mTLS between JanusGraph, CQL, Solr, Zookeeper


Jeff Callahan <cal...@...>
 

Hi all -

My team would like to enable mTLS among JanusGraph and the backend components we use today: CQL, Solr and ZooKeeper.  From what I can gather, there are a few missing pieces (please correct me if I'm mistaken):
  • Client authentication with JanusGraph and Cassandra (CQL)  
    • I see in CQLStoreManager.java#L268 that the sslContext is initialized with null for the first parameter ("KeyManager[]").  Based on my investigation, it appears this would be the natural place to pass details about a Keystore used for client authentication.
    • To support this feature, I believe JanusGraph would need to offer three additional configuration properties (I've borrowed nomenclature from the ElasticSearch configuration parameters):
      • storage.cql.ssl.keystore.location
      • storage.cql.ssl.keystore.keypassword
      • storage.cql.ssl.keystore.storepassword
    • We'd like to submit a patch for this imminently.  I'll kick off the usual administrative developer agreement and whatnot soon; should I also open an issue?
As for SolrCloud and ZooKeeper, I think I might be able to get this working without changes to JanusGraph.  This would only be a workaround though and I believe the correct long term solution would provide configuration directly through JanusGraph's existing configuration facility.  Should I open issues for these as well?
  • mTLS support between JanusGraph and SolrCloud
  • mTLS support between JanusGraph and ZooKeeper
It looks like version compatibility would not be an issue for CQL or Solr.  ZooKeeper only implemented support for this in 3.5.1, 3.6.0 and it appears even the latest Solr versions have yet to upgrade to these versions of ZooKeeper.  So it's probably best to stick with a workaround until Solr pulls in a version of ZooKeeper that offers these features.
    Any thoughts on this?

    Thanks,
    jeff.
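An added example (not part of the original post and not JanusGraph code) of the change this message proposes: building the `SSLContext` with key managers loaded from a keystore instead of `null`. The class name `CqlMtlsContext`, the use of plain `java.util.Properties`, and the private-key check are assumptions; the keystore property names are the three proposed above, and the truststore names are the `storage.cql.ssl.truststore.*` pair that appears later in this thread.

```java
import java.io.*;
import java.nio.file.*;
import java.security.*;
import java.util.*;
import javax.net.ssl.*;

public class CqlMtlsContext {  // hypothetical class name, not part of JanusGraph
    static final String SSL = "storage.cql.ssl.";

    // Load a key or trust store from the location/password pair named by two properties.
    static KeyStore load(Properties cfg, String locKey, String pwKey) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(Paths.get(cfg.getProperty(SSL + locKey)))) {
            ks.load(in, cfg.getProperty(SSL + pwKey).toCharArray());
        }
        return ks;
    }

    static SSLContext build(Properties cfg) throws Exception {
        KeyStore keys = load(cfg, "keystore.location", "keystore.storepassword");
        // Assumed extra check: a keystore without a private key initialises cleanly,
        // but the client then has no certificate to present during the handshake.
        boolean hasKey = false;
        for (String alias : Collections.list(keys.aliases())) hasKey |= keys.isKeyEntry(alias);
        if (!hasKey) throw new KeyStoreException("keystore has no private-key entry");
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keys, cfg.getProperty(SSL + "keystore.keypassword").toCharArray());
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(cfg, "truststore.location", "truststore.password"));
        SSLContext ctx = SSLContext.getInstance("TLS");
        // First argument is the KeyManager[] slot the message says is currently null.
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        Properties cfg = new Properties();
        if (args.length > 0) {  // real run: path to a properties file with the five keys
            try (InputStream in = Files.newInputStream(Paths.get(args[0]))) { cfg.load(in); }
            System.out.println("built context: " + build(cfg).getProtocol());
            return;
        }
        // Constructed input: an empty store on disk, to show the rejection path offline.
        Path tmp = Files.createTempFile("empty", ".ks");
        KeyStore empty = KeyStore.getInstance(KeyStore.getDefaultType());
        empty.load(null, null);
        try (OutputStream out = Files.newOutputStream(tmp)) { empty.store(out, "changeit".toCharArray()); }
        cfg.setProperty(SSL + "keystore.location", tmp.toString());
        cfg.setProperty(SSL + "keystore.storepassword", "changeit");
        cfg.setProperty(SSL + "keystore.keypassword", "changeit");
        try { build(cfg); } catch (KeyStoreException e) { System.out.println("rejected: " + e.getMessage()); }
        Files.delete(tmp);
    }
}
```

Run without arguments, it exercises only the rejection path with the constructed empty keystore; pass a properties file that sets all five keys to build a real context.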


    Oleksandr Porunov <alexand...@...>
     

    Hi Jeff,

    Thank you for your initiative. In order to contribute, you should sign a CLA. We just switched to an automated CLA signing mechanism. If you are contributing from your company, then your company (CLA manager) should sign a CCLA. Instructions are here: https://github.com/swinslow/cla-tool-docs/blob/master/walkthroughs/4-CLA-Manager.md
    When the company has signed the CCLA, the contributors should follow these instructions: https://github.com/swinslow/cla-tool-docs/blob/master/walkthroughs/3-Corporate-Contributor-first-for-company.md
    If you are contributing as an individual, you should follow these instructions: https://github.com/swinslow/cla-tool-docs/blob/master/walkthroughs/1-Individual-Contributor.md

    About CQL authentication. I am not sure if it is related but you may also check this issue: https://github.com/JanusGraph/janusgraph/issues/1673
    If this isn't related, I think it is wise to open an issue.
    For mTLS support between JanusGraph and SolrCloud and mTLS support between JanusGraph and ZooKeeper, I think you should also open separate issues.

    Best regards,
    Oleksandr


    On Tuesday, August 20, 2019 at 9:59:42 PM UTC+3, Jeff Callahan wrote:
    Hi all -

    My team would like to enable mTLS among JanusGraph and the backend components we use today: CQL, Solr and ZooKeeper.  From what I can gather, there are a few missing pieces (please correct me if I'm mistaken):
    • Client authentication with JanusGraph and Cassandra (CQL)  
      • I see in CQLStoreManager.java#L268 that the sslContext is initialized with null for the first parameter ("KeyManager[]").  Based on my investigation, it appears this would be the natural place to pass details about a Keystore used for client authentication.
      • To support this feature, I believe JanusGraph would need to offer three additional configuration properties (I've borrowed nomenclature from the ElasticSearch configuration parameters):
        • storage.cql.ssl.keystore.location
        • storage.cql.ssl.keystore.keypassword
        • storage.cql.ssl.keystore.storepassword
      • We'd like to submit a patch for this imminently.  I'll kick off the usual administrative developer agreement and whatnot soon; should I also open an issue?
    As for SolrCloud and ZooKeeper, I think I might be able to get this working without changes to JanusGraph.  This would only be a workaround though and I believe the correct long term solution would provide configuration directly through JanusGraph's existing configuration facility.  Should I open issues for these as well?
    • mTLS support between JanusGraph and SolrCloud
    • mTLS support between JanusGraph and ZooKeeper
    It looks like version compatibility would not be an issue for CQL or Solr.  ZooKeeper only implemented support for this in 3.5.1, 3.6.0 and it appears even the latest Solr versions have yet to upgrade to these versions of ZooKeeper.  So it's probably best to stick with a workaround until Solr pulls in a version of ZooKeeper that offers these features.
      Any thoughts on this?

      Thanks,
      jeff.


      Jeff Callahan <cal...@...>
       

      Thanks Oleksandr.  I am working with my organization to get the CCLA completed.

      I'll open issues to track the three items I mentioned.  After having a look at the issue you linked, I believe it is similar but unrelated to my specific issue (since it is username/password authentication in the janusgraph hadoop project, rather than transport level key based authentication in CQL).

      Cheers,
      jeff.


      On Wednesday, August 21, 2019 at 12:01:12 AM UTC-7, Oleksandr Porunov wrote:
      Hi Jeff,

      Thank you for your initiative. In order to contribute, you should sign a CLA. We just switched to an automated CLA signing mechanism. If you are contributing from your company, then your company (CLA manager) should sign a CCLA. Instructions are here: https://github.com/swinslow/cla-tool-docs/blob/master/walkthroughs/4-CLA-Manager.md
      When the company has signed the CCLA, the contributors should follow these instructions: https://github.com/swinslow/cla-tool-docs/blob/master/walkthroughs/3-Corporate-Contributor-first-for-company.md
      If you are contributing as an individual, you should follow these instructions: https://github.com/swinslow/cla-tool-docs/blob/master/walkthroughs/1-Individual-Contributor.md

      About CQL authentication. I am not sure if it is related but you may also check this issue: https://github.com/JanusGraph/janusgraph/issues/1673
      If this isn't related, I think it is wise to open an issue.
      For mTLS support between JanusGraph and SolrCloud and mTLS support between JanusGraph and ZooKeeper, I think you should also open separate issues.

      Best regards,
      Oleksandr



        Jeff Callahan <cal...@...>
         

        FWIW, I did find existing open issues for Cassandra and Solr:


        Thanks,
        jeff.


        On Wednesday, August 21, 2019 at 5:25:12 PM UTC-7, Jeff Callahan wrote:
        Thanks Oleksandr.  I am working with my organization to get the CCLA completed.

        I'll open issues to track the three items I mentioned.  After having a look at the issue you linked, I believe it is similar but unrelated to my specific issue (since it is username/password authentication in the janusgraph hadoop project, rather than transport level key based authentication in CQL).

        Cheers,
        jeff.



          Abhay Pandit <abha...@...>
           

          Hi Jeff,

          I have a solution for the SSL connection.
          I am currently using an SSL connection for SparkGraphComputer; it's working fine for me.
          My team and I spent 3 days figuring out how we can connect to Cassandra over SSL:
          janusgraphmr.ioformat.conf.storage.cql.username=username
          janusgraphmr.ioformat.conf.storage.cql.password=password
          janusgraphmr.ioformat.conf.storage.cql.ssl.enabled = true
          janusgraphmr.ioformat.conf.storage.cql.write-consistency-level=QUORUM
          janusgraphmr.ioformat.conf.storage.cql.read-consistency-level=QUORUM
          janusgraphmr.ioformat.conf.storage.cql.ssl.truststore.location=certlocation
          janusgraphmr.ioformat.conf.storage.cql.ssl.truststore.password=certpassword


          Hope this helps...


          Thanks,
          Abhay





          On Thu, 22 Aug 2019 at 06:12, Jeff Callahan <cal...@...> wrote:
          FWIW, I did find existing open issues for Cassandra and Solr:


          Thanks,
          jeff.
