setting over from the client implementation. I > believe that the {{enabled}} option is redundant to {{internode_encryption}} > and {{optional}} and it should therefore be removed prior to the 4.0 release > where we will have to start respecting that interface. > Current trunk yaml: > {noformat} > server_encryption_options: > > # set to true for allowing secure incoming connections > > enabled: false > > # If enabled and optional are both set to true, encrypted and unencrypted > connections are handled on the storage_port > optional: false > > > > > # if enabled, will open up an encrypted listening socket on > ssl_storage_port. Should be used > # during upgrade to 4.0; otherwise, set to false. > > enable_legacy_ssl_storage_port: false > > # on outbound connections, determine which type of peers to securely > connect to. 'enabled' must be set to true. > internode_encryption: none > > keystore: conf/.keystore > > keystore_password: cassandra > > truststore: conf/.truststore > > truststore_password: cassandra > {noformat} > I propose we eliminate {{enabled}} and just use {{optional}} and > {{internode_encryption}} to determine the listener setup. I also propose we > change the default of {{optional}} to true. We could also re-name > {{optional}} since it's a new option but I think it's good to stay consistent > with the client and use {{optional}}. > ||optional||internode_encryption||description|| > |true|none|(default) No encryption is used but if a server reaches out with > it we'll use it| > |false|dc|Encryption is required for inter-dc communication, but not intra-dc| > |false|all|Encryption is required for all communication| > |false|none|We only listen for unencrypted connections| > |true|dc|Encryption is used for inter-dc communication but is not required| > |true|all|Encryption is used for all communication but is not required| > From these states it is clear when we should be accepting TLS connections > (all except for false and none) as well as when we must enforce it. > To transition without downtime from an un-encrypted cluster to an encrypted > cluster the user would do the following: > 1. After adding valid truststores, change {{internode_encryption}} to the > desired level of encryption (recommended {{all}}) and restart Cassandra > 2. Change {{optional=false}} and restart Cassandra to enforce #1 > If {{optional}} defaulted to {{false}} as it does right now we'd need a third > restart to first change {{optional}} to {{true}}, which given my > understanding of the OptionalSslHandler isn't really relevant. -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-15146) Transitional TLS server configuration options are overly complex
[ https://issues.apache.org/jira/browse/CASSANDRA-15146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17120380#comment-17120380 ] Ekaterina Dimitrova commented on CASSANDRA-15146: - I didn't hear anything from [~micarlise] but we had a quick discussion on Slack with Joey. Parameters changes will happen after CASSANDRA-15234 lands and we will close this ticket with that probably. > Transitional TLS server configuration options are overly complex > > > Key: CASSANDRA-15146 > URL: https://issues.apache.org/jira/browse/CASSANDRA-15146 > Project: Cassandra > Issue Type: Bug > Components: Feature/Encryption, Local/Config >Reporter: Joey Lynch >Assignee: Ekaterina Dimitrova >Priority: Normal > Fix For: 4.0-alpha > > > It appears as part of the port from transitional client TLS to transitional > server TLS in CASSANDRA-10404 (the ability to switch a cluster to using > {{internode_encryption}} without listening on two ports and without downtime) > we carried the {{enabled}} setting over from the client implementation. I > believe that the {{enabled}} option is redundant to {{internode_encryption}} > and {{optional}} and it should therefore be removed prior to the 4.0 release > where we will have to start respecting that interface. > Current trunk yaml: > {noformat} > server_encryption_options: > > # set to true for allowing secure incoming connections > > enabled: false > > # If enabled and optional are both set to true, encrypted and unencrypted > connections are handled on the storage_port > optional: false > > > > > # if enabled, will open up an encrypted listening socket on > ssl_storage_port. Should be used > # during upgrade to 4.0; otherwise, set to false. > > enable_legacy_ssl_storage_port: false > > # on outbound connections, determine which type of peers to securely > connect to. 'enabled' must be set to true. > internode_encryption: none > > keystore: conf/.keystore > > keystore_password: cassandra > > truststore: conf/.truststore > > truststore_password: cassandra > {noformat} > I propose we eliminate {{enabled}} and just use {{optional}} and > {{internode_encryption}} to determine the listener setup. I also propose we > change the default of {{optional}} to true. We could also re-name > {{optional}} since it's a new option but I think it's good to stay consistent > with the client and use {{optional}}. > ||optional||internode_encryption||description|| > |true|none|(default) No encryption is used but if a server reaches out with > it we'll use it| > |false|dc|Encryption is required for inter-dc communication, but not intra-dc| > |false|all|Encryption is required for all communication| > |false|none|We only listen for unencrypted connections| > |true|dc|Encryption is used for inter-dc communication but is not required| > |true|all|Encryption is used for all communication but is not required| > From these states it is clear when we should be accepting TLS connections > (all except for false and none) as well as when we must enforce it. > To transition without downtime from an un-encrypted cluster to an encrypted > cluster the user would do the following: > 1. After adding valid truststores, change {{internode_encryption}} to the > desired level of encryption (recommended {{all}}) and restart Cassandra > 2. Change {{optional=false}} and restart Cassandra to enforce #1 > If {{optional}} defaulted to {{false}} as it does right now we'd need a third > restart to first change {{optional}} to {{true}}, which given my > understanding of the OptionalSslHandler isn't really relevant. -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-15146) Transitional TLS server configuration options are overly complex
[ https://issues.apache.org/jira/browse/CASSANDRA-15146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17120298#comment-17120298 ] Josh McKenzie commented on CASSANDRA-15146: --- Going ahead and kicking this over to [~e.dimitrova] as we haven't heard from you [~micarlise] and this is blocking beta. Though I know you have a lot of beta blockers on your plate [~e.dimitrova] - we can raise a flag and find someone else to move this along if you need the assist. Let me or Ekaterina know if you were active on this [~micarlise] - happy to move assignee back over! > Transitional TLS server configuration options are overly complex > > > Key: CASSANDRA-15146 > URL: https://issues.apache.org/jira/browse/CASSANDRA-15146 > Project: Cassandra > Issue Type: Bug > Components: Feature/Encryption, Local/Config >Reporter: Joey Lynch >Assignee: Ekaterina Dimitrova >Priority: Normal > Fix For: 4.0-alpha > > > It appears as part of the port from transitional client TLS to transitional > server TLS in CASSANDRA-10404 (the ability to switch a cluster to using > {{internode_encryption}} without listening on two ports and without downtime) > we carried the {{enabled}} setting over from the client implementation. I > believe that the {{enabled}} option is redundant to {{internode_encryption}} > and {{optional}} and it should therefore be removed prior to the 4.0 release > where we will have to start respecting that interface. > Current trunk yaml: > {noformat} > server_encryption_options: > > # set to true for allowing secure incoming connections > > enabled: false > > # If enabled and optional are both set to true, encrypted and unencrypted > connections are handled on the storage_port > optional: false > > > > > # if enabled, will open up an encrypted listening socket on > ssl_storage_port. Should be used > # during upgrade to 4.0; otherwise, set to false. > > enable_legacy_ssl_storage_port: false > > # on outbound connections, determine which type of peers to securely > connect to. 'enabled' must be set to true. > internode_encryption: none > > keystore: conf/.keystore > > keystore_password: cassandra > > truststore: conf/.truststore > > truststore_password: cassandra > {noformat} > I propose we eliminate {{enabled}} and just use {{optional}} and > {{internode_encryption}} to determine the listener setup. I also propose we > change the default of {{optional}} to true. We could also re-name > {{optional}} since it's a new option but I think it's good to stay consistent > with the client and use {{optional}}. > ||optional||internode_encryption||description|| > |true|none|(default) No encryption is used but if a server reaches out with > it we'll use it| > |false|dc|Encryption is required for inter-dc communication, but not intra-dc| > |false|all|Encryption is required for all communication| > |false|none|We only listen for unencrypted connections| > |true|dc|Encryption is used for inter-dc communication but is not required| > |true|all|Encryption is used for all communication but is not required| > From these states it is clear when we should be accepting TLS connections > (all except for false and none) as well as when we must enforce it. > To transition without downtime from an un-encrypted cluster to an encrypted > cluster the user would do the following: > 1. After adding valid truststores, change {{internode_encryption}} to the > desired level of encryption (recommended {{all}}) and restart Cassandra > 2. Change {{optional=false}} and restart Cassandra to enforce #1 > If {{optional}} defaulted to {{false}} as it does right now we'd need a third > restart to first change {{optional}} to {{true}}, which given my > understanding of the OptionalSslHandler isn't really relevant. -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-15146) Transitional TLS server configuration options are overly complex
[ https://issues.apache.org/jira/browse/CASSANDRA-15146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17111588#comment-17111588 ] Ekaterina Dimitrova commented on CASSANDRA-15146: - [~micarlise], CASSANDRA-15234 is almost done. Please let me know if I can help you with this one. > Transitional TLS server configuration options are overly complex > > > Key: CASSANDRA-15146 > URL: https://issues.apache.org/jira/browse/CASSANDRA-15146 > Project: Cassandra > Issue Type: Bug > Components: Feature/Encryption, Local/Config >Reporter: Joey Lynch >Assignee: M Carlise >Priority: Normal > Fix For: 4.0-alpha > > > It appears as part of the port from transitional client TLS to transitional > server TLS in CASSANDRA-10404 (the ability to switch a cluster to using > {{internode_encryption}} without listening on two ports and without downtime) > we carried the {{enabled}} setting over from the client implementation. I > believe that the {{enabled}} option is redundant to {{internode_encryption}} > and {{optional}} and it should therefore be removed prior to the 4.0 release > where we will have to start respecting that interface. > Current trunk yaml: > {noformat} > server_encryption_options: > > # set to true for allowing secure incoming connections > > enabled: false > > # If enabled and optional are both set to true, encrypted and unencrypted > connections are handled on the storage_port > optional: false > > > > > # if enabled, will open up an encrypted listening socket on > ssl_storage_port. Should be used > # during upgrade to 4.0; otherwise, set to false. > > enable_legacy_ssl_storage_port: false > > # on outbound connections, determine which type of peers to securely > connect to. 'enabled' must be set to true. > internode_encryption: none > > keystore: conf/.keystore > > keystore_password: cassandra > > truststore: conf/.truststore > > truststore_password: cassandra > {noformat} > I propose we eliminate {{enabled}} and just use {{optional}} and > {{internode_encryption}} to determine the listener setup. I also propose we > change the default of {{optional}} to true. We could also re-name > {{optional}} since it's a new option but I think it's good to stay consistent > with the client and use {{optional}}. > ||optional||internode_encryption||description|| > |true|none|(default) No encryption is used but if a server reaches out with > it we'll use it| > |false|dc|Encryption is required for inter-dc communication, but not intra-dc| > |false|all|Encryption is required for all communication| > |false|none|We only listen for unencrypted connections| > |true|dc|Encryption is used for inter-dc communication but is not required| > |true|all|Encryption is used for all communication but is not required| > From these states it is clear when we should be accepting TLS connections > (all except for false and none) as well as when we must enforce it. > To transition without downtime from an un-encrypted cluster to an encrypted > cluster the user would do the following: > 1. After adding valid truststores, change {{internode_encryption}} to the > desired level of encryption (recommended {{all}}) and restart Cassandra > 2. Change {{optional=false}} and restart Cassandra to enforce #1 > If {{optional}} defaulted to {{false}} as it does right now we'd need a third > restart to first change {{optional}} to {{true}}, which given my > understanding of the OptionalSslHandler isn't really relevant. -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-15146) Transitional TLS server configuration options are overly complex
[ https://issues.apache.org/jira/browse/CASSANDRA-15146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17096015#comment-17096015 ] Ekaterina Dimitrova commented on CASSANDRA-15146: - 1. I believe this is already part of CASSANDRA-15262. 2. I can add these name changes in CASSANDRA-15234. The actual code for name change of parameters with backward compatibility is already implemented there. I have to complete the rest of the ticket this week. (working async on other things too but this is more or less done) For completeness, I will link CASSANDRA-15262 and CASSANDRA-15234 to this one. > Transitional TLS server configuration options are overly complex > > > Key: CASSANDRA-15146 > URL: https://issues.apache.org/jira/browse/CASSANDRA-15146 > Project: Cassandra > Issue Type: Bug > Components: Feature/Encryption, Local/Config >Reporter: Joey Lynch >Assignee: M Carlise >Priority: Normal > Fix For: 4.0, 4.0-beta > > > It appears as part of the port from transitional client TLS to transitional > server TLS in CASSANDRA-10404 (the ability to switch a cluster to using > {{internode_encryption}} without listening on two ports and without downtime) > we carried the {{enabled}} setting over from the client implementation. I > believe that the {{enabled}} option is redundant to {{internode_encryption}} > and {{optional}} and it should therefore be removed prior to the 4.0 release > where we will have to start respecting that interface. > Current trunk yaml: > {noformat} > server_encryption_options: > > # set to true for allowing secure incoming connections > > enabled: false > > # If enabled and optional are both set to true, encrypted and unencrypted > connections are handled on the storage_port > optional: false > > > > > # if enabled, will open up an encrypted listening socket on > ssl_storage_port. Should be used > # during upgrade to 4.0; otherwise, set to false. > > enable_legacy_ssl_storage_port: false > > # on outbound connections, determine which type of peers to securely > connect to. 'enabled' must be set to true. > internode_encryption: none > > keystore: conf/.keystore > > keystore_password: cassandra > > truststore: conf/.truststore > > truststore_password: cassandra > {noformat} > I propose we eliminate {{enabled}} and just use {{optional}} and > {{internode_encryption}} to determine the listener setup. I also propose we > change the default of {{optional}} to true. We could also re-name > {{optional}} since it's a new option but I think it's good to stay consistent > with the client and use {{optional}}. > ||optional||internode_encryption||description|| > |true|none|(default) No encryption is used but if a server reaches out with > it we'll use it| > |false|dc|Encryption is required for inter-dc communication, but not intra-dc| > |false|all|Encryption is required for all communication| > |false|none|We only listen for unencrypted connections| > |true|dc|Encryption is used for inter-dc communication but is not required| > |true|all|Encryption is used for all communication but is not required| > From these states it is clear when we should be accepting TLS connections > (all except for false and none) as well as when we must enforce it. > To transition without downtime from an un-encrypted cluster to an encrypted > cluster the user would do the following: > 1. After adding valid truststores, change {{internode_encryption}} to the > desired level of encryption (recommended {{all}}) and restart Cassandra > 2. Change {{optional=false}} and restart Cassandra to enforce #1 > If {{optional}} defaulted to {{false}} as it does right now we'd need a third > restart to first change {{optional}} to {{true}}, which given my > understanding of the OptionalSslHandler isn't really relevant. -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail:
[jira] [Commented] (CASSANDRA-15146) Transitional TLS server configuration options are overly complex
[ https://issues.apache.org/jira/browse/CASSANDRA-15146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16853264#comment-16853264 ] Joseph Lynch commented on CASSANDRA-15146: -- Alright, we hashed it out in [asf slack|https://the-asf.slack.com/archives/CK23JSY2K/p1559322494052200] and will take this in two steps: # Remove the `enabled` option so we have backwards compatible `yaml` (and probably switch `optional` to true by default) # Come up with a proposal for new encryption option names and implement them in a backwards compatible way. > Transitional TLS server configuration options are overly complex > > > Key: CASSANDRA-15146 > URL: https://issues.apache.org/jira/browse/CASSANDRA-15146 > Project: Cassandra > Issue Type: Bug > Components: Local/Config >Reporter: Joseph Lynch >Assignee: Joseph Lynch >Priority: Normal > > It appears as part of the port from transitional client TLS to transitional > server TLS in CASSANDRA-10404 (the ability to switch a cluster to using > {{internode_encryption}} without listening on two ports and without downtime) > we carried the {{enabled}} setting over from the client implementation. I > believe that the {{enabled}} option is redundant to {{internode_encryption}} > and {{optional}} and it should therefore be removed prior to the 4.0 release > where we will have to start respecting that interface. > Current trunk yaml: > {noformat} > server_encryption_options: > > # set to true for allowing secure incoming connections > > enabled: false > > # If enabled and optional are both set to true, encrypted and unencrypted > connections are handled on the storage_port > optional: false > > > > > # if enabled, will open up an encrypted listening socket on > ssl_storage_port. Should be used > # during upgrade to 4.0; otherwise, set to false. > > enable_legacy_ssl_storage_port: false > > # on outbound connections, determine which type of peers to securely > connect to. 'enabled' must be set to true. > internode_encryption: none > > keystore: conf/.keystore > > keystore_password: cassandra > > truststore: conf/.truststore > > truststore_password: cassandra > {noformat} > I propose we eliminate {{enabled}} and just use {{optional}} and > {{internode_encryption}} to determine the listener setup. I also propose we > change the default of {{optional}} to true. We could also re-name > {{optional}} since it's a new option but I think it's good to stay consistent > with the client and use {{optional}}. > ||optional||internode_encryption||description|| > |true|none|(default) No encryption is used but if a server reaches out with > it we'll use it| > |false|dc|Encryption is required for inter-dc communication, but not intra-dc| > |false|all|Encryption is required for all communication| > |false|none|We only listen for unencrypted connections| > |true|dc|Encryption is used for inter-dc communication but is not required| > |true|all|Encryption is used for all communication but is not required| > From these states it is clear when we should be accepting TLS connections > (all except for false and none) as well as when we must enforce it. > To transition without downtime from an un-encrypted cluster to an encrypted > cluster the user would do the following: > 1. After adding valid truststores, change {{internode_encryption}} to the > desired level of encryption (recommended {{all}}) and restart Cassandra > 2. Change {{optional=false}} and restart Cassandra to enforce #1 > If {{optional}} defaulted to {{false}} as it does right now we'd need a third > restart to first change {{optional}} to {{true}}, which given my > understanding of the OptionalSslHandler isn't really relevant. -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-15146) Transitional TLS server configuration options are overly complex
[ https://issues.apache.org/jira/browse/CASSANDRA-15146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16853022#comment-16853022 ] Jon Haddad commented on CASSANDRA-15146: I like this naming, [~benedict]. I think it improves the clarity a bit by matching the vocabulary we use elsewhere. > Transitional TLS server configuration options are overly complex > > > Key: CASSANDRA-15146 > URL: https://issues.apache.org/jira/browse/CASSANDRA-15146 > Project: Cassandra > Issue Type: Bug > Components: Local/Config >Reporter: Joseph Lynch >Assignee: Joseph Lynch >Priority: Normal > > It appears as part of the port from transitional client TLS to transitional > server TLS in CASSANDRA-10404 (the ability to switch a cluster to using > {{internode_encryption}} without listening on two ports and without downtime) > we carried the {{enabled}} setting over from the client implementation. I > believe that the {{enabled}} option is redundant to {{internode_encryption}} > and {{optional}} and it should therefore be removed prior to the 4.0 release > where we will have to start respecting that interface. > Current trunk yaml: > {noformat} > server_encryption_options: > > # set to true for allowing secure incoming connections > > enabled: false > > # If enabled and optional are both set to true, encrypted and unencrypted > connections are handled on the storage_port > optional: false > > > > > # if enabled, will open up an encrypted listening socket on > ssl_storage_port. Should be used > # during upgrade to 4.0; otherwise, set to false. > > enable_legacy_ssl_storage_port: false > > # on outbound connections, determine which type of peers to securely > connect to. 'enabled' must be set to true. > internode_encryption: none > > keystore: conf/.keystore > > keystore_password: cassandra > > truststore: conf/.truststore > > truststore_password: cassandra > {noformat} > I propose we eliminate {{enabled}} and just use {{optional}} and > {{internode_encryption}} to determine the listener setup. I also propose we > change the default of {{optional}} to true. We could also re-name > {{optional}} since it's a new option but I think it's good to stay consistent > with the client and use {{optional}}. > ||optional||internode_encryption||description|| > |true|none|(default) No encryption is used but if a server reaches out with > it we'll use it| > |false|dc|Encryption is required for inter-dc communication, but not intra-dc| > |false|all|Encryption is required for all communication| > |false|none|We only listen for unencrypted connections| > |true|dc|Encryption is used for inter-dc communication but is not required| > |true|all|Encryption is used for all communication but is not required| > From these states it is clear when we should be accepting TLS connections > (all except for false and none) as well as when we must enforce it. > To transition without downtime from an un-encrypted cluster to an encrypted > cluster the user would do the following: > 1. After adding valid truststores, change {{internode_encryption}} to the > desired level of encryption (recommended {{all}}) and restart Cassandra > 2. Change {{optional=false}} and restart Cassandra to enforce #1 > If {{optional}} defaulted to {{false}} as it does right now we'd need a third > restart to first change {{optional}} to {{true}}, which given my > understanding of the OptionalSslHandler isn't really relevant. -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
[jira] [Commented] (CASSANDRA-15146) Transitional TLS server configuration options are overly complex
[ https://issues.apache.org/jira/browse/CASSANDRA-15146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16852956#comment-16852956 ] Benedict commented on CASSANDRA-15146: -- Perhaps we should generally massage this a bit. Is {{server_encryption_options}} very clear, for instance? {{internode_encryption}} would be clearer to me. With perhaps a {{protect}} field accepting {{none}}, {{inter_dc}}, {{all}}? Should we consider getting rid of the {{_options}} for both (while still supporting {{_options}} for client indefinitely)? The word is redundant, given the context. > Transitional TLS server configuration options are overly complex > > > Key: CASSANDRA-15146 > URL: https://issues.apache.org/jira/browse/CASSANDRA-15146 > Project: Cassandra > Issue Type: Bug > Components: Local/Config >Reporter: Joseph Lynch >Assignee: Joseph Lynch >Priority: Normal > > It appears as part of the port from transitional client TLS to transitional > server TLS in CASSANDRA-10404 (the ability to switch a cluster to using > {{internode_encryption}} without listening on two ports and without downtime) > we carried the {{enabled}} setting over from the client implementation. I > believe that the {{enabled}} option is redundant to {{internode_encryption}} > and {{optional}} and it should therefore be removed prior to the 4.0 release > where we will have to start respecting that interface. > Current trunk yaml: > {noformat} > server_encryption_options: > > # set to true for allowing secure incoming connections > > enabled: false > > # If enabled and optional are both set to true, encrypted and unencrypted > connections are handled on the storage_port > optional: false > > > > > # if enabled, will open up an encrypted listening socket on > ssl_storage_port. Should be used > # during upgrade to 4.0; otherwise, set to false. > > enable_legacy_ssl_storage_port: false > > # on outbound connections, determine which type of peers to securely > connect to. 'enabled' must be set to true. > internode_encryption: none > > keystore: conf/.keystore > > keystore_password: cassandra > > truststore: conf/.truststore > > truststore_password: cassandra > {noformat} > I propose we eliminate {{enabled}} and just use {{optional}} and > {{internode_encryption}} to determine the listener setup. I also propose we > change the default of {{optional}} to true. We could also re-name > {{optional}} since it's a new option but I think it's good to stay consistent > with the client and use {{optional}}. > ||optional||internode_encryption||description|| > |true|none|(default) No encryption is used but if a server reaches out with > it we'll use it| > |false|dc|Encryption is required for inter-dc communication, but not intra-dc| > |false|all|Encryption is required for all communication| > |false|none|We only listen for unencrypted connections| > |true|dc|Encryption is used for inter-dc communication but is not required| > |true|all|Encryption is used for all communication but is not required| > From these states it is clear when we should be accepting TLS connections > (all except for false and none) as well as when we must enforce it. > To transition without downtime from an un-encrypted cluster to an encrypted > cluster the user would do the following: > 1. After adding valid truststores, change {{internode_encryption}} to the > desired level of encryption (recommended {{all}}) and restart Cassandra > 2. Change {{optional=false}} and restart Cassandra to enforce #1 > If {{optional}} defaulted to {{false}} as it does right now we'd need a third > restart to first change {{optional}} to {{true}}, which given my > understanding of the OptionalSslHandler isn't really relevant. -- This message was sent by Atlassian JIRA (v7.6.3#76005) - To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: