Deprecate native_transport_port_ssl

patch by Stefan Miklosovic; reviewed by Abe Ratnofsky, Brandon Williams for CASSANDRA-19392
apache · Feb 14, 2024 · 8b037a6 · 8b037a6
1 parent 69f735d
commit 8b037a6
Show file tree

Hide file tree

Showing 5 changed files with 20 additions and 4 deletions.
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -1,4 +1,5 @@
 5.0-beta2
+ * Deprecate native_transport_port_ssl (CASSANDRA-19392)
  * Update packaging shell includes (CASSANDRA-19283)
  * Fix data corruption in VectorCodec when using heap buffers (CASSANDRA-19167)
  * Avoid over-skipping of key iterators from static column indexes during mixed intersections (CASSANDRA-19278)

diff --git a/NEWS.txt b/NEWS.txt
@@ -265,6 +265,10 @@ Deprecation
       The old property is still supported for backward compatibility, but now it is disabled by default.
     - CloudstackSnitch is marked as deprecated and it is not actively maintained anymore. It is scheduled to be removed 
       in the next major version of Cassandra.
+    - Usage of dual native ports (native_transport_port and native_transport_port_ssl) is deprecated and will be removed
+      in a future release. A single native port can be used for both encrypted and unencrypted traffic; see CASSANDRA-10559.
+      Cluster hosts running with dual native ports were not correctly identified in the system.peers tables and server-sent EVENTs,
+      causing clients that encrypt traffic to fail to maintain correct connection pools. For more information, see CASSANDRA-19392.
 
 4.1
 ===

diff --git a/conf/cassandra.yaml b/conf/cassandra.yaml
@@ -940,6 +940,7 @@ native_transport_port: 9042
 # for native_transport_port. Setting native_transport_port_ssl to a different value
 # from native_transport_port will use encryption for native_transport_port_ssl while
 # keeping native_transport_port unencrypted.
+# This feature is deprecated since Cassandra 5.0 and will be removed. Please consult deprecation section in NEWS.txt.
 # native_transport_port_ssl: 9142
 # The maximum threads for handling requests (note that idle threads are stopped
 # after 30 seconds so there is not corresponding minimum setting).

diff --git a/src/java/org/apache/cassandra/config/Config.java b/src/java/org/apache/cassandra/config/Config.java
@@ -275,6 +275,8 @@ public MemtableOptions()
 
     public boolean start_native_transport = true;
     public int native_transport_port = 9042;
+    /** @deprecated See CASSANDRA-19392 */
+    @Deprecated(since = "5.0")
     public Integer native_transport_port_ssl = null;
     public int native_transport_max_threads = 128;
     @Replaces(oldName = "native_transport_max_frame_size_in_mb", converter = Converters.MEBIBYTES_DATA_STORAGE_INT, deprecated = true)

diff --git a/src/java/org/apache/cassandra/config/DatabaseDescriptor.java b/src/java/org/apache/cassandra/config/DatabaseDescriptor.java
@@ -895,11 +895,19 @@ else if (conf.commitlog_segment_size.toKibibytes() < 2 * conf.max_mutation_size.
         {
             conf.client_encryption_options.applyConfig();
 
-            if (conf.native_transport_port_ssl != null
-                && conf.native_transport_port_ssl != conf.native_transport_port
-                && conf.client_encryption_options.tlsEncryptionPolicy() == EncryptionOptions.TlsEncryptionPolicy.UNENCRYPTED)
+            if (conf.native_transport_port_ssl != null)
             {
-                throw new ConfigurationException("Encryption must be enabled in client_encryption_options for native_transport_port_ssl", false);
+                logger.warn("Usage of dual ports (native_transport_port together with native_transport_port_ssl) is " +
+                            "deprecated since Cassandra 5.0 and it will be removed in next releases. Please consider to use one port only " +
+                            "(native_transport_port) which can support unencrypted as well as encrypted traffic. This feature " +
+                            "is effectively not functioning properly except a corner-case of having a cluster " +
+                            "consisting of just one node. For more information, please consult deprecation " +
+                            "section in NEWS.txt");
+                if (conf.native_transport_port_ssl != conf.native_transport_port
+                    && (conf.client_encryption_options.tlsEncryptionPolicy() == EncryptionOptions.TlsEncryptionPolicy.UNENCRYPTED))
+                {
+                    throw new ConfigurationException("Encryption must be enabled in client_encryption_options for native_transport_port_ssl", false);
+                }
             }
         }