[ https://issues.apache.org/jira/browse/CASSANDRA-20484?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17939856#comment-17939856 ]

Maulin Vasavada edited comment on CASSANDRA-20484 at 4/1/25 4:59 AM:
---------------------------------------------------------------------

Hi [~niketba...@gmail.com] I saw the code/documentation you linked here prior 
to your post already. The issue seems to be that even though the documentation 
and code seem to be using client_encryption_options, it actually doesn't. If you 
look at 
[this|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/tools/BulkLoader.java#L305]
 line, it passes the sslOptions (that are loaded from either the command line or 
the config file client_encryption_options) to the parent class, but 
[this|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/tools/BulkLoader.java#L311]
 line overrides the getConnectionFactory() method in the parent class, which 
seems to be ultimately used 
[here|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/io/sstable/SSTableLoader.java#L200].
 So my take at this point is: I feel that server_encryption_options via the 
config file is the best route to test from your side (I'd do it if I had a way 
to test it but I don't have it right now). 

All in all, I would be confused if the code needs both client AND server 
encryption options. I think it should need only one, since the loader should 
connect to the nodes as a client (as in my original question). Of course, I am 
not super familiar with this part of the code. I just ended up making some 
changes recently due to refactoring in the EncryptionOptions class.

Let me try to see if BulkLoaderTest has enough code to test this out and check. 
Meanwhile, you can try it out with server_encryption_options.


was (Author: maulin.vasavada):
Hi [~niketba...@gmail.com] I saw the code/documentation you linked here prior 
to your post already. The issue seems to be that even though the documentation 
and code seem to be using client_encryption_options, it actually doesn't. If you 
look at 
[this|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/tools/BulkLoader.java#L305]
 line, it passes the sslOptions (that are loaded from either the command line or 
the config file client_encryption_options) to the parent class, but 
[this|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/tools/BulkLoader.java#L311]
 line overrides the getConnectionFactory() method in the parent class, which 
seems to be ultimately used 
[here|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/io/sstable/SSTableLoader.java#L200].
 So my take at this point is: I feel that server_encryption_options via the 
config file is the best route to test from your side (I'd do it if I had a way 
to test it but I don't have it right now). 

All in all, I would be confused if the code needs both client AND server 
encryption options. I would think it should need only one, since the loader 
should connect to the nodes as a client (as in my original question). Of course, 
I am not super familiar with this part of the code. I just ended up making some 
changes recently due to refactoring in the EncryptionOptions class.

Let me try to see if BulkLoaderTest has enough code to test this out and check. 
Meanwhile, you can try it out with server_encryption_options.

> Bulkloader requires truststore path even when required_client_auth is false 
> in cassandra.yaml
> ---------------------------------------------------------------------------------------------
>
>                 Key: CASSANDRA-20484
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-20484
>             Project: Apache Cassandra
>          Issue Type: Bug
>          Components: Tool/bulk load
>            Reporter: Niket Vilas Bagwe
>            Assignee: Maulin Vasavada
>            Priority: Normal
>
> If client_encryption_options are enabled in cassandra.yaml with 
> require_client_auth false *and* the sstableloader command is used with the -f 
> option (for the cassandra.yaml path), sstableloader fails with 
> "NoSuchFileException: conf/.truststore".
> A sample sstableloader command is as follows.
> |sstableloader /opt/cassandra/data/keyspace/table -d 127.0.0.1 -p 9042 -ssp 7001 -sp 7000 -f */opt/nosql/clusters/cassandra-6382/conf/cassandra.yaml* -u "caas" -pw *******|
> The exception encountered is as follows:
>
> {code:java}
> Exception in thread "main" java.lang.RuntimeException: Could not create SSL Context.
>         at org.apache.cassandra.tools.BulkLoader.buildSSLOptions(BulkLoader.java:271)
>         at org.apache.cassandra.tools.BulkLoader.load(BulkLoader.java:72)
>         at org.apache.cassandra.tools.BulkLoader.main(BulkLoader.java:58)
> Caused by: javax.net.ssl.SSLException: failed to build trust manager store for secure connections
>         at org.apache.cassandra.security.FileBasedSslContextFactory.buildTrustManagerFactory(FileBasedSslContextFactory.java:196)
>         at org.apache.cassandra.security.AbstractSslContextFactory.createJSSESslContext(AbstractSslContextFactory.java:155)
>         at org.apache.cassandra.security.SSLFactory.createSSLContext(SSLFactory.java:127)
>         at org.apache.cassandra.tools.BulkLoader.buildSSLOptions(BulkLoader.java:267)
>         ... 2 more
> Caused by: java.nio.file.NoSuchFileException: conf/.truststore
>         at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:92)
>         at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
>         at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:116)
>         at java.base/sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:219)
>         at java.base/java.nio.file.Files.newByteChannel(Files.java:371)
>         at java.base/java.nio.file.Files.newByteChannel(Files.java:422)
>         at java.base/java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemProvider.java:420)
>         at java.base/java.nio.file.Files.newInputStream(Files.java:156)
>         at org.apache.cassandra.security.FileBasedSslContextFactory.buildTrustManagerFactory(FileBasedSslContextFactory.java:183)
>         ... 5 more
> {code}
> The reason for this is that the SSL context for the native connection in 
> BulkLoader is always created with EncryptionOptions.ClientAuth set to true at 
> [line|https://github.com/apache/cassandra/blob/f278f6774fc76465c182041e081982105c3e7dbb/src/java/org/apache/cassandra/tools/BulkLoader.java#L267]
>  irrespective of the value of require_client_auth present in cassandra.yaml. 
> Because of this, BulkLoader always expects to have a truststore file in order 
> to verify the client certificates. Copying the erroneous code block below for 
> reference.
> {code:java}
>     private static SSLOptions buildSSLOptions(EncryptionOptions clientEncryptionOptions)
>     {
>         if (!clientEncryptionOptions.getEnabled())
>         {
>             return null;
>         }
>         SSLContext sslContext;
>         try
>         {
>             // ################ problematic line
>             sslContext = SSLFactory.createSSLContext(clientEncryptionOptions, true);
>             // ################
>         }
>         catch (IOException e)
>         {
>             throw new RuntimeException("Could not create SSL Context.", e);
>         }
> {code}
>  
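The failure mode described in the report (a hard-coded `true` for the truststore flag, so `require_client_auth: false` still demands a truststore file) and the regression check the comment above wants from BulkLoaderTest can be modelled outside Cassandra. The following is an added example, not code from the issue or from the Cassandra project: it reproduces the decision logic with Python's standard `ssl` module instead of JSSE. `ClientEncryptionOptions`, `create_ssl_context`, the two `build_ssl_options_*` variants and `outcome` are names assumed for this example; the only thing taken from the page is the structure of `buildSSLOptions` and the idea that the second argument should follow `require_client_auth` rather than a literal `true`.

```python
import os
import ssl
import tempfile
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class ClientEncryptionOptions:
    """Constructed stand-in for the client_encryption_options block of cassandra.yaml.

    Field names mirror the YAML keys discussed in the issue; the class itself is an
    assumption for this example, not Cassandra's EncryptionOptions.
    """
    enabled: bool
    require_client_auth: bool
    truststore: str  # path to the truststore; may not exist on disk


def create_ssl_context(opts: ClientEncryptionOptions, build_truststore: bool) -> ssl.SSLContext:
    """Model of SSLFactory.createSSLContext(options, buildTruststore) on Python's ssl module.

    The truststore file is opened only when build_truststore is True, so a missing file
    fails here; this is the point where the reported NoSuchFileException surfaces in Java.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if build_truststore:
        ctx.load_verify_locations(cafile=opts.truststore)  # raises FileNotFoundError if absent
    else:
        ctx.load_default_certs()  # platform trust store still verifies the server certificate
    return ctx


def build_ssl_options_as_reported(opts: ClientEncryptionOptions) -> Optional[ssl.SSLContext]:
    """Shape of BulkLoader.buildSSLOptions as quoted in the report: the flag is hard-coded true."""
    if not opts.enabled:
        return None
    return create_ssl_context(opts, True)


def build_ssl_options_config_driven(opts: ClientEncryptionOptions) -> Optional[ssl.SSLContext]:
    """Same function, but the flag is taken from require_client_auth in the configuration."""
    if not opts.enabled:
        return None
    return create_ssl_context(opts, opts.require_client_auth)


def outcome(builder: Callable[[ClientEncryptionOptions], Optional[ssl.SSLContext]],
            opts: ClientEncryptionOptions) -> str:
    """Run a builder and classify the result: 'disabled', 'ok' or 'truststore-missing'."""
    try:
        ctx = builder(opts)
    except OSError:  # FileNotFoundError, the Python analogue of NoSuchFileException
        return "truststore-missing"
    return "disabled" if ctx is None else "ok"


def missing_truststore_path() -> str:
    """A path guaranteed not to exist: a file name inside a freshly created empty temp dir."""
    return os.path.join(tempfile.mkdtemp(), ".truststore")


if __name__ == "__main__":
    absent = missing_truststore_path()
    no_client_auth = ClientEncryptionOptions(enabled=True, require_client_auth=False, truststore=absent)
    client_auth = ClientEncryptionOptions(enabled=True, require_client_auth=True, truststore=absent)
    print("as reported,   require_client_auth=false:", outcome(build_ssl_options_as_reported, no_client_auth))
    print("config-driven, require_client_auth=false:", outcome(build_ssl_options_config_driven, no_client_auth))
    print("config-driven, require_client_auth=true: ", outcome(build_ssl_options_config_driven, client_auth))
```

The useful property to pin in a test is the one the report is really about: the same configuration with `require_client_auth: false` and no truststore on disk must succeed for the config-driven builder and fail for the hard-coded one, while `require_client_auth: true` must still fail without the truststore in both. A check of that shape in BulkLoaderTest would catch the hard-coded flag and any future regression to it.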



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
