Posted to commits@kyuubi.apache.org by ch...@apache.org on 2022/07/29 08:24:59 UTC

[incubator-kyuubi] branch master updated: [KYUUBI #3104] Support SSL for Etcd

This is an automated email from the ASF dual-hosted git repository.

chengpan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-kyuubi.git


The following commit(s) were added to refs/heads/master by this push:
     new c17829bf1 [KYUUBI #3104] Support SSL for Etcd
c17829bf1 is described below

commit c17829bf104e5515755aab3572b12c68b430ed4e
Author: hongdongdong <ho...@cmss.chinamobile.com>
AuthorDate: Fri Jul 29 16:24:50 2022 +0800

    [KYUUBI #3104] Support SSL for Etcd
    
    ### _Why are the changes needed?_
    
    Add SSL/TLS support to the etcd service-discovery client (`EtcdDiscoveryClient`), driven by the new `kyuubi.ha.etcd.ssl.*` options.
    
    ### _How was this patch tested?_
    - [ ] Add some test cases that check the changes thoroughly including negative and positive cases if possible
    
    - [ ] Add screenshots for manual tests if appropriate
    
    - [X] [Run test](https://kyuubi.apache.org/docs/latest/develop_tools/testing.html#running-tests) locally before make a pull request
    
    Closes #3105 from hddong/support-etcd-ssl.
    
    Closes #3104
    
    49aadb9c [hongdongdong] change enable to enabled
    87fa6269 [hongdongdong] [KYUUBI #3104] Support SSL for Etcd
    
    Authored-by: hongdongdong <ho...@cmss.chinamobile.com>
    Signed-off-by: Cheng Pan <ch...@apache.org>
---
 docs/deployment/settings.md                        |  4 +++
 .../apache/kyuubi/ha/HighAvailabilityConf.scala    | 28 +++++++++++++++++++
 .../ha/client/etcd/EtcdDiscoveryClient.scala       | 31 +++++++++++++++++++---
 3 files changed, 60 insertions(+), 3 deletions(-)

diff --git a/docs/deployment/settings.md b/docs/deployment/settings.md
index b1e055d72..085accc71 100644
--- a/docs/deployment/settings.md
+++ b/docs/deployment/settings.md
@@ -312,6 +312,10 @@ Key | Default | Meaning | Type | Since
 kyuubi.ha.addresses||The connection string for the discovery ensemble|string|1.6.0
 kyuubi.ha.client.class|org.apache.kyuubi.ha.client.zookeeper.ZookeeperDiscoveryClient|Class name for service discovery client.<ul> <li>Zookeeper: org.apache.kyuubi.ha.client.zookeeper.ZookeeperDiscoveryClient</li> <li>Etcd: org.apache.kyuubi.ha.client.etcd.EtcdDiscoveryClient</li></ul>|string|1.6.0
 kyuubi.ha.etcd.lease.timeout|PT10S|Timeout for etcd keep alive lease. The kyuubi server will known unexpected loss of engine after up to this seconds.|duration|1.6.0
+kyuubi.ha.etcd.ssl.ca.path|&lt;undefined&gt;|Where the etcd CA certificate file is stored.|string|1.6.0
+kyuubi.ha.etcd.ssl.client.certificate.path|&lt;undefined&gt;|Where the etcd SSL certificate file is stored.|string|1.6.0
+kyuubi.ha.etcd.ssl.client.key.path|&lt;undefined&gt;|Where the etcd SSL key file is stored.|string|1.6.0
+kyuubi.ha.etcd.ssl.enabled|false|When set to true, will build a ssl secured etcd client.|boolean|1.6.0
 kyuubi.ha.namespace|kyuubi|The root directory for the service to deploy its instance uri|string|1.6.0
 kyuubi.ha.zookeeper.acl.enabled|false|Set to true if the zookeeper ensemble is kerberized|boolean|1.0.0
 kyuubi.ha.zookeeper.auth.digest|&lt;undefined&gt;|The digest auth string is used for zookeeper authentication, like: username:password.|string|1.3.2
diff --git a/kyuubi-ha/src/main/scala/org/apache/kyuubi/ha/HighAvailabilityConf.scala b/kyuubi-ha/src/main/scala/org/apache/kyuubi/ha/HighAvailabilityConf.scala
index 317ecd76d..830b2eb35 100644
--- a/kyuubi-ha/src/main/scala/org/apache/kyuubi/ha/HighAvailabilityConf.scala
+++ b/kyuubi-ha/src/main/scala/org/apache/kyuubi/ha/HighAvailabilityConf.scala
@@ -191,4 +191,32 @@ object HighAvailabilityConf {
       .timeConf
       .checkValue(_ > 0, "Must be positive")
       .createWithDefault(Duration.ofSeconds(10).toMillis)
+
+  val HA_ETCD_SSL_ENABLED: ConfigEntry[Boolean] =
+    buildConf("kyuubi.ha.etcd.ssl.enabled")
+      .doc("When set to true, will build a ssl secured etcd client.")
+      .version("1.6.0")
+      .booleanConf
+      .createWithDefault(false)
+
+  val HA_ETCD_SSL_CA_PATH: OptionalConfigEntry[String] =
+    buildConf("kyuubi.ha.etcd.ssl.ca.path")
+      .doc("Where the etcd CA certificate file is stored.")
+      .version("1.6.0")
+      .stringConf
+      .createOptional
+
+  val HA_ETCD_SSL_CLINET_CRT_PATH: OptionalConfigEntry[String] =
+    buildConf("kyuubi.ha.etcd.ssl.client.certificate.path")
+      .doc("Where the etcd SSL certificate file is stored.")
+      .version("1.6.0")
+      .stringConf
+      .createOptional
+
+  val HA_ETCD_SSL_CLINET_KEY_PATH: OptionalConfigEntry[String] =
+    buildConf("kyuubi.ha.etcd.ssl.client.key.path")
+      .doc("Where the etcd SSL key file is stored.")
+      .version("1.6.0")
+      .stringConf
+      .createOptional
 }
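Review bot: The new vals `HA_ETCD_SSL_CLINET_CRT_PATH` and `HA_ETCD_SSL_CLINET_KEY_PATH` misspell CLIENT as `CLINET`; the config keys themselves are spelled correctly, but these are public members of `object HighAvailabilityConf` already referenced from `EtcdDiscoveryClient`, so renaming after release becomes a breaking change — rename them to `HA_ETCD_SSL_CLIENT_CRT_PATH` / `HA_ETCD_SSL_CLIENT_KEY_PATH` now. The `kyuubi.ha.etcd.ssl.enabled` doc should also say what enabling it requires, since the client fails at startup otherwise: `.doc("When set to true, will build an SSL-secured etcd client. Requires kyuubi.ha.etcd.ssl.ca.path, kyuubi.ha.etcd.ssl.client.certificate.path and kyuubi.ha.etcd.ssl.client.key.path to be set.")`. The three path docs could likewise state the expected file format (PEM is what the Netty loader used by the client appears to take — confirm against the jetcd/Netty version in use) so operators do not try to point them at a JKS keystore.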
diff --git a/kyuubi-ha/src/main/scala/org/apache/kyuubi/ha/client/etcd/EtcdDiscoveryClient.scala b/kyuubi-ha/src/main/scala/org/apache/kyuubi/ha/client/etcd/EtcdDiscoveryClient.scala
index fcbdbf76a..56545bf9e 100644
--- a/kyuubi-ha/src/main/scala/org/apache/kyuubi/ha/client/etcd/EtcdDiscoveryClient.scala
+++ b/kyuubi-ha/src/main/scala/org/apache/kyuubi/ha/client/etcd/EtcdDiscoveryClient.scala
@@ -17,6 +17,7 @@
 
 package org.apache.kyuubi.ha.client.etcd
 
+import java.io.File
 import java.nio.charset.StandardCharsets.UTF_8
 import java.util.concurrent.TimeUnit
 
@@ -36,6 +37,7 @@ import io.etcd.jetcd.options.GetOption
 import io.etcd.jetcd.options.PutOption
 import io.etcd.jetcd.watch.WatchEvent
 import io.etcd.jetcd.watch.WatchResponse
+import io.grpc.netty.GrpcSslContexts
 import io.grpc.stub.StreamObserver
 
 import org.apache.kyuubi.KYUUBI_VERSION
@@ -44,7 +46,7 @@ import org.apache.kyuubi.KyuubiSQLException
 import org.apache.kyuubi.config.KyuubiConf
 import org.apache.kyuubi.config.KyuubiConf.ENGINE_INIT_TIMEOUT
 import org.apache.kyuubi.ha.HighAvailabilityConf
-import org.apache.kyuubi.ha.HighAvailabilityConf.HA_ENGINE_REF_ID
+import org.apache.kyuubi.ha.HighAvailabilityConf._
 import org.apache.kyuubi.ha.client.DiscoveryClient
 import org.apache.kyuubi.ha.client.DiscoveryPaths
 import org.apache.kyuubi.ha.client.ServiceDiscovery
@@ -63,9 +65,32 @@ class EtcdDiscoveryClient(conf: KyuubiConf) extends DiscoveryClient {
 
   var leaseTTL: Long = _
 
+  private def buildClient(): Client = {
+    val endpoints = conf.get(HA_ADDRESSES).split(",")
+    val sslEnabled = conf.get(HA_ETCD_SSL_ENABLED)
+    if (!sslEnabled) {
+      Client.builder.endpoints(endpoints: _*).build
+    } else {
+      val caPath = conf.getOption(HA_ETCD_SSL_CA_PATH.key).getOrElse(
+        throw new IllegalArgumentException(s"${HA_ETCD_SSL_CA_PATH.key} is not defined"))
+      val crtPath = conf.getOption(HA_ETCD_SSL_CLINET_CRT_PATH.key).getOrElse(
+        throw new IllegalArgumentException(s"${HA_ETCD_SSL_CLINET_CRT_PATH.key} is not defined"))
+      val keyPath = conf.getOption(HA_ETCD_SSL_CLINET_KEY_PATH.key).getOrElse(
+        throw new IllegalArgumentException(s"${HA_ETCD_SSL_CLINET_KEY_PATH.key} is not defined"))
+
+      val context = GrpcSslContexts.forClient()
+        .trustManager(new File(caPath))
+        .keyManager(new File(crtPath), new File(keyPath))
+        .build()
+      Client.builder()
+        .endpoints(endpoints: _*)
+        .sslContext(context)
+        .build()
+    }
+  }
+
   def createClient(): Unit = {
-    val endpoints = conf.get(HighAvailabilityConf.HA_ADDRESSES).split(",")
-    client = Client.builder.endpoints(endpoints: _*).build
+    client = buildClient()
     kvClient = client.getKVClient()
     lockClient = client.getLockClient()
     leaseClient = client.getLeaseClient()
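Review bot: In `buildClient`, enabling `kyuubi.ha.etcd.ssl.enabled` makes all three paths mandatory and always calls `.keyManager(crt, key)`, so an etcd cluster that terminates TLS without client-certificate authentication cannot be used, and a passphrase-protected client key will fail to load because no password is passed to the Netty builder (the two-argument `keyManager` overload expects an unencrypted key — verify against the Netty version jetcd pulls in). If server-only TLS is in scope, treat the client cert/key as an optional pair: configure the key manager only when both are set and reject a lone one, as sketched below. The `!sslEnabled` branch also silently ignores any configured `kyuubi.ha.etcd.ssl.*` path; a warning there would catch a forgotten `ssl.enabled=true`. Finally, document whether the `kyuubi.ha.addresses` endpoints need an `https://` scheme for jetcd to negotiate TLS — I cannot tell from the hunk how jetcd chooses the negotiation type when `sslContext` is set.
```scala
    } else {
      val caPath = conf.getOption(HA_ETCD_SSL_CA_PATH.key).getOrElse(
        throw new IllegalArgumentException(s"${HA_ETCD_SSL_CA_PATH.key} is not defined"))
      val crtPath = conf.getOption(HA_ETCD_SSL_CLINET_CRT_PATH.key)
      val keyPath = conf.getOption(HA_ETCD_SSL_CLINET_KEY_PATH.key)

      val contextBuilder = GrpcSslContexts.forClient().trustManager(new File(caPath))
      // Client cert/key are only needed when etcd enforces client-cert auth (mTLS);
      // accept both or neither, never one without the other.
      (crtPath, keyPath) match {
        case (Some(crt), Some(key)) => contextBuilder.keyManager(new File(crt), new File(key))
        case (None, None) => // server-side TLS only
        case _ => throw new IllegalArgumentException(
          s"${HA_ETCD_SSL_CLINET_CRT_PATH.key} and ${HA_ETCD_SSL_CLINET_KEY_PATH.key} " +
            "must be set together")
      }
      Client.builder()
        .endpoints(endpoints: _*)
        .sslContext(contextBuilder.build())
        .build()
    }
```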