[beam] branch master updated: Remove conscrypt as security provider. (#7056)

[al...@apache.org]

This is an automated email from the ASF dual-hosted git repository.

altay pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/beam.git


The following commit(s) were added to refs/heads/master by this push:
     new 414916c  Remove conscrypt as security provider.  (#7056)
414916c is described below

commit 414916c17b2e63c8036a6ea1516b66f61b7fa888
Author: Ahmet Altay <aa...@gmail.com>
AuthorDate: Fri Nov 16 18:25:36 2018 -0800

    Remove conscrypt as security provider.  (#7056)
    
    * Add an experimental flag to disable conscrypt SSL.
---
 .../dataflow/worker/DataflowWorkerHarnessHelper.java    | 17 ++++++++++++++---
 .../beam/runners/dataflow/worker/ExperimentContext.java |  1 +
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/runners/google-cloud-dataflow-java/worker/src/main/java/org/apache/beam/runners/dataflow/worker/DataflowWorkerHarnessHelper.java b/runners/google-cloud-dataflow-java/worker/src/main/java/org/apache/beam/runners/dataflow/worker/DataflowWorkerHarnessHelper.java
index 027f3c1..aeeec33 100644
--- a/runners/google-cloud-dataflow-java/worker/src/main/java/org/apache/beam/runners/dataflow/worker/DataflowWorkerHarnessHelper.java
+++ b/runners/google-cloud-dataflow-java/worker/src/main/java/org/apache/beam/runners/dataflow/worker/DataflowWorkerHarnessHelper.java
@@ -27,6 +27,7 @@ import javax.annotation.Nullable;
 import org.apache.beam.model.pipeline.v1.Endpoints;
 import org.apache.beam.model.pipeline.v1.RunnerApi;
 import org.apache.beam.runners.dataflow.options.DataflowWorkerHarnessOptions;
+import org.apache.beam.runners.dataflow.worker.ExperimentContext.Experiment;
 import org.apache.beam.runners.dataflow.worker.logging.DataflowWorkerLoggingInitializer;
 import org.apache.beam.runners.dataflow.worker.logging.DataflowWorkerLoggingMDC;
 import org.apache.beam.vendor.grpc.v1_13_1.com.google.protobuf.TextFormat;
@@ -45,9 +46,6 @@ public final class DataflowWorkerHarnessHelper {
 
   public static DataflowWorkerHarnessOptions initializeGlobalStateAndPipelineOptions(
       Class<?> workerHarnessClass) throws Exception {
-    /* Enable fast SSL provider. */
-    Security.insertProviderAt(new OpenSSLProvider(), 1);
-
     /* Extract pipeline options. */
     DataflowWorkerHarnessOptions pipelineOptions =
         WorkerPipelineOptionsFactory.createFromSystemProperties();
@@ -57,6 +55,19 @@ public final class DataflowWorkerHarnessHelper {
     DataflowWorkerLoggingMDC.setJobId(pipelineOptions.getJobId());
     DataflowWorkerLoggingMDC.setWorkerId(pipelineOptions.getWorkerId());
 
+    ExperimentContext ec = ExperimentContext.parseFrom(pipelineOptions);
+
+    if (!ec.isEnabled(Experiment.DisableConscryptSecurityProvider)) {
+      /* Enable fast SSL provider. */
+      LOG.info(
+          "Dataflow runner uses conscrypt by default for SSL. To disable this feature, "
+              + "pass pipeline option --experiment=disable_conscrypt_security_provider");
+      Security.insertProviderAt(new OpenSSLProvider(), 1);
+    } else {
+      LOG.info(
+          "Experiment disable_conscrypt_security_provider specified, disabling conscrypt "
+              + "SSL. Note this is the default Java behavior, but may have reduced performance.");
+    }
     return pipelineOptions;
   }
 
diff --git a/runners/google-cloud-dataflow-java/worker/src/main/java/org/apache/beam/runners/dataflow/worker/ExperimentContext.java b/runners/google-cloud-dataflow-java/worker/src/main/java/org/apache/beam/runners/dataflow/worker/ExperimentContext.java
index 14e84b6..3ce1e08 100644
--- a/runners/google-cloud-dataflow-java/worker/src/main/java/org/apache/beam/runners/dataflow/worker/ExperimentContext.java
+++ b/runners/google-cloud-dataflow-java/worker/src/main/java/org/apache/beam/runners/dataflow/worker/ExperimentContext.java
@@ -36,6 +36,7 @@ public class ExperimentContext {
 
   /** Enumeration of all known experiments. */
   public enum Experiment {
+    DisableConscryptSecurityProvider("disable_conscrypt_security_provider"),
     IntertransformIO("intertransform_io"), // Intertransform metrics for Shuffle IO (insights)
     SideInputIOMetrics("sideinput_io_metrics"); // Intertransform metrics for Side Input IO