From 917aef1dcc14638f95e76a12fe6e9898897fddc3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Joshua=20M=C3=BChlfort?=
Date: Fri, 27 Mar 2020 18:26:43 +0100
Subject: [PATCH 1/3] Fix Cassandra TLS host verification
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Refs #2007

Signed-off-by: Joshua Mühlfort
---
 pkg/chunk/cassandra/storage_client.go | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/pkg/chunk/cassandra/storage_client.go b/pkg/chunk/cassandra/storage_client.go
index 3c2e6f40712..ee21b5fb5f8 100644
--- a/pkg/chunk/cassandra/storage_client.go
+++ b/pkg/chunk/cassandra/storage_client.go
@@ -3,6 +3,7 @@ package cassandra
 import (
 	"bytes"
 	"context"
+	"crypto/tls"
 	"flag"
 	"fmt"
 	"io/ioutil"
@@ -116,10 +117,23 @@ func (cfg *Config) session() (*gocql.Session, error) {
 
 func (cfg *Config) setClusterConfig(cluster *gocql.ClusterConfig) error {
 	cluster.DisableInitialHostLookup = cfg.DisableInitialHostLookup
+	serverNames := strings.Split(cfg.Addresses, ",")
 	if cfg.SSL {
-		cluster.SslOpts = &gocql.SslOptions{
-			CaPath: cfg.CAPath,
-			EnableHostVerification: cfg.HostVerification,
+		if cfg.HostVerification {
+			if len(serverNames) != 1 {
+				return errors.New("host verification is only possible for a single host")
+			}
+			cluster.SslOpts = &gocql.SslOptions{
+				CaPath: cfg.CAPath,
+				EnableHostVerification: true,
+				Config: &tls.Config{
+					ServerName: serverNames[0],
+				},
+			}
+		} else {
+			cluster.SslOpts = &gocql.SslOptions{
+				EnableHostVerification: false,
+			}
 		}
 	}
 	if cfg.Auth {

From 0fe234772e8a2db6e6527e3c75fbb03e897ede62 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Joshua=20M=C3=BChlfort?=
Date: Fri, 27 Mar 2020 18:27:53 +0100
Subject: [PATCH 2/3] Add changelog entry for Cassandra TLS verification fix
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Joshua Mühlfort
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

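Review bot: The `else` branch at the bottom of the setClusterConfig hunk builds `SslOptions` without `CaPath`, so a `CAPath` configured together with `HostVerification=false` is now silently ignored; if I recall gocql's TLS setup correctly, `EnableHostVerification: false` is also translated into `InsecureSkipVerify`, so that branch authenticates nothing about the server and deserves a comment saying so, e.g. `// SSL without host verification: gocql skips certificate validation, so CAPath is not consulted here.` The verification branch pins `tls.Config.ServerName` to the first configured address; if the vendored gocql already fills `ServerName` from the dialed host when it is left empty, the single-host restriction would be unnecessary, which is worth checking before committing to it. `serverNames[0]` is also used untrimmed, so an address written with surrounding whitespace, or with a `:port` suffix if `Addresses` allows one, yields a `ServerName` that never matches the certificate; trimming the split elements would cover the first case.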
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 29e257ad61a..a9c9bdd2d1a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -61,6 +61,7 @@
 * [BUGFIX] Fixed etcd client keepalive settings. #2278
 * [BUGFIX] Fixed bug in updating last element of FIFO cache. #2270
 * [BUGFIX] Register the metrics of the WAL. #2295
+* [BUGFIX] Cassandra Storage: Fix endpoint TLS host verification. #2109
 
 ### config file breaking changes
 

From 68d50670323a7c92bd07e0f4d03c2b7f67c61af9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Joshua=20M=C3=BChlfort?=
Date: Mon, 30 Mar 2020 12:38:20 +0200
Subject: [PATCH 3/3] Move check for number of cassandra hosts to cfg.Validate()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Joshua Mühlfort
---
 pkg/chunk/cassandra/storage_client.go | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/pkg/chunk/cassandra/storage_client.go b/pkg/chunk/cassandra/storage_client.go
index ee21b5fb5f8..f2c308b3fdb 100644
--- a/pkg/chunk/cassandra/storage_client.go
+++ b/pkg/chunk/cassandra/storage_client.go
@@ -68,6 +68,9 @@ func (cfg *Config) Validate() error {
 	if cfg.Password.Value != "" && cfg.PasswordFile != "" {
 		return errors.Errorf("The password and password_file config options are mutually exclusive.")
 	}
+	if cfg.SSL && cfg.HostVerification && len(strings.Split(cfg.Addresses, ",")) != 1 {
+		return errors.Errorf("Host verification is only possible for a single host.")
+	}
 	return nil
 }
 
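Review bot: The new Validate check accepts an empty `Addresses`, because `strings.Split("", ",")` returns one empty element and so satisfies `len(...) != 1`; the later `setClusterConfig` then sets `ServerName: ""` with verification enabled, which fails at handshake time with a much less helpful error than a validation message would be. Splitting once and checking the element would catch it: `hosts := strings.Split(cfg.Addresses, ",")` followed by `if cfg.SSL && cfg.HostVerification && (len(hosts) != 1 || strings.TrimSpace(hosts[0]) == "") {`. The same split is repeated verbatim in setClusterConfig in the next hunk; a small helper returning the parsed host list would keep the two from drifting apart. Validate's opening is outside this hunk, so there may be earlier checks on Addresses I cannot see.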
@@ -117,17 +120,13 @@ func (cfg *Config) session() (*gocql.Session, error) {
 
 func (cfg *Config) setClusterConfig(cluster *gocql.ClusterConfig) error {
 	cluster.DisableInitialHostLookup = cfg.DisableInitialHostLookup
-	serverNames := strings.Split(cfg.Addresses, ",")
 	if cfg.SSL {
 		if cfg.HostVerification {
-			if len(serverNames) != 1 {
-				return errors.New("host verification is only possible for a single host")
-			}
 			cluster.SslOpts = &gocql.SslOptions{
 				CaPath: cfg.CAPath,
 				EnableHostVerification: true,
 				Config: &tls.Config{
-					ServerName: strings.Split(cfg.Addresses, ",")[0],
 				},
 			}
 		} else {
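Review bot: The `[0]` on the new `ServerName` line is only safe because `Validate()` rejects configurations with more than one address, but nothing in this function records that dependency, and the guard is silently lost if a caller ever builds a `Config` without running Validate. A one-line comment above it makes the contract visible: `// Validate() guarantees exactly one address when SSL host verification is enabled.` The split here and the one in Validate must also stay in lockstep (same separator, same trimming) or the two can disagree on what counts as a single host. The function body continues past the hunk; the `else` branch is not visible here.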