[jira] [Comment Edited] (CASSANDRA-20484) Bulkloader requires truststore path even when required_client_auth is false in cassandra.yaml

[Maulin Vasavada (Jira)]

    [ 
https://issues.apache.org/jira/browse/CASSANDRA-20484?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17939856#comment-17939856
 ] 

Maulin Vasavada edited comment on CASSANDRA-20484 at 4/1/25 1:39 AM:
---------------------------------------------------------------------

Hi [~niketba...@gmail.com] I saw the code/documentation you linked here prior 
to your post already. The issue seems that even though documentation and code 
seem to be using client_encryption_options, actually it doesn't seem to be. If 
you look at 
[this|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/tools/BulkLoader.java#L305]
 line it passes the sslOptions (that are loaded from either command line or the 
config file client_encryption_options) to the parent class but 
[this|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/tools/BulkLoader.java#L311]
 line overrides getConnectionFactory() method in the parent class which seem to 
be ultimately used 
[here|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/io/sstable/SSTableLoader.java#L200].
 So my take at this point is - I feel that server_encryption_options via the 
config file is the best route to test from your side (I'd do it if I had a way 
to test it but I don't have it right now). 

Why don't you try this way and see if it gives you what you are looking for? 
Otherwise I would need more help to see how to test this out to validate. 


was (Author: maulin.vasavada):
Hi [~niketba...@gmail.com] I saw the code/documentation you linked here prior 
to your post already. The issue seems that eventhough documentation and code 
seem to be using client_encryption_options, actually it doesn't seem to be. If 
you look at 
[this|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/tools/BulkLoader.java#L305]
 line it passes the sslOptions (that are loaded from either command line or the 
config file client_encryption_options) to the parent class but 
[this|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/tools/BulkLoader.java#L311]
 line overrides getConnectionFactory() method in the parent class which seem to 
be ultimately used 
[here|https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/io/sstable/SSTableLoader.java#L200].
 So my take at this point is - I feel that server_encryption_options via the 
config file is the best route to test from your side (I'd do it if I had a way 
to test it but I don't have it right now). 

Why don't you try this way and see if it gives you what you are looking for? 
Otherwise I would need more help to see how to test this out to validate. 

> Bulkloader requires truststore path even when required_client_auth is false 
> in cassandra.yaml
> ---------------------------------------------------------------------------------------------
>
>                 Key: CASSANDRA-20484
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-20484
>             Project: Apache Cassandra
>          Issue Type: Bug
>          Components: Tool/bulk load
>            Reporter: Niket Vilas Bagwe
>            Assignee: Maulin Vasavada
>            Priority: Normal
>
> If client_encryption_options are enabled in cassandra.yaml with 
> require_client_auth false *and* Sstableloader command is used with -f option 
> (for cassandra.yaml path), sstableloader fails with "NoSuchFileException: 
> conf/.truststore".
> Sample sstableloader command is as follows.
> |sstableloader /opt/cassandra/data/keyspace/table -d 127.0.0.1 -p 9042 -ssp 
> 7001 -sp 7000 -f */opt/nosql/clusters/cassandra-6382/conf/cassandra.yaml* -u 
> "caas" -pw *******|
> Exception encountered is as follows:
>  
> {code:java}
> Exception in thread "main" java.lang.RuntimeException: Could not create SSL 
> Context.
>         at 
> org.apache.cassandra.tools.BulkLoader.buildSSLOptions(BulkLoader.java:271)
>         at org.apache.cassandra.tools.BulkLoader.load(BulkLoader.java:72)
>         at org.apache.cassandra.tools.BulkLoader.main(BulkLoader.java:58)
> Caused by: javax.net.ssl.SSLException: failed to build trust manager store 
> for secure connections
>         at 
> org.apache.cassandra.security.FileBasedSslContextFactory.buildTrustManagerFactory(FileBasedSslContextFactory.java:196)
>         at 
> org.apache.cassandra.security.AbstractSslContextFactory.createJSSESslContext(AbstractSslContextFactory.java:155)
>         at 
> org.apache.cassandra.security.SSLFactory.createSSLContext(SSLFactory.java:127)
>         at 
> org.apache.cassandra.tools.BulkLoader.buildSSLOptions(BulkLoader.java:267)
>         ... 2 more
> Caused by: java.nio.file.NoSuchFileException: conf/.truststore
>         at 
> java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:92)
>         at 
> java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
>         at 
> java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:116)
>         at 
> java.base/sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:219)
>         at java.base/java.nio.file.Files.newByteChannel(Files.java:371)
>         at java.base/java.nio.file.Files.newByteChannel(Files.java:422)
>         at 
> java.base/java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemProvider.java:420)
>         at java.base/java.nio.file.Files.newInputStream(Files.java:156)
>         at 
> org.apache.cassandra.security.FileBasedSslContextFactory.buildTrustManagerFactory(FileBasedSslContextFactory.java:183)
>         ... 5 more {code}
> The reason for this is that sslcontext for native connection in BulkLoader is 
> always created with EncryptionOptions.ClientAuth set to true at 
> [line|https://github.com/apache/cassandra/blob/f278f6774fc76465c182041e081982105c3e7dbb/src/java/org/apache/cassandra/tools/BulkLoader.java#L267]
>  irrespective of the value of require_client_auth present in cassandra.yaml. 
> Because of this BulkLoader always expects to have a truststore file inorder 
> to verify the client certificates. Copying below the errorneous code block 
> for reference.
> {code:java}
>     private static SSLOptions buildSSLOptions(EncryptionOptions 
> clientEncryptionOptions)
>     {        if (!clientEncryptionOptions.getEnabled())
>         {
>             return null;
>         }        SSLContext sslContext;
>         try
>         {
> ################ problematic line
>             sslContext = SSLFactory.createSSLContext(clientEncryptionOptions, 
> true);
> ################
>         }
>         catch (IOException e)
>         {
>             throw new RuntimeException("Could not create SSL Context.", e);
>         } {code}
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org