You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@pinot.apache.org by ap...@apache.org on 2021/01/07 04:38:51 UTC
[incubator-pinot] branch pinot-internode-tls created (now b24bded)
This is an automated email from the ASF dual-hosted git repository.
apucher pushed a change to branch pinot-internode-tls
in repository https://gitbox.apache.org/repos/asf/incubator-pinot.git.
at b24bded unified client and internode TLS
This branch includes the following new commits:
new 468a65a more assertions
new b24bded unified client and internode TLS
The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@pinot.apache.org
For additional commands, e-mail: commits-help@pinot.apache.org
[incubator-pinot] 02/02: unified client and internode TLS
Posted by ap...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
apucher pushed a commit to branch pinot-internode-tls
in repository https://gitbox.apache.org/repos/asf/incubator-pinot.git
commit b24bdeda8a5e702a0b82022ff42576b94bf31816
Author: Alexander Pucher <al...@alexpucher.com>
AuthorDate: Wed Jan 6 19:17:24 2021 -0800
unified client and internode TLS
---
.../broker/broker/BrokerAdminApiApplication.java | 28 ++---
.../broker/broker/helix/HelixBrokerStarter.java | 6 +-
.../SingleConnectionBrokerRequestHandler.java | 6 +-
.../LiteralOnlyBrokerRequestTest.java | 4 +-
.../spark/connector/PinotServerDataFetcher.scala | 1 +
.../apache/pinot/controller/ControllerStarter.java | 7 ++
.../api/ControllerAdminApiApplication.java | 34 +++---
.../controller/api/listeners/ListenerConfig.java | 39 +++---
.../controller/api/listeners/TlsConfiguration.java | 63 ----------
.../pinot/controller/util/ListenerConfigUtil.java | 29 ++---
.../controller/util/ListenerConfigUtilTest.java | 19 +--
.../apache/pinot/core/transport/QueryRouter.java | 19 +++
.../apache/pinot/core/transport/QueryServer.java | 53 +++++++++
.../pinot/core/transport/ServerChannels.java | 45 +++++++
.../org/apache/pinot/core/transport/TlsConfig.java | 61 ++++++++++
.../java/org/apache/pinot/core/util/TlsUtils.java | 132 +++++++++++++++++++++
.../org/apache/pinot/server/conf/ServerConf.java | 4 +
.../pinot/server/starter/ServerInstance.java | 11 +-
18 files changed, 408 insertions(+), 153 deletions(-)
diff --git a/pinot-broker/src/main/java/org/apache/pinot/broker/broker/BrokerAdminApiApplication.java b/pinot-broker/src/main/java/org/apache/pinot/broker/broker/BrokerAdminApiApplication.java
index 821e4aa..5d4b13a 100644
--- a/pinot-broker/src/main/java/org/apache/pinot/broker/broker/BrokerAdminApiApplication.java
+++ b/pinot-broker/src/main/java/org/apache/pinot/broker/broker/BrokerAdminApiApplication.java
@@ -29,6 +29,8 @@ import org.apache.pinot.broker.requesthandler.BrokerRequestHandler;
import org.apache.pinot.broker.routing.RoutingManager;
import org.apache.pinot.common.metrics.BrokerMetrics;
import org.apache.pinot.common.utils.CommonConstants;
+import org.apache.pinot.core.transport.TlsConfig;
+import org.apache.pinot.core.util.TlsUtils;
import org.apache.pinot.spi.env.PinotConfiguration;
import org.glassfish.grizzly.http.server.CLStaticHttpHandler;
import org.glassfish.grizzly.http.server.HttpHandler;
@@ -73,7 +75,6 @@ public class BrokerAdminApiApplication extends ResourceConfig {
Preconditions.checkArgument(brokerQueryPort > 0, "broker client port must be > 0");
_baseUri = URI.create(String.format("%s://0.0.0.0:%d/", getBrokerClientProtocol(brokerConf), brokerQueryPort));
-
_httpServer = buildHttpsServer(brokerConf);
setupSwagger();
}
@@ -81,31 +82,26 @@ public class BrokerAdminApiApplication extends ResourceConfig {
private HttpServer buildHttpsServer(PinotConfiguration brokerConf) {
boolean isSecure = CommonConstants.HTTPS_PROTOCOL.equals(getBrokerClientProtocol(brokerConf));
+ TlsConfig tlsConfig = TlsUtils.extractTlsConfig(brokerConf, "pinot.broker.client");
+ tlsConfig.setEnabled(isSecure);
+
if (isSecure) {
- return GrizzlyHttpServerFactory.createHttpServer(_baseUri, this, true, buildSSLConfig(brokerConf));
+ return GrizzlyHttpServerFactory.createHttpServer(_baseUri, this, true, buildSSLConfig(tlsConfig));
}
return GrizzlyHttpServerFactory.createHttpServer(_baseUri, this);
}
- private SSLEngineConfigurator buildSSLConfig(PinotConfiguration brokerConf) {
+ private SSLEngineConfigurator buildSSLConfig(TlsConfig tlsConfig) {
SSLContextConfigurator sslContextConfigurator = new SSLContextConfigurator();
- sslContextConfigurator.setKeyStoreFile(brokerConf.getProperty(
- CommonConstants.Broker.CONFIG_OF_BROKER_CLIENT_TLS_KEYSTORE_PATH));
- sslContextConfigurator.setKeyStorePass(brokerConf.getProperty(
- CommonConstants.Broker.CONFIG_OF_BROKER_CLIENT_TLS_KEYSTORE_PASSWORD));
- sslContextConfigurator.setTrustStoreFile(brokerConf.getProperty(
- CommonConstants.Broker.CONFIG_OF_BROKER_CLIENT_TLS_TRUSTSTORE_PATH));
- sslContextConfigurator.setTrustStorePass(brokerConf.getProperty(
- CommonConstants.Broker.CONFIG_OF_BROKER_CLIENT_TLS_TRUSTSTORE_PASSWORD));
-
- boolean requiresClientAuth = brokerConf.getProperty(
- CommonConstants.Broker.CONFIG_OF_BROKER_CLIENT_TLS_CLIENT_AUTH,
- CommonConstants.Broker.DEFAULT_BROKER_CLIENT_TLS_CLIENT_AUTH);
+ sslContextConfigurator.setKeyStoreFile(tlsConfig.getKeyStorePath());
+ sslContextConfigurator.setKeyStorePass(tlsConfig.getKeyStorePassword());
+ sslContextConfigurator.setTrustStoreFile(tlsConfig.getTrustStorePath());
+ sslContextConfigurator.setTrustStorePass(tlsConfig.getTrustStorePassword());
return new SSLEngineConfigurator(sslContextConfigurator).setClientMode(false)
- .setWantClientAuth(requiresClientAuth).setEnabledProtocols(new String[] { "TLSv1.2" });
+ .setNeedClientAuth(tlsConfig.isClientAuth()).setEnabledProtocols(new String[] { "TLSv1.2" });
}
private static String getBrokerClientProtocol(PinotConfiguration brokerConf) {
diff --git a/pinot-broker/src/main/java/org/apache/pinot/broker/broker/helix/HelixBrokerStarter.java b/pinot-broker/src/main/java/org/apache/pinot/broker/broker/helix/HelixBrokerStarter.java
index 746bf7a..c31c3b7 100644
--- a/pinot-broker/src/main/java/org/apache/pinot/broker/broker/helix/HelixBrokerStarter.java
+++ b/pinot-broker/src/main/java/org/apache/pinot/broker/broker/helix/HelixBrokerStarter.java
@@ -60,6 +60,8 @@ import org.apache.pinot.common.utils.NetUtil;
import org.apache.pinot.common.utils.ServiceStatus;
import org.apache.pinot.common.utils.config.TagNameUtils;
import org.apache.pinot.common.utils.helix.TableCache;
+import org.apache.pinot.core.transport.TlsConfig;
+import org.apache.pinot.core.util.TlsUtils;
import org.apache.pinot.spi.env.PinotConfiguration;
import org.apache.pinot.spi.services.ServiceRole;
import org.apache.pinot.spi.services.ServiceStartable;
@@ -238,9 +240,11 @@ public class HelixBrokerStarter implements ServiceStartable {
// Initialize FunctionRegistry before starting the broker request handler
FunctionRegistry.init();
TableCache tableCache = new TableCache(_propertyStore, caseInsensitive);
+ // Configure TLS
+ TlsConfig tlsConfig = TlsUtils.extractTlsConfig(_brokerConf, "pinot.broker.netty");
_brokerRequestHandler =
new SingleConnectionBrokerRequestHandler(_brokerConf, _routingManager, _accessControlFactory, queryQuotaManager,
- tableCache, _brokerMetrics);
+ tableCache, _brokerMetrics, tlsConfig);
int brokerQueryPort = _brokerConf.getProperty(Helix.KEY_OF_BROKER_QUERY_PORT, Helix.DEFAULT_BROKER_QUERY_PORT);
LOGGER.info("Starting broker admin application on port: {}", brokerQueryPort);
diff --git a/pinot-broker/src/main/java/org/apache/pinot/broker/requesthandler/SingleConnectionBrokerRequestHandler.java b/pinot-broker/src/main/java/org/apache/pinot/broker/requesthandler/SingleConnectionBrokerRequestHandler.java
index cbffeb1..ec24e66 100644
--- a/pinot-broker/src/main/java/org/apache/pinot/broker/requesthandler/SingleConnectionBrokerRequestHandler.java
+++ b/pinot-broker/src/main/java/org/apache/pinot/broker/requesthandler/SingleConnectionBrokerRequestHandler.java
@@ -44,6 +44,8 @@ import org.apache.pinot.core.transport.QueryRouter;
import org.apache.pinot.core.transport.ServerInstance;
import org.apache.pinot.core.transport.ServerResponse;
import org.apache.pinot.core.transport.ServerRoutingInstance;
+import org.apache.pinot.core.transport.TlsConfig;
+import org.apache.pinot.core.util.TlsUtils;
import org.apache.pinot.spi.env.PinotConfiguration;
import org.apache.pinot.spi.utils.builder.TableNameBuilder;
@@ -58,9 +60,9 @@ public class SingleConnectionBrokerRequestHandler extends BaseBrokerRequestHandl
public SingleConnectionBrokerRequestHandler(PinotConfiguration config, RoutingManager routingManager,
AccessControlFactory accessControlFactory, QueryQuotaManager queryQuotaManager, TableCache tableCache,
- BrokerMetrics brokerMetrics) {
+ BrokerMetrics brokerMetrics, TlsConfig tlsConfig) {
super(config, routingManager, accessControlFactory, queryQuotaManager, tableCache, brokerMetrics);
- _queryRouter = new QueryRouter(_brokerId, brokerMetrics);
+ _queryRouter = new QueryRouter(_brokerId, brokerMetrics, tlsConfig);
}
@Override
diff --git a/pinot-broker/src/test/java/org/apache/pinot/broker/requesthandler/LiteralOnlyBrokerRequestTest.java b/pinot-broker/src/test/java/org/apache/pinot/broker/requesthandler/LiteralOnlyBrokerRequestTest.java
index e23435e..65896d2 100644
--- a/pinot-broker/src/test/java/org/apache/pinot/broker/requesthandler/LiteralOnlyBrokerRequestTest.java
+++ b/pinot-broker/src/test/java/org/apache/pinot/broker/requesthandler/LiteralOnlyBrokerRequestTest.java
@@ -92,7 +92,7 @@ public class LiteralOnlyBrokerRequestTest {
throws Exception {
SingleConnectionBrokerRequestHandler requestHandler =
new SingleConnectionBrokerRequestHandler(new PinotConfiguration(), null, null, null, null,
- new BrokerMetrics("", new MetricsRegistry(), true, Collections.emptySet()));
+ new BrokerMetrics("", new MetricsRegistry(), true, Collections.emptySet()), null);
long randNum = RANDOM.nextLong();
byte[] randBytes = new byte[12];
RANDOM.nextBytes(randBytes);
@@ -119,7 +119,7 @@ public class LiteralOnlyBrokerRequestTest {
throws Exception {
SingleConnectionBrokerRequestHandler requestHandler =
new SingleConnectionBrokerRequestHandler(new PinotConfiguration(), null, null, null, null,
- new BrokerMetrics("", new MetricsRegistry(), true, Collections.emptySet()));
+ new BrokerMetrics("", new MetricsRegistry(), true, Collections.emptySet()), null);
long currentTsMin = System.currentTimeMillis();
JsonNode request = new ObjectMapper().readTree(
"{\"sql\":\"SELECT now() as currentTs, fromDateTime('2020-01-01 UTC', 'yyyy-MM-dd z') as firstDayOf2020\"}");
diff --git a/pinot-connectors/pinot-spark-connector/src/main/scala/org/apache/pinot/connector/spark/connector/PinotServerDataFetcher.scala b/pinot-connectors/pinot-spark-connector/src/main/scala/org/apache/pinot/connector/spark/connector/PinotServerDataFetcher.scala
index 6b938cb..1c103b4 100644
--- a/pinot-connectors/pinot-spark-connector/src/main/scala/org/apache/pinot/connector/spark/connector/PinotServerDataFetcher.scala
+++ b/pinot-connectors/pinot-spark-connector/src/main/scala/org/apache/pinot/connector/spark/connector/PinotServerDataFetcher.scala
@@ -48,6 +48,7 @@ private[pinot] class PinotServerDataFetcher(
private val metricsRegistry = new MetricsRegistry()
private val brokerMetrics = new BrokerMetrics(metricsRegistry)
private val queryRouter = new QueryRouter(brokerId, brokerMetrics)
+ // TODO add support for TLS-secured server
def fetchData(): List[DataTable] = {
val routingTableForRequest = createRoutingTableForRequest()
diff --git a/pinot-controller/src/main/java/org/apache/pinot/controller/ControllerStarter.java b/pinot-controller/src/main/java/org/apache/pinot/controller/ControllerStarter.java
index fb46da9..c1e1efc 100644
--- a/pinot-controller/src/main/java/org/apache/pinot/controller/ControllerStarter.java
+++ b/pinot-controller/src/main/java/org/apache/pinot/controller/ControllerStarter.java
@@ -83,6 +83,7 @@ import org.apache.pinot.controller.validation.OfflineSegmentIntervalChecker;
import org.apache.pinot.controller.validation.RealtimeSegmentValidationManager;
import org.apache.pinot.core.periodictask.PeriodicTask;
import org.apache.pinot.core.periodictask.PeriodicTaskScheduler;
+import org.apache.pinot.core.util.TlsUtils;
import org.apache.pinot.spi.crypt.PinotCrypterFactory;
import org.apache.pinot.spi.env.PinotConfiguration;
import org.apache.pinot.spi.filesystem.PinotFSFactory;
@@ -413,6 +414,12 @@ public class ControllerStarter implements ServiceStartable {
}
});
+ // install default SSL context if necessary
+ if (CommonConstants.HTTPS_PROTOCOL.equals(_config.getProperty(ControllerConf.CONTROLLER_BROKER_PROTOCOL))) {
+ LOGGER.info("Installing default SSL context for broker relay requests");
+ TlsUtils.installDefaultSSLSocketFactory(TlsUtils.extractTlsConfig(_config, "controller.broker"));
+ }
+
_adminApp.start(_listenerConfigs);
_listenerConfigs.stream().forEach(listenerConfig -> LOGGER.info("Controller services available at {}://{}:{}/",
diff --git a/pinot-controller/src/main/java/org/apache/pinot/controller/api/ControllerAdminApiApplication.java b/pinot-controller/src/main/java/org/apache/pinot/controller/api/ControllerAdminApiApplication.java
index 5c2c8e3..a18553e 100644
--- a/pinot-controller/src/main/java/org/apache/pinot/controller/api/ControllerAdminApiApplication.java
+++ b/pinot-controller/src/main/java/org/apache/pinot/controller/api/ControllerAdminApiApplication.java
@@ -18,23 +18,20 @@
*/
package org.apache.pinot.controller.api;
+import com.google.common.base.Preconditions;
+import io.swagger.jaxrs.config.BeanConfig;
import java.io.IOException;
-import java.net.InetAddress;
import java.net.URI;
import java.net.URL;
import java.net.URLClassLoader;
-import java.net.UnknownHostException;
-import java.util.Collection;
import java.util.List;
import java.util.stream.Collectors;
-
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
-
-import org.apache.pinot.controller.api.listeners.ListenerConfig;
-import org.apache.pinot.controller.api.listeners.TlsConfiguration;
import org.apache.pinot.common.utils.CommonConstants;
+import org.apache.pinot.controller.api.listeners.ListenerConfig;
+import org.apache.pinot.core.transport.TlsConfig;
import org.glassfish.grizzly.http.server.CLStaticHttpHandler;
import org.glassfish.grizzly.http.server.HttpServer;
import org.glassfish.grizzly.http.server.NetworkListener;
@@ -50,10 +47,6 @@ import org.glassfish.jersey.server.ResourceConfig;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import com.google.common.base.Preconditions;
-
-import io.swagger.jaxrs.config.BeanConfig;
-
public class ControllerAdminApiApplication extends ResourceConfig {
private static final Logger LOGGER = LoggerFactory.getLogger(ControllerAdminApiApplication.class);
@@ -76,16 +69,16 @@ public class ControllerAdminApiApplication extends ResourceConfig {
// property("jersey.config.server.tracing.threshold", "VERBOSE");
}
- private SSLEngineConfigurator buildSSLEngineConfigurator(TlsConfiguration tlsConfiguration) {
+ private SSLEngineConfigurator buildSSLEngineConfigurator(TlsConfig tlsConfig) {
SSLContextConfigurator sslContextConfigurator = new SSLContextConfigurator();
- sslContextConfigurator.setKeyStoreFile(tlsConfiguration.getKeyStorePath());
- sslContextConfigurator.setKeyStorePass(tlsConfiguration.getKeyStorePassword());
- sslContextConfigurator.setTrustStoreFile(tlsConfiguration.getTrustStorePath());
- sslContextConfigurator.setTrustStorePass(tlsConfiguration.getTrustStorePassword());
+ sslContextConfigurator.setKeyStoreFile(tlsConfig.getKeyStorePath());
+ sslContextConfigurator.setKeyStorePass(tlsConfig.getKeyStorePassword());
+ sslContextConfigurator.setTrustStoreFile(tlsConfig.getTrustStorePath());
+ sslContextConfigurator.setTrustStorePass(tlsConfig.getTrustStorePassword());
return new SSLEngineConfigurator(sslContextConfigurator).setClientMode(false)
- .setWantClientAuth(tlsConfiguration.isRequiresClientAuth()).setEnabledProtocols(new String[] { "TLSv1.2 " });
+ .setNeedClientAuth(tlsConfig.isClientAuth()).setEnabledProtocols(new String[] { "TLSv1.2" });
}
public void registerBinder(AbstractBinder binder) {
@@ -100,10 +93,11 @@ public class ControllerAdminApiApplication extends ResourceConfig {
.setThreadFactory(new ThreadFactoryBuilder().setNameFormat("grizzly-http-server-%d")
.setUncaughtExceptionHandler(new JerseyProcessingUncaughtExceptionHandler()).build());
- listener.setSecure(listenerConfig.getTlsConfiguration() != null);
- if (listener.isSecure()) {
- listener.setSSLEngineConfig(buildSSLEngineConfigurator(listenerConfig.getTlsConfiguration()));
+ if (listenerConfig.getTlsConfig().isEnabled()) {
+ listener.setSecure(true);
+ listener.setSSLEngineConfig(buildSSLEngineConfigurator(listenerConfig.getTlsConfig()));
}
+
httpServer.addListener(listener);
}
diff --git a/pinot-controller/src/main/java/org/apache/pinot/controller/api/listeners/ListenerConfig.java b/pinot-controller/src/main/java/org/apache/pinot/controller/api/listeners/ListenerConfig.java
index 07df6a1..822912f 100644
--- a/pinot-controller/src/main/java/org/apache/pinot/controller/api/listeners/ListenerConfig.java
+++ b/pinot-controller/src/main/java/org/apache/pinot/controller/api/listeners/ListenerConfig.java
@@ -18,42 +18,45 @@
*/
package org.apache.pinot.controller.api.listeners;
+import org.apache.pinot.core.transport.TlsConfig;
+
+
/**
* Provides configuration settings expected by an Http Server to
* setup listeners for http and https protocols.
*/
public class ListenerConfig {
- private final String name;
- private final String host;
- private final int port;
- private final String protocol;
- private final TlsConfiguration tlsConfiguration;
-
- public ListenerConfig(String name, String host, int port, String protocol, TlsConfiguration tlsConfiguration) {
- this.name = name;
- this.host = host;
- this.port = port;
- this.protocol = protocol;
- this.tlsConfiguration = tlsConfiguration;
+ private final String _name;
+ private final String _host;
+ private final int _port;
+ private final String _protocol;
+ private final TlsConfig _tlsConfig;
+
+ public ListenerConfig(String name, String host, int port, String protocol, TlsConfig tlsConfig) {
+ this._name = name;
+ this._host = host;
+ this._port = port;
+ this._protocol = protocol;
+ this._tlsConfig = tlsConfig;
}
public String getName() {
- return name;
+ return _name;
}
public String getHost() {
- return host;
+ return _host;
}
public int getPort() {
- return port;
+ return _port;
}
public String getProtocol() {
- return protocol;
+ return _protocol;
}
- public TlsConfiguration getTlsConfiguration() {
- return tlsConfiguration;
+ public TlsConfig getTlsConfig() {
+ return _tlsConfig;
}
}
diff --git a/pinot-controller/src/main/java/org/apache/pinot/controller/api/listeners/TlsConfiguration.java b/pinot-controller/src/main/java/org/apache/pinot/controller/api/listeners/TlsConfiguration.java
deleted file mode 100644
index d3edde0..0000000
--- a/pinot-controller/src/main/java/org/apache/pinot/controller/api/listeners/TlsConfiguration.java
+++ /dev/null
@@ -1,63 +0,0 @@
-package org.apache.pinot.controller.api.listeners;
-
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-/**
- * Holds TLS configuration settings. Used as a vessel to configure Https Listeners.
- *
- * @author Daniel Lavoie
- * @since 0.4.0
- */
-public class TlsConfiguration {
- private final String keyStorePath;
- private final String keyStorePassword;
- private final String trustStorePath;
- private final String trustStorePassword;
- private final boolean requiresClientAuth;
-
- public TlsConfiguration(String keyStorePath, String keyStorePassword, String trustStorePath,
- String trustStorePassword, boolean requiresClientAuth) {
- this.keyStorePath = keyStorePath;
- this.keyStorePassword = keyStorePassword;
- this.trustStorePath = trustStorePath;
- this.trustStorePassword = trustStorePassword;
- this.requiresClientAuth = requiresClientAuth;
- }
-
- public String getKeyStorePath() {
- return keyStorePath;
- }
-
- public String getKeyStorePassword() {
- return keyStorePassword;
- }
-
- public String getTrustStorePath() {
- return trustStorePath;
- }
-
- public String getTrustStorePassword() {
- return trustStorePassword;
- }
-
- public boolean isRequiresClientAuth() {
- return requiresClientAuth;
- }
-}
diff --git a/pinot-controller/src/main/java/org/apache/pinot/controller/util/ListenerConfigUtil.java b/pinot-controller/src/main/java/org/apache/pinot/controller/util/ListenerConfigUtil.java
index 398cd78..f33f523 100644
--- a/pinot-controller/src/main/java/org/apache/pinot/controller/util/ListenerConfigUtil.java
+++ b/pinot-controller/src/main/java/org/apache/pinot/controller/util/ListenerConfigUtil.java
@@ -22,10 +22,11 @@ import java.util.ArrayList;
import java.util.List;
import java.util.Optional;
import java.util.stream.Collectors;
-
+import org.apache.pinot.common.utils.CommonConstants;
import org.apache.pinot.controller.ControllerConf;
import org.apache.pinot.controller.api.listeners.ListenerConfig;
-import org.apache.pinot.controller.api.listeners.TlsConfiguration;
+import org.apache.pinot.core.transport.TlsConfig;
+import org.apache.pinot.core.util.TlsUtils;
/**
@@ -47,7 +48,8 @@ public abstract class ListenerConfigUtil {
if (controllerConf.getControllerPort() != null) {
listenerConfigs.add(
- new ListenerConfig("http", "0.0.0.0", Integer.valueOf(controllerConf.getControllerPort()), "http", null));
+ new ListenerConfig("http", "0.0.0.0", Integer.parseInt(controllerConf.getControllerPort()),
+ "http", new TlsConfig()));
}
listenerConfigs.addAll(controllerConf.getControllerAccessProtocols().stream()
@@ -59,26 +61,13 @@ public abstract class ListenerConfigUtil {
return listenerConfigs;
}
- private static Optional<TlsConfiguration> buildTlsConfiguration(String protocol, ControllerConf controllerConf) {
- return Optional.ofNullable(controllerConf.getControllerAccessProtocolProperty(protocol, "tls.keystore.path"))
-
- .map(keystore -> buildTlsConfiguration(protocol, keystore, controllerConf));
- }
-
- private static TlsConfiguration buildTlsConfiguration(String protocol, String keystore,
- ControllerConf controllerConf) {
- return new TlsConfiguration(keystore,
- controllerConf.getControllerAccessProtocolProperty(protocol, "tls.keystore.password"),
- controllerConf.getControllerAccessProtocolProperty(protocol, "tls.truststore.path"),
- controllerConf.getControllerAccessProtocolProperty(protocol, "tls.truststore.password"), Boolean.parseBoolean(
- controllerConf.getControllerAccessProtocolProperty(protocol, "tls.requires_client_auth", "false")));
- }
-
private static ListenerConfig buildListenerConfig(String protocol, ControllerConf controllerConf) {
+ TlsConfig tlsConfig = TlsUtils.extractTlsConfig(controllerConf, "controller.access.protocols." + protocol);
+ tlsConfig.setEnabled(CommonConstants.HTTPS_PROTOCOL.equals(protocol));
+
return new ListenerConfig(protocol,
getHost(controllerConf.getControllerAccessProtocolProperty(protocol, "host", "0.0.0.0")),
- getPort(controllerConf.getControllerAccessProtocolProperty(protocol, "port")), protocol,
- buildTlsConfiguration(protocol, controllerConf).orElse(null));
+ getPort(controllerConf.getControllerAccessProtocolProperty(protocol, "port")), protocol, tlsConfig);
}
private static String getHost(String configuredHost) {
diff --git a/pinot-controller/src/test/java/org/apache/pinot/controller/util/ListenerConfigUtilTest.java b/pinot-controller/src/test/java/org/apache/pinot/controller/util/ListenerConfigUtilTest.java
index bcb4333..c8c745b 100644
--- a/pinot-controller/src/test/java/org/apache/pinot/controller/util/ListenerConfigUtilTest.java
+++ b/pinot-controller/src/test/java/org/apache/pinot/controller/util/ListenerConfigUtilTest.java
@@ -174,7 +174,7 @@ public class ListenerConfigUtilTest {
Assert.assertEquals(legacyListener.getHost(), "0.0.0.0");
Assert.assertEquals(legacyListener.getPort(), 9000);
Assert.assertEquals(legacyListener.getProtocol(), "http");
- Assert.assertNull(legacyListener.getTlsConfiguration());
+ Assert.assertFalse(legacyListener.getTlsConfig().isEnabled());
}
private void assertHttpListener(ListenerConfig httpsListener, String host, int port) {
@@ -182,7 +182,7 @@ public class ListenerConfigUtilTest {
Assert.assertEquals(httpsListener.getHost(), host);
Assert.assertEquals(httpsListener.getPort(), port);
Assert.assertEquals(httpsListener.getProtocol(), "http");
- Assert.assertNull(httpsListener.getTlsConfiguration());
+ Assert.assertFalse(httpsListener.getTlsConfig().isEnabled());
}
private void assertHttpsListener(ListenerConfig httpsListener, String host, int port) {
@@ -190,12 +190,13 @@ public class ListenerConfigUtilTest {
Assert.assertEquals(httpsListener.getHost(), host);
Assert.assertEquals(httpsListener.getPort(), port);
Assert.assertEquals(httpsListener.getProtocol(), "https");
- Assert.assertNotNull(httpsListener.getTlsConfiguration());
- Assert.assertEquals(httpsListener.getTlsConfiguration().getKeyStorePassword(), "a-password");
- Assert.assertEquals(httpsListener.getTlsConfiguration().getKeyStorePath(), "/some-keystore-path");
- Assert.assertEquals(httpsListener.getTlsConfiguration().isRequiresClientAuth(), true);
- Assert.assertEquals(httpsListener.getTlsConfiguration().getTrustStorePassword(), "a-password");
- Assert.assertEquals(httpsListener.getTlsConfiguration().getTrustStorePath(), "/some-truststore-path");
+ Assert.assertNotNull(httpsListener.getTlsConfig());
+ Assert.assertTrue(httpsListener.getTlsConfig().isEnabled());
+ Assert.assertEquals(httpsListener.getTlsConfig().getKeyStorePassword(), "a-password");
+ Assert.assertEquals(httpsListener.getTlsConfig().getKeyStorePath(), "/some-keystore-path");
+ Assert.assertTrue(httpsListener.getTlsConfig().isClientAuth());
+ Assert.assertEquals(httpsListener.getTlsConfig().getTrustStorePassword(), "a-password");
+ Assert.assertEquals(httpsListener.getTlsConfig().getTrustStorePath(), "/some-truststore-path");
}
private void configureHttpsProperties(ControllerConf controllerConf, String host, int port) {
@@ -205,7 +206,7 @@ public class ListenerConfigUtilTest {
controllerConf.setProperty("controller.access.protocols.https.port", String.valueOf(port));
controllerConf.setProperty("controller.access.protocols.https.tls.keystore.password", "a-password");
controllerConf.setProperty("controller.access.protocols.https.tls.keystore.path", "/some-keystore-path");
- controllerConf.setProperty("controller.access.protocols.https.tls.requires_client_auth", "true");
+ controllerConf.setProperty("controller.access.protocols.https.tls.client.auth", "true");
controllerConf.setProperty("controller.access.protocols.https.tls.truststore.password", "a-password");
controllerConf.setProperty("controller.access.protocols.https.tls.truststore.path", "/some-truststore-path");
}
diff --git a/pinot-core/src/main/java/org/apache/pinot/core/transport/QueryRouter.java b/pinot-core/src/main/java/org/apache/pinot/core/transport/QueryRouter.java
index 2710a16..6e2e9ae 100644
--- a/pinot-core/src/main/java/org/apache/pinot/core/transport/QueryRouter.java
+++ b/pinot-core/src/main/java/org/apache/pinot/core/transport/QueryRouter.java
@@ -48,12 +48,31 @@ public class QueryRouter {
private final ServerChannels _serverChannels;
private final ConcurrentHashMap<Long, AsyncQueryResponse> _asyncQueryResponseMap = new ConcurrentHashMap<>();
+ /**
+ * Create an unsecured query router
+ *
+ * @param brokerId broker id
+ * @param brokerMetrics broker metrics
+ */
public QueryRouter(String brokerId, BrokerMetrics brokerMetrics) {
_brokerId = brokerId;
_brokerMetrics = brokerMetrics;
_serverChannels = new ServerChannels(this, brokerMetrics);
}
+ /**
+ * Create a query router with TLS config
+ *
+ * @param brokerId broker id
+ * @param brokerMetrics broker metrics
+ * @param tlsConfig TLS config
+ */
+ public QueryRouter(String brokerId, BrokerMetrics brokerMetrics, TlsConfig tlsConfig) {
+ _brokerId = brokerId;
+ _brokerMetrics = brokerMetrics;
+ _serverChannels = new ServerChannels(this, brokerMetrics, tlsConfig);
+ }
+
public AsyncQueryResponse submitQuery(long requestId, String rawTableName,
@Nullable BrokerRequest offlineBrokerRequest, @Nullable Map<ServerInstance, List<String>> offlineRoutingTable,
@Nullable BrokerRequest realtimeBrokerRequest, @Nullable Map<ServerInstance, List<String>> realtimeRoutingTable,
diff --git a/pinot-core/src/main/java/org/apache/pinot/core/transport/QueryServer.java b/pinot-core/src/main/java/org/apache/pinot/core/transport/QueryServer.java
index 6299f94..2c85afa 100644
--- a/pinot-core/src/main/java/org/apache/pinot/core/transport/QueryServer.java
+++ b/pinot-core/src/main/java/org/apache/pinot/core/transport/QueryServer.java
@@ -28,9 +28,14 @@ import io.netty.channel.socket.SocketChannel;
import io.netty.channel.socket.nio.NioServerSocketChannel;
import io.netty.handler.codec.LengthFieldBasedFrameDecoder;
import io.netty.handler.codec.LengthFieldPrepender;
+import io.netty.handler.logging.LogLevel;
+import io.netty.handler.logging.LoggingHandler;
+import io.netty.handler.ssl.ClientAuth;
+import io.netty.handler.ssl.SslContextBuilder;
import java.util.concurrent.TimeUnit;
import org.apache.pinot.common.metrics.ServerMetrics;
import org.apache.pinot.core.query.scheduler.QueryScheduler;
+import org.apache.pinot.core.util.TlsUtils;
/**
@@ -41,15 +46,36 @@ public class QueryServer {
private final int _port;
private final QueryScheduler _queryScheduler;
private final ServerMetrics _serverMetrics;
+ private final TlsConfig _tlsConfig;
private EventLoopGroup _bossGroup;
private EventLoopGroup _workerGroup;
private Channel _channel;
+ /**
+ * Create an unsecured server instance
+ *
+ * @param port bind port
+ * @param queryScheduler query scheduler
+ * @param serverMetrics server metrics
+ */
public QueryServer(int port, QueryScheduler queryScheduler, ServerMetrics serverMetrics) {
+ this(port, queryScheduler, serverMetrics, null);
+ }
+
+ /**
+ * Create a server instance with TLS config
+ *
+ * @param port bind port
+ * @param queryScheduler query scheduler
+ * @param serverMetrics server metrics
+ * @param tlsConfig TLS/SSL config
+ */
+ public QueryServer(int port, QueryScheduler queryScheduler, ServerMetrics serverMetrics, TlsConfig tlsConfig) {
_port = port;
_queryScheduler = queryScheduler;
_serverMetrics = serverMetrics;
+ _tlsConfig = tlsConfig;
}
public void start() {
@@ -62,6 +88,10 @@ public class QueryServer {
.childHandler(new ChannelInitializer<SocketChannel>() {
@Override
protected void initChannel(SocketChannel ch) {
+ if (_tlsConfig != null && _tlsConfig.isEnabled()) {
+ attachSSLHandler(ch);
+ }
+
ch.pipeline()
.addLast(new LengthFieldBasedFrameDecoder(Integer.MAX_VALUE, 0, Integer.BYTES, 0, Integer.BYTES),
new LengthFieldPrepender(Integer.BYTES),
@@ -76,6 +106,29 @@ public class QueryServer {
}
}
+ private void attachSSLHandler(SocketChannel ch) {
+ try {
+ if (_tlsConfig.getKeyStorePath() == null) {
+ throw new IllegalArgumentException("Must provide key store path for secured server");
+ }
+
+ SslContextBuilder sslContextBuilder = SslContextBuilder.forServer(TlsUtils.createKeyManagerFactory(_tlsConfig));
+
+ if (_tlsConfig.getTrustStorePath() != null) {
+ sslContextBuilder.trustManager(TlsUtils.createTrustManagerFactory(_tlsConfig));
+ }
+
+ if (_tlsConfig.isClientAuth()) {
+ sslContextBuilder.clientAuth(ClientAuth.REQUIRE);
+ }
+
+ ch.pipeline().addLast("ssl", sslContextBuilder.build().newHandler(ch.alloc()));
+
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ }
+
public void shutDown() {
try {
_channel.close().sync();
diff --git a/pinot-core/src/main/java/org/apache/pinot/core/transport/ServerChannels.java b/pinot-core/src/main/java/org/apache/pinot/core/transport/ServerChannels.java
index 7c05742..e9cd2aa 100644
--- a/pinot-core/src/main/java/org/apache/pinot/core/transport/ServerChannels.java
+++ b/pinot-core/src/main/java/org/apache/pinot/core/transport/ServerChannels.java
@@ -29,6 +29,8 @@ import io.netty.channel.socket.SocketChannel;
import io.netty.channel.socket.nio.NioSocketChannel;
import io.netty.handler.codec.LengthFieldBasedFrameDecoder;
import io.netty.handler.codec.LengthFieldPrepender;
+import io.netty.handler.ssl.ClientAuth;
+import io.netty.handler.ssl.SslContextBuilder;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.TimeUnit;
import javax.annotation.concurrent.ThreadSafe;
@@ -36,6 +38,7 @@ import org.apache.pinot.common.metrics.BrokerGauge;
import org.apache.pinot.common.metrics.BrokerMeter;
import org.apache.pinot.common.metrics.BrokerMetrics;
import org.apache.pinot.common.request.InstanceRequest;
+import org.apache.pinot.core.util.TlsUtils;
import org.apache.thrift.TSerializer;
import org.apache.thrift.protocol.TCompactProtocol;
@@ -51,10 +54,29 @@ public class ServerChannels {
private final BrokerMetrics _brokerMetrics;
private final ConcurrentHashMap<ServerRoutingInstance, ServerChannel> _serverToChannelMap = new ConcurrentHashMap<>();
private final EventLoopGroup _eventLoopGroup = new NioEventLoopGroup();
+ private final TlsConfig _tlsConfig;
+ /**
+ * Create an unsecured server channel
+ *
+ * @param queryRouter query router
+ * @param brokerMetrics broker metrics
+ */
public ServerChannels(QueryRouter queryRouter, BrokerMetrics brokerMetrics) {
+ this(queryRouter, brokerMetrics, null);
+ }
+
+ /**
+ * Create a server channel with TLS config
+ *
+ * @param queryRouter query router
+ * @param brokerMetrics broker metrics
+ * @param tlsConfig TLS/SSL config
+ */
+ public ServerChannels(QueryRouter queryRouter, BrokerMetrics brokerMetrics, TlsConfig tlsConfig) {
_queryRouter = queryRouter;
_brokerMetrics = brokerMetrics;
+ _tlsConfig = tlsConfig;
}
public void sendRequest(ServerRoutingInstance serverRoutingInstance, InstanceRequest instanceRequest)
@@ -81,6 +103,10 @@ public class ServerChannels {
.handler(new ChannelInitializer<SocketChannel>() {
@Override
protected void initChannel(SocketChannel ch) {
+ if (_tlsConfig != null && _tlsConfig.isEnabled()) {
+ attachSSLHandler(ch);
+ }
+
ch.pipeline()
.addLast(new LengthFieldBasedFrameDecoder(Integer.MAX_VALUE, 0, Integer.BYTES, 0, Integer.BYTES),
new LengthFieldPrepender(Integer.BYTES),
@@ -91,6 +117,25 @@ public class ServerChannels {
});
}
+ private void attachSSLHandler(SocketChannel ch) {
+ try {
+ SslContextBuilder sslContextBuilder = SslContextBuilder.forClient();
+
+ if (_tlsConfig.getKeyStorePath() != null) {
+ sslContextBuilder.keyManager(TlsUtils.createKeyManagerFactory(_tlsConfig));
+ }
+
+ if (_tlsConfig.getTrustStorePath() != null) {
+ sslContextBuilder.trustManager(TlsUtils.createTrustManagerFactory(_tlsConfig));
+ }
+
+ ch.pipeline().addLast("ssl", sslContextBuilder.build().newHandler(ch.alloc()));
+
+ } catch (Exception e) {
+ throw new RuntimeException(e);
+ }
+ }
+
synchronized void sendRequest(InstanceRequest instanceRequest)
throws Exception {
if (_channel == null || !_channel.isActive()) {
diff --git a/pinot-core/src/main/java/org/apache/pinot/core/transport/TlsConfig.java b/pinot-core/src/main/java/org/apache/pinot/core/transport/TlsConfig.java
new file mode 100644
index 0000000..0ea7f47
--- /dev/null
+++ b/pinot-core/src/main/java/org/apache/pinot/core/transport/TlsConfig.java
@@ -0,0 +1,61 @@
+package org.apache.pinot.core.transport;
+
+/**
+ * Container object for TLS/SSL configuration of pinot clients and servers (netty, grizzly, etc.)
+ */
+public class TlsConfig {
+ private boolean _enabled;
+ private boolean _clientAuth;
+ private String _keyStorePath;
+ private String _keyStorePassword;
+ private String _trustStorePath;
+ private String _trustStorePassword;
+
+ public boolean isEnabled() {
+ return _enabled;
+ }
+
+ public void setEnabled(boolean enabled) {
+ _enabled = enabled;
+ }
+
+ public boolean isClientAuth() {
+ return _clientAuth;
+ }
+
+ public void setClientAuth(boolean clientAuth) {
+ _clientAuth = clientAuth;
+ }
+
+ public String getKeyStorePath() {
+ return _keyStorePath;
+ }
+
+ public void setKeyStorePath(String keyStorePath) {
+ _keyStorePath = keyStorePath;
+ }
+
+ public String getKeyStorePassword() {
+ return _keyStorePassword;
+ }
+
+ public void setKeyStorePassword(String keyStorePassword) {
+ _keyStorePassword = keyStorePassword;
+ }
+
+ public String getTrustStorePath() {
+ return _trustStorePath;
+ }
+
+ public void setTrustStorePath(String trustStorePath) {
+ _trustStorePath = trustStorePath;
+ }
+
+ public String getTrustStorePassword() {
+ return _trustStorePassword;
+ }
+
+ public void setTrustStorePassword(String trustStorePassword) {
+ _trustStorePassword = trustStorePassword;
+ }
+}
diff --git a/pinot-core/src/main/java/org/apache/pinot/core/util/TlsUtils.java b/pinot-core/src/main/java/org/apache/pinot/core/util/TlsUtils.java
new file mode 100644
index 0000000..f8adc85
--- /dev/null
+++ b/pinot-core/src/main/java/org/apache/pinot/core/util/TlsUtils.java
@@ -0,0 +1,132 @@
+package org.apache.pinot.core.util;
+
+import com.google.common.base.Preconditions;
+import java.io.FileInputStream;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import org.apache.pinot.core.transport.TlsConfig;
+import org.apache.pinot.spi.env.PinotConfiguration;
+
+
+/**
+ * Utility class for shared TLS configuration logic
+ */
+public final class TlsUtils {
+ private static final String TLS_ENABLED = "tls.enabled";
+ private static final String TLS_CIENT_AUTH = "tls.client.auth";
+ private static final String TLS_KEYSTORE_PATH = "tls.keystore.path";
+ private static final String TLS_KEYSTORE_PASSWORD = "tls.keystore.password";
+ private static final String TLS_TRUSTSTORE_PATH = "tls.truststore.path";
+ private static final String TLS_TRUSTSTORE_PASSWORD = "tls.truststore.password";
+
+ private TlsUtils() {
+ // left blank
+ }
+
+ /**
+ * Extract a TlsConfig instance from a namespaced set of configuration keys.
+ *
+ * @param pinotConfig pinot configuration
+ * @param prefix namespace prefix
+ *
+ * @return TlsConfig instance
+ */
+ public static TlsConfig extractTlsConfig(PinotConfiguration pinotConfig, String prefix) {
+ TlsConfig tlsConfig = new TlsConfig();
+
+ tlsConfig.setEnabled(pinotConfig.getProperty(prefix + "." + TLS_ENABLED, false));
+ tlsConfig.setClientAuth(pinotConfig.getProperty(prefix + "." + TLS_CIENT_AUTH, false));
+ tlsConfig.setKeyStorePath(pinotConfig.getProperty(prefix + "." + TLS_KEYSTORE_PATH));
+ tlsConfig.setKeyStorePassword(pinotConfig.getProperty(prefix + "." + TLS_KEYSTORE_PASSWORD));
+ tlsConfig.setTrustStorePath(pinotConfig.getProperty(prefix + "." + TLS_TRUSTSTORE_PATH));
+ tlsConfig.setTrustStorePassword(pinotConfig.getProperty(prefix + "." + TLS_TRUSTSTORE_PASSWORD));
+
+ return tlsConfig;
+ }
+
+ /**
+ * Create a KeyManagerFactory instance from a given TlsConfig.
+ *
+ * @param tlsConfig TLS config
+ *
+ * @return KeyManagerFactory
+ */
+ public static KeyManagerFactory createKeyManagerFactory(TlsConfig tlsConfig) {
+ Preconditions.checkNotNull(tlsConfig.getKeyStorePath(), "key store path is null");
+ Preconditions.checkNotNull(tlsConfig.getKeyStorePassword(), "key store password is null");
+
+ try {
+ KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+ try (FileInputStream is = new FileInputStream(tlsConfig.getKeyStorePath())) {
+ keyStore.load(is, tlsConfig.getKeyStorePassword().toCharArray());
+ }
+
+ KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+ keyManagerFactory.init(keyStore, tlsConfig.getKeyStorePassword().toCharArray());
+
+ return keyManagerFactory;
+
+ } catch (Exception e) {
+ throw new RuntimeException(String.format("Could not create key manager factory '%s'",
+ tlsConfig.getKeyStorePath()), e);
+ }
+ }
+
+ /**
+ * Create a TrustManagerFactory instance from a given TlsConfig.
+ *
+ * @param tlsConfig TLS config
+ *
+ * @return TrustManagerFactory
+ */
+ public static TrustManagerFactory createTrustManagerFactory(TlsConfig tlsConfig) {
+ Preconditions.checkNotNull(tlsConfig.getTrustStorePath(), "trust store path is null");
+ Preconditions.checkNotNull(tlsConfig.getTrustStorePassword(), "trust store password is null");
+
+ try {
+ KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+ try (FileInputStream is = new FileInputStream(tlsConfig.getTrustStorePath())) {
+ keyStore.load(is, tlsConfig.getTrustStorePassword().toCharArray());
+ }
+
+ TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+ trustManagerFactory.init(keyStore);
+
+ return trustManagerFactory;
+ } catch (Exception e) {
+ throw new RuntimeException(String.format("Could not create trust manager factory '%s'",
+ tlsConfig.getTrustStorePath()), e);
+ }
+ }
+
+ /**
+ * Installs a default TLS socket factory for all HttpsURLConnection instances based on a given TlsConfig (1 or 2-way)
+ *
+ * @param tlsConfig TLS config
+ */
+ public static void installDefaultSSLSocketFactory(TlsConfig tlsConfig) {
+ KeyManager[] keyManagers = null;
+ if (tlsConfig.getKeyStorePath() != null) {
+ keyManagers = createKeyManagerFactory(tlsConfig).getKeyManagers();
+ }
+
+ TrustManager[] trustManagers = null;
+ if (tlsConfig.getTrustStorePath() != null) {
+ trustManagers = createTrustManagerFactory(tlsConfig).getTrustManagers();
+ }
+
+ try {
+ SSLContext sc = SSLContext.getInstance("SSL");
+ sc.init(keyManagers, trustManagers, new java.security.SecureRandom());
+ HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
+ } catch (GeneralSecurityException ignore) {
+ // ignore
+ }
+ }
+}
diff --git a/pinot-server/src/main/java/org/apache/pinot/server/conf/ServerConf.java b/pinot-server/src/main/java/org/apache/pinot/server/conf/ServerConf.java
index baf916f..0f5e66a 100644
--- a/pinot-server/src/main/java/org/apache/pinot/server/conf/ServerConf.java
+++ b/pinot-server/src/main/java/org/apache/pinot/server/conf/ServerConf.java
@@ -121,4 +121,8 @@ public class ServerConf {
public String getMetricsPrefix() {
return _serverConf.getProperty(PINOT_SERVER_METRICS_PREFIX, Server.DEFAULT_METRICS_PREFIX);
}
+
+ public PinotConfiguration getPinotConfig() {
+ return _serverConf;
+ }
}
diff --git a/pinot-server/src/main/java/org/apache/pinot/server/starter/ServerInstance.java b/pinot-server/src/main/java/org/apache/pinot/server/starter/ServerInstance.java
index 462a304..2c0188b 100644
--- a/pinot-server/src/main/java/org/apache/pinot/server/starter/ServerInstance.java
+++ b/pinot-server/src/main/java/org/apache/pinot/server/starter/ServerInstance.java
@@ -34,7 +34,9 @@ import org.apache.pinot.core.query.executor.QueryExecutor;
import org.apache.pinot.core.query.scheduler.QueryScheduler;
import org.apache.pinot.core.query.scheduler.QuerySchedulerFactory;
import org.apache.pinot.core.transport.QueryServer;
+import org.apache.pinot.core.transport.TlsConfig;
import org.apache.pinot.core.transport.grpc.GrpcQueryServer;
+import org.apache.pinot.core.util.TlsUtils;
import org.apache.pinot.server.conf.ServerConf;
import org.apache.pinot.spi.env.PinotConfiguration;
import org.slf4j.Logger;
@@ -90,10 +92,15 @@ public class ServerInstance {
QuerySchedulerFactory.create(serverConf.getSchedulerConfig(), _queryExecutor, _serverMetrics, _latestQueryTime);
int nettyPort = serverConf.getNettyPort();
- LOGGER.info("Initializing Netty query server on port: {}", nettyPort);
- _nettyQueryServer = new QueryServer(nettyPort, _queryScheduler, _serverMetrics);
+ TlsConfig tlsConfig = TlsUtils.extractTlsConfig(serverConf.getPinotConfig(), "pinot.server.netty");
+ LOGGER.info("Initializing Netty query server on port: {} with tls: {}", nettyPort, tlsConfig.isEnabled());
+ _nettyQueryServer = new QueryServer(nettyPort, _queryScheduler, _serverMetrics, tlsConfig);
if (serverConf.isEnableGrpcServer()) {
+ if (tlsConfig.isEnabled()) {
+ LOGGER.warn("gRPC query server does not support TLS yet");
+ }
+
int grpcPort = serverConf.getGrpcPort();
LOGGER.info("Initializing gRPC query server on port: {}", grpcPort);
_grpcQueryServer = new GrpcQueryServer(grpcPort, _queryExecutor, _serverMetrics);
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@pinot.apache.org
For additional commands, e-mail: commits-help@pinot.apache.org
[incubator-pinot] 01/02: more assertions
Posted by ap...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
apucher pushed a commit to branch pinot-internode-tls
in repository https://gitbox.apache.org/repos/asf/incubator-pinot.git
commit 468a65ae459cb679ec39eb86bd62ac0bb2e8cea5
Author: Alexander Pucher <al...@alexpucher.com>
AuthorDate: Wed Jan 6 13:48:05 2021 -0800
more assertions
---
.../broker/broker/BrokerAdminApiApplication.java | 2 +-
.../apache/pinot/controller/ControllerConf.java | 24 +++++++++++++---------
2 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/pinot-broker/src/main/java/org/apache/pinot/broker/broker/BrokerAdminApiApplication.java b/pinot-broker/src/main/java/org/apache/pinot/broker/broker/BrokerAdminApiApplication.java
index 4eb8f3f..821e4aa 100644
--- a/pinot-broker/src/main/java/org/apache/pinot/broker/broker/BrokerAdminApiApplication.java
+++ b/pinot-broker/src/main/java/org/apache/pinot/broker/broker/BrokerAdminApiApplication.java
@@ -71,7 +71,7 @@ public class BrokerAdminApiApplication extends ResourceConfig {
int brokerQueryPort = brokerConf.getProperty(CommonConstants.Helix.KEY_OF_BROKER_QUERY_PORT,
CommonConstants.Helix.DEFAULT_BROKER_QUERY_PORT);
- Preconditions.checkArgument(brokerQueryPort > 0);
+ Preconditions.checkArgument(brokerQueryPort > 0, "broker client port must be > 0");
_baseUri = URI.create(String.format("%s://0.0.0.0:%d/", getBrokerClientProtocol(brokerConf), brokerQueryPort));
_httpServer = buildHttpsServer(brokerConf);
diff --git a/pinot-controller/src/main/java/org/apache/pinot/controller/ControllerConf.java b/pinot-controller/src/main/java/org/apache/pinot/controller/ControllerConf.java
index e080220..5d308d9 100644
--- a/pinot-controller/src/main/java/org/apache/pinot/controller/ControllerConf.java
+++ b/pinot-controller/src/main/java/org/apache/pinot/controller/ControllerConf.java
@@ -18,6 +18,7 @@
*/
package org.apache.pinot.controller;
+import com.google.common.base.Preconditions;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
@@ -37,6 +38,10 @@ import static org.apache.pinot.common.utils.CommonConstants.Controller.DEFAULT_M
public class ControllerConf extends PinotConfiguration {
+ public static final List<String> SUPPORTED_PROTOCOLS = Arrays.asList(
+ CommonConstants.HTTP_PROTOCOL,
+ CommonConstants.HTTPS_PROTOCOL);
+
public static final String CONTROLLER_VIP_HOST = "controller.vip.host";
public static final String CONTROLLER_VIP_PORT = "controller.vip.port";
public static final String CONTROLLER_VIP_PROTOCOL = "controller.vip.protocol";
@@ -354,19 +359,11 @@ public class ControllerConf extends PinotConfiguration {
}
public String getControllerVipProtocol() {
- return Optional.ofNullable(getProperty(CONTROLLER_VIP_PROTOCOL))
-
- .filter(protocol -> CommonConstants.HTTPS_PROTOCOL.equals(protocol))
-
- .orElse(CommonConstants.HTTP_PROTOCOL);
+ return getSupportedProtocol(CONTROLLER_VIP_PROTOCOL);
}
public String getControllerBrokerProtocol() {
- return Optional.ofNullable(getProperty(CONTROLLER_BROKER_PROTOCOL))
-
- .filter(protocol -> CommonConstants.HTTPS_PROTOCOL.equals(protocol))
-
- .orElse(CommonConstants.HTTP_PROTOCOL);
+ return getSupportedProtocol(CONTROLLER_BROKER_PROTOCOL);
}
public int getRetentionControllerFrequencyInSeconds() {
@@ -657,4 +654,11 @@ public class ControllerConf extends PinotConfiguration {
}
return seconds;
}
+
+ private String getSupportedProtocol(String property) {
+ String value = getProperty(property, CommonConstants.HTTP_PROTOCOL);
+ Preconditions.checkArgument(SUPPORTED_PROTOCOLS.contains(value),
+ "Unsupported %s protocol '%s'", property, value);
+ return value;
+ }
}
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@pinot.apache.org
For additional commands, e-mail: commits-help@pinot.apache.org