Remove native_transport_port_ssl

patch by Stefan Miklosovic; reviewed by Brandon Williams for CASSANDRA-19397

CHANGES.txt

@@ -1,4 +1,5 @@
 5.1
+ * Remove native_transport_port_ssl (CASSANDRA-19397)
  * Make nodetool reconfigurecms sync by default and add --cancel to be able to cancel ongoing reconfigurations (CASSANDRA-19216)
  * Expose auth mode in system_views.clients, nodetool clientstats, metrics (CASSANDRA-19366)
  * Remove sealed_periods and last_sealed_period tables (CASSANDRA-19189)

NEWS.txt

@@ -141,6 +141,11 @@ Upgrading
     which come up during or after an election will learn of the elected first CMS node and direct metadata updates to
     it. It is important to remember that at the completion of the election, the CMS still only comprises a single
     member. Just as in the upgrade case, operators should add further members as soon as possible.
+    - native_transport_port_ssl property was removed. Please transition to using one port only. Encrypted communication
+    may be optional by setting `optional` flag in `client_encryption_options` to `true` and it should be set only
+    while in unencrypted or transitional operation. Please consult `client_encryption_options` in cassandra.yaml
+    for more information.
+
 
 Deprecation
 -----------

conf/cassandra.yaml

@@ -933,15 +933,6 @@ start_native_transport: true
 # port for the CQL native transport to listen for clients on
 # For security reasons, you should not expose this port to the internet.  Firewall it if needed.
 native_transport_port: 9042
-# Enabling native transport encryption in client_encryption_options allows you to either use
-# encryption for the standard port or to use a dedicated, additional port along with the unencrypted
-# standard native_transport_port.
-# Enabling client encryption and keeping native_transport_port_ssl disabled will use encryption
-# for native_transport_port. Setting native_transport_port_ssl to a different value
-# from native_transport_port will use encryption for native_transport_port_ssl while
-# keeping native_transport_port unencrypted.
-# This feature is deprecated since Cassandra 5.0 and will be removed. Please consult deprecation section in NEWS.txt.
-# native_transport_port_ssl: 9142
 # The maximum threads for handling requests (note that idle threads are stopped
 # after 30 seconds so there is not corresponding minimum setting).
 # native_transport_max_threads: 128

doc/modules/cassandra/pages/managing/operating/security.adoc

@@ -162,6 +162,11 @@ requirements demand it. To do so, set `optional` to false and use the
 `native_transport_port_ssl` setting in `cassandra.yaml` to specify the
 port to be used for secure client communication.
 
+[NOTE]
+====
+`native_transport_port_ssl` property was deprecated in Cassandra 5.0.
+====
+
 [[operation-roles]]
 == Roles
 

src/java/org/apache/cassandra/config/Config.java

@@ -284,9 +284,6 @@ public MemtableOptions()
 
     public boolean start_native_transport = true;
     public int native_transport_port = 9042;
-    /** @deprecated See CASSANDRA-19392 */
-    @Deprecated(since = "5.0")
-    public Integer native_transport_port_ssl = null;
     public int native_transport_max_threads = 128;
     @Replaces(oldName = "native_transport_max_frame_size_in_mb", converter = Converters.MEBIBYTES_DATA_STORAGE_INT, deprecated = true)
     public DataStorageSpec.IntMebibytesBound native_transport_max_frame_size = new DataStorageSpec.IntMebibytesBound("16MiB");

src/java/org/apache/cassandra/config/DatabaseDescriptor.java

@@ -903,25 +903,8 @@ else if (conf.commitlog_segment_size.toKibibytes() < 2 * conf.max_mutation_size.
 
         // native transport encryption options
         if (conf.client_encryption_options != null)
-        {
             conf.client_encryption_options.applyConfig();
 
-            if (conf.native_transport_port_ssl != null)
-            {
-                logger.warn("Usage of dual ports (native_transport_port together with native_transport_port_ssl) is " +
-                            "deprecated since Cassandra 5.0 and it will be removed in next releases. Please consider to use one port only " +
-                            "(native_transport_port) which can support unencrypted as well as encrypted traffic. This feature " +
-                            "is effectively not functioning properly except a corner-case of having a cluster " +
-                            "consisting of just one node. For more information, please consult deprecation " +
-                            "section in NEWS.txt");
-                if (conf.native_transport_port_ssl != conf.native_transport_port
-                    && (conf.client_encryption_options.tlsEncryptionPolicy() == EncryptionOptions.TlsEncryptionPolicy.UNENCRYPTED))
-                {
-                    throw new ConfigurationException("Encryption must be enabled in client_encryption_options for native_transport_port_ssl", false);
-                }
-            }
-        }
-
         if (conf.snapshot_links_per_second < 0)
             throw new ConfigurationException("snapshot_links_per_second must be >= 0");
 
@@ -2986,17 +2969,6 @@ public static void setNativeTransportPort(int port)
         conf.native_transport_port = port;
     }
 
-    public static int getNativeTransportPortSSL()
-    {
-        return conf.native_transport_port_ssl == null ? getNativeTransportPort() : conf.native_transport_port_ssl;
-    }
-
-    @VisibleForTesting
-    public static void setNativeTransportPortSSL(Integer port)
-    {
-        conf.native_transport_port_ssl = port;
-    }
-
     public static int getNativeTransportMaxThreads()
     {
         return conf.native_transport_max_threads;

src/java/org/apache/cassandra/metrics/ClientMetrics.java

@@ -19,8 +19,6 @@
 package org.apache.cassandra.metrics;
 
 import java.util.ArrayList;
-import java.util.Collection;
-import java.util.Collections;
 import java.util.Comparator;
 import java.util.HashMap;
 import java.util.List;
@@ -54,7 +52,7 @@ public final class ClientMetrics
     private static final MetricNameFactory factory = new DefaultNameFactory("Client");
 
     private volatile boolean initialized = false;
-    private Collection<Server> servers = Collections.emptyList();
+    private Server server = null;
 
     @VisibleForTesting
     Meter authSuccess;
@@ -148,7 +146,7 @@ public List<ConnectedClient> allConnectedClients()
     {
         List<ConnectedClient> clients = new ArrayList<>();
 
-        for (Server server : servers)
+        if (server != null)
             clients.addAll(server.getConnectedClients());
 
         return clients;
@@ -164,12 +162,12 @@ public void markUnknownException()
         unknownException.mark();
     }
 
-    public synchronized void init(Collection<Server> servers)
+    public synchronized void init(Server servers)
     {
         if (initialized)
             return;
 
-        this.servers = servers;
+        this.server = servers;
 
         // deprecated the lower-cased initial letter metric names in 4.0
         connectedNativeClients = registerGauge(CONNECTED_NATIVE_CLIENTS, "connectedNativeClients", this::countConnectedClients);
@@ -225,23 +223,16 @@ public long getCount()
 
     private int countConnectedClients()
     {
-        int count = 0;
-
-        for (Server server : servers)
-            count += server.countConnectedClients();
-
-        return count;
+        return server == null ? 0 : server.countConnectedClients();
     }
 
     private Map<String, Integer> countConnectedClientsByUser()
     {
         Map<String, Integer> counts = new HashMap<>();
 
-        for (Server server : servers)
-        {
+        if (server != null)
             server.countConnectedClientsByUser()
                   .forEach((username, count) -> counts.put(username, counts.getOrDefault(username, 0) + count));
-        }
 
         return counts;
     }
@@ -250,32 +241,31 @@ private List<Map<String, String>> connectedClients()
     {
         List<Map<String, String>> clients = new ArrayList<>();
 
-        for (Server server : servers)
+        if (server != null)
+        {
             for (ConnectedClient client : server.getConnectedClients())
                 clients.add(client.asMap());
+        }
 
         return clients;
     }
 
     private int countConnectedClients(Predicate<ServerConnection> predicate)
     {
-        int count = 0;
-
-        for (Server server : servers)
-            count += server.countConnectedClients(predicate);
-
-        return count;
+        return server == null ? 0 : server.countConnectedClients(predicate);
     }
 
     private List<Map<String, String>> recentClientStats()
     {
         List<Map<String, String>> stats = new ArrayList<>();
 
-        for (Server server : servers)
+        if (server != null)
+        {
             for (ClientStat stat : server.recentClientStats())
                 stats.add(new HashMap<>(stat.asMap())); // asMap returns guava, so need to convert to java for jmx
 
-        stats.sort(Comparator.comparing(map -> map.get(ClientStat.PROTOCOL_VERSION)));
+            stats.sort(Comparator.comparing(map -> map.get(ClientStat.PROTOCOL_VERSION)));
+        }
 
         return stats;
     }

src/java/org/apache/cassandra/service/NativeTransportService.java

@@ -18,9 +18,6 @@
 package org.apache.cassandra.service;
 
 import java.net.InetAddress;
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.Collections;
 import java.util.concurrent.TimeUnit;
 
 import com.google.common.annotations.VisibleForTesting;
@@ -50,7 +47,7 @@ public class NativeTransportService
 
     private static final Logger logger = LoggerFactory.getLogger(NativeTransportService.class);
 
-    private Collection<Server> servers = Collections.emptyList();
+    private Server server = null;
 
     private boolean initialized = false;
     private EventLoopGroup workerGroup;
@@ -76,70 +73,37 @@ synchronized void initialize()
         }
 
         int nativePort = DatabaseDescriptor.getNativeTransportPort();
-        int nativePortSSL = DatabaseDescriptor.getNativeTransportPortSSL();
         InetAddress nativeAddr = DatabaseDescriptor.getRpcAddress();
 
         org.apache.cassandra.transport.Server.Builder builder = new org.apache.cassandra.transport.Server.Builder()
                                                                 .withEventLoopGroup(workerGroup)
                                                                 .withHost(nativeAddr);
 
         EncryptionOptions.TlsEncryptionPolicy encryptionPolicy = DatabaseDescriptor.getNativeProtocolEncryptionOptions().tlsEncryptionPolicy();
-        Server regularPortServer;
-        Server tlsPortServer = null;
+        server = builder.withTlsEncryptionPolicy(encryptionPolicy).withPort(nativePort).build();
 
-        // If an SSL port is separately supplied for the native transport, listen for unencrypted connections on the
-        // regular port, and encryption / optionally encrypted connections on the ssl port.
-        if (nativePort != nativePortSSL)
-        {
-            regularPortServer = builder.withTlsEncryptionPolicy(EncryptionOptions.TlsEncryptionPolicy.UNENCRYPTED).withPort(nativePort).build();
-            switch(encryptionPolicy)
-            {
-                case OPTIONAL: // FALLTHRU - encryption is optional on the regular port, but encrypted on the tls port.
-                case ENCRYPTED:
-                    tlsPortServer = builder.withTlsEncryptionPolicy(encryptionPolicy).withPort(nativePortSSL).build();
-                    break;
-                case UNENCRYPTED: // Should have been caught by DatabaseDescriptor.applySimpleConfig
-                    throw new IllegalStateException("Encryption must be enabled in client_encryption_options for native_transport_port_ssl");
-                default:
-                    throw new IllegalStateException("Unrecognized TLS encryption policy: " + encryptionPolicy);
-            }
-        }
-        // Otherwise, if only the regular port is supplied, listen as the encryption policy specifies
-        else
-        {
-            regularPortServer = builder.withTlsEncryptionPolicy(encryptionPolicy).withPort(nativePort).build();
-        }
-
-        if (tlsPortServer == null)
-        {
-            servers = Collections.singleton(regularPortServer);
-        }
-        else
-        {
-            servers = Collections.unmodifiableList(Arrays.asList(regularPortServer, tlsPortServer));
-        }
-
-        ClientMetrics.instance.init(servers);
+        ClientMetrics.instance.init(server);
 
         initialized = true;
     }
 
     /**
-     * Starts native transport servers.
+     * Starts native transport server.
      */
     public void start()
     {
         logger.info("Using Netty Version: {}", Version.identify().entrySet());
         initialize();
-        servers.forEach(Server::start);
+        server.start();
     }
 
     /**
-     * Stops currently running native transport servers.
+     * Stops currently running native transport server.
      */
     public void stop()
     {
-        servers.forEach(Server::stop);
+        if (server != null)
+            server.stop();
     }
 
     /**
@@ -148,7 +112,7 @@ public void stop()
     public void destroy()
     {
         stop();
-        servers = Collections.emptyList();
+        server = null;
 
         // shutdown executors used by netty for native transport server
         if (workerGroup != null)
@@ -175,9 +139,7 @@ public static boolean useEpoll()
      */
     public boolean isRunning()
     {
-        for (Server server : servers)
-            if (server.isRunning()) return true;
-        return false;
+        return server != null && server.isRunning();
     }
 
     @VisibleForTesting
@@ -187,14 +149,13 @@ EventLoopGroup getWorkerGroup()
     }
 
     @VisibleForTesting
-    Collection<Server> getServers()
+    Server getServer()
     {
-        return servers;
+        return server;
     }
 
     public void clearConnectionHistory()
     {
-        for (Server server : servers)
-            server.clearConnectionHistory();
+        server.clearConnectionHistory();
     }
 }

src/java/org/apache/cassandra/tools/LoaderOptions.java

@@ -556,16 +556,9 @@ public Builder parseArgs(String cmdArgs[])
                 serverEncOptions.applyConfig();
 
                 if (cmd.hasOption(NATIVE_PORT_OPTION))
-                {
                     nativePort = Integer.parseInt(cmd.getOptionValue(NATIVE_PORT_OPTION));
-                }
                 else
-                {
-                    if (config.native_transport_port_ssl != null && (config.client_encryption_options.getEnabled() || clientEncOptions.getEnabled()))
-                        nativePort = config.native_transport_port_ssl;
-                    else
-                        nativePort = config.native_transport_port;
-                }
+                    nativePort = config.native_transport_port;
 
                 if (cmd.hasOption(INITIAL_HOST_ADDRESS_OPTION))
                 {

test/burn/org/apache/cassandra/transport/SimpleClientBurnTest.java

@@ -103,7 +103,7 @@ protected ClientResourceLimits.ResourceProvider resourceProvider(ClientResourceL
                                             .withPort(port)
                                             .withPipelineConfigurator(configurator)
                                             .build();
-        ClientMetrics.instance.init(Collections.singleton(server));
+        ClientMetrics.instance.init(server);
         server.start();
 
         Message.Type.QUERY.unsafeSetCodec(new Message.Codec<QueryMessage>()

test/burn/org/apache/cassandra/transport/SimpleClientPerfTest.java

@@ -159,7 +159,7 @@ public void perfTest(SizeCaps requestCaps, SizeCaps responseCaps, AssertUtil.Thr
                                             .withPort(port)
                                             .build();
 
-        ClientMetrics.instance.init(Collections.singleton(server));
+        ClientMetrics.instance.init(server);
         server.start();
 
         Message.Type.QUERY.unsafeSetCodec(new Message.Codec<QueryMessage>()

test/conf/unit-test-conf/test-native-port.yaml

@@ -18,7 +18,7 @@ listen_address: 127.0.0.1
 storage_port: 7010
 ssl_storage_port: 7011
 start_native_transport: true
-native_transport_port_ssl: 9142
+native_transport_port: 9142
 column_index_size: 4KiB
 saved_caches_directory: build/test/cassandra/saved_caches
 data_file_directories: