Posted to commits@calcite.apache.org by li...@apache.org on 2023/04/28 03:32:59 UTC
[calcite] branch main updated: [CALCITE-5671] Add option to disable SSL certificate validation to ES adapter
This is an automated email from the ASF dual-hosted git repository.
libenchao pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/calcite.git
The following commit(s) were added to refs/heads/main by this push:
new dd8fa24a6a [CALCITE-5671] Add option to disable SSL certificate validation to ES adapter
dd8fa24a6a is described below
commit dd8fa24a6a662e7e82780a940af4b3036c2adb23
Author: Charles Givre <cg...@apache.org>
AuthorDate: Wed Apr 26 10:58:55 2023 -0400
[CALCITE-5671] Add option to disable SSL certificate validation to ES adapter
Close apache/calcite#3174
---
.../util/UnsafeX509ExtendedTrustManager.java | 75 ++++++++++++++++++++++
.../elasticsearch/ElasticsearchSchemaFactory.java | 58 +++++++++++++++--
.../elasticsearch/ElasticSearchAdapterTest.java | 29 +++++++++
3 files changed, 158 insertions(+), 4 deletions(-)
diff --git a/core/src/main/java/org/apache/calcite/util/UnsafeX509ExtendedTrustManager.java b/core/src/main/java/org/apache/calcite/util/UnsafeX509ExtendedTrustManager.java
new file mode 100644
index 0000000000..5fb2eb9336
--- /dev/null
+++ b/core/src/main/java/org/apache/calcite/util/UnsafeX509ExtendedTrustManager.java
@@ -0,0 +1,75 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to you under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.calcite.util;
+
+import java.net.Socket;
+import java.security.cert.X509Certificate;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.X509ExtendedTrustManager;
+
+/**
+ * This class is used to disable SSL Certificate Verification in Calcite adapters that make http
+ * calls. This trust manager will validate any SSL certificate, whether valid or not. This should
+ * <b>not</b> be used in production environments.
+ */
+@SuppressWarnings("java:S4830")
+public final class UnsafeX509ExtendedTrustManager extends X509ExtendedTrustManager {
+
+ /**
+ * Return a new instance of the unsafe, all-trusting trust manager.
+ */
+ static final X509ExtendedTrustManager INSTANCE = new UnsafeX509ExtendedTrustManager();
+ private static final X509Certificate[] EMPTY_CERTIFICATES = new X509Certificate[0];
+
+ private UnsafeX509ExtendedTrustManager() {}
+
+ public static X509ExtendedTrustManager getInstance() {
+ return INSTANCE;
+ }
+
+ @Override public void checkClientTrusted(X509Certificate[] certificates, String authType) {
+ // No op
+ }
+
+ @Override public void checkClientTrusted(X509Certificate[] certificates,
+ String authType, Socket socket) {
+ // No op
+ }
+
+ @Override public void checkClientTrusted(X509Certificate[] certificates,
+ String authType, SSLEngine sslEngine) {
+ // No op
+ }
+
+ @Override public void checkServerTrusted(X509Certificate[] certificates, String authType) {
+ // No op
+ }
+
+ @Override public void checkServerTrusted(X509Certificate[] certificates,
+ String authType, Socket socket) {
+ // No op
+ }
+
+ @Override public void checkServerTrusted(X509Certificate[] certificates,
+ String authType, SSLEngine sslEngine) {
+ // No op
+ }
+
+ @Override public X509Certificate[] getAcceptedIssuers() {
+ return EMPTY_CERTIFICATES;
+ }
+}
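Review bot: The Javadoc "Return a new instance of the unsafe, all-trusting trust manager" is attached to the `INSTANCE` field rather than to `getInstance()`, and it is inaccurate because the class hands out one shared singleton. Move it onto the method as `/** Returns the shared all-trusting trust manager. */` and give the field a plain `//` comment. In the class comment, "will validate any SSL certificate" reads as if a check happens; all six `check*Trusted` overrides are no-ops, so "accepts any certificate chain without validating it" is the accurate wording. Since the class is `public` in `org.apache.calcite.util`, the class comment should also state that installing it removes server authentication for the connection, so callers outside the adapters know what they are opting into.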
diff --git a/elasticsearch/src/main/java/org/apache/calcite/adapter/elasticsearch/ElasticsearchSchemaFactory.java b/elasticsearch/src/main/java/org/apache/calcite/adapter/elasticsearch/ElasticsearchSchemaFactory.java
index 4f580309e4..d1cc87f721 100644
--- a/elasticsearch/src/main/java/org/apache/calcite/adapter/elasticsearch/ElasticsearchSchemaFactory.java
+++ b/elasticsearch/src/main/java/org/apache/calcite/adapter/elasticsearch/ElasticsearchSchemaFactory.java
@@ -19,6 +19,7 @@ package org.apache.calcite.adapter.elasticsearch;
import org.apache.calcite.schema.Schema;
import org.apache.calcite.schema.SchemaFactory;
import org.apache.calcite.schema.SchemaPlus;
+import org.apache.calcite.util.UnsafeX509ExtendedTrustManager;
import org.apache.http.HttpHost;
import org.apache.http.auth.AuthScope;
@@ -43,12 +44,17 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.io.IOException;
+import java.security.KeyManagementException;
+import java.security.NoSuchAlgorithmException;
import java.util.List;
+import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.stream.Collectors;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
/**
* Factory that creates an {@link ElasticsearchSchema}.
@@ -93,6 +99,27 @@ public class ElasticsearchSchemaFactory implements SchemaFactory {
public ElasticsearchSchemaFactory() {
}
+ /**
+ * Create an ElasticSearch {@link Schema}.
+ * The operand property accepts the following key/value pairs:
+ *
+ * <ul>
+ * <li><b>username</b>: The username for the ES cluster</li>
+ * <li><b>password</b>: The password for the ES cluster</li>
+ * <li><b>hosts</b>: A {@link List} of hosts for the ES cluster. Either the hosts or
+ * coordinates must be populated.</li>
+ * <li><b>coordinates</b>: A {@link List} of coordinates for the ES cluster. Either the hosts
+ * list or
+ * the coordinates list must be populated.</li>
+ * <li><b>disableSSLVerification</b>: A boolean parameter to disable SSL verification. Defaults
+ * to false. This should always be set to false for production systems.</li>
+ * </ul>
+ *
+ * @param parentSchema Parent schema
+ * @param name Name of this schema
+ * @param operand The "operand" JSON property
+ * @return Returns a {@link Schema} for the ES cluster.
+ */
@Override public Schema create(SchemaPlus parentSchema, String name,
Map<String, Object> operand) {
@@ -131,10 +158,21 @@ public class ElasticsearchSchemaFactory implements SchemaFactory {
("Both 'coordinates' and 'hosts' is missing in configuration. Provide one of them.");
}
final String pathPrefix = (String) map.get("pathPrefix");
+
+ // Enable or Disable SSL Verification
+ boolean disableSSLVerification;
+ if (map.containsKey("disableSSLVerification")) {
+ String temp = (String) map.get("disableSSLVerification");
+ disableSSLVerification = Boolean.getBoolean(temp.toLowerCase(Locale.ROOT));
+ } else {
+ disableSSLVerification = false;
+ }
+
// create client
String username = (String) map.get("username");
String password = (String) map.get("password");
- final RestClient client = connect(hosts, pathPrefix, username, password);
+ final RestClient client =
+ connect(hosts, pathPrefix, username, password, disableSSLVerification);
final String index = (String) map.get("index");
return new ElasticsearchSchema(client, new ObjectMapper(), index);
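Review bot: `Boolean.getBoolean(...)` on the added line does not parse its argument; it looks up a JVM system property with that name, so `"disableSSLVerification": "true"` reads the property called `true` and normally yields false. The option therefore depends on unrelated JVM state instead of the operand. Use `disableSSLVerification = Boolean.parseBoolean(String.valueOf(map.get("disableSSLVerification")));`, which also avoids the `ClassCastException` from the `(String)` cast when the operand arrives as a JSON boolean (the Javadoc added to `create` calls it "A boolean parameter") and the NPE on a null value. The body of `create` starts outside this hunk.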
@@ -151,18 +189,20 @@ public class ElasticsearchSchemaFactory implements SchemaFactory {
* @param password the password of ES
* @return new or cached low-level rest http client for ES
*/
+ @SuppressWarnings({"java:S4830", "java:S5527"})
private static RestClient connect(List<HttpHost> hosts, String pathPrefix,
- String username, String password) {
+ String username, String password,
+ boolean disableSSLVerification) {
Objects.requireNonNull(hosts, "hosts or coordinates");
Preconditions.checkArgument(!hosts.isEmpty(), "no ES hosts specified");
// Two lists are considered equal when all of their corresponding elements are equal
- // making a list of RestClient parms a suitable cache key.
+ // making a list of RestClient params a suitable cache key.
List cacheKey = ImmutableList.of(hosts, pathPrefix, username, password);
try {
return REST_CLIENTS.get(cacheKey, new Callable<RestClient>() {
- @Override public RestClient call() {
+ @Override public RestClient call() throws NoSuchAlgorithmException, KeyManagementException {
RestClientBuilder builder = RestClient.builder(hosts.toArray(new HttpHost[hosts.size()]));
if (!Strings.isNullOrEmpty(username) && !Strings.isNullOrEmpty(password)) {
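Review bot: The cache key in `connect` still contains only `hosts, pathPrefix, username, password`, so `REST_CLIENTS` can hand a client that was built with verification disabled to a later schema that asked for verification, or the reverse. Include the flag in the key: `List cacheKey = ImmutableList.of(hosts, pathPrefix, username, password, disableSSLVerification);`. The Javadoc above the method also lacks the new parameter; add `@param disableSSLVerification whether certificate and hostname checks are skipped`. `connect` continues past the end of this hunk.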
@@ -173,6 +213,16 @@ public class ElasticsearchSchemaFactory implements SchemaFactory {
httpClientBuilder.setDefaultCredentialsProvider(credentialsProvider));
}
+ if (disableSSLVerification) {
+ SSLContext sslContext = SSLContext.getInstance("TLS");
+ sslContext.init(null, new TrustManager[] {UnsafeX509ExtendedTrustManager.getInstance()},
+ null);
+
+ builder.setHttpClientConfigCallback(httpClientBuilder ->
+ httpClientBuilder.setSSLContext(sslContext)
+ .setSSLHostnameVerifier((host, session) -> true));
+ }
+
if (pathPrefix != null && !pathPrefix.isEmpty()) {
builder.setPathPrefix(pathPrefix);
}
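Review bot: The added `builder.setHttpClientConfigCallback(...)` call appears to replace the callback registered just above it for the credentials provider (only the tail of that call is visible here). `RestClientBuilder` keeps a single callback, so with both a username/password and `disableSSLVerification` set the client would be built without credentials. Register one callback that applies both settings, as sketched below; `credentialsProvider` has to be declared before the `if` so it is visible there. It would also help operators if this branch logged a warning naming the hosts whenever verification is turned off. The enclosing `call()` starts and ends outside this hunk.

```java
// … unchanged: credentialsProvider is built when username/password are set
//   (declare it before the if, initialised to null) …
final SSLContext sslContext;
if (disableSSLVerification) {
  sslContext = SSLContext.getInstance("TLS");
  sslContext.init(null, new TrustManager[] {UnsafeX509ExtendedTrustManager.getInstance()},
      null);
} else {
  sslContext = null;
}

// One callback, so neither setting overwrites the other.
builder.setHttpClientConfigCallback(httpClientBuilder -> {
  if (credentialsProvider != null) {
    httpClientBuilder.setDefaultCredentialsProvider(credentialsProvider);
  }
  if (sslContext != null) {
    httpClientBuilder.setSSLContext(sslContext)
        .setSSLHostnameVerifier((host, session) -> true);
  }
  return httpClientBuilder;
});
// … unchanged: pathPrefix handling …
```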
diff --git a/elasticsearch/src/test/java/org/apache/calcite/adapter/elasticsearch/ElasticSearchAdapterTest.java b/elasticsearch/src/test/java/org/apache/calcite/adapter/elasticsearch/ElasticSearchAdapterTest.java
index 28ebcbb2eb..88f73e9595 100644
--- a/elasticsearch/src/test/java/org/apache/calcite/adapter/elasticsearch/ElasticSearchAdapterTest.java
+++ b/elasticsearch/src/test/java/org/apache/calcite/adapter/elasticsearch/ElasticSearchAdapterTest.java
@@ -18,6 +18,7 @@ package org.apache.calcite.adapter.elasticsearch;
import org.apache.calcite.jdbc.CalciteConnection;
import org.apache.calcite.rel.RelFieldCollation;
+import org.apache.calcite.schema.Schema;
import org.apache.calcite.schema.SchemaPlus;
import org.apache.calcite.schema.impl.ViewTable;
import org.apache.calcite.test.CalciteAssert;
@@ -45,11 +46,14 @@ import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
+import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.function.Consumer;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+
import static java.util.Objects.requireNonNull;
/**
@@ -152,6 +156,31 @@ class ElasticSearchAdapterTest {
.returnsCount(0);
}
+ @Test void testDisableSSL() throws SQLException {
+ Connection connection =
+ DriverManager.getConnection("jdbc:calcite:lex=JAVA");
+ final SchemaPlus root =
+ connection.unwrap(CalciteConnection.class).getRootSchema();
+
+ final CalciteConnection calciteConnection =
+ connection.unwrap(CalciteConnection.class);
+
+ final ElasticsearchSchemaFactory esSchemaFactory = new ElasticsearchSchemaFactory();
+ Map<String, Object> options = new HashMap<>();
+ String hosts = "[\"" + NODE.restClient().getNodes()
+ .get(0).getHost().toString() + "\"]";
+ options.put("username", "user1");
+ options.put("password", "password");
+ options.put("pathPrefix", "");
+ options.put("disableSSLVerification", "true");
+ options.put("hosts", hosts);
+
+ final Schema esSchmea =
+ esSchemaFactory.create(calciteConnection.getRootSchema(), "es_no_ssl", options);
+
+ assertNotNull(esSchmea);
+ }
+
@Test void basic() {
CalciteAssert.that()
.with(ElasticSearchAdapterTest::createConnection)
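Review bot: `testDisableSSL` asserts only that `create` returns a non-null schema, which holds whether or not the option was applied, so it cannot catch the flag being ignored or mis-parsed. A companion case with the option absent or `"false"`, plus an assertion on the parsed value (for example by extracting the parsing into a package-private helper), would pin both sides of the switch. The `Connection` is never closed and `root` is unused; use `try (Connection connection = DriverManager.getConnection("jdbc:calcite:lex=JAVA")) { ... }` and drop `root`. `esSchmea` is a typo for `esSchema`.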