
Transitional TLS server configuration options are overly complex





      It appears that, as part of the port from transitional client TLS to transitional server TLS in CASSANDRA-10404 (the ability to switch a cluster to using internode_encryption without listening on two ports and without downtime), we carried the enabled setting over from the client implementation. I believe that the enabled option is redundant to internode_encryption and optional, and it should therefore be removed prior to the 4.0 release, where we will have to start respecting that interface.

      Current trunk yaml:

          # set to true for allowing secure incoming connections
          enabled: false
          # If enabled and optional are both set to true, encrypted and unencrypted connections are handled on the storage_port
          optional: false
          # if enabled, will open up an encrypted listening socket on ssl_storage_port. Should be used
          # during upgrade to 4.0; otherwise, set to false.
          enable_legacy_ssl_storage_port: false
          # on outbound connections, determine which type of peers to securely connect to. 'enabled' must be set to true.
          internode_encryption: none
          keystore: conf/.keystore
          keystore_password: cassandra
          truststore: conf/.truststore
          truststore_password: cassandra

      I propose we eliminate enabled and just use optional and internode_encryption to determine the listener setup. I also propose we change the default of optional to true. We could also rename optional, since it's a new option, but I think it's good to stay consistent with the client and use optional.

      optional  internode_encryption  description
      true      none (default)        No encryption is used, but if a server reaches out with it we'll use it
      false     dc                    Encryption is required for inter-dc communication, but not intra-dc
      false     all                   Encryption is required for all communication
      false     none                  We only listen for unencrypted connections
      true      dc                    Encryption is used for inter-dc communication but is not required
      true      all                   Encryption is used for all communication but is not required

      From these states it is clear when we should be accepting TLS connections (every combination except optional=false with internode_encryption=none) as well as when we must enforce it.

      To transition without downtime from an un-encrypted cluster to an encrypted cluster the user would do the following:

      1. After adding valid truststores, change internode_encryption to the desired level of encryption (recommended all) and restart Cassandra
      2. Change optional=false and restart Cassandra to enforce #1

      If optional defaulted to false, as it does right now, we'd need a third restart to first change optional to true, which, given my understanding of the OptionalSslHandler, isn't really relevant.
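To make the state table and the two-restart procedure concrete, here is an added Python model; it is not Cassandra code and not part of the ticket. It encodes each node's inbound accept/require decisions and outbound TLS choice from optional and internode_encryption, then simulates a rolling restart of a constructed two-DC cluster to check that every node can still reach every other after each restart. Names such as Node, policy_covers and rolling_restart are assumptions, and the outbound rule "use TLS iff the policy covers the peer, otherwise plaintext" is a simplification of what OptionalSslHandler does.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Node:
    name: str
    dc: str
    optional: bool             # proposed default: true
    internode_encryption: str  # 'none' | 'dc' | 'all'

def policy_covers(n, peer_dc):
    # Does this node's internode_encryption level apply to a peer in peer_dc?
    return n.internode_encryption == "all" or (n.internode_encryption == "dc" and n.dc != peer_dc)

def accepts_tls(n):
    # Inbound: listen for TLS in every state except optional=false + internode_encryption=none.
    return n.optional or n.internode_encryption != "none"

def requires_tls(n, peer_dc):
    # Inbound: plaintext is refused only once optional=false and the policy covers the peer.
    return not n.optional and policy_covers(n, peer_dc)

def can_connect(src, dst):
    # Outbound uses TLS iff its policy covers the peer (assumption); inbound must accept that choice.
    return accepts_tls(dst) if policy_covers(src, dst.dc) else not requires_tls(dst, src.dc)

def fully_connected(nodes):
    return all(can_connect(a, b) for a in nodes for b in nodes if a is not b)

def rolling_restart(nodes, change):
    # Restart one node at a time; stop early if any node can no longer reach every other.
    nodes = list(nodes)
    for i in range(len(nodes)):
        nodes[i] = change(nodes[i])
        if not fully_connected(nodes):
            return False, nodes
    return True, nodes

def proposed_transition(nodes):
    # Step 1: raise internode_encryption with optional still true; step 2: set optional=false.
    ok1, nodes = rolling_restart(nodes, lambda n: replace(n, internode_encryption="all"))
    ok2, nodes = rolling_restart(nodes, lambda n: replace(n, optional=False))
    return ok1 and ok2

def single_step_transition(nodes):
    # With today's default optional=false, jumping straight to 'all' strands the first node.
    ok, _ = rolling_restart(nodes, lambda n: replace(n, internode_encryption="all"))
    return ok

def sample_cluster(optional):
    # Constructed sample: two DCs, two nodes each, all unencrypted to start.
    return [Node(f"n{i}", "dc1" if i < 2 else "dc2", optional, "none") for i in range(4)]
```

Running proposed_transition(sample_cluster(True)) keeps the cluster connected through both steps, while single_step_transition(sample_cluster(False)) fails as soon as the first node is restarted, because the remaining optional=false/none nodes do not listen for TLS.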





              e.dimitrova Ekaterina Dimitrova
              jolynch Joey Lynch
              Ekaterina Dimitrova