[jira] [Commented] (CASSANDRA-18681) Internode legacy SSL storage port certificate is not hot reloaded on update

2023-09-29 Thread Jon Meredith (Jira)


[ 
https://issues.apache.org/jira/browse/CASSANDRA-18681?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17770519#comment-17770519
 ] 

Jon Meredith commented on CASSANDRA-18681:
--

Reran against 5.0 branch. Clean runs.

java11_separate_tests 
https://app.circleci.com/pipelines/github/jonmeredith/cassandra/958/workflows/906a8642-f525-4d52-a981-eba879717aaa
java17_separate_tests 
https://app.circleci.com/pipelines/github/jonmeredith/cassandra/958/workflows/11af46d5-c996-409e-b9c2-4e1aea2a5881

> Internode legacy SSL storage port certificate is not hot reloaded on update
> ---
>
> Key: CASSANDRA-18681
> URL: https://issues.apache.org/jira/browse/CASSANDRA-18681
> Project: Cassandra
> Issue Type: Bug
> Components: Messaging/Internode
> Reporter: Jon Meredith
> Assignee: Jon Meredith
> Priority: Normal
> Fix For: 4.1.4, 5.0-alpha2
>
>
> In CASSANDRA-1 the SSLContext cache was changed to clear individual 
> {{EncryptionOptions}} from the SslContext cache if they needed reloading to 
> reduce resource consumption. Before the change if ANY cert needed hot 
> reloading, the SSLContext cache would be cleared for ALL certs.
> If the legacy SSL storage port is configured, a new {{EncryptionOptions}} 
> object is created in {{org.apache.cassandra.net.InboundSockets#addBindings}} 
> just for binding the socket, but never gets cleared as the change in port 
> means it no longer matches the configuration retrieved from 
> {{DatabaseDescriptor}} in 
> {{org.apache.cassandra.net.MessagingServiceMBeanImpl#reloadSslCertificates}}.
> This is unlikely to be an issue in practice as the legacy SSL internode 
> socket is only used in mixed version clusters with pre-4.0 nodes, so the cert 
> only needs to stay valid until all nodes upgrade to 4.x or above.
> One way to avoid this class of failures is to just check the entries present 
> in the SSLContext cache.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
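
The stale-entry behaviour described in the quoted issue, reduced to a toy cache. This is an added example, not code from Cassandra or from the patch: `Options`, `reloadByConfig`, `reloadByCacheEntries`, the keystore path and ports 7000/7001 are hypothetical stand-ins, and it needs Java 16 or later for records.

```java
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

// Toy model of the bug; every name here is hypothetical, not a Cassandra class.
public class SslContextCacheDemo {
    // Cache key: as with EncryptionOptions, equality includes the port.
    record Options(String keystore, int port) {
        Options withPort(int p) { return new Options(keystore, p); }
    }

    // keystore path -> certificate currently on disk (constructed sample data)
    static final Map<String, String> disk = new HashMap<>();
    // Options -> certificate baked into the cached "context"
    static final Map<Options, String> cache = new ConcurrentHashMap<>();

    static String context(Options o) {
        return cache.computeIfAbsent(o, k -> disk.get(k.keystore()));
    }

    // Reload keyed on configuration: only the configured Options is invalidated,
    // so a derived key with a different port is never looked at.
    static void reloadByConfig(Options configured) {
        if (!disk.get(configured.keystore()).equals(cache.get(configured)))
            cache.remove(configured);
    }

    // Reload that walks the entries actually present in the cache.
    static void reloadByCacheEntries() {
        cache.entrySet().removeIf(e -> !disk.get(e.getKey().keystore()).equals(e.getValue()));
    }

    // Returns the certificates served on {configured port, legacy port} after a rotation.
    static String[] run(boolean walkCache) {
        disk.clear();
        cache.clear();
        disk.put("conf/keystore.jks", "cert-v1");
        Options configured = new Options("conf/keystore.jks", 7000);
        Options legacy = configured.withPort(7001);   // built only to bind the legacy socket
        context(configured);
        context(legacy);
        disk.put("conf/keystore.jks", "cert-v2");     // operator rotates the certificate
        if (walkCache) reloadByCacheEntries(); else reloadByConfig(configured);
        return new String[] { context(configured), context(legacy) };
    }

    public static void main(String[] args) {
        System.out.println("config-keyed reload:  " + Arrays.toString(run(false)));
        System.out.println("cache-walking reload: " + Arrays.toString(run(true)));
    }
}
```

With the config-keyed reload the legacy entry keeps serving `cert-v1` after rotation, while walking the cache entries refreshes both.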



[jira] [Commented] (CASSANDRA-18681) Internode legacy SSL storage port certificate is not hot reloaded on update

2023-09-29 Thread Jira


[ 
https://issues.apache.org/jira/browse/CASSANDRA-18681?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17770372#comment-17770372
 ] 

Andres de la Peña commented on CASSANDRA-18681:
---

None of the above CircleCI runs contains the repeated runs of the modified 
files ({{DefaultSslContextFactoryTest}}, {{PEMBasedSslContextFactoryTest}} and 
{{SSLFactoryTest}}). I think this is due to a bug in the non-public script used 
to generate the CircleCI config file.

Those repeated runs can be generated with the project's 
[{{.circleci/generate.sh}}|https://github.com/apache/cassandra/blob/trunk/.circleci/generate.sh]
 script.

The absence of repeated runs can be easily detected by looking at the CI 
results, in the workflow view. If the patch contains any changes on tests there 
should be jobs named with the {{_repeat}} suffix. One can also check whether 
the pushed {{.circleci/config.yml}} file contains the names of relevant tests.







[jira] [Commented] (CASSANDRA-18681) Internode legacy SSL storage port certificate is not hot reloaded on update

2023-09-21 Thread Jon Meredith (Jira)


[ 
https://issues.apache.org/jira/browse/CASSANDRA-18681?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17767747#comment-17767747
 ] 

Jon Meredith commented on CASSANDRA-18681:
--

Refactored to just explicitly add initialize the legacy ssl encryption options.

CI Results (pending):
||Branch||Source||Circle CI||Jenkins||
|cassandra-4.1|[branch|https://github.com/jonmeredith/cassandra/tree/commit_remote_branch/CASSANDRA-18681-cassandra-4.1-B319E212-DEE9-4BD5-8FA1-CEB9D630C414]|[build|https://app.circleci.com/pipelines/github/jonmeredith/cassandra?branch=commit_remote_branch%2FCASSANDRA-18681-cassandra-4.1-B319E212-DEE9-4BD5-8FA1-CEB9D630C414]|[build|https://ci-cassandra.apache.org/job/Cassandra-devbranch/2598/]|
|cassandra-5.0|[branch|https://github.com/jonmeredith/cassandra/tree/commit_remote_branch/CASSANDRA-18681-cassandra-5.0-B319E212-DEE9-4BD5-8FA1-CEB9D630C414]|[build|https://app.circleci.com/pipelines/github/jonmeredith/cassandra?branch=commit_remote_branch%2FCASSANDRA-18681-cassandra-5.0-B319E212-DEE9-4BD5-8FA1-CEB9D630C414]|[build|https://ci-cassandra.apache.org/job/Cassandra-devbranch/2599/]|
|trunk|[branch|https://github.com/jonmeredith/cassandra/tree/commit_remote_branch/CASSANDRA-18681-trunk-B319E212-DEE9-4BD5-8FA1-CEB9D630C414]|[build|https://app.circleci.com/pipelines/github/jonmeredith/cassandra?branch=commit_remote_branch%2FCASSANDRA-18681-trunk-B319E212-DEE9-4BD5-8FA1-CEB9D630C414]|[build|unknown]|







[jira] [Commented] (CASSANDRA-18681) Internode legacy SSL storage port certificate is not hot reloaded on update

2023-09-21 Thread Francisco Guerrero (Jira)


[ 
https://issues.apache.org/jira/browse/CASSANDRA-18681?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17767662#comment-17767662
 ] 

Francisco Guerrero commented on CASSANDRA-18681:


+1, looks good to me







[jira] [Commented] (CASSANDRA-18681) Internode legacy SSL storage port certificate is not hot reloaded on update

2023-09-20 Thread Jon Meredith (Jira)


[ 
https://issues.apache.org/jira/browse/CASSANDRA-18681?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17767219#comment-17767219
 ] 

Jon Meredith commented on CASSANDRA-18681:
--

I've remembered why I did it this way. The legacy ssl storage port encryption 
options are not registered for hot reloading, so you have to match invalidate 
if the original encryption options shouldReload returned true.








[jira] [Commented] (CASSANDRA-18681) Internode legacy SSL storage port certificate is not hot reloaded on update

2023-09-19 Thread Dinesh Joshi (Jira)


[ 
https://issues.apache.org/jira/browse/CASSANDRA-18681?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17766996#comment-17766996
 ] 

Dinesh Joshi commented on CASSANDRA-18681:
--

+1, thanks for the patch!







[jira] [Commented] (CASSANDRA-18681) Internode legacy SSL storage port certificate is not hot reloaded on update

2023-09-15 Thread Jon Meredith (Jira)


[ 
https://issues.apache.org/jira/browse/CASSANDRA-18681?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17765882#comment-17765882
 ] 

Jon Meredith commented on CASSANDRA-18681:
--

4.1 [Branch|https://github.com/jonmeredith/cassandra/tree/C18681-4.1] 
[PR|https://github.com/apache/cassandra/pull/2693]
5.0 [Branch|https://github.com/jonmeredith/cassandra/tree/C18681-5.0] 
[PR|https://github.com/apache/cassandra/pull/2694]
Trunk [Branch|https://github.com/jonmeredith/cassandra/tree/C18681-trunk] 
[PR|https://github.com/apache/cassandra/pull/2695]

CI Results (pending):
||Branch||Source||Circle CI||Jenkins||
|cassandra-4.1|[branch|https://github.com/jonmeredith/cassandra/tree/commit_remote_branch/CASSANDRA-18681-cassandra-4.1-27E812B5-58D5-44D7-8C5E-3B0D3AA5F767]|[build|https://app.circleci.com/pipelines/github/jonmeredith/cassandra?branch=commit_remote_branch%2FCASSANDRA-18681-cassandra-4.1-27E812B5-58D5-44D7-8C5E-3B0D3AA5F767]|[build|https://ci-cassandra.apache.org/job/Cassandra-devbranch/2595/]|
|cassandra-5.0|[branch|https://github.com/jonmeredith/cassandra/tree/commit_remote_branch/CASSANDRA-18681-cassandra-5.0-27E812B5-58D5-44D7-8C5E-3B0D3AA5F767]|[build|https://app.circleci.com/pipelines/github/jonmeredith/cassandra?branch=commit_remote_branch%2FCASSANDRA-18681-cassandra-5.0-27E812B5-58D5-44D7-8C5E-3B0D3AA5F767]|[build|https://ci-cassandra.apache.org/job/Cassandra-devbranch/2596/]|
|trunk|[branch|https://github.com/jonmeredith/cassandra/tree/commit_remote_branch/CASSANDRA-18681-trunk-27E812B5-58D5-44D7-8C5E-3B0D3AA5F767]|[build|https://app.circleci.com/pipelines/github/jonmeredith/cassandra?branch=commit_remote_branch%2FCASSANDRA-18681-trunk-27E812B5-58D5-44D7-8C5E-3B0D3AA5F767]|[build|unknown]|




