Posted to commits@pinot.apache.org by xi...@apache.org on 2024/02/21 05:24:23 UTC
(pinot) branch master updated: make http listener ssl config swappable (#12455)
This is an automated email from the ASF dual-hosted git repository.
xiangfu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pinot.git
The following commit(s) were added to refs/heads/master by this push:
new 99e290861c make http listener ssl config swappable (#12455)
99e290861c is described below
commit 99e290861c9685dc604b5b4eac1b77f37406a899
Author: Haitao Zhang <ha...@startree.ai>
AuthorDate: Tue Feb 20 21:24:17 2024 -0800
make http listener ssl config swappable (#12455)
* make http listener ssl config swappable
* extract common code as a method
---
.../org/apache/pinot/common/utils/TlsUtils.java | 31 +++++++++++++++-------
.../pinot/common/utils/grpc/GrpcQueryClient.java | 6 +----
.../pinot/core/transport/grpc/GrpcQueryServer.java | 6 +----
.../apache/pinot/core/util/ListenerConfigUtil.java | 19 +++----------
4 files changed, 26 insertions(+), 36 deletions(-)
diff --git a/pinot-common/src/main/java/org/apache/pinot/common/utils/TlsUtils.java b/pinot-common/src/main/java/org/apache/pinot/common/utils/TlsUtils.java
index 6e46bcd96d..054c072a13 100644
--- a/pinot-common/src/main/java/org/apache/pinot/common/utils/TlsUtils.java
+++ b/pinot-common/src/main/java/org/apache/pinot/common/utils/TlsUtils.java
@@ -317,11 +317,7 @@ public final class TlsUtils {
* @param tlsConfig TLS config
*/
public static SslContext buildClientContext(TlsConfig tlsConfig) {
- SSLFactory sslFactory = createSSLFactory(tlsConfig);
- if (isKeyOrTrustStorePathNullOrHasFileScheme(tlsConfig.getKeyStorePath())
- && isKeyOrTrustStorePathNullOrHasFileScheme(tlsConfig.getTrustStorePath())) {
- enableAutoRenewalFromFileStoreForSSLFactory(sslFactory, tlsConfig);
- }
+ SSLFactory sslFactory = createSSLFactoryAndEnableAutoRenewalWhenUsingFileStores(tlsConfig);
SslContextBuilder sslContextBuilder =
SslContextBuilder.forClient().sslProvider(SslProvider.valueOf(tlsConfig.getSslProvider()));
sslFactory.getKeyManagerFactory().ifPresent(sslContextBuilder::keyManager);
@@ -342,11 +338,7 @@ public final class TlsUtils {
if (tlsConfig.getKeyStorePath() == null) {
throw new IllegalArgumentException("Must provide key store path for secured server");
}
- SSLFactory sslFactory = createSSLFactory(tlsConfig);
- if (isKeyOrTrustStorePathNullOrHasFileScheme(tlsConfig.getKeyStorePath())
- && isKeyOrTrustStorePathNullOrHasFileScheme(tlsConfig.getTrustStorePath())) {
- enableAutoRenewalFromFileStoreForSSLFactory(sslFactory, tlsConfig);
- }
+ SSLFactory sslFactory = createSSLFactoryAndEnableAutoRenewalWhenUsingFileStores(tlsConfig);
SslContextBuilder sslContextBuilder = SslContextBuilder.forServer(sslFactory.getKeyManagerFactory().get())
.sslProvider(SslProvider.valueOf(tlsConfig.getSslProvider()));
sslFactory.getTrustManagerFactory().ifPresent(sslContextBuilder::trustManager);
@@ -502,6 +494,25 @@ public final class TlsUtils {
keyPathMap.get(key).add(path.getFileName());
}
+ /**
+ * Create a {@link SSLFactory} instance with identity material and trust material swappable for a given TlsConfig,
+ * and nables auto renewal of the {@link SSLFactory} instance when
+ * 1. the {@link SSLFactory} is created with a key manager and trust manager swappable
+ * 2. the key store is null or a local file
+ * 3. the trust store is null or a local file
+ * 4. the key store or trust store file changes.
+ * @param tlsConfig {@link TlsConfig}
+ * @return a {@link SSLFactory} instance with identity material and trust material swappable
+ */
+ public static SSLFactory createSSLFactoryAndEnableAutoRenewalWhenUsingFileStores(TlsConfig tlsConfig) {
+ SSLFactory sslFactory = createSSLFactory(tlsConfig);
+ if (isKeyOrTrustStorePathNullOrHasFileScheme(tlsConfig.getKeyStorePath())
+ && isKeyOrTrustStorePathNullOrHasFileScheme(tlsConfig.getTrustStorePath())) {
+ enableAutoRenewalFromFileStoreForSSLFactory(sslFactory, tlsConfig);
+ }
+ return sslFactory;
+ }
+
/**
* Create a {@link SSLFactory} instance with identity material and trust material swappable for a given TlsConfig
* @param tlsConfig {@link TlsConfig}
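Review bot: The Javadoc on the new helper createSSLFactoryAndEnableAutoRenewalWhenUsingFileStores has a typo, `nables` for `enables`, and its numbered list reads as if all four conditions gate renewal, whereas the code below it enables renewal whenever both store paths are null or file-scheme and condition 4 is only what later triggers a reload. I would reword it to `* and enables auto renewal of the returned {@link SSLFactory} when both the key store and the trust store are either null or local files; the identity and trust material is then reloaded when the backing file changes.` It would also help the four call sites this commit introduces to state that when either store uses a non-file scheme the factory is returned without auto renewal and nothing signals that; I cannot see createSSLFactory from here, so confirm whether it logs on that path before documenting it.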
diff --git a/pinot-common/src/main/java/org/apache/pinot/common/utils/grpc/GrpcQueryClient.java b/pinot-common/src/main/java/org/apache/pinot/common/utils/grpc/GrpcQueryClient.java
index 94621fa176..35af62de22 100644
--- a/pinot-common/src/main/java/org/apache/pinot/common/utils/grpc/GrpcQueryClient.java
+++ b/pinot-common/src/main/java/org/apache/pinot/common/utils/grpc/GrpcQueryClient.java
@@ -73,11 +73,7 @@ public class GrpcQueryClient {
LOGGER.info("Building gRPC SSL context");
SslContext sslContext = CLIENT_SSL_CONTEXTS_CACHE.computeIfAbsent(tlsConfig.hashCode(), tlsConfigHashCode -> {
try {
- SSLFactory sslFactory = TlsUtils.createSSLFactory(tlsConfig);
- if (TlsUtils.isKeyOrTrustStorePathNullOrHasFileScheme(tlsConfig.getKeyStorePath())
- && TlsUtils.isKeyOrTrustStorePathNullOrHasFileScheme(tlsConfig.getTrustStorePath())) {
- TlsUtils.enableAutoRenewalFromFileStoreForSSLFactory(sslFactory, tlsConfig);
- }
+ SSLFactory sslFactory = TlsUtils.createSSLFactoryAndEnableAutoRenewalWhenUsingFileStores(tlsConfig);
SslContextBuilder sslContextBuilder = SslContextBuilder.forClient();
sslFactory.getKeyManagerFactory().ifPresent(sslContextBuilder::keyManager);
sslFactory.getTrustManagerFactory().ifPresent(sslContextBuilder::trustManager);
diff --git a/pinot-core/src/main/java/org/apache/pinot/core/transport/grpc/GrpcQueryServer.java b/pinot-core/src/main/java/org/apache/pinot/core/transport/grpc/GrpcQueryServer.java
index 0b9621e1e1..70f14e10cf 100644
--- a/pinot-core/src/main/java/org/apache/pinot/core/transport/grpc/GrpcQueryServer.java
+++ b/pinot-core/src/main/java/org/apache/pinot/core/transport/grpc/GrpcQueryServer.java
@@ -98,11 +98,7 @@ public class GrpcQueryServer extends PinotQueryServerGrpc.PinotQueryServerImplBa
}
SslContext sslContext = SERVER_SSL_CONTEXTS_CACHE.computeIfAbsent(tlsConfig.hashCode(), tlsConfigHashCode -> {
try {
- SSLFactory sslFactory = TlsUtils.createSSLFactory(tlsConfig);
- if (TlsUtils.isKeyOrTrustStorePathNullOrHasFileScheme(tlsConfig.getKeyStorePath())
- && TlsUtils.isKeyOrTrustStorePathNullOrHasFileScheme(tlsConfig.getTrustStorePath())) {
- TlsUtils.enableAutoRenewalFromFileStoreForSSLFactory(sslFactory, tlsConfig);
- }
+ SSLFactory sslFactory = TlsUtils.createSSLFactoryAndEnableAutoRenewalWhenUsingFileStores(tlsConfig);
SslContextBuilder sslContextBuilder = SslContextBuilder.forServer(sslFactory.getKeyManagerFactory().get())
.sslProvider(SslProvider.valueOf(tlsConfig.getSslProvider()));
sslFactory.getTrustManagerFactory().ifPresent(sslContextBuilder::trustManager);
diff --git a/pinot-core/src/main/java/org/apache/pinot/core/util/ListenerConfigUtil.java b/pinot-core/src/main/java/org/apache/pinot/core/util/ListenerConfigUtil.java
index a75f620600..bce2cfe36d 100644
--- a/pinot-core/src/main/java/org/apache/pinot/core/util/ListenerConfigUtil.java
+++ b/pinot-core/src/main/java/org/apache/pinot/core/util/ListenerConfigUtil.java
@@ -34,6 +34,7 @@ import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
+import nl.altindag.ssl.SSLFactory;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.pinot.common.config.TlsConfig;
@@ -44,7 +45,6 @@ import org.apache.pinot.spi.env.PinotConfiguration;
import org.apache.pinot.spi.utils.CommonConstants;
import org.glassfish.grizzly.http.server.HttpServer;
import org.glassfish.grizzly.http.server.NetworkListener;
-import org.glassfish.grizzly.ssl.SSLContextConfigurator;
import org.glassfish.grizzly.ssl.SSLEngineConfigurator;
import org.glassfish.jersey.grizzly2.httpserver.GrizzlyHttpServerFactory;
import org.glassfish.jersey.internal.guava.ThreadFactoryBuilder;
@@ -263,21 +263,8 @@ public final class ListenerConfigUtil {
}
private static SSLEngineConfigurator buildSSLEngineConfigurator(TlsConfig tlsConfig) {
- SSLContextConfigurator sslContextConfigurator = new SSLContextConfigurator();
-
- if (tlsConfig.getKeyStorePath() != null) {
- Preconditions.checkNotNull(tlsConfig.getKeyStorePassword(), "key store password required");
- sslContextConfigurator.setKeyStoreFile(cacheInTempFile(tlsConfig.getKeyStorePath()).getAbsolutePath());
- sslContextConfigurator.setKeyStorePass(tlsConfig.getKeyStorePassword());
- }
-
- if (tlsConfig.getTrustStorePath() != null) {
- Preconditions.checkNotNull(tlsConfig.getKeyStorePassword(), "trust store password required");
- sslContextConfigurator.setTrustStoreFile(cacheInTempFile(tlsConfig.getTrustStorePath()).getAbsolutePath());
- sslContextConfigurator.setTrustStorePass(tlsConfig.getTrustStorePassword());
- }
-
- return new SSLEngineConfigurator(sslContextConfigurator).setClientMode(false)
+ SSLFactory sslFactory = TlsUtils.createSSLFactoryAndEnableAutoRenewalWhenUsingFileStores(tlsConfig);
+ return new SSLEngineConfigurator(sslFactory.getSslContext()).setClientMode(false)
.setNeedClientAuth(tlsConfig.isClientAuthEnabled()).setEnabledProtocols(new String[]{"TLSv1.2"});
}
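Review bot: The rewritten buildSSLEngineConfigurator drops the explicit `Preconditions.checkNotNull(tlsConfig.getKeyStorePassword(), "key store password required")` guard, so a listener configured with a key store path but no password now fails with whatever TlsUtils.createSSLFactory (not visible in this diff) throws rather than an error naming the missing setting; if that method does not validate the password itself, I would keep `Preconditions.checkArgument(tlsConfig.getKeyStorePath() == null || tlsConfig.getKeyStorePassword() != null, "key store password required");` ahead of the factory call. With the SSLContextConfigurator path gone, `cacheInTempFile` and the `Preconditions` import are probably unused in this file unless another method still calls them, which is worth checking. The removed code also routed non-file store URIs through cacheInTempFile, while the new path relies on createSSLFactory loading them directly, so a one-line comment at the call site such as `// non-file store URIs are loaded by createSSLFactory; auto renewal only applies to file-backed stores` would record that the behaviour is intentional.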