akka-persistence-cassandra
akka-persistence-cassandra copied to clipboard
krasserm
Make all SSL settings optional.
One don't need a keystore unless you use client-authentication. We should not force the user to configure stuff (s)he doesn't need.
Okay, but then I've to do another conversation, because the Java API needs an array :-/
I've no idea, why the "A PersistentActor's performance - must measure: persist()-ing 10000 events" test is failing. If this is a flaky test: How can I re-trigger it?
yeah, that should not be related to this PR. I don't know how to trigger a rebuild with travis, but I would like that you squashed the two commits to one, and then it will rebuild when you push.
It looks like we have had some problems with that spec in the cassandra-3.x branch and increased the timeouts there: https://github.com/krasserm/akka-persistence-cassandra/blob/cassandra-3.x/src/test/scala/akka/persistence/cassandra/journal/CassandraJournalSpec.scala
Please do the same here, i.e.
akka.test.single-expect-default = 20s
cassandra-journal.circuit-breaker.call-timeout = 20s
override def awaitDurationMillis: Long = 20.seconds.toMillis
cry
Couldn't you just fix it in the master and I'll rebase it into my branch?
okey, that was another test that failed this time. I have increased the timeouts for both in https://github.com/krasserm/akka-persistence-cassandra/pull/152 merged, so please rebase
Since I was the original author of the SSL setup code I have some comments.
I agree that I missed the case where client authentication is optional, good catch! However I do have some issues with the implementation as it stands now.
- All config values in the config ssl-block are now optional. This is incorrect. If a keystore/truststore is present then passwords are mandatory. You've even dangerously added a default "changeme" password that will cause runtime errors instead. Don't allow the application to start with a broken config!
- You've bypassed the fact that the ssl-blocks means that some SSL-config is mandatory. Because of this you've had to compensate by making unnecessary code changes. It is now possible for the config to contain empty ssl-blocks. The
config.hasPath("ssl")check is already in place. SSL on the server side at least implies a trust store must be present. Don't allow duplicate checks by making trust store configuration optional!.
These are my suggestions:
- Revert code (sorry, not trying to be rude but I think you went wrong early on and had to compensate too much)
- In
if (config.hasPath("ssl"))-block check for config pathssl.keystoreto be present. - If present then both
ssl.keystore.pathandssl.keystore.passwordare mandatory config values. - Instead of passing
trustStorePath,trustStorePW,keyStorePath,keyStorePWarguments individually, consider passing them as tuples or a case classes so you can passOption[(String,String)]to manage thatssl.keystorecould be missing. - In
SSLSetup.constructContextskip creating the trust manager factory and replace the call totmf.getTrustManagerswith empty array ifssl.keystorewas empty.
I hope above helps. I do realize it might seem harsh to ask for what is almost a complete overhaul, but I mean it in a constructive way. :)
when completing this, please open PR at https://github.com/akka/akka-persistence-cassandra, which is the new home for akka-persistence-cassandra
I have actually implemented my own suggestions above. Right now I'm looking into the SSL tests which are still failing. Will do PR afterwards.
I do. :) Probably have to finish it during the weekend though. I have no idea why test would fail so I need to install cassandra or spin up something to test it out.