Posted to commits@pinot.apache.org by "zhtaoxiang (via GitHub)" <gi...@apache.org> on 2023/11/08 01:04:33 UTC

[PR] add an option to skip controller cert validation in AddTableCommand [pinot]

zhtaoxiang opened a new pull request, #11967:
URL: https://github.com/apache/pinot/pull/11967

   When trying to add a table using `AddTableCommand`, we need to install a cert in order to validate the Pinot controller cert if TLS is enabled. Otherwise, we will get the following error:
   ```
   javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
   	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:130)
   	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:371)
   	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:314)
   	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:309)
   	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
   	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
   	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
   	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
   	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
   	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:458)
   	at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:201)
   	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
   	at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1510)
   	at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1425)
   	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
   	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)
   	at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:578)
   	at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:187)
   	at java.base/sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1429)
   	at java.base/sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1400)
   	at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:220)
   	at org.apache.pinot.tools.admin.command.AbstractBaseAdminCommand.sendRequest(AbstractBaseAdminCommand.java:107)
   	at org.apache.pinot.tools.admin.command.AddTableCommand.sendTableCreationRequest(AddTableCommand.java:196)
   	at org.apache.pinot.tools.admin.command.AddTableCommand.execute(AddTableCommand.java:274)
   	at org.apache.pinot.tools.Command.call(Command.java:33)
   	at org.apache.pinot.tools.Command.call(Command.java:29)
   	at picocli.CommandLine.executeUserObject(CommandLine.java:1953)
   	at picocli.CommandLine.access$1300(CommandLine.java:145)
   	at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2352)
   	at picocli.CommandLine$RunLast.handle(CommandLine.java:2346)
   	at picocli.CommandLine$RunLast.handle(CommandLine.java:2311)
   	at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2179)
   	at picocli.CommandLine.execute(CommandLine.java:2078)
   	at org.apache.pinot.tools.admin.PinotAdministrator.execute(PinotAdministrator.java:171)
   	at org.apache.pinot.tools.admin.PinotAdministrator.main(PinotAdministrator.java:202)
   Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
   	at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:388)
   	at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:271)
   	at java.base/sun.security.validator.Validator.validate(Validator.java:256)
   	at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
   	at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
   	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
   	... 30 more
   Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
   	at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
   	at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
   	at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
   	at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:383)
   	... 35 more
   ```


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@pinot.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@pinot.apache.org
For additional commands, e-mail: commits-help@pinot.apache.org


Re: [PR] add an option to skip controller cert validation in AddTableCommand [pinot]

Posted by "Jackie-Jiang (via GitHub)" <gi...@apache.org>.
Jackie-Jiang merged PR #11967:
URL: https://github.com/apache/pinot/pull/11967




Re: [PR] add an option to skip controller cert validation in AddTableCommand [pinot]

Posted by "zhtaoxiang (via GitHub)" <gi...@apache.org>.
zhtaoxiang commented on code in PR #11967:
URL: https://github.com/apache/pinot/pull/11967#discussion_r1386174661


##########
pinot-tools/src/main/java/org/apache/pinot/tools/admin/command/AddTableCommand.java:
##########
@@ -76,13 +79,17 @@ public class AddTableCommand extends AbstractBaseAdminCommand implements Command
   @CommandLine.Option(names = {"-controllerProtocol"}, required = false, description = "protocol for controller.")
   private String _controllerProtocol = CommonConstants.HTTP_PROTOCOL;
 
-  @CommandLine.Option(names = {"-update"}, required = false,
-      description = "Update the existing table instead of creating new one")
+  @CommandLine.Option(names = {"-update"}, required = false, description = "Update the existing table instead of "
+      + "creating new one")
   private boolean _update = false;
 
   @CommandLine.Option(names = {"-exec"}, required = false, description = "Execute the command.")
   private boolean _exec;
 
+  @CommandLine.Option(names = {"-skipControllerCertValidation"}, required = false, description = "Whether to skip"
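
Review bot: The description of the new `-skipControllerCertValidation` option (last line of the hunk, beginning "Whether to skip") should say plainly that setting it turns off TLS server authentication for the controller connection, so the request is sent to an endpoint whose identity was never checked. The default is not visible in this hunk; it should be false, and a warning logged whenever the flag is set would make its use visible in operator logs. A companion option that accepts a trust store or CA file would let deployments with a private CA avoid skipping validation at all.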

Review Comment:
   Sounds good, will add similar options in other PRs





Re: [PR] add an option to skip controller cert validation in AddTableCommand [pinot]

Posted by "codecov-commenter (via GitHub)" <gi...@apache.org>.
codecov-commenter commented on PR #11967:
URL: https://github.com/apache/pinot/pull/11967#issuecomment-1800868913

   ## [Codecov](https://app.codecov.io/gh/apache/pinot/pull/11967?src=pr&el=h1&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=apache) Report
   > Merging [#11967](https://app.codecov.io/gh/apache/pinot/pull/11967?src=pr&el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=apache) (48d6bba) into [master](https://app.codecov.io/gh/apache/pinot/commit/9092244e0be9f27158320c987833bdb3b6179bdd?el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=apache) (9092244) will **decrease** coverage by `61.42%`.
   > The diff coverage is `n/a`.
   
   ```diff
   @@              Coverage Diff              @@
   ##             master   #11967       +/-   ##
   =============================================
   - Coverage     61.41%    0.00%   -61.42%     
   =============================================
     Files          2385     2309       -76     
     Lines        129151   125403     -3748     
     Branches      19995    19437      -558     
   =============================================
   - Hits          79313        0    -79313     
   - Misses        44084   125403    +81319     
   + Partials       5754        0     -5754     
   ```
   
   | [Flag](https://app.codecov.io/gh/apache/pinot/pull/11967/flags?src=pr&el=flags&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=apache) | Coverage Δ | |
   |---|---|---|
   | [custom-integration1](https://app.codecov.io/gh/apache/pinot/pull/11967/flags?src=pr&el=flag&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=apache) | `?` | |
   | [integration](https://app.codecov.io/gh/apache/pinot/pull/11967/flags?src=pr&el=flag&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=apache) | `0.00% <ø> (-0.01%)` | :arrow_down: |
   | [integration1](https://app.codecov.io/gh/apache/pinot/pull/11967/flags?src=pr&el=flag&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=apache) | `?` | |
   | [integration2](https://app.codecov.io/gh/apache/pinot/pull/11967/flags?src=pr&el=flag&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=apache) | `0.00% <ø> (ø)` | |
   | [java-11](https://app.codecov.io/gh/apache/pinot/pull/11967/flags?src=pr&el=flag&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=apache) | `?` | |
   | [java-21](https://app.codecov.io/gh/apache/pinot/pull/11967/flags?src=pr&el=flag&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=apache) | `0.00% <ø> (-61.28%)` | :arrow_down: |
   | [skip-bytebuffers-false](https://app.codecov.io/gh/apache/pinot/pull/11967/flags?src=pr&el=flag&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=apache) | `0.00% <ø> (-61.38%)` | :arrow_down: |
   | [skip-bytebuffers-true](https://app.codecov.io/gh/apache/pinot/pull/11967/flags?src=pr&el=flag&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=apache) | `?` | |
   | [temurin](https://app.codecov.io/gh/apache/pinot/pull/11967/flags?src=pr&el=flag&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=apache) | `0.00% <ø> (-61.42%)` | :arrow_down: |
   | [unittests](https://app.codecov.io/gh/apache/pinot/pull/11967/flags?src=pr&el=flag&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=apache) | `?` | |
   | [unittests1](https://app.codecov.io/gh/apache/pinot/pull/11967/flags?src=pr&el=flag&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=apache) | `?` | |
   | [unittests2](https://app.codecov.io/gh/apache/pinot/pull/11967/flags?src=pr&el=flag&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=apache) | `?` | |
   
   Flags with carried forward coverage won't be shown. [Click here](https://docs.codecov.io/docs/carryforward-flags?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=apache#carryforward-flags-in-the-pull-request-comment) to find out more.
   
   [see 1993 files with indirect coverage changes](https://app.codecov.io/gh/apache/pinot/pull/11967/indirect-changes?src=pr&el=tree-more&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=apache)
   
   




Re: [PR] add an option to skip controller cert validation in AddTableCommand [pinot]

Posted by "xiangfu0 (via GitHub)" <gi...@apache.org>.
xiangfu0 commented on code in PR #11967:
URL: https://github.com/apache/pinot/pull/11967#discussion_r1386098061


##########
pinot-tools/src/main/java/org/apache/pinot/tools/admin/command/AddTableCommand.java:
##########
@@ -76,13 +79,17 @@ public class AddTableCommand extends AbstractBaseAdminCommand implements Command
   @CommandLine.Option(names = {"-controllerProtocol"}, required = false, description = "protocol for controller.")
   private String _controllerProtocol = CommonConstants.HTTP_PROTOCOL;
 
-  @CommandLine.Option(names = {"-update"}, required = false,
-      description = "Update the existing table instead of creating new one")
+  @CommandLine.Option(names = {"-update"}, required = false, description = "Update the existing table instead of "
+      + "creating new one")
   private boolean _update = false;
 
   @CommandLine.Option(names = {"-exec"}, required = false, description = "Execute the command.")
   private boolean _exec;
 
+  @CommandLine.Option(names = {"-skipControllerCertValidation"}, required = false, description = "Whether to skip"
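
Review bot: The `-update` annotation at the top of this hunk is only re-wrapped (the description string is now split with `+` across two lines) and its text is unchanged. That reflow is unrelated to certificate validation; dropping it from the patch would leave the security-relevant option as the only change under review in this region.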

Review Comment:
   I think we should also add this for all http based commands like AddSchema, AddTenant, UploadSegment etc


