Enable TLS encryption between API server and Cassandra

Bug #1727500 reported by Piyush Srivastava
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Juniper Openstack | Status tracked in Trunk | | | |
| R3.2 | Fix Committed | High | Piyush Srivastava | |
| R4.0 | Fix Committed | Undecided | Sahil Sabharwal | |
| R4.1 | Fix Committed | Undecided | Sahil Sabharwal | |
| Trunk | Fix Committed | Undecided | Sahil Sabharwal | |
| OpenContrail | Fix Committed | Undecided | Sahil Sabharwal | |

Bug Description

Release 3.2.x

We are presently deploying Contrail API and Cassandra on different nodes. There is a security requirement in our data centers to have API -> Cassandra communication and Cassandra -> Cassandra communication encrypted.

It seems like there is no TLS support for Contrail API -> Cassandra communication. Contrail uses pycassa for interfacing with Cassandra. It is possible to establish an SSL connection to Cassandra using pycassa by providing it an SSL socket factory. Pycassa already has a helper function that can be used to create an SSL socket factory.

Here's the code snippet I used to get pycassa to connect securely to an SSL-enabled Cassandra.

```python
import pycassa

# Create an SSL socket factory. This returns a factory function that
# pycassa uses to create SSL sockets; validate=True makes the client
# check the server certificate against the given CA certificate.
ssl_socket_factory = pycassa.connection.make_ssl_socket_factory(
    '/root/rootCa.crt', validate=True)

# Create a connection pool to the system_auth keyspace over TLS
pool = pycassa.ConnectionPool('system_auth',
                              ['10.140.66.73:9160'],
                              socket_factory=ssl_socket_factory)
```

Inter node encryption between Cassandra nodes in a cluster works.

Tags: analytics wpc
description: updated
Fawad (fshaikh)
tags: added: wpc
Megh Bhatt (meghb)
tags: added: analytics
Changed in opencontrail:
assignee: nobody → Piyush Srivastava (piyush0101)
Changed in opencontrail:
status: New → In Progress
Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.2

Review in progress for https://review.opencontrail.org/38530
Submitter: Piyush Srivastava (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/38530
Committed: http://github.com/Juniper/contrail-controller/commit/c5a128c4b6575201cc3431ddfa76859626ad293b
Submitter: Zuul (<email address hidden>)
Branch: R3.2

commit c5a128c4b6575201cc3431ddfa76859626ad293b
Author: Piyush Srivastava <email address hidden>
Date: Tue Dec 19 11:35:33 2017 -0800

Adding TLS support for config services to cassandra

This change adds support for TLS encrypted communication between config
services and Cassandra. Following arguments are added to enable TLS
support -

`cassandra_use_ssl` - when set to true, enables tls communication
`cassandra_ca_certs` - path to ca certs to use to perform ssl validation

Both of the above parameters are optional; the service connects to Cassandra
using an unencrypted connection when the above parameters are not
specified.

TLS for cassandra is enabled for the following config services -

schema-transformer
api-server
svc-monitor
device-manager
discovery

Closes-Bug: 1727500
Change-Id: I929e0f563f7076b5ada13b6f4e7adad339c47534
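
The reporter's pycassa snippet above and the `cassandra_use_ssl` / `cassandra_ca_certs` options described in the commit message, combined in an added example that is not part of the bug report or of contrail-controller: it reads the two options from a constructed config section and builds a CA-validating TLS client factory with the stdlib `ssl` module (pycassa's own helper returns a Thrift TSSLSocket; the stdlib version here only illustrates the validation). The config layout, function names and paths are assumptions.

```python
import configparser
import socket
import ssl

# Constructed sample of the two options the fix adds (not a real config file).
CONSTRUCTED_CONFIG = """
[DEFAULTS]
cassandra_server_list = 10.0.0.11:9160 10.0.0.12:9160
cassandra_use_ssl = true
cassandra_ca_certs = /etc/contrail/ssl/certs/ca-cert.pem
"""


def cassandra_tls_settings(ini_text, section="DEFAULTS"):
    """Return (use_ssl, ca_certs) for a config section.

    Both options are optional: with neither set the service keeps the
    plaintext connection, as the commit message states. Setting
    cassandra_use_ssl without cassandra_ca_certs is rejected here; that is
    this example's choice, not documented project behaviour, because TLS
    without a trusted CA encrypts but does not authenticate the peer.
    """
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    use_ssl = cp.getboolean(section, "cassandra_use_ssl", fallback=False)
    ca_certs = cp.get(section, "cassandra_ca_certs", fallback=None)
    if use_ssl and not ca_certs:
        raise ValueError("cassandra_use_ssl=true requires cassandra_ca_certs")
    return use_ssl, (ca_certs if use_ssl else None)


def make_tls_context(ca_certs):
    """Client context that requires a peer certificate chaining to ca_certs,
    the stdlib equivalent of pycassa's validate=True."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    ctx.load_verify_locations(cafile=ca_certs)     # raises if the CA file is missing
    return ctx


def make_socket_factory(ca_certs):
    """Return factory(host, port) yielding a verified TLS socket (hypothetical
    helper; pycassa's make_ssl_socket_factory wraps a Thrift transport)."""
    ctx = make_tls_context(ca_certs)

    def factory(host, port):
        raw = socket.create_connection((host, port))
        # Handshake fails when the server cert is not signed by the CA,
        # so a wrong or interposed Cassandra node is never talked to.
        return ctx.wrap_socket(raw, server_hostname=host)
    return factory
```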

Changed in opencontrail:
assignee: Piyush Srivastava (piyush0101) → Sachin Bansal (sbansal)
Sachin Bansal (sbansal)
Changed in opencontrail:
assignee: Sachin Bansal (sbansal) → Sahil Sabharwal (ssabharwal)
Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/40454
Submitter: <email address hidden> (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.1

Review in progress for https://review.opencontrail.org/40572
Submitter: <email address hidden> (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.0

Review in progress for https://review.opencontrail.org/40610
Submitter: <email address hidden> (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/40454
Committed: http://github.com/Juniper/contrail-controller/commit/e320efb04db7797ce550e796cd24baa3efdbf1ce
Submitter: Zuul v3 CI (<email address hidden>)
Branch: master

commit e320efb04db7797ce550e796cd24baa3efdbf1ce
Author: Sahil <email address hidden>
Date: Thu Mar 8 13:11:53 2018 -0800

Adding TLS support for config services to cassandra

This change adds support for TLS encrypted communication between config
services and Cassandra. Following arguments are added to enable TLS
support -

'cassandra_use_ssl' - when set to true, enables tls communication
'cassandra_ca_certs' - path to ca certs to use to perform ssl validation

Both of the above parameters are optional; the service connects to Cassandra
using an unencrypted connection when the above parameters are not
specified.

TLS for cassandra is enabled for the following config services -

schema-transformer
api-server
svc-monitor
device-manager

Change-Id: I427660a096a3e58e5e74af6ec00f48302e146ce7
Closes-Bug: #1727500

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/40610
Committed: http://github.com/Juniper/contrail-controller/commit/a2825966e3a97354a8b438ed3ca495c14cda263c
Submitter: Zuul (<email address hidden>)
Branch: R4.0

commit a2825966e3a97354a8b438ed3ca495c14cda263c
Author: Sahil <email address hidden>
Date: Thu Mar 8 13:11:53 2018 -0800

Adding TLS support for config services to cassandra

This change adds support for TLS encrypted communication between config
services and Cassandra. Following arguments are added to enable TLS
support -

'cassandra_use_ssl' - when set to true, enables tls communication
'cassandra_ca_certs' - path to ca certs to use to perform ssl validation

Both of the above parameters are optional; the service connects to Cassandra
using an unencrypted connection when the above parameters are not
specified.

TLS for cassandra is enabled for the following config services -

schema-transformer
api-server
svc-monitor
device-manager

Change-Id: I427660a096a3e58e5e74af6ec00f48302e146ce7
Closes-Bug: #1727500

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/40572
Committed: http://github.com/Juniper/contrail-controller/commit/db59d6949ecba1a66c50c43a9a3183df8d2894ad
Submitter: Zuul (<email address hidden>)
Branch: R4.1

commit db59d6949ecba1a66c50c43a9a3183df8d2894ad
Author: Sahil <email address hidden>
Date: Thu Mar 8 13:11:53 2018 -0800

Adding TLS support for config services to cassandra

This change adds support for TLS encrypted communication between config
services and Cassandra. Following arguments are added to enable TLS
support -

'cassandra_use_ssl' - when set to true, enables tls communication
'cassandra_ca_certs' - path to ca certs to use to perform ssl validation

Both of the above parameters are optional; the service connects to Cassandra
using an unencrypted connection when the above parameters are not
specified.

TLS for cassandra is enabled for the following config services -

schema-transformer
api-server
svc-monitor
device-manager

Change-Id: I427660a096a3e58e5e74af6ec00f48302e146ce7
Closes-Bug: #1727500

Sachin Bansal (sbansal)
Changed in opencontrail:
status: In Progress → Fix Committed