From 82b76fc9eb080a05ebac7054228e54ed3dbfdbe8 Mon Sep 17 00:00:00 2001
From: walnuts1018
Date: Fri, 9 Jan 2026 23:41:00 +0900
Subject: [PATCH 1/3] feat: add TLS configuration options for Cassandra2 store
Signed-off-by: walnuts1018
---
 weed/command/scaffold/filer.toml | 6 ++++++
 weed/filer/cassandra2/cassandra_store.go | 13 ++++++++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/weed/command/scaffold/filer.toml b/weed/command/scaffold/filer.toml
index a685d50d8..41c44e092 100644
--- a/weed/command/scaffold/filer.toml
+++ b/weed/command/scaffold/filer.toml
@@ -186,6 +186,12 @@ hosts = [
 ]
 username = ""
 password = ""
+# Set the CA certificate path
+tls_ca_file=""
+# Set the client certificate path
+tls_client_crt_file=""
+# Set the client private key path
+tls_client_key_file=""
 # This changes the data layout. Only add new directories. Removing/Updating will cause data loss.
 superLargeDirectories = []
 # Name of the datacenter local to this filer, used as host selection fallback.
diff --git a/weed/filer/cassandra2/cassandra_store.go b/weed/filer/cassandra2/cassandra_store.go
index 7ce3d32c1..2260d32a1 100644
--- a/weed/filer/cassandra2/cassandra_store.go
+++ b/weed/filer/cassandra2/cassandra_store.go
@@ -34,6 +34,9 @@ func (store *Cassandra2Store) Initialize(configuration util.Configuration, prefi
 configuration.GetStringSlice(prefix+"hosts"),
 configuration.GetString(prefix+"username"),
 configuration.GetString(prefix+"password"),
+ configuration.GetString(prefix+"tls_ca_file"),
+ configuration.GetString(prefix+"tls_client_crt_file"),
+ configuration.GetString(prefix+"tls_client_key_file"),
 configuration.GetStringSlice(prefix+"superLargeDirectories"),
 configuration.GetString(prefix+"localDC"),
 configuration.GetInt(prefix+"connection_timeout_millisecond"),
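Review bot: The comments on `tls_ca_file`, `tls_client_crt_file` and `tls_client_key_file` say what each path is but not what setting one does: per the `initialize` change in cassandra_store.go, any non-empty value turns TLS on with `EnableHostVerification: true`, and leaving all three empty keeps the connection unencrypted. I would put one line above the group, e.g. `# Setting any of the three paths below enables TLS with server host verification; leave all empty for an unencrypted connection.` It would also help to say that the client certificate and key paths are meant to be set together. Only part of the store's settings is visible in this hunk, so an explanation elsewhere in the file cannot be ruled out.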
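Review bot: Three more bare strings are passed positionally between `password` and `superLargeDirectories`, so the call now hands `initialize` five adjacent string arguments and a swapped certificate/key pair would compile without complaint. Consider building the `*gocql.SslOptions` value in `Initialize` and passing that single argument, or grouping the connection settings in a small struct. The same applies to the widened `initialize` signature in the following hunk. `Initialize` starts and ends outside the lines shown here.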
@@ -45,11 +48,19 @@ func (store *Cassandra2Store) isSuperLargeDirectory(dir string) (dirHash string,
 return
 }
 
-func (store *Cassandra2Store) initialize(keyspace string, hosts []string, username string, password string, superLargeDirectories []string, localDC string, timeout int) (err error) {
+func (store *Cassandra2Store) initialize(keyspace string, hosts []string, username string, password string, tlsCaFile string, tlsClientCrtFile string, tlsClientKeyFile string, superLargeDirectories []string, localDC string, timeout int) (err error) {
 store.cluster = gocql.NewCluster(hosts...)
 if username != "" && password != "" {
 store.cluster.Authenticator = gocql.PasswordAuthenticator{Username: username, Password: password}
 }
+ if tlsCaFile != "" || tlsClientCrtFile != "" || tlsClientKeyFile != "" {
+ store.cluster.SslOpts = &gocql.SslOptions{
+ CaPath: tlsCaFile,
+ CertPath: tlsClientCrtFile,
+ KeyPath: tlsClientKeyFile,
+ EnableHostVerification: true,
+ }
+ }
 store.cluster.Keyspace = keyspace
 store.cluster.Timeout = time.Duration(timeout) * time.Millisecond
 glog.V(0).Infof("timeout = %d", timeout)
From 8682b3cd9f3e1b1f83e4d44ff7003cb5a93f9876 Mon Sep 17 00:00:00 2001
From: walnuts1018
Date: Sat, 10 Jan 2026 18:50:07 +0900
Subject: [PATCH 2/3] fix: use 9142 port in tls connection
Signed-off-by: walnuts1018
---
 weed/filer/cassandra2/cassandra_store.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/weed/filer/cassandra2/cassandra_store.go b/weed/filer/cassandra2/cassandra_store.go
index 2260d32a1..1d1d10366 100644
--- a/weed/filer/cassandra2/cassandra_store.go
+++ b/weed/filer/cassandra2/cassandra_store.go
@@ -60,6 +60,7 @@ func (store *Cassandra2Store) initialize(keyspace string, hosts []string, userna
 KeyPath: tlsClientKeyFile,
 EnableHostVerification: true,
 }
+ store.cluster.Port = 9142
 }
 store.cluster.Keyspace = keyspace
 store.cluster.Timeout = time.Duration(timeout) * time.Millisecond
From 0e16c4aaa6b80d1c0a7d5539eb59de587b64aa0b Mon Sep 17 00:00:00 2001
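Review bot: When all three paths are empty the cluster stays plaintext even though the `PasswordAuthenticator` set a few lines above may be active, so the username and password would cross the network unencrypted with nothing in the log to say so. A warning on that branch makes the exposure visible, e.g. `glog.Warningf("cassandra2: password authentication configured without TLS")`, assuming this glog package exposes `Warningf` as upstream glog does. The `||` condition also accepts a certificate path without a key path, or the reverse; gocql presumably rejects that only when the session is created, so a check here that names the two configuration keys would fail earlier and more clearly. `initialize` continues past the end of the hunk.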
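Review bot: `store.cluster.Port = 9142` is applied to every TLS connection with no configuration key to override it, so a cluster that serves TLS on 9042 or on a custom port cannot be reached unless each entry in `hosts` carries its own port (gocql appears to honour `host:port` for contact points; worth confirming for discovered peers). Reading the port from the store's configuration and falling back to 9142 only when it is unset would avoid that. A short comment such as `// 9142: Cassandra's conventional TLS native-transport port (native_transport_port_ssl)` would explain the constant. Because enabling TLS now changes the port silently, logging the effective port at startup would also help operators. The enclosing function starts and ends outside the hunk.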
From: walnuts1018
Date: Sun, 11 Jan 2026 00:28:49 +0900
Subject: [PATCH 3/3] Align the setting field names with gocql's SSLOpts.
Signed-off-by: walnuts1018
---
 weed/command/scaffold/filer.toml | 6 +++---
 weed/filer/cassandra2/cassandra_store.go | 16 ++++++++--------
 2 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/weed/command/scaffold/filer.toml b/weed/command/scaffold/filer.toml
index 41c44e092..dcaba8232 100644
--- a/weed/command/scaffold/filer.toml
+++ b/weed/command/scaffold/filer.toml
@@ -187,11 +187,11 @@ hosts = [
 username = ""
 password = ""
 # Set the CA certificate path
-tls_ca_file=""
+ssl_ca_path = ""
 # Set the client certificate path
-tls_client_crt_file=""
+ssl_cert_path = ""
 # Set the client private key path
-tls_client_key_file=""
+ssl_key_path = ""
 # This changes the data layout. Only add new directories. Removing/Updating will cause data loss.
 superLargeDirectories = []
 # Name of the datacenter local to this filer, used as host selection fallback.
diff --git a/weed/filer/cassandra2/cassandra_store.go b/weed/filer/cassandra2/cassandra_store.go
index 1d1d10366..abcac26f3 100644
--- a/weed/filer/cassandra2/cassandra_store.go
+++ b/weed/filer/cassandra2/cassandra_store.go
@@ -34,9 +34,9 @@ func (store *Cassandra2Store) Initialize(configuration util.Configuration, prefi
 configuration.GetStringSlice(prefix+"hosts"),
 configuration.GetString(prefix+"username"),
 configuration.GetString(prefix+"password"),
- configuration.GetString(prefix+"tls_ca_file"),
- configuration.GetString(prefix+"tls_client_crt_file"),
- configuration.GetString(prefix+"tls_client_key_file"),
+ configuration.GetString(prefix+"ssl_ca_path"),
+ configuration.GetString(prefix+"ssl_cert_path"),
+ configuration.GetString(prefix+"ssl_key_path"),
 configuration.GetStringSlice(prefix+"superLargeDirectories"),
 configuration.GetString(prefix+"localDC"),
 configuration.GetInt(prefix+"connection_timeout_millisecond"),
@@ -48,16 +48,16 @@ func (store *Cassandra2Store) isSuperLargeDirectory(dir string) (dirHash string,
 return
 }
 
-func (store *Cassandra2Store) initialize(keyspace string, hosts []string, username string, password string, tlsCaFile string, tlsClientCrtFile string, tlsClientKeyFile string, superLargeDirectories []string, localDC string, timeout int) (err error) {
+func (store *Cassandra2Store) initialize(keyspace string, hosts []string, username string, password string, sslCaPath string, sslCertPath string, sslKeyPath string, superLargeDirectories []string, localDC string, timeout int) (err error) {
 store.cluster = gocql.NewCluster(hosts...)
 if username != "" && password != "" {
 store.cluster.Authenticator = gocql.PasswordAuthenticator{Username: username, Password: password}
 }
- if tlsCaFile != "" || tlsClientCrtFile != "" || tlsClientKeyFile != "" {
+ if sslCaPath != "" || sslCertPath != "" || sslKeyPath != "" {
 store.cluster.SslOpts = &gocql.SslOptions{
- CaPath: tlsCaFile,
- CertPath: tlsClientCrtFile,
- KeyPath: tlsClientKeyFile,
+ CaPath: sslCaPath,
+ CertPath: sslCertPath,
+ KeyPath: sslKeyPath,
 EnableHostVerification: true,
 }
 store.cluster.Port = 9142