Add option for enabling internode encryption.

* ccmlib/cluster.py (Cluster.enable_internode_ssl): new method. * ccmlib/cmds/cluster_cmds.py (CreateClusterCmd.get_parser): add `--node-ssl` option. (CreateClusterCmd.run): set up internode encryption if needed. * ssl/truststore.jks: new file.
scylladb · May 5, 2015 · 9001183 · 9001183
1 parent 9a5c08e
commit 9001183
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 0 deletions.
diff --git a/ccmlib/cluster.py b/ccmlib/cluster.py
@@ -465,3 +465,17 @@ def enable_ssl(self, ssl_path, require_client_auth):
 
         self._config_options['client_encryption_options'] = ssl_options
         self._update_config()
+
+    def enable_internode_ssl(self, node_ssl_path):
+        shutil.copyfile(os.path.join(node_ssl_path, 'keystore.jks'), os.path.join(self.get_path(), 'internode-keystore.jks'))
+        shutil.copyfile(os.path.join(node_ssl_path, 'truststore.jks'), os.path.join(self.get_path(), 'internode-truststore.jks'))
+        node_ssl_options = {
+            'internode_encryption': 'all',
+            'keystore': os.path.join(self.get_path(), 'internode-keystore.jks'),
+            'keystore_password': 'cassandra',
+            'truststore': os.path.join(self.get_path(), 'internode-truststore.jks'),
+            'truststore_password': 'cassandra'
+        }
+
+        self._config_options['server_encryption_options'] = node_ssl_options
+        self._update_config()
diff --git a/ccmlib/cmds/cluster_cmds.py b/ccmlib/cmds/cluster_cmds.py
@@ -100,6 +100,8 @@ def get_parser(self):
             help="Path to keystore.jks and cassandra.crt files (and truststore.jks [not required])", default=None)
         parser.add_option('--require_client_auth', action="store_true", dest="require_client_auth",
             help="Enable client authentication (only vaid with --ssl)", default=False)
+        parser.add_option('--node-ssl', type="string", dest="node_ssl_path",
+            help="Path to keystore.jks and truststore.jks for internode encryption", default=None)
         return parser
 
     def validate(self, parser, options, args):
@@ -151,6 +153,9 @@ def run(self):
 
         if self.options.ssl_path:
             cluster.enable_ssl(self.options.ssl_path, self.options.require_client_auth)
+
+        if self.options.node_ssl_path:
+            cluster.enable_internode_ssl(self.options.node_ssl_path)
 
         if self.nodes is not None:
             try:

diff --git a/ssl/truststore.jks b/ssl/truststore.jks