Add Support For Secure Connection Bundle #1487
Conversation
Due to the way connection bundles work we can't disable initial host lookup. It is required.
|
@Zariel @martin-sucha hi my team has been using this gocql driver for a few years now. Recently, we switched our database to a Datastax enterprise, which required us to make some updates to the initialization functionality to allow for connections to be made using secure connect bundles. We're using our forked version now and are interested in contributing it. I was wondering if someone might be able to share some insight as to the issues in the build as it's not clear from the build logs what issue occurred, if that is a blocker in us getting this code merged in. |
|
I noticed all the tests that failed had AUTH=false which likely has something to do with it |
|
@Zariel @martin-sucha found the issue and fixed :) |
|
Im not happy with adding more and more specialisation to the driver at this point, it is becoming bloated and difficult to maintain. If this can't be implemented outside of the tree then I would like to know why and fix the driver so that it can be. |
|
@Zariel I'm not sure of any way how to do that. Basically we need to use SNI and not rely on each host having its own specific IPADDRESS, instead they are identified by their Cassdandra node DB host id (not related to connect ipaddress or dns host names). This requires changes in the client due to how it initializes connections |
|
Hi. @Zariel Any thoughts? We think this is a good improvement to the driver, as it makes it compatible to work with more Cassandra instances, for example the Cassandra instance of the Datastax cassandra, which is a major provider of Cassandra. |
|
(Full disclosure, I work at DataStax) Hi @Zariel thanks for all your work with this driver. Been using a bunch more c* and golang lately and it's been good to work with. I wanted to point out that the SNI proxy functionality in this patch (thank you @giltohar!) is not DataStax Astra specific. As more and more folks use c* with k8s a desire to get at the database from a single endpoint is desirable and SNI is a nice way to achieve that and still maintain token awareness. Here's how you would set up Cassandra with listio and SNI: https://www.solo.io/blog/step-by-step-datastax-cassandra-with-istio-and-sni-routing/ In general I think this patch is a nice addition given the changing cloud native landscape and a good way to help expand the reach of gocql to more users. |
|
@Zariel any thoughts? :) |
|
I think that it would be useful to have this functionality in this repository (as opposed to an external one). But we should add it in a way so that the implementation is isolated in one place, for example in a sub-package and could be theoretically implemented in an external package. We currently have So what about an interface that would look similar to this (I don't have a better name than Dialer2 at the moment): type Dialer2 interface {
// Dial establishes new connection to host.
// It is responsibility of Dial to setup TLS if necessary.
Dial(ctx context.Context, host *HostInfo) (net.Conn, error)
}Interface like Dialer2 could be used to replace current type TranslatorDialer struct {
dialer Dialer2
}
func (td *TranslatorDialer) Dial(ctx context.Context, host *HostInfo) (net.Conn, error) {
newHost := host.Clone()
newHost.HostName = "192.0.2.1"
return td.dialer.Dial(ctx, newHost)
} |
|
|
||
| // add each file from bundle to the directory | ||
| for _, f := range r.File { | ||
| fpath := filepath.Join(dir, f.Name) |
There was a problem hiding this comment.
Extracting a file like this is a security issue - if the zip was malicious, it could replace any file it wanted. The documentation for Name says:
// It is the caller's responsibility to sanitize it as
// appropriate, including canonicalizing slash directions,
// validating that paths are relative, and preventing path
// traversal through filenames ("../../../").
| // b) 'key' file | ||
| // c) 'ca.crt' file | ||
|
|
||
| dir, err := ioutil.TempDir("", "securezip") |
There was a problem hiding this comment.
We definitely shouldn't write to disk in gocql. It's a network client so nobody expects it will write to disk. We cannot even assume that it's possible to write to disk, that could be forbidden for example due to host app's security policy.
It is not necessary to write to disk to setup tls.Config either, we could just:
- Find entries in zip for
cert,keyandca.crtand read the contents to memory - Use tls.X509KeyPair to parse the PEM key pair and put the result to
tlsConfig.Certificates - Create new cert pool
x509.NewCertPool()and add the CA certificate to it using it'sAppendCertsFromPEM, put this totlsConfig.RootCAs
| } | ||
| defer resp.Body.Close() | ||
| if resp.StatusCode > 299 { | ||
| // err := utils.NewError(resp.StatusCode, msg) |
There was a problem hiding this comment.
We should probably handle the case here.
|
My main concern is this touches so much of the codebase and that to me tells me the abstractions are wrong. On top of that passing in path to parse the data from is just plain wrong and should be accepted in a way the user does the setup work. Also I would rather more functionality is not added to the main gocql package where possible. I think in general these sort of PR's could do with some design work and planning through issues. |
|
We've build a proxy, called cql-proxy that allows gocql (or any other CQL driver) to work without this patch. It allows gocql applications to connect without any or very little modification. |
|
Interesting, thank you for the link to the proxy! Today I learned that https://github.com/datastax/go-cassandra-native-protocol exists :) I still think it would be useful to be be able to use the connection bundle with gocql directly. However, we need to use the correct abstractions to keep gocql maintainable. Something like the dialer based on @mpenick Do you happen to have some simple server setup in docker-compose (or something similar) for testing on a local machine? Or would you be willing to contribute a patch? I'd be happy to review it. |
|
#1629 implements interface similar to the one suggested in #1487 (comment), so it should now be possible to implement the secure connection bundle in an external package. |
|
Closing this pull request as #1629 is now merged. It should be possible to implement this in an external package using the new |
|
@martin-sucha Great work on the |
|
@mpenick Nice! Feel free to add a link to the gocqlastra library to gocql's README. |
There is no existing gocql driver support for connecting to Cassandra Databases via Secure Connection Bundle, which our team at IBM required. IBM Cassandra is switching to Secure Connection Bundles and this will be needed for anyone using this golang driver to connect to them. We've been using this gocql driver now for a long time to connect to our previous Cassandra instance, and made the updates required to add connectivity support for Cassandra databases which use the Secure Connection Bundle.