Niket Vilas Bagwe created CASSANDRA-20484:
---------------------------------------------

             Summary: Bulkloader requires truststore path even when required_client_auth is false in cassandra.yaml
                 Key: CASSANDRA-20484
                 URL: https://issues.apache.org/jira/browse/CASSANDRA-20484
             Project: Apache Cassandra
          Issue Type: Bug
          Components: Tool/bulk load
            Reporter: Niket Vilas Bagwe


If client_encryption_options are enabled in cassandra.yaml with require_client_auth false *and* the sstableloader command is used with the -f option (for the cassandra.yaml path), sstableloader fails with "NoSuchFileException: conf/.truststore".

A sample sstableloader command is as follows.
|sstableloader /opt/cassandra/data/keyspace/table -d 127.0.0.1 -p 9042 -ssp 7001 -sp 7000 -f */opt/nosql/clusters/cassandra-6382/conf/cassandra.yaml* -u "caas" -pw *******|

The exception encountered is as follows:
{code:java}
Exception in thread "main" java.lang.RuntimeException: Could not create SSL Context.
    at org.apache.cassandra.tools.BulkLoader.buildSSLOptions(BulkLoader.java:271)
    at org.apache.cassandra.tools.BulkLoader.load(BulkLoader.java:72)
    at org.apache.cassandra.tools.BulkLoader.main(BulkLoader.java:58)
Caused by: javax.net.ssl.SSLException: failed to build trust manager store for secure connections
    at org.apache.cassandra.security.FileBasedSslContextFactory.buildTrustManagerFactory(FileBasedSslContextFactory.java:196)
    at org.apache.cassandra.security.AbstractSslContextFactory.createJSSESslContext(AbstractSslContextFactory.java:155)
    at org.apache.cassandra.security.SSLFactory.createSSLContext(SSLFactory.java:127)
    at org.apache.cassandra.tools.BulkLoader.buildSSLOptions(BulkLoader.java:267)
    ... 2 more
Caused by: java.nio.file.NoSuchFileException: conf/.truststore
    at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:92)
    at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
    at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:116)
    at java.base/sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:219)
    at java.base/java.nio.file.Files.newByteChannel(Files.java:371)
    at java.base/java.nio.file.Files.newByteChannel(Files.java:422)
    at java.base/java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemProvider.java:420)
    at java.base/java.nio.file.Files.newInputStream(Files.java:156)
    at org.apache.cassandra.security.FileBasedSslContextFactory.buildTrustManagerFactory(FileBasedSslContextFactory.java:183)
    ... 5 more
{code}

The reason for this is that the sslcontext for the native connection in BulkLoader is always created with EncryptionOptions.ClientAuth set to true at [line|https://github.com/apache/cassandra/blob/f278f6774fc76465c182041e081982105c3e7dbb/src/java/org/apache/cassandra/tools/BulkLoader.java#L267] irrespective of the value of require_client_auth present in cassandra.yaml. Because of this, BulkLoader always expects to have a truststore file in order to verify the client certificates.

Copying below the erroneous code block for reference.
{code:java}
private static SSLOptions buildSSLOptions(EncryptionOptions clientEncryptionOptions)
{
    if (!clientEncryptionOptions.getEnabled())
    {
        return null;
    }

    SSLContext sslContext;
    try
    {
        // ################ problematic line
        sslContext = SSLFactory.createSSLContext(clientEncryptionOptions, true);
        // ################
    }
    catch (IOException e)
    {
        throw new RuntimeException("Could not create SSL Context.", e);
    }
{code}
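
The failure mode described in the report, reduced to plain JSSE as an added example (not code from the report or from Cassandra): a context builder that opens the truststore only when its flag is set, called once with the flag hard-coded to true and once with a value standing in for require_client_auth. The class name, the build helper, the sample password and the assumption that conf/.truststore does not exist in the working directory are all hypothetical; when no trust managers are passed, JSSE falls back to the JVM's default trust store, so a server certificate issued by a private CA still needs a configured truststore to be verified.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

public class TruststoreGateDemo {
    // Hypothetical helper, not Cassandra code: opens the truststore file only when asked to.
    static SSLContext build(Path truststore, char[] password, boolean loadTruststore)
            throws IOException, GeneralSecurityException {
        TrustManager[] trustManagers = null; // null: JSSE uses the JVM default trust store
        if (loadTruststore) {
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            try (InputStream in = Files.newInputStream(truststore)) { // throws if the file is absent
                ks.load(in, password);
            }
            TrustManagerFactory tmf =
                    TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ks);
            trustManagers = tmf.getTrustManagers();
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustManagers, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        Path missing = Paths.get("conf/.truststore"); // path from the report, assumed absent here
        char[] pw = "changeit".toCharArray();          // constructed sample value

        // Flag hard-coded to true, as in the reported call: fails before any connection is made.
        try {
            build(missing, pw, true);
            System.out.println("hard-coded true -> context built (truststore file exists)");
        } catch (IOException e) {
            System.out.println("hard-coded true -> " + e.getClass().getName() + ": " + e.getMessage());
        }

        // Flag taken from configuration: with false, the truststore file is never opened.
        boolean requireClientAuth = false; // constructed stand-in for require_client_auth
        SSLContext ctx = build(missing, pw, requireClientAuth);
        System.out.println("config-driven   -> " + ctx.getProtocol() + " context, default trust managers");
    }
}
```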