This is an automated email from the ASF dual-hosted git repository. haonan pushed a commit to branch ssl_between_nodes in repository https://gitbox.apache.org/repos/asf/iotdb.git
commit e99289941d016f39f1a629da21d1cee94db6e9cd Author: HTHou <[email protected]> AuthorDate: Mon Jul 21 11:09:11 2025 +0800 seprate configs --- iotdb-core/ainode/ainode/core/config.py | 30 ++++++++++++++++++++++ iotdb-core/ainode/ainode/core/ingress/iotdb.py | 1 + iotdb-core/ainode/ainode/core/rpc/client.py | 20 ++++++++++++--- .../confignode/conf/ConfigNodeDescriptor.java | 1 + .../manager/consensus/ConsensusManager.java | 2 +- .../service/thrift/ConfigNodeRPCService.java | 2 +- .../iot/client/AsyncIoTConsensusServiceClient.java | 2 +- .../iot/client/SyncIoTConsensusServiceClient.java | 2 +- .../db/consensus/DataRegionConsensusImpl.java | 6 ++--- .../db/consensus/SchemaRegionConsensusImpl.java | 2 +- .../iotdb/db/protocol/client/ConfigNodeClient.java | 2 +- .../execution/exchange/MPPDataExchangeService.java | 2 +- .../db/service/DataNodeInternalRPCService.java | 2 +- .../iotdb/db/service/ExternalRPCService.java | 2 +- .../conf/iotdb-system.properties.template | 22 +++++++--------- .../iotdb/commons/client/ainode/AINodeClient.java | 2 +- .../client/ainode/AsyncAINodeServiceClient.java | 2 +- .../AsyncConfigNodeInternalServiceClient.java | 2 +- .../async/AsyncDataNodeExternalServiceClient.java | 2 +- .../async/AsyncDataNodeInternalServiceClient.java | 2 +- .../AsyncDataNodeMPPDataExchangeServiceClient.java | 2 +- .../async/AsyncPipeConsensusServiceClient.java | 2 +- .../client/sync/SyncConfigNodeIServiceClient.java | 2 +- .../sync/SyncDataNodeInternalServiceClient.java | 2 +- .../SyncDataNodeMPPDataExchangeServiceClient.java | 2 +- .../sync/SyncPipeConsensusServiceClient.java | 2 +- .../apache/iotdb/commons/conf/CommonConfig.java | 23 ++++++++++++----- .../iotdb/commons/conf/CommonDescriptor.java | 14 +++++++--- .../service/AbstractThriftServiceThread.java | 1 + 29 files changed, 110 insertions(+), 48 deletions(-) diff --git a/iotdb-core/ainode/ainode/core/config.py b/iotdb-core/ainode/ainode/core/config.py index 6f0336ad6ae..3fe7a3d921f 100644 --- a/iotdb-core/ainode/ainode/core/config.py +++ b/iotdb-core/ainode/ainode/core/config.py @@ -74,6 +74,10 @@ class AINodeConfig(object): # Whether to enable compression for thrift self._ain_thrift_compression_enabled = AINODE_THRIFT_COMPRESSION_ENABLED + # use for ssl + self._ain_thrift_ssl_enabled = False + self._ain_thrift_ssl_ca_file = None + # Cache number of model storage to avoid repeated loading self._ain_model_storage_cache_size = 30 @@ -176,6 +180,22 @@ class AINodeConfig(object): ) -> None: self._ain_thrift_compression_enabled = ain_thrift_compression_enabled + def get_ain_thrift_ssl_enabled(self) -> bool: + return self._ain_thrift_ssl_enabled + + def set_ain_thrift_ssl_enabled( + self, ain_thrift_ssl_enabled: int + ) -> None: + self._ain_thrift_ssl_enabled = ain_thrift_ssl_enabled + + def get_ain_thrift_ssl_ca_file(self) -> str: + return self._ain_thrift_ssl_ca_file + + def set_ain_thrift_ssl_ca_file( + self, ain_thrift_ssl_ca_file: str + ) -> None: + self._ain_thrift_ssl_ca_file = ain_thrift_ssl_ca_file + def get_ain_model_storage_cache_size(self) -> int: return self._ain_model_storage_cache_size @@ -309,6 +329,16 @@ class AINodeDescriptor(object): int(file_configs["ain_thrift_compression_enabled"]) ) + if "ain_thrift_ssl_enabled" in config_keys: + self._config.set_ain_thrift_ssl_enabled( + int(file_configs["ain_thrift_ssl_enabled"]) + ) + + if "ain_thrift_ssl_ca_file" in config_keys: + self._config.set_ain_thrift_ssl_ca_file( + file_configs["ain_thrift_ssl_ca_file"] + ) + if "ain_logs_dir" in config_keys: log_dir = file_configs["ain_logs_dir"] self._config.set_ain_logs_dir(log_dir) diff --git a/iotdb-core/ainode/ainode/core/ingress/iotdb.py b/iotdb-core/ainode/ainode/core/ingress/iotdb.py index 2d1bb74016f..7bdc99f2baf 100644 --- a/iotdb-core/ainode/ainode/core/ingress/iotdb.py +++ b/iotdb-core/ainode/ainode/core/ingress/iotdb.py @@ -92,6 +92,7 @@ class IoTDBTreeModelDataset(BasicDatabaseForecastDataset): password=password, zone_id=time_zone, ) + # TODO(HAONAN) self.session.open(False) self.use_rate = use_rate self.offset_rate = offset_rate diff --git a/iotdb-core/ainode/ainode/core/rpc/client.py b/iotdb-core/ainode/ainode/core/rpc/client.py index c595000bb0f..abb08e29238 100644 --- a/iotdb-core/ainode/ainode/core/rpc/client.py +++ b/iotdb-core/ainode/ainode/core/rpc/client.py @@ -109,9 +109,23 @@ class ConfigNodeClient(object): raise TException(self._MSG_RECONNECTION_FAIL) def _connect(self, target_config_node: TEndPoint) -> None: - transport = TTransport.TFramedTransport( - TSocket.TSocket(target_config_node.ip, target_config_node.port) - ) + if AINodeDescriptor().get_config().get_ain_thrift_ssl_enabled(): + import ssl,sys + from thrift.transport import TSSLSocket + + if sys.version_info >= (3, 10): + context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH) + else: + context = ssl.SSLContext(ssl.PROTOCOL_TLS) + context.verify_mode = ssl.CERT_REQUIRED + context.check_hostname = True + context.load_verify_locations(cafile=AINodeDescriptor().get_config().get_ain_thrift_ssl_ca_file()) + socket = TSSLSocket.TSSLSocket( + host=target_config_node.ip, port=target_config_node.port, ssl_context=context + ) + else: + socket = TSocket.TSocket(target_config_node.ip, target_config_node.port) + transport = TTransport.TFramedTransport(socket) if not transport.isOpen(): try: transport.open() diff --git a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/conf/ConfigNodeDescriptor.java b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/conf/ConfigNodeDescriptor.java index ed8c4bb5f26..1820425c856 100644 --- a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/conf/ConfigNodeDescriptor.java +++ b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/conf/ConfigNodeDescriptor.java @@ -364,6 +364,7 @@ public class ConfigNodeDescriptor { // commons commonDescriptor.loadCommonProps(properties); commonDescriptor.initCommonConfigDir(conf.getSystemDir()); + commonDescriptor.initThriftSSL(properties); conf.setProcedureCompletedEvictTTL( Integer.parseInt( diff --git a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/consensus/ConsensusManager.java b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/consensus/ConsensusManager.java index deda5c0a566..225e6cec3a7 100644 --- a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/consensus/ConsensusManager.java +++ b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/consensus/ConsensusManager.java @@ -169,7 +169,7 @@ public class ConsensusManager { CONF.getConfigNodeRatisGrpcFlowControlWindow())) .setLeaderOutstandingAppendsMax( CONF.getConfigNodeRatisGrpcLeaderOutstandingAppendsMax()) - .setEnableSSL(COMMON_CONF.isEnableSSL()) + .setEnableSSL(COMMON_CONF.isEnableInternalSSL()) .setSslKeyStorePath(COMMON_CONF.getKeyStorePath()) .setSslKeyStorePassword(COMMON_CONF.getKeyStorePwd()) .setSslTrustStorePath(COMMON_CONF.getTrustStorePath()) diff --git a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/service/thrift/ConfigNodeRPCService.java b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/service/thrift/ConfigNodeRPCService.java index 33710cb7594..3e042837e28 100644 --- a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/service/thrift/ConfigNodeRPCService.java +++ b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/service/thrift/ConfigNodeRPCService.java @@ -61,7 +61,7 @@ public class ConfigNodeRPCService extends ThriftService implements ConfigNodeRPC try { thriftServiceThread = - commonConfig.isEnableSSL() + commonConfig.isEnableInternalSSL() ? new ThriftServiceThread( processor, getID().getName(), diff --git a/iotdb-core/consensus/src/main/java/org/apache/iotdb/consensus/iot/client/AsyncIoTConsensusServiceClient.java b/iotdb-core/consensus/src/main/java/org/apache/iotdb/consensus/iot/client/AsyncIoTConsensusServiceClient.java index 4a20b7c2f12..ba54abec627 100644 --- a/iotdb-core/consensus/src/main/java/org/apache/iotdb/consensus/iot/client/AsyncIoTConsensusServiceClient.java +++ b/iotdb-core/consensus/src/main/java/org/apache/iotdb/consensus/iot/client/AsyncIoTConsensusServiceClient.java @@ -58,7 +58,7 @@ public class AsyncIoTConsensusServiceClient extends IoTConsensusIService.AsyncCl super( property.getProtocolFactory(), tAsyncClientManager, - commonConfig.isEnableSSL() + commonConfig.isEnableInternalSSL() ? TNonblockingSocketWrapper.wrap( endpoint.getIp(), endpoint.getPort(), diff --git a/iotdb-core/consensus/src/main/java/org/apache/iotdb/consensus/iot/client/SyncIoTConsensusServiceClient.java b/iotdb-core/consensus/src/main/java/org/apache/iotdb/consensus/iot/client/SyncIoTConsensusServiceClient.java index 9a6810d0ecd..27dc5391027 100644 --- a/iotdb-core/consensus/src/main/java/org/apache/iotdb/consensus/iot/client/SyncIoTConsensusServiceClient.java +++ b/iotdb-core/consensus/src/main/java/org/apache/iotdb/consensus/iot/client/SyncIoTConsensusServiceClient.java @@ -53,7 +53,7 @@ public class SyncIoTConsensusServiceClient extends IoTConsensusIService.Client property .getProtocolFactory() .getProtocol( - commonConfig.isEnableSSL() + commonConfig.isEnableInternalSSL() ? DeepCopyRpcTransportFactory.INSTANCE.getTransport( endpoint.getIp(), endpoint.getPort(), diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/consensus/DataRegionConsensusImpl.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/consensus/DataRegionConsensusImpl.java index 47bb6033b5c..f787f370204 100644 --- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/consensus/DataRegionConsensusImpl.java +++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/consensus/DataRegionConsensusImpl.java @@ -138,7 +138,7 @@ public class DataRegionConsensusImpl { CONF.getThriftServerAwaitTimeForStopService()) .setThriftMaxFrameSize(CONF.getThriftMaxFrameSize()) .setMaxClientNumForEachNode(CONF.getMaxClientNumForEachNode()) - .setEnableSSL(COMMON_CONF.isEnableSSL()) + .setEnableSSL(COMMON_CONF.isEnableInternalSSL()) .setSslKeyStorePath(COMMON_CONF.getKeyStorePath()) .setSslKeyStorePassword(COMMON_CONF.getKeyStorePwd()) .setSslTrustStorePath(COMMON_CONF.getTrustStorePath()) @@ -167,7 +167,7 @@ public class DataRegionConsensusImpl { .setThriftServerAwaitTimeForStopService( CONF.getThriftServerAwaitTimeForStopService()) .setThriftMaxFrameSize(CONF.getThriftMaxFrameSize()) - .setEnableSSL(COMMON_CONF.isEnableSSL()) + .setEnableSSL(COMMON_CONF.isEnableInternalSSL()) .setSslKeyStorePath(COMMON_CONF.getKeyStorePath()) .setSslKeyStorePassword(COMMON_CONF.getKeyStorePwd()) .setSslTrustStorePath(COMMON_CONF.getTrustStorePath()) @@ -218,7 +218,7 @@ public class DataRegionConsensusImpl { CONF.getDataRatisConsensusGrpcFlowControlWindow())) .setLeaderOutstandingAppendsMax( CONF.getDataRatisConsensusGrpcLeaderOutstandingAppendsMax()) - .setEnableSSL(COMMON_CONF.isEnableSSL()) + .setEnableSSL(COMMON_CONF.isEnableInternalSSL()) .setSslKeyStorePath(COMMON_CONF.getKeyStorePath()) .setSslKeyStorePassword(COMMON_CONF.getKeyStorePwd()) .setSslTrustStorePath(COMMON_CONF.getTrustStorePath()) diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/consensus/SchemaRegionConsensusImpl.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/consensus/SchemaRegionConsensusImpl.java index 5195e2c4ccd..de60f9792c7 100644 --- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/consensus/SchemaRegionConsensusImpl.java +++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/consensus/SchemaRegionConsensusImpl.java @@ -104,7 +104,7 @@ public class SchemaRegionConsensusImpl { .setLeaderOutstandingAppendsMax( CONF .getSchemaRatisConsensusGrpcLeaderOutstandingAppendsMax()) - .setEnableSSL(COMMON_CONF.isEnableSSL()) + .setEnableSSL(COMMON_CONF.isEnableInternalSSL()) .setSslKeyStorePath(COMMON_CONF.getKeyStorePath()) .setSslKeyStorePassword(COMMON_CONF.getKeyStorePwd()) .setSslTrustStorePath(COMMON_CONF.getTrustStorePath()) diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/client/ConfigNodeClient.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/client/ConfigNodeClient.java index 9d0025c885f..79e6c9e2e94 100644 --- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/client/ConfigNodeClient.java +++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/client/ConfigNodeClient.java @@ -265,7 +265,7 @@ public class ConfigNodeClient implements IConfigNodeRPCService.Iface, ThriftClie public void connect(TEndPoint endpoint, int timeoutMs) throws TException { try { transport = - commonConfig.isEnableSSL() + commonConfig.isEnableInternalSSL() ? DeepCopyRpcTransportFactory.INSTANCE.getTransport( endpoint.getIp(), endpoint.getPort(), diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/execution/exchange/MPPDataExchangeService.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/execution/exchange/MPPDataExchangeService.java index 9681896d823..e8be8c7d9f0 100644 --- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/execution/exchange/MPPDataExchangeService.java +++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/execution/exchange/MPPDataExchangeService.java @@ -93,7 +93,7 @@ public class MPPDataExchangeService extends ThriftService implements MPPDataExch public void initThriftServiceThread() throws IllegalAccessException { try { thriftServiceThread = - commonConfig.isEnableSSL() + commonConfig.isEnableInternalSSL() ? new ThriftServiceThread( processor, getID().getName(), diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/service/DataNodeInternalRPCService.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/service/DataNodeInternalRPCService.java index b95adc0d764..2a2349c97bb 100644 --- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/service/DataNodeInternalRPCService.java +++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/service/DataNodeInternalRPCService.java @@ -62,7 +62,7 @@ public class DataNodeInternalRPCService extends ThriftService public void initThriftServiceThread() throws IllegalAccessException { try { thriftServiceThread = - commonConfig.isEnableSSL() + commonConfig.isEnableInternalSSL() ? new ThriftServiceThread( processor, getID().getName(), diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/service/ExternalRPCService.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/service/ExternalRPCService.java index 031bc4efbd5..f17cbb67d8b 100644 --- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/service/ExternalRPCService.java +++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/service/ExternalRPCService.java @@ -66,7 +66,7 @@ public class ExternalRPCService extends ThriftService implements ExternalRPCServ public void initThriftServiceThread() throws IllegalAccessException { try { thriftServiceThread = - commonConfig.isEnableSSL() + commonConfig.isEnableThriftClientSSL() ? new ThriftServiceThread( processor, getID().getName(), diff --git a/iotdb-core/node-commons/src/assembly/resources/conf/iotdb-system.properties.template b/iotdb-core/node-commons/src/assembly/resources/conf/iotdb-system.properties.template index efb74b66a0d..71c5c80e34f 100644 --- a/iotdb-core/node-commons/src/assembly/resources/conf/iotdb-system.properties.template +++ b/iotdb-core/node-commons/src/assembly/resources/conf/iotdb-system.properties.template @@ -438,16 +438,21 @@ dn_metric_internal_reporter_type=MEMORY ### SSL Configuration #################### -# Does IoTDB enable SSL +# Whether enable SSL for thrift client connections # effectiveMode: restart # Datatype: boolean enable_thrift_ssl=false -# Rest Service enabled SSL +# Whether enable SSL for Rest Service # effectiveMode: restart # Datatype: boolean enable_https=false +# Whether enable SSL for cluster internal connections +# effectiveMode: restart +# Datatype: boolean +enable_internal_connection_ssl=false + # SSL key store path # linux e.g. /home/iotdb/server.keystore (absolute path) or server.keystore (relative path) # windows e.g. C:\\iotdb\\server.keystore (absolute path) or server.keystore (relative path) @@ -463,12 +468,12 @@ key_store_pwd= # linux e.g. /home/iotdb/server.truststore (absolute path) or server.truststore (relative path) # windows e.g. C:\\iotdb\\server.truststore (absolute path) or server.truststore (relative path) # effectiveMode: restart -key_trust_path= +trust_store_path= # SSL trust store password # effectiveMode: restart # Datatype: String -key_trust_pwd= +trust_store_pwd= #################### ### Connection Configuration @@ -600,15 +605,6 @@ cache_init_num=10 # Datatype: boolean client_auth=false -# SSL trust store path -# effectiveMode: restart -trust_store_path="" - -# SSL trust store password. -# effectiveMode: restart -# Datatype: String -trust_store_pwd="" - # SSL timeout (in seconds) # effectiveMode: restart # Datatype: int diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/ainode/AINodeClient.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/ainode/AINodeClient.java index f896dd33218..2aecd595ff2 100644 --- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/ainode/AINodeClient.java +++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/ainode/AINodeClient.java @@ -99,7 +99,7 @@ public class AINodeClient implements AutoCloseable, ThriftClient { private void init() throws TException { try { - if (commonConfig.isEnableSSL()) { + if (commonConfig.isEnableInternalSSL()) { TSSLTransportFactory.TSSLTransportParameters params = new TSSLTransportFactory.TSSLTransportParameters(); params.setTrustStore(commonConfig.getTrustStorePath(), commonConfig.getTrustStorePwd()); diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/ainode/AsyncAINodeServiceClient.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/ainode/AsyncAINodeServiceClient.java index d5dda4f6353..0264baed18f 100644 --- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/ainode/AsyncAINodeServiceClient.java +++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/ainode/AsyncAINodeServiceClient.java @@ -53,7 +53,7 @@ public class AsyncAINodeServiceClient extends IAINodeRPCService.AsyncClient super( property.getProtocolFactory(), tClientManager, - commonConfig.isEnableSSL() + commonConfig.isEnableInternalSSL() ? TNonblockingSocketWrapper.wrap( endPoint.getIp(), endPoint.getPort(), diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/async/AsyncConfigNodeInternalServiceClient.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/async/AsyncConfigNodeInternalServiceClient.java index 0f86f1b2a37..9b62f1cbf3e 100644 --- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/async/AsyncConfigNodeInternalServiceClient.java +++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/async/AsyncConfigNodeInternalServiceClient.java @@ -60,7 +60,7 @@ public class AsyncConfigNodeInternalServiceClient extends IConfigNodeRPCService. super( property.getProtocolFactory(), tClientManager, - commonConfig.isEnableSSL() + commonConfig.isEnableInternalSSL() ? TNonblockingSocketWrapper.wrap( endpoint.getIp(), endpoint.getPort(), diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/async/AsyncDataNodeExternalServiceClient.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/async/AsyncDataNodeExternalServiceClient.java index 974df8f4222..8a92b678794 100644 --- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/async/AsyncDataNodeExternalServiceClient.java +++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/async/AsyncDataNodeExternalServiceClient.java @@ -60,7 +60,7 @@ public class AsyncDataNodeExternalServiceClient extends IDataNodeRPCService.Asyn super( property.getProtocolFactory(), tClientManager, - commonConfig.isEnableSSL() + commonConfig.isEnableInternalSSL() ? TNonblockingSocketWrapper.wrap( endpoint.getIp(), endpoint.getPort(), diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/async/AsyncDataNodeInternalServiceClient.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/async/AsyncDataNodeInternalServiceClient.java index f087d18b0e4..41bb7ed72d7 100644 --- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/async/AsyncDataNodeInternalServiceClient.java +++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/async/AsyncDataNodeInternalServiceClient.java @@ -62,7 +62,7 @@ public class AsyncDataNodeInternalServiceClient extends IDataNodeRPCService.Asyn super( property.getProtocolFactory(), tClientManager, - commonConfig.isEnableSSL() + commonConfig.isEnableInternalSSL() ? TNonblockingSocketWrapper.wrap( endpoint.getIp(), endpoint.getPort(), diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/async/AsyncDataNodeMPPDataExchangeServiceClient.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/async/AsyncDataNodeMPPDataExchangeServiceClient.java index 964ff7f1d94..e8203e3ff10 100644 --- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/async/AsyncDataNodeMPPDataExchangeServiceClient.java +++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/async/AsyncDataNodeMPPDataExchangeServiceClient.java @@ -58,7 +58,7 @@ public class AsyncDataNodeMPPDataExchangeServiceClient extends MPPDataExchangeSe super( property.getProtocolFactory(), tClientManager, - commonConfig.isEnableSSL() + commonConfig.isEnableInternalSSL() ? TNonblockingSocketWrapper.wrap( endpoint.getIp(), endpoint.getPort(), diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/async/AsyncPipeConsensusServiceClient.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/async/AsyncPipeConsensusServiceClient.java index c50a3523efe..2b07580b74b 100644 --- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/async/AsyncPipeConsensusServiceClient.java +++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/async/AsyncPipeConsensusServiceClient.java @@ -63,7 +63,7 @@ public class AsyncPipeConsensusServiceClient extends PipeConsensusIService.Async super( property.getProtocolFactory(), tAsyncClientManager, - commonConfig.isEnableSSL() + commonConfig.isEnableInternalSSL() ? TNonblockingSocketWrapper.wrap( endpoint.getIp(), endpoint.getPort(), diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/sync/SyncConfigNodeIServiceClient.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/sync/SyncConfigNodeIServiceClient.java index 3bcfa6495e3..2fdb9887e7e 100644 --- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/sync/SyncConfigNodeIServiceClient.java +++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/sync/SyncConfigNodeIServiceClient.java @@ -55,7 +55,7 @@ public class SyncConfigNodeIServiceClient extends IConfigNodeRPCService.Client property .getProtocolFactory() .getProtocol( - commonConfig.isEnableSSL() + commonConfig.isEnableInternalSSL() ? DeepCopyRpcTransportFactory.INSTANCE.getTransport( endPoint.getIp(), endPoint.getPort(), diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/sync/SyncDataNodeInternalServiceClient.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/sync/SyncDataNodeInternalServiceClient.java index 4ec2fc1a46f..854b4a4aa18 100644 --- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/sync/SyncDataNodeInternalServiceClient.java +++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/sync/SyncDataNodeInternalServiceClient.java @@ -56,7 +56,7 @@ public class SyncDataNodeInternalServiceClient extends IDataNodeRPCService.Clien property .getProtocolFactory() .getProtocol( - commonConfig.isEnableSSL() + commonConfig.isEnableInternalSSL() ? DeepCopyRpcTransportFactory.INSTANCE.getTransport( endpoint.getIp(), endpoint.getPort(), diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/sync/SyncDataNodeMPPDataExchangeServiceClient.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/sync/SyncDataNodeMPPDataExchangeServiceClient.java index 9b0a6136cb3..0ff739554bb 100644 --- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/sync/SyncDataNodeMPPDataExchangeServiceClient.java +++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/sync/SyncDataNodeMPPDataExchangeServiceClient.java @@ -55,7 +55,7 @@ public class SyncDataNodeMPPDataExchangeServiceClient extends MPPDataExchangeSer property .getProtocolFactory() .getProtocol( - commonConfig.isEnableSSL() + commonConfig.isEnableInternalSSL() ? DeepCopyRpcTransportFactory.INSTANCE.getTransport( endpoint.getIp(), endpoint.getPort(), diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/sync/SyncPipeConsensusServiceClient.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/sync/SyncPipeConsensusServiceClient.java index d79854d29ed..4755a65c650 100644 --- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/sync/SyncPipeConsensusServiceClient.java +++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/sync/SyncPipeConsensusServiceClient.java @@ -55,7 +55,7 @@ public class SyncPipeConsensusServiceClient extends PipeConsensusIService.Client property .getProtocolFactory() .getProtocol( - commonConfig.isEnableSSL() + commonConfig.isEnableInternalSSL() ? DeepCopyRpcTransportFactory.INSTANCE.getTransport( endpoint.getIp(), endpoint.getPort(), diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonConfig.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonConfig.java index 3cf96f3951d..224939c4711 100644 --- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonConfig.java +++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonConfig.java @@ -416,8 +416,11 @@ public class CommonConfig { private volatile Pattern trustedUriPattern = Pattern.compile("file:.*"); - /** Enable the thrift Service ssl. */ - private boolean enableSSL = false; + /** Enable the Thrift Client ssl. */ + private boolean enableThriftClientSSL = false; + + /** Enable the cluster internal connection ssl. */ + private boolean enableInternalSSL = false; /** ssl key Store Path. */ private String keyStorePath = ""; @@ -2449,12 +2452,20 @@ public class CommonConfig { this.trustedUriPattern = trustedUriPattern; } - public boolean isEnableSSL() { - return enableSSL; + public boolean isEnableThriftClientSSL() { + return enableThriftClientSSL; + } + + public void setEnableThriftClientSSL(boolean enableThriftClientSSL) { + this.enableThriftClientSSL = enableThriftClientSSL; + } + + public boolean isEnableInternalSSL() { + return enableInternalSSL; } - public void setEnableSSL(boolean enableSSL) { - this.enableSSL = enableSSL; + public void setEnableInternalSSL(boolean enableInternalSSL) { + this.enableInternalSSL = enableInternalSSL; } public String getKeyStorePath() { diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonDescriptor.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonDescriptor.java index 472f6b2bc24..7c99e3e36ca 100644 --- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonDescriptor.java +++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonDescriptor.java @@ -451,10 +451,18 @@ public class CommonDescriptor { } public void initThriftSSL(TrimProperties properties) { - config.setEnableSSL( + config.setEnableThriftClientSSL( Boolean.parseBoolean( - properties.getProperty("enable_thrift_ssl", Boolean.toString(config.isEnableSSL())))); + properties.getProperty( + "enable_thrift_ssl", Boolean.toString(config.isEnableThriftClientSSL())))); + config.setEnableInternalSSL( + Boolean.parseBoolean( + properties.getProperty( + "enable_internal_connection_ssl", Boolean.toString(config.isEnableInternalSSL())))); config.setKeyStorePath(properties.getProperty("key_store_path", config.getKeyStorePath())); - config.setKeyStorePwd(properties.getProperty("key_store_pwd", config.getKeyStorePath())); + config.setKeyStorePwd(properties.getProperty("key_store_pwd", config.getKeyStorePwd())); + config.setTrustStorePath( + properties.getProperty("trust_store_path", config.getTrustStorePath())); + config.setTrustStorePwd(properties.getProperty("trust_store_pwd", config.getTrustStorePwd())); } } diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/service/AbstractThriftServiceThread.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/service/AbstractThriftServiceThread.java index 6c1aed0b55d..b787cf500e1 100644 --- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/service/AbstractThriftServiceThread.java +++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/service/AbstractThriftServiceThread.java @@ -192,6 +192,7 @@ public abstract class AbstractThriftServiceThread extends Thread { poolServer = new TThreadPoolServer(poolArgs); poolServer.setServerEventHandler(serverEventHandler); } catch (TTransportException e) { + logger.error("init TThreadPoolServer failed", e); catchFailedInitialization(e); } }
