This is an automated email from the ASF dual-hosted git repository. haonan pushed a commit to branch fix_ratis_tls_config in repository https://gitbox.apache.org/repos/asf/iotdb.git
commit f10521f864aa9861f90affc9ee738b6e5051508d Author: HTHou <[email protected]> AuthorDate: Sun Sep 28 17:29:35 2025 +0800 Fix ratis TLS not working
---
 .../java/org/apache/iotdb/consensus/ratis/RatisClient.java | 13 +++++++++++--
 .../org/apache/iotdb/consensus/ratis/RatisConsensus.java | 9 ++++++---
 .../java/org/apache/iotdb/consensus/ratis/utils/Utils.java | 9 ++++++++-
 pom.xml | 1 +
 4 files changed, 26 insertions(+), 6 deletions(-)
diff --git a/iotdb-core/consensus/src/main/java/org/apache/iotdb/consensus/ratis/RatisClient.java b/iotdb-core/consensus/src/main/java/org/apache/iotdb/consensus/ratis/RatisClient.java
index 43f0a82561c..7b674493e1b 100644
--- a/iotdb-core/consensus/src/main/java/org/apache/iotdb/consensus/ratis/RatisClient.java
+++ b/iotdb-core/consensus/src/main/java/org/apache/iotdb/consensus/ratis/RatisClient.java
@@ -27,6 +27,7 @@ import org.apache.commons.pool2.PooledObject;
 import org.apache.commons.pool2.impl.DefaultPooledObject;
 import org.apache.ratis.client.RaftClient;
 import org.apache.ratis.client.RaftClientRpc;
+import org.apache.ratis.conf.Parameters;
 import org.apache.ratis.conf.RaftProperties;
 import org.apache.ratis.protocol.RaftGroup;
 import org.apache.ratis.protocol.exceptions.LeaderSteppingDownException;
@@ -89,16 +90,19 @@ class RatisClient implements AutoCloseable {
 private final RaftProperties raftProperties;
 private final RaftClientRpc clientRpc;
 private final RatisConfig.Client config;
+ private final Parameters parameters;
 public Factory(
 ClientManager<RaftGroup, RatisClient> clientManager,
 RaftProperties raftProperties,
 RaftClientRpc clientRpc,
- RatisConfig.Client config) {
+ RatisConfig.Client config,
+ Parameters parameters) {
 super(clientManager);
 this.raftProperties = raftProperties;
 this.clientRpc = clientRpc;
 this.config = config;
+ this.parameters = parameters;
 }
 @Override
@@ -116,6 +120,7 @@ class RatisClient implements AutoCloseable {
 .setRaftGroup(group)
 .setRetryPolicy(new RatisRetryPolicy(config))
 .setClientRpc(clientRpc)
+ .setParameters(parameters)
 .build(),
 clientManager));
 }
@@ -131,16 +136,19 @@ class RatisClient implements AutoCloseable {
 private final RaftProperties raftProperties;
 private final RaftClientRpc clientRpc;
 private final RatisConfig.Client config;
+ private final Parameters parameters;
 public EndlessRetryFactory(
 ClientManager<RaftGroup, RatisClient> clientManager,
 RaftProperties raftProperties,
 RaftClientRpc clientRpc,
- RatisConfig.Client config) {
+ RatisConfig.Client config,
+ Parameters parameters) {
 super(clientManager);
 this.raftProperties = raftProperties;
 this.clientRpc = clientRpc;
 this.config = config;
+ this.parameters = parameters;
 }
 @Override
@@ -157,6 +165,7 @@ class RatisClient implements AutoCloseable {
 .setProperties(raftProperties)
 .setRaftGroup(group)
 .setRetryPolicy(new RatisEndlessRetryPolicy(config))
+ .setParameters(parameters)
 .setClientRpc(clientRpc)
 .build(),
 clientManager));
diff --git a/iotdb-core/consensus/src/main/java/org/apache/iotdb/consensus/ratis/RatisConsensus.java b/iotdb-core/consensus/src/main/java/org/apache/iotdb/consensus/ratis/RatisConsensus.java
index 434411dd051..045fa779174 100644
--- a/iotdb-core/consensus/src/main/java/org/apache/iotdb/consensus/ratis/RatisConsensus.java
+++ b/iotdb-core/consensus/src/main/java/org/apache/iotdb/consensus/ratis/RatisConsensus.java
@@ -122,6 +122,7 @@ class RatisConsensus implements IConsensus {
 private final RaftProperties properties = new RaftProperties();
 private final RaftClientRpc clientRpc;
+ private final Parameters parameters;
 private final IClientManager<RaftGroup, RatisClient> clientManager;
 private final IClientManager<RaftGroup, RatisClient> reconfigurationClientManager;
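Review bot: The two client builder chains in RatisClient.java place the new call differently: in the `@@ -116` hunk `.setParameters(parameters)` comes after `.setClientRpc(clientRpc)`, while in the `@@ -157` hunk it comes before it. Using one order in both factories, e.g. `.setClientRpc(clientRpc)` followed by `.setParameters(parameters)`, keeps the two otherwise parallel bodies easy to compare. The new constructor argument in the `@@ -89` and `@@ -131` hunks is also undocumented; a one-line Javadoc such as `@param parameters Ratis parameters applied to every client this factory builds` would state what it is for. The enclosing classes and methods start outside these hunks.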
@@ -158,7 +159,7 @@ class RatisConsensus implements IConsensus {
 RaftServerConfigKeys.setStorageDir(properties, Collections.singletonList(storageDir));
 GrpcConfigKeys.Server.setPort(properties, config.getThisNodeEndPoint().getPort());
- Parameters parameters = Utils.initRatisConfig(properties, config.getRatisConfig());
+ this.parameters = Utils.initRatisConfig(properties, config.getRatisConfig());
 this.config = config.getRatisConfig();
 this.readOption = this.config.getRead().getReadOption();
 this.canServeStaleRead =
@@ -223,6 +224,7 @@ class RatisConsensus implements IConsensus {
 .setServerId(myself.getId())
 .setProperties(properties)
 .setOption(RaftStorage.StartupOption.RECOVER)
+ .setParameters(parameters)
 .setStateMachineRegistry(
 raftGroupId ->
 new ApplicationStateMachineProxy(
@@ -1034,8 +1036,9 @@ class RatisConsensus implements IConsensus {
 new GenericKeyedObjectPool<>(
 isReconfiguration
 ? new RatisClient.EndlessRetryFactory(
- manager, properties, clientRpc, config.getClient())
- : new RatisClient.Factory(manager, properties, clientRpc, config.getClient()),
+ manager, properties, clientRpc, config.getClient(), parameters)
+ : new RatisClient.Factory(
+ manager, properties, clientRpc, config.getClient(), parameters),
 new ClientPoolProperty.Builder<RatisClient>()
 .setMaxClientNumForEachNode(config.getClient().getMaxClientNumForEachNode())
 .build()
diff --git a/iotdb-core/consensus/src/main/java/org/apache/iotdb/consensus/ratis/utils/Utils.java b/iotdb-core/consensus/src/main/java/org/apache/iotdb/consensus/ratis/utils/Utils.java
index ca8f71ddf9e..1a62743d2d7 100644
--- a/iotdb-core/consensus/src/main/java/org/apache/iotdb/consensus/ratis/utils/Utils.java
+++ b/iotdb-core/consensus/src/main/java/org/apache/iotdb/consensus/ratis/utils/Utils.java
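Review bot: In the `@@ -1034` hunk of RatisConsensus.java both factories now receive `parameters` but still reuse the pre-built `clientRpc`, whose construction lies outside the visible hunks. If that RPC object was created without the same `Parameters`, setting them on the client builder may not put the TLS configuration on the channel that is actually used, so this is worth confirming with a test that a pooled client connects with TLS enabled. The new field in the `@@ -122` hunk would also benefit from a comment, e.g. `// Ratis Parameters (presumably carrying the gRPC TLS config) shared by the server and all pooled clients.` The constructor and the pool-building method both continue outside these hunks.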
@@ -55,6 +55,7 @@ import javax.net.ssl.KeyManager;
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509TrustManager;
 import java.io.File;
 import java.io.InputStream;
@@ -385,7 +386,13 @@ public class Utils {
 TrustManagerFactory tmf =
 TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
 tmf.init(trustStore);
- TrustManager trustManager = tmf.getTrustManagers()[0];
+ TrustManager originalTrustManager = tmf.getTrustManagers()[0];
+
+ // The self-signed certification may not set Subject Alternative Name (SAN)
+ // Thrift with ssl didn't check it, but Grpc did.
+ // Wrap to disable the verification
+ TrustManager trustManager =
+ new NoHostnameVerificationTrustManager((X509TrustManager) originalTrustManager);
 GrpcConfigKeys.TLS.setConf(parameters, new GrpcTlsConfig(keyManager, trustManager, true));
 } catch (Exception e) {
 LOGGER.error("Failed to read key store or trust store.", e);
diff --git a/pom.xml b/pom.xml
index dd35c7987f0..a15aef31278 100644
--- a/pom.xml
+++ b/pom.xml
@@ -155,6 +155,7 @@
 <sonar.coverage.jacoco.xmlReportPaths>target/jacoco-merged-reports/jacoco.xml</sonar.coverage.jacoco.xmlReportPaths>
 <!-- Exclude all generated code -->
 <sonar.exclusions>**/generated-sources</sonar.exclusions>
+ <sonar.test.exclusions>**/test/*</sonar.test.exclusions>
 <!-- URL of the ASF SonarQube server -->
 <sonar.host.url>https://sonarcloud.io</sonar.host.url>
 <sonar.java.checkstyle.reportPaths>target/checkstyle-report.xml</sonar.java.checkstyle.reportPaths>
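Review bot: Wrapping the trust manager in `NoHostnameVerificationTrustManager` in the `@@ -385` hunk of Utils.java disables hostname/SAN checking for every Ratis gRPC connection, not only for deployments whose certificates lack a SAN. A peer is then authenticated solely by its certificate chaining to the trust store, so any holder of a trusted certificate is accepted for any node address. Consider applying the wrapper only behind an explicit configuration switch with a warning logged when it is active, and make the comment state the consequence, e.g. `// Hostname/SAN verification is disabled: peers are authenticated only by chain validation against the trust store.` The unchecked cast `(X509TrustManager) originalTrustManager` should be guarded with an `instanceof` check, because a `ClassCastException` would land in the `catch (Exception e)` below, which in the visible lines only logs; whether the node then runs without TLS cannot be seen here, as the method continues outside the hunk. The wrapper class itself is not part of this diff and should be reviewed alongside it.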
