Posted to commits@kyuubi.apache.org by ch...@apache.org on 2022/07/29 08:24:59 UTC
[incubator-kyuubi] branch master updated: [KYUUBI #3104] Support SSL for Etcd
This is an automated email from the ASF dual-hosted git repository.
chengpan pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-kyuubi.git
The following commit(s) were added to refs/heads/master by this push:
new c17829bf1 [KYUUBI #3104] Support SSL for Etcd
c17829bf1 is described below
commit c17829bf104e5515755aab3572b12c68b430ed4e
Author: hongdongdong <ho...@cmss.chinamobile.com>
AuthorDate: Fri Jul 29 16:24:50 2022 +0800
[KYUUBI #3104] Support SSL for Etcd
### _Why are the changes needed?_
Support SSL for Etcd
### _How was this patch tested?_
- [ ] Add some test cases that check the changes thoroughly including negative and positive cases if possible
- [ ] Add screenshots for manual tests if appropriate
- [X] [Run test](https://kyuubi.apache.org/docs/latest/develop_tools/testing.html#running-tests) locally before make a pull request
Closes #3105 from hddong/support-etcd-ssl.
Closes #3104
49aadb9c [hongdongdong] change enable to enabled
87fa6269 [hongdongdong] [KYUUBI #3104] Support SSL for Etcd
Authored-by: hongdongdong <ho...@cmss.chinamobile.com>
Signed-off-by: Cheng Pan <ch...@apache.org>
---
docs/deployment/settings.md | 4 +++
.../apache/kyuubi/ha/HighAvailabilityConf.scala | 28 +++++++++++++++++++
.../ha/client/etcd/EtcdDiscoveryClient.scala | 31 +++++++++++++++++++---
3 files changed, 60 insertions(+), 3 deletions(-)
diff --git a/docs/deployment/settings.md b/docs/deployment/settings.md
index b1e055d72..085accc71 100644
--- a/docs/deployment/settings.md
+++ b/docs/deployment/settings.md
@@ -312,6 +312,10 @@ Key | Default | Meaning | Type | Since
kyuubi.ha.addresses||The connection string for the discovery ensemble|string|1.6.0
kyuubi.ha.client.class|org.apache.kyuubi.ha.client.zookeeper.ZookeeperDiscoveryClient|Class name for service discovery client.<ul> <li>Zookeeper: org.apache.kyuubi.ha.client.zookeeper.ZookeeperDiscoveryClient</li> <li>Etcd: org.apache.kyuubi.ha.client.etcd.EtcdDiscoveryClient</li></ul>|string|1.6.0
kyuubi.ha.etcd.lease.timeout|PT10S|Timeout for etcd keep alive lease. The kyuubi server will known unexpected loss of engine after up to this seconds.|duration|1.6.0
+kyuubi.ha.etcd.ssl.ca.path|<undefined>|Where the etcd CA certificate file is stored.|string|1.6.0
+kyuubi.ha.etcd.ssl.client.certificate.path|<undefined>|Where the etcd SSL certificate file is stored.|string|1.6.0
+kyuubi.ha.etcd.ssl.client.key.path|<undefined>|Where the etcd SSL key file is stored.|string|1.6.0
+kyuubi.ha.etcd.ssl.enabled|false|When set to true, will build a ssl secured etcd client.|boolean|1.6.0
kyuubi.ha.namespace|kyuubi|The root directory for the service to deploy its instance uri|string|1.6.0
kyuubi.ha.zookeeper.acl.enabled|false|Set to true if the zookeeper ensemble is kerberized|boolean|1.0.0
kyuubi.ha.zookeeper.auth.digest|<undefined>|The digest auth string is used for zookeeper authentication, like: username:password.|string|1.3.2
diff --git a/kyuubi-ha/src/main/scala/org/apache/kyuubi/ha/HighAvailabilityConf.scala b/kyuubi-ha/src/main/scala/org/apache/kyuubi/ha/HighAvailabilityConf.scala
index 317ecd76d..830b2eb35 100644
--- a/kyuubi-ha/src/main/scala/org/apache/kyuubi/ha/HighAvailabilityConf.scala
+++ b/kyuubi-ha/src/main/scala/org/apache/kyuubi/ha/HighAvailabilityConf.scala
@@ -191,4 +191,32 @@ object HighAvailabilityConf {
.timeConf
.checkValue(_ > 0, "Must be positive")
.createWithDefault(Duration.ofSeconds(10).toMillis)
+
+ val HA_ETCD_SSL_ENABLED: ConfigEntry[Boolean] =
+ buildConf("kyuubi.ha.etcd.ssl.enabled")
+ .doc("When set to true, will build a ssl secured etcd client.")
+ .version("1.6.0")
+ .booleanConf
+ .createWithDefault(false)
+
+ val HA_ETCD_SSL_CA_PATH: OptionalConfigEntry[String] =
+ buildConf("kyuubi.ha.etcd.ssl.ca.path")
+ .doc("Where the etcd CA certificate file is stored.")
+ .version("1.6.0")
+ .stringConf
+ .createOptional
+
+ val HA_ETCD_SSL_CLINET_CRT_PATH: OptionalConfigEntry[String] =
+ buildConf("kyuubi.ha.etcd.ssl.client.certificate.path")
+ .doc("Where the etcd SSL certificate file is stored.")
+ .version("1.6.0")
+ .stringConf
+ .createOptional
+
+ val HA_ETCD_SSL_CLINET_KEY_PATH: OptionalConfigEntry[String] =
+ buildConf("kyuubi.ha.etcd.ssl.client.key.path")
+ .doc("Where the etcd SSL key file is stored.")
+ .version("1.6.0")
+ .stringConf
+ .createOptional
}
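Review bot: The two client-side entries are named `HA_ETCD_SSL_CLINET_CRT_PATH` and `HA_ETCD_SSL_CLINET_KEY_PATH`; `CLINET` is a misspelling of `CLIENT` that becomes hard to rename once other modules reference it, so `HA_ETCD_SSL_CLIENT_CRT_PATH` / `HA_ETCD_SSL_CLIENT_KEY_PATH` would be better before it spreads (the EtcdDiscoveryClient hunk in this commit is currently the only visible user). The doc of `kyuubi.ha.etcd.ssl.enabled` does not say that the three path entries become mandatory when it is true, even though the client builder added in EtcdDiscoveryClient rejects a missing one with an IllegalArgumentException; suggest `.doc("When set to true, will build an SSL secured etcd client. kyuubi.ha.etcd.ssl.ca.path, kyuubi.ha.etcd.ssl.client.certificate.path and kyuubi.ha.etcd.ssl.client.key.path must then be set.")`. For `kyuubi.ha.etcd.ssl.client.key.path` the doc could also state that the file holds the client's private key and should be readable only by the Kyuubi server user, since nothing visible in this change checks the file's permissions. Minor: "a ssl" reads better as "an SSL" in both doc strings.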
diff --git a/kyuubi-ha/src/main/scala/org/apache/kyuubi/ha/client/etcd/EtcdDiscoveryClient.scala b/kyuubi-ha/src/main/scala/org/apache/kyuubi/ha/client/etcd/EtcdDiscoveryClient.scala
index fcbdbf76a..56545bf9e 100644
--- a/kyuubi-ha/src/main/scala/org/apache/kyuubi/ha/client/etcd/EtcdDiscoveryClient.scala
+++ b/kyuubi-ha/src/main/scala/org/apache/kyuubi/ha/client/etcd/EtcdDiscoveryClient.scala
@@ -17,6 +17,7 @@
package org.apache.kyuubi.ha.client.etcd
+import java.io.File
import java.nio.charset.StandardCharsets.UTF_8
import java.util.concurrent.TimeUnit
@@ -36,6 +37,7 @@ import io.etcd.jetcd.options.GetOption
import io.etcd.jetcd.options.PutOption
import io.etcd.jetcd.watch.WatchEvent
import io.etcd.jetcd.watch.WatchResponse
+import io.grpc.netty.GrpcSslContexts
import io.grpc.stub.StreamObserver
import org.apache.kyuubi.KYUUBI_VERSION
@@ -44,7 +46,7 @@ import org.apache.kyuubi.KyuubiSQLException
import org.apache.kyuubi.config.KyuubiConf
import org.apache.kyuubi.config.KyuubiConf.ENGINE_INIT_TIMEOUT
import org.apache.kyuubi.ha.HighAvailabilityConf
-import org.apache.kyuubi.ha.HighAvailabilityConf.HA_ENGINE_REF_ID
+import org.apache.kyuubi.ha.HighAvailabilityConf._
import org.apache.kyuubi.ha.client.DiscoveryClient
import org.apache.kyuubi.ha.client.DiscoveryPaths
import org.apache.kyuubi.ha.client.ServiceDiscovery
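Review bot: Replacing the single `HA_ENGINE_REF_ID` import with `import org.apache.kyuubi.ha.HighAvailabilityConf._` brings every entry of the config object into scope, while the `import org.apache.kyuubi.ha.HighAvailabilityConf` line just above is kept; if the qualified `HighAvailabilityConf.HA_ADDRESSES` use removed in the later hunk was its only use, that line is now redundant (I cannot see the rest of the file to confirm). Importing only what the class uses keeps the file's explicit-import style: `import org.apache.kyuubi.ha.HighAvailabilityConf.{HA_ADDRESSES, HA_ENGINE_REF_ID, HA_ETCD_SSL_CA_PATH, HA_ETCD_SSL_CLINET_CRT_PATH, HA_ETCD_SSL_CLINET_KEY_PATH, HA_ETCD_SSL_ENABLED}`.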
@@ -63,9 +65,32 @@ class EtcdDiscoveryClient(conf: KyuubiConf) extends DiscoveryClient {
var leaseTTL: Long = _
+ private def buildClient(): Client = {
+ val endpoints = conf.get(HA_ADDRESSES).split(",")
+ val sslEnabled = conf.get(HA_ETCD_SSL_ENABLED)
+ if (!sslEnabled) {
+ Client.builder.endpoints(endpoints: _*).build
+ } else {
+ val caPath = conf.getOption(HA_ETCD_SSL_CA_PATH.key).getOrElse(
+ throw new IllegalArgumentException(s"${HA_ETCD_SSL_CA_PATH.key} is not defined"))
+ val crtPath = conf.getOption(HA_ETCD_SSL_CLINET_CRT_PATH.key).getOrElse(
+ throw new IllegalArgumentException(s"${HA_ETCD_SSL_CLINET_CRT_PATH.key} is not defined"))
+ val keyPath = conf.getOption(HA_ETCD_SSL_CLINET_KEY_PATH.key).getOrElse(
+ throw new IllegalArgumentException(s"${HA_ETCD_SSL_CLINET_KEY_PATH.key} is not defined"))
+
+ val context = GrpcSslContexts.forClient()
+ .trustManager(new File(caPath))
+ .keyManager(new File(crtPath), new File(keyPath))
+ .build()
+ Client.builder()
+ .endpoints(endpoints: _*)
+ .sslContext(context)
+ .build()
+ }
+ }
+
def createClient(): Unit = {
- val endpoints = conf.get(HighAvailabilityConf.HA_ADDRESSES).split(",")
- client = Client.builder.endpoints(endpoints: _*).build
+ client = buildClient()
kvClient = client.getKVClient()
lockClient = client.getLockClient()
leaseClient = client.getLeaseClient()