Better logging for endpoint verification #6314
…d when configured to do so.
thriftSocket = tSocketFactory.create(socket); | ||
verifyEndpoint(cassandraServer, socket, clientConfig.enableEndpointVerification()); |
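Review bot: the third argument passed here is clientConfig.enableEndpointVerification(), but in the verifyEndpoint hunk below that parameter is named throwOnFailure, so with verification disabled the hostname verifier still runs against the session and only the outcome changes from throwing to logging. If that is intended, say so at the call site (or pass it under the throwOnFailure name); if not, skip the verifier entirely when verification is switched off.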
Noticed this "bug" when revisiting things -- our initial reach-out will not include the thrift options we later set on the socket. It's probably OK for us to ignore this, but from a code "safety" point-of-view we should really just set the options for consistency reasons.
yeah this makes sense, would recommend updating the PR description :)
ah yes, I should do that!
lgtm!
boolean endpointVerified = | ||
endpointsToCheck.stream().anyMatch(address -> hostnameVerifier.verify(address, socket.getSession())); | ||
if (socket.isClosed()) { | ||
if (throwOnFailure) { |
ah nice catch!
endpointsToCheck.stream().anyMatch(address -> hostnameVerifier.verify(address, socket.getSession())); | ||
if (socket.isClosed()) { | ||
if (throwOnFailure) { | ||
throw new SocketException("Unable to verify hostnames as socket is closed."); |
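Review bot: socket.isClosed() is tested only after endpointsToCheck.stream().anyMatch(...) has already called hostnameVerifier.verify(address, socket.getSession()) for the endpoints, so a closed socket is first run through the verifier (with whatever getSession() returns on a closed socket) and only then reported as closed. Move the isClosed() check ahead of the anyMatch so the "Unable to verify hostnames as socket is closed." path is taken before any verification, and consider including endpointsToCheck in that message so the log shows which endpoints were about to be checked.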
Wonder if we should wrap this exception in SafeSSLPeerUnverifiedException.
Not too fussed either way, whichever way is more uniform in this class.
Sounds good to me
🐑 🇮🇹
Released 0.741.0
General
Before this PR:
The exact endpoints which we check for in the certificate chain are not logged. In addition, if the hostname/IP address are duplicates, then we check them twice in the failure case. In addition, the hostname verification check would initiate the socket's connection before setting Thrift socket settings. In practice this had little effect, but it may cause confusion later on.
After this PR:
Log the exact endpoints we checked when performing hostname verification, and only log if the socket has not closed. If the socket has closed and throwOnException is true, then SafeSSLPeerUnverifiedException will be thrown. Only verify endpoints after Thrift socket settings have been applied.
==COMMIT_MSG==
When verifying endpoints, throw a separate exception if the socket is closed, and de-duplicate hostname/ip if they're identical.
==COMMIT_MSG==
Priority:
P1
Concerns / possible downsides (what feedback would you like?):
Is documentation needed?:
No
Compatibility
Does this PR create any API breaks (e.g. at the Java or HTTP layers) - if so, do we have compatibility?:
No
Does this PR change the persisted format of any data - if so, do we have forward and backward compatibility?:
No
The code in this PR may be part of a blue-green deploy. Can upgrades from previous versions safely coexist? (Consider restarts of blue or green nodes.):
Yes
Does this PR rely on statements being true about other products at a deployment - if so, do we have correct product dependencies on these products (or other ways of verifying that these statements are true)?:
No
Does this PR need a schema migration?
No
Testing and Correctness
What, if any, assumptions are made about the current state of the world? If they change over time, how will we find out?:
N/A
What was existing testing like? What have you done to improve it?:
Before we did not test set deduplication explicitly.
If this PR contains complex concurrent or asynchronous code, is it correct? The onus is on the PR writer to demonstrate this.:
N/A
If this PR involves acquiring locks or other shared resources, how do we ensure that these are always released?:
N/A
Execution
How would I tell this PR works in production? (Metrics, logs, etc.):
Logs
Has the safety of all log arguments been decided correctly?:
Yes
Will this change significantly affect our spending on metrics or logs?:
No
How would I tell that this PR does not work in production? (monitors, etc.):
Logs
If this PR does not work as expected, how do I fix that state? Would rollback be straightforward?:
Rollback
If the above plan is more complex than “recall and rollback”, please tag the support PoC here (if it is the end of the week, tag both the current and next PoC): N/A
Scale
Would this PR be expected to pose a risk at scale? Think of the shopping product at our largest stack.:
No
Would this PR be expected to perform a large number of database calls, and/or expensive database calls (e.g., row range scans, concurrent CAS)?:
No
Would this PR ever, with time and scale, become the wrong thing to do - and if so, how would we know that we need to do something differently?:
No
Development Process
Where should we start reviewing?:
Now
If this PR is in excess of 500 lines excluding versions lock-files, why does it not make sense to split it?:
Please tag any other people who should be aware of this PR:
@jeremyk-91
@sverma30
@raiju
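The verification flow described in the PR body (check the peer certificate against the deduplicated hostname/IP set, report a closed socket as a distinct failure rather than as a mismatch, log exactly which endpoints were checked, and set socket options before verifying), as an added stand-alone example. This is not AtlasDB's code: the project is Java and uses javax.net.ssl.HostnameVerifier, whereas this reimplements the same checks in Python against the dict shape that ssl.SSLSocket.getpeercert() returns. The exception class names, the SAMPLE_CERT dict and the socketpair used in demo() are constructed for the example and are assumptions, not anything from the PR.

```python
"""Endpoint verification of a TLS peer against a deduplicated {hostname, ip} set.

Added example, not AtlasDB code.  Matching is SAN-only in the RFC 6125 style: exact DNS
match or a wildcard that is the entire leftmost label; IPs compare as parsed addresses.
"""
import ipaddress
import logging
import socket
import ssl
from typing import Dict, List, Optional, Tuple

log = logging.getLogger("endpoint_verification")


class SocketClosedError(OSError):
    """Nothing was verified because the socket is already closed (distinct from a mismatch)."""


class EndpointUnverifiedError(ssl.SSLCertVerificationError):
    """The peer certificate names none of the endpoints that were checked."""


def dedupe_endpoints(hostname: str, ip: str) -> List[str]:
    """Order-preserving dedupe: a node configured by IP has hostname == ip, so check it once."""
    seen: Dict[str, None] = {}
    for endpoint in (hostname, ip):
        if endpoint:
            seen.setdefault(endpoint.strip().lower(), None)
    return list(seen)


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _dns_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive; '*' only as the whole leftmost label, matching exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False  # rejects partial-label wildcards, '*.tld' patterns and multi-label matches
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert: Dict, endpoint: str) -> bool:
    """Does a cert in ssl.SSLSocket.getpeercert() shape name this endpoint in its SAN?"""
    sans: Tuple[Tuple[str, str], ...] = cert.get("subjectAltName", ())
    if _is_ip(endpoint):
        wanted = ipaddress.ip_address(endpoint)
        return any(kind == "IP Address" and _is_ip(value) and ipaddress.ip_address(value) == wanted
                   for kind, value in sans)
    return any(kind == "DNS" and _dns_match(value, endpoint) for kind, value in sans)


def verify_endpoints(sock: socket.socket, hostname: str, ip: str,
                     throw_on_failure: bool = True, cert: Optional[Dict] = None) -> bool:
    """Check the peer cert against dedupe_endpoints(hostname, ip).

    The closed-socket check runs before any matching, so a dead connection surfaces as
    SocketClosedError rather than as a certificate mismatch.  With throw_on_failure=False
    the outcome is only logged and returned.  Call this after all socket options are set.
    """
    endpoints = dedupe_endpoints(hostname, ip)
    if sock.fileno() < 0:  # socket.socket.fileno() is -1 once the socket is closed
        if throw_on_failure:
            raise SocketClosedError(f"Unable to verify hostnames {endpoints}: socket is closed")
        log.warning("Skipped endpoint verification of %s: socket is closed", endpoints)
        return False
    if cert is None:
        cert = sock.getpeercert() or {}  # ssl.SSLSocket only; needs a completed handshake
    verified = any(cert_covers(cert, endpoint) for endpoint in endpoints)
    # Log the exact endpoints that were checked, on success as well as on failure.
    log.log(logging.INFO if verified else logging.WARNING,
            "Endpoint verification %s: checked %s against SAN %s",
            "succeeded" if verified else "failed", endpoints, cert.get("subjectAltName", ()))
    if not verified and throw_on_failure:
        raise EndpointUnverifiedError(f"Peer certificate matches none of {endpoints}")
    return verified


# Constructed sample certificate in getpeercert() shape; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "cassandra-1.example.internal"),),),
    "subjectAltName": (("DNS", "*.example.internal"), ("IP Address", "10.1.2.3")),
}


def demo() -> Dict[str, object]:
    """Exercise the success, mismatch and closed-socket paths on an offline socketpair."""
    client, server = socket.socketpair()  # constructed stand-in for a connected TLS socket
    try:
        client.settimeout(5.0)  # socket options first, verification afterwards
        results: Dict[str, object] = {
            "dns_and_ip_ok": verify_endpoints(client, "cassandra-1.example.internal",
                                              "10.1.2.3", cert=SAMPLE_CERT),
            "ip_as_hostname_checked_once": dedupe_endpoints("10.1.2.3", "10.1.2.3"),
            "mismatch_logged_not_thrown": verify_endpoints(client, "other.corp", "192.0.2.9",
                                                           throw_on_failure=False, cert=SAMPLE_CERT),
        }
    finally:
        client.close()
        server.close()
    try:
        verify_endpoints(client, "cassandra-1.example.internal", "10.1.2.3", cert=SAMPLE_CERT)
        results["closed_socket_is_distinct_error"] = False
    except SocketClosedError:
        results["closed_socket_is_distinct_error"] = True
    return results


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(demo())
```

Against a real connection you would pass an ssl.SSLSocket after the handshake and omit cert=, letting verify_endpoints read getpeercert() itself; the closed-socket branch is deliberately taken before touching the certificate so that callers can tell "the connection died" apart from "the certificate is wrong".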