[
https://issues.apache.org/jira/browse/CASSANDRA-20484?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17953590#comment-17953590
]
Maulin Vasavada commented on CASSANDRA-20484:
---------------------------------------------
I agree with your thoughts [~Jyothsnakonisa] . However, the documentation for
sstableloader
([link|https://cassandra.apache.org/doc/4.0/cassandra/tools/sstable/sstableloader.html])
seems confusing. It says that if the SSL is enabled in the cluster, use
{{cassandra.yaml}} 's {{server_encryption_options}} instead of command line
params.
However, to me that is super confusing since ALL the command line params refers
to {{Client SSL}} and then the documentation recommends to use server options
if we want to use the config file instead of command line parameters. The
sstableloader tool's code has two paths - one using the
{{client_encryption_options}} for native connection to the cluster (for
metadata fetch etc) AND using {{server_encryption_options}} for the streaming
protocol communication to the cluster nodes directly. My opinion is that - from
the sstableloader perspective it will be better to have a first class
encryption option configs that are clearly saying what they are for. e.g. We
could have {{native_connection_encryption_options}} and
{{streaming_protocol_encryption_options}} with just the configs that allow SSL
related configs and dont' confuse us with client/server terminology. The links
to both of this code paths are in the JIRA discussion.
> Bulkloader requires truststore path even when required_client_auth is false
> in cassandra.yaml
> ---------------------------------------------------------------------------------------------
>
> Key: CASSANDRA-20484
> URL: https://issues.apache.org/jira/browse/CASSANDRA-20484
> Project: Apache Cassandra
> Issue Type: Bug
> Components: Tool/bulk load
> Reporter: Niket Vilas Bagwe
> Assignee: Maulin Vasavada
> Priority: Normal
> Attachments: image-2025-05-13-23-42-19-536.png
>
>
> If client_encryption_options are enabled in cassandra.yaml with
> require_client_auth false *and* Sstableloader command is used with -f option
> (for cassandra.yaml path), sstableloader fails with "NoSuchFileException:
> conf/.truststore".
> Sample sstableloader command is as follows.
> |sstableloader /opt/cassandra/data/keyspace/table -d 127.0.0.1 -p 9042 -ssp
> 7001 -sp 7000 -f */opt/nosql/clusters/cassandra-6382/conf/cassandra.yaml* -u
> "caas" -pw *******|
> Exception encountered is as follows:
>
> {code:java}
> Exception in thread "main" java.lang.RuntimeException: Could not create SSL
> Context.
> at
> org.apache.cassandra.tools.BulkLoader.buildSSLOptions(BulkLoader.java:271)
> at org.apache.cassandra.tools.BulkLoader.load(BulkLoader.java:72)
> at org.apache.cassandra.tools.BulkLoader.main(BulkLoader.java:58)
> Caused by: javax.net.ssl.SSLException: failed to build trust manager store
> for secure connections
> at
> org.apache.cassandra.security.FileBasedSslContextFactory.buildTrustManagerFactory(FileBasedSslContextFactory.java:196)
> at
> org.apache.cassandra.security.AbstractSslContextFactory.createJSSESslContext(AbstractSslContextFactory.java:155)
> at
> org.apache.cassandra.security.SSLFactory.createSSLContext(SSLFactory.java:127)
> at
> org.apache.cassandra.tools.BulkLoader.buildSSLOptions(BulkLoader.java:267)
> ... 2 more
> Caused by: java.nio.file.NoSuchFileException: conf/.truststore
> at
> java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:92)
> at
> java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
> at
> java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:116)
> at
> java.base/sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:219)
> at java.base/java.nio.file.Files.newByteChannel(Files.java:371)
> at java.base/java.nio.file.Files.newByteChannel(Files.java:422)
> at
> java.base/java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemProvider.java:420)
> at java.base/java.nio.file.Files.newInputStream(Files.java:156)
> at
> org.apache.cassandra.security.FileBasedSslContextFactory.buildTrustManagerFactory(FileBasedSslContextFactory.java:183)
> ... 5 more {code}
> The reason for this is that sslcontext for native connection in BulkLoader is
> always created with EncryptionOptions.ClientAuth set to true at
> [line|https://github.com/apache/cassandra/blob/f278f6774fc76465c182041e081982105c3e7dbb/src/java/org/apache/cassandra/tools/BulkLoader.java#L267]
> irrespective of the value of require_client_auth present in cassandra.yaml.
> Because of this BulkLoader always expects to have a truststore file inorder
> to verify the client certificates. Copying below the errorneous code block
> for reference.
> {code:java}
> private static SSLOptions buildSSLOptions(EncryptionOptions
> clientEncryptionOptions)
> { if (!clientEncryptionOptions.getEnabled())
> {
> return null;
> } SSLContext sslContext;
> try
> {
> ################ problematic line
> sslContext = SSLFactory.createSSLContext(clientEncryptionOptions,
> true);
> ################
> }
> catch (IOException e)
> {
> throw new RuntimeException("Could not create SSL Context.", e);
> } {code}
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
