You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@pinot.apache.org by GitBox <gi...@apache.org> on 2021/10/29 01:58:02 UTC

[GitHub] [pinot] apucher commented on a change in pull request #7653: Adding config for keystore types, switching tls to native implementation, and adding authorization for server-broker tls channel

apucher commented on a change in pull request #7653:
URL: https://github.com/apache/pinot/pull/7653#discussion_r738882026



##########
File path: pinot-core/src/main/java/org/apache/pinot/server/access/AccessControl.java
##########
@@ -27,6 +28,13 @@
 @InterfaceStability.Stable
 public interface AccessControl {
 
+  /**
+   *
+   * @param channelHandlerContext netty tls context
+   * @return Whether the client has access to query server
+   */
+  boolean hasQueryServerAccess(ChannelHandlerContext channelHandlerContext);
+

Review comment:
       would you mind giving me some additional context about why this is required? IIRC the netty connection is already configured with 2-way TLS, meaning that both server and broker need to trust the other's respective cert.

##########
File path: pinot-core/src/main/java/org/apache/pinot/core/util/TlsUtils.java
##########
@@ -101,23 +112,26 @@ public static TlsConfig extractTlsConfig(PinotConfiguration pinotConfig, String
    * @return KeyManagerFactory
    */
   public static KeyManagerFactory createKeyManagerFactory(TlsConfig tlsConfig) {
-    return createKeyManagerFactory(tlsConfig.getKeyStorePath(), tlsConfig.getKeyStorePassword());
+    return createKeyManagerFactory(tlsConfig.getKeyStorePath(),
+        tlsConfig.getKeyStorePassword(), tlsConfig.getKeyStoreType());
   }
 
   /**
    * Create a KeyManagerFactory instance for a given path and key password
    *
    * @param keyStorePath store path
    * @param keyStorePassword password
-   *
+   * @param keyStoreType keystore type for keystore
    * @return KeyManagerFactory
    */
-  public static KeyManagerFactory createKeyManagerFactory(String keyStorePath, String keyStorePassword) {
+  public static KeyManagerFactory createKeyManagerFactory(String keyStorePath, String keyStorePassword,
+      String keyStoreType) {
     Preconditions.checkNotNull(keyStorePath, "key store path must not be null");
     Preconditions.checkNotNull(keyStorePassword, "key store password must not be null");
+    keyStoreType = StringUtils.isBlank(keyStoreType) ? KeyStore.getDefaultType() : keyStoreType;
 
     try {
-      KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+      KeyStore keyStore = KeyStore.getInstance(keyStoreType);

Review comment:
       if `keyStoreType` is null, what happens?

##########
File path: pinot-core/src/main/java/org/apache/pinot/core/transport/QueryServer.java
##########
@@ -110,7 +119,9 @@ private void attachSSLHandler(SocketChannel ch) {
         throw new IllegalArgumentException("Must provide key store path for secured server");
       }
 
-      SslContextBuilder sslContextBuilder = SslContextBuilder.forServer(TlsUtils.createKeyManagerFactory(_tlsConfig));
+      SslContextBuilder sslContextBuilder = SslContextBuilder
+          .forServer(TlsUtils.createKeyManagerFactory(_tlsConfig))
+          .sslProvider(SslProvider.OPENSSL);

Review comment:
       I'm all for using a native implementation. I wonder if SSLContext creation should be streamlined with a utility method in `TlsUtils`. I'd imagine that any access, even via rest, would benefit from the performance improvement.
   
   This would imply that the ssl provider becomes a property of TLsConfig as well.

##########
File path: pinot-core/pom.xml
##########
@@ -32,6 +32,7 @@
   <name>Pinot Core</name>
   <url>https://pinot.apache.org/</url>
   <properties>
+    <netty-tcnative.version>2.0.36.Final</netty-tcnative.version>

Review comment:
       imo dependency management should be handled in the root pom, if possible.

##########
File path: pinot-core/src/main/java/org/apache/pinot/core/transport/QueryServer.java
##########
@@ -56,9 +60,11 @@
    * @param port bind port
    * @param queryScheduler query scheduler
    * @param serverMetrics server metrics
+   * @param accessControlFactory access control factory for netty channel
    */
-  public QueryServer(int port, QueryScheduler queryScheduler, ServerMetrics serverMetrics) {
-    this(port, queryScheduler, serverMetrics, null);
+  public QueryServer(int port, QueryScheduler queryScheduler, ServerMetrics serverMetrics,

Review comment:
       we may want to consider either removing this constructor entirely, or retaining one for non-tls use without both TLS related configs

##########
File path: pinot-connectors/presto-pinot-driver/src/main/java/org/apache/pinot/connector/presto/PinotScatterGatherQueryClient.java
##########
@@ -98,10 +97,14 @@ public ErrorCode getErrorCode() {
 
     private final boolean _clientAuthEnabled;
 
+    private final String _trustStoreType;
+
     private final String _trustStorePath;
 
     private final String _trustStorePassword;
 
+    private final String _keyStoreType;
+
     private final String _keyStorePath;
 
     private final String _keyStorePassword;

Review comment:
       I'd suggest to store all these properties inside a `TlsConfig` container instance directly.




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@pinot.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@pinot.apache.org
For additional commands, e-mail: commits-help@pinot.apache.org