apucher opened a new pull request #6418: URL: https://github.com/apache/incubator-pinot/pull/6418
**DRAFT** **DISCUSS**: use single TLS keystore/truststore config for all TLS connections of a single process, e.g. combine `pinot.broker.client.tls` and `pinot.broker.netty.tls`?

## Description

We add support for TLS-secured connections between pinot clients, brokers, controllers, and servers:

- client-controller (https, refactored existing)
- client-broker (https)
- controller-broker relay (https)
- broker-server (netty)

The implementation supports legacy http, 1-way TLS, and 2-way TLS.

## Upgrade Notes

Does this PR prevent a zero down-time upgrade? (Assume upgrade order: Controller, Broker, Server, Minion) **No**

Does this PR fix a zero-downtime upgrade introduced earlier? **No**

Does this PR otherwise need attention when creating release notes? **Yes**

## Release Notes

Add support for TLS-secured connections. TLS can be configured using the following new (or refactored) properties:

pinot-broker REST api

- pinot.broker.client.protocol (`http` or `https`)
- pinot.broker.client.tls.keystore.path
- pinot.broker.client.tls.keystore.password
- pinot.broker.client.tls.truststore.path
- pinot.broker.client.tls.truststore.password
- pinot.broker.client.tls.client.auth (`true` or `false`)

pinot-broker netty client

- pinot.broker.netty.tls.enabled (`true` or `false`)
- pinot.broker.netty.tls.keystore.path
- pinot.broker.netty.tls.keystore.password
- pinot.broker.netty.tls.truststore.path
- pinot.broker.netty.tls.truststore.password
- pinot.broker.netty.tls.client.auth (`true` or `false`)

pinot-controller REST api

- pinot.controller.access.protocols (`http` or `https` or `http,https`)
- pinot.controller.access.protocols.https.tls.keystore.path
- pinot.controller.access.protocols.https.tls.keystore.password
- pinot.controller.access.protocols.https.tls.truststore.path
- pinot.controller.access.protocols.https.tls.truststore.password
- pinot.controller.access.protocols.https.tls.client.auth (`true` or `false`)

pinot-controller REST broker relay

- pinot.controller.broker.protocol (`http` or `https`)
- pinot.controller.broker.tls.keystore.path
- pinot.controller.broker.tls.keystore.password
- pinot.controller.broker.tls.truststore.path
- pinot.controller.broker.tls.truststore.password
- pinot.controller.broker.tls.client.auth (`true` or `false`)

pinot-server netty server

- pinot.server.netty.tls.enabled (`true` or `false`)
- pinot.server.netty.tls.keystore.path
- pinot.server.netty.tls.keystore.password
- pinot.server.netty.tls.truststore.path
- pinot.server.netty.tls.truststore.password
- pinot.server.netty.tls.client.auth (`true` or `false`)

## Documentation

TBD

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at: [email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
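The properties above are split across five endpoints, and a practitioner deploying 1-way or 2-way TLS has to keep each accepting side (keystore, optional truststore when `client.auth` is on) consistent with the side that connects to it (truststore, keystore only if the peer demands client certificates). The checker below is an added example, not Pinot's own code: it takes the property names exactly as listed in this PR, pairs the broker netty client with the server netty server and the controller relay with the broker REST endpoint, and reports the configuration gaps that would cause a TLS handshake to fail or a verification step to be silently skipped. All paths and passwords in the sample config are constructed.

```python
"""Hypothetical consistency checker for the Pinot TLS properties in PR #6418."""
from typing import Dict, List

# (name, switch key, values meaning "TLS on", property prefix, accepts connections?)
ENDPOINTS = [
    ("broker REST", "pinot.broker.client.protocol", {"https"}, "pinot.broker.client.tls", True),
    ("broker netty", "pinot.broker.netty.tls.enabled", {"true"}, "pinot.broker.netty.tls", False),
    ("controller REST", "pinot.controller.access.protocols", {"https"},
     "pinot.controller.access.protocols.https.tls", True),
    ("controller relay", "pinot.controller.broker.protocol", {"https"}, "pinot.controller.broker.tls", False),
    ("server netty", "pinot.server.netty.tls.enabled", {"true"}, "pinot.server.netty.tls", True),
]
# connecting endpoint -> accepting endpoint it talks to
PEERS = {"broker netty": "server netty", "controller relay": "broker REST"}

# Constructed sample: 2-way TLS broker->server, but the server never got a truststore,
# and the controller relay speaks https to a broker REST endpoint still on http.
SAMPLE_CONFIG = {
    "pinot.broker.netty.tls.enabled": "true",
    "pinot.broker.netty.tls.keystore.path": "/etc/pinot/broker.p12",
    "pinot.broker.netty.tls.keystore.password": "<placeholder>",
    "pinot.broker.netty.tls.truststore.path": "/etc/pinot/truststore.p12",
    "pinot.broker.netty.tls.truststore.password": "<placeholder>",
    "pinot.server.netty.tls.enabled": "true",
    "pinot.server.netty.tls.keystore.path": "/etc/pinot/server.p12",
    "pinot.server.netty.tls.keystore.password": "<placeholder>",
    "pinot.server.netty.tls.client.auth": "true",
    "pinot.controller.broker.protocol": "https",
    "pinot.controller.broker.tls.truststore.path": "/etc/pinot/truststore.p12",
    "pinot.broker.client.protocol": "http",
}

def tls_on(cfg: Dict[str, str], ep) -> bool:
    # The controller accepts a comma list such as "http,https"; TLS is on if https is listed.
    return bool(set(cfg.get(ep[1], "").lower().replace(" ", "").split(",")) & ep[2])

def client_auth(cfg: Dict[str, str], prefix: str) -> bool:
    return cfg.get(f"{prefix}.client.auth", "false").lower() == "true"

def check_tls(cfg: Dict[str, str]) -> List[str]:
    findings: List[str] = []
    by_name = {ep[0]: ep for ep in ENDPOINTS}
    for name, _key, _on, prefix, is_server in ENDPOINTS:
        if not tls_on(cfg, by_name[name]):
            continue  # plain http / netty without TLS: nothing to verify
        has = lambda suffix: bool(cfg.get(f"{prefix}.{suffix}"))
        if is_server:
            if not (has("keystore.path") and has("keystore.password")):
                findings.append(f"{name}: TLS on but no keystore to present a certificate")
            if client_auth(cfg, prefix) and not has("truststore.path"):
                findings.append(f"{name}: client.auth=true but no truststore to verify client certificates")
        elif not has("truststore.path"):
            findings.append(f"{name}: TLS on but no truststore; server certificates cannot be verified")
    for client, server in PEERS.items():
        c_on, s_on = tls_on(cfg, by_name[client]), tls_on(cfg, by_name[server])
        if c_on != s_on:
            findings.append(f"{client} -> {server}: TLS enabled on one side only")
        if s_on and client_auth(cfg, by_name[server][3]) and not cfg.get(f"{by_name[client][3]}.keystore.path"):
            findings.append(f"{client} -> {server}: server requires client certs but client has no keystore")
    return findings

if __name__ == "__main__":
    for finding in check_tls(SAMPLE_CONFIG):
        print(finding)
```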
