Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cassandra: Fix TLS host verification #2109

Merged
merged 4 commits into from
Apr 3, 2020
Merged

Cassandra: Fix TLS host verification #2109

merged 4 commits into from
Apr 3, 2020

Conversation

joshmue
Copy link
Contributor

@joshmue joshmue commented Feb 11, 2020
edited
Loading

Signed-off-by: Joshua Mühlfort [email protected]

What this PR does:
Enable TLS host verification for the cassandra storage backend while handling other setups as well.

Which issue(s) this PR fixes:
Fixes #2007
Refs #2013

Checklist

  • No documentation added, as there are no changes regarding flags etc.
  • CHANGELOG.md updated - the order of entries should be [CHANGE], [FEATURE], [ENHANCEMENT], [BUGFIX]

Cases to cover

  • Single endpoint; TLS enabled; Host verification enabled
  • Single endpoint; TLS enabled; Host verification disabled
  • Single endpoint; TLS disabled
  • Multiple endpoints; TLS enabled; Host verification disabled (Not tested; Should work in theory)
  • Multiple endpoints; TLS disabled (Not tested; Should work in theory)

According to my understanding, the following case will not work with the current gocql API design:

  • Multiple endpoints; TLS enabled; Host verification enabled

@joshmue joshmue mentioned this pull request Feb 11, 2020
Merged
@joshmue
Copy link
Contributor Author

joshmue commented Feb 11, 2020

@pracucci @VineethReddy02

Do you think implementing and testing the above cases would be sufficient? I am a little bit concerned about the possibility of unknowingly breaking existing setups...

@pull-request-size pull-request-size bot added size/S and removed size/M labels Mar 27, 2020
@joshmue joshmue marked this pull request as ready for review March 27, 2020 17:58
@joshmue
Copy link
Contributor Author

joshmue commented Mar 27, 2020
edited
Loading

@pracucci @VineethReddy02

I just rebased and squashed the previous commits to fewer ones and removed the draft status from the PR. Please note the updated PR description. I hadn't the time to test all cases but can't think of a way this code could break these untested cases.

Would you like to wait for implementation of #2137 or review this PR right away? Are there some other things to consider?

pracucci
pracucci approved these changes Mar 30, 2020
View reviewed changes
Copy link
Contributor

@pracucci pracucci left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for working on it! LGTM. I just left a minor comment.

@joshmue joshmue requested a review from pracucci March 30, 2020 13:53
pstibrany
pstibrany reviewed Apr 3, 2020
View reviewed changes
Copy link
Contributor

@pstibrany pstibrany left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for your contribution! Please take a look at comments I've left.

@pstibrany pstibrany merged commit 4b51ecf into cortexproject:master Apr 3, 2020
@joshmue joshmue deleted the cassandra_tls_verification branch April 6, 2020 16:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pstibrany pstibrany pstibrany left review comments

@woodsaj woodsaj woodsaj left review comments

@pracucci pracucci pracucci approved these changes

Assignees
No one assigned
Labels
size/S
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Cassandra: Failing host verification without IP SANs
4 participants
@joshmue @pstibrany @pracucci @woodsaj