apucher commented on a change in pull request #7653:
URL: https://github.com/apache/pinot/pull/7653#discussion_r738882026
##########
File path:
pinot-core/src/main/java/org/apache/pinot/server/access/AccessControl.java
##########
@@ -27,6 +28,13 @@
@InterfaceStability.Stable
public interface AccessControl {
+ /**
+ *
+ * @param channelHandlerContext netty tls context
+ * @return Whether the client has access to query server
+ */
+ boolean hasQueryServerAccess(ChannelHandlerContext channelHandlerContext);
+
Review comment:
would you mind giving me some additional context about why this is
required? IIRC the netty connection is already configured with 2-way TLS,
meaning that both server and broker need to trust the other's respective cert.
##########
File path: pinot-core/src/main/java/org/apache/pinot/core/util/TlsUtils.java
##########
@@ -101,23 +112,26 @@ public static TlsConfig
extractTlsConfig(PinotConfiguration pinotConfig, String
* @return KeyManagerFactory
*/
public static KeyManagerFactory createKeyManagerFactory(TlsConfig tlsConfig)
{
- return createKeyManagerFactory(tlsConfig.getKeyStorePath(),
tlsConfig.getKeyStorePassword());
+ return createKeyManagerFactory(tlsConfig.getKeyStorePath(),
+ tlsConfig.getKeyStorePassword(), tlsConfig.getKeyStoreType());
}
/**
* Create a KeyManagerFactory instance for a given path and key password
*
* @param keyStorePath store path
* @param keyStorePassword password
- *
+ * @param keyStoreType keystore type for keystore
* @return KeyManagerFactory
*/
- public static KeyManagerFactory createKeyManagerFactory(String keyStorePath,
String keyStorePassword) {
+ public static KeyManagerFactory createKeyManagerFactory(String keyStorePath,
String keyStorePassword,
+ String keyStoreType) {
Preconditions.checkNotNull(keyStorePath, "key store path must not be
null");
Preconditions.checkNotNull(keyStorePassword, "key store password must not
be null");
+ keyStoreType = StringUtils.isBlank(keyStoreType) ?
KeyStore.getDefaultType() : keyStoreType;
try {
- KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+ KeyStore keyStore = KeyStore.getInstance(keyStoreType);
Review comment:
if `keyStoreType` is null, what happens?
##########
File path:
pinot-core/src/main/java/org/apache/pinot/core/transport/QueryServer.java
##########
@@ -110,7 +119,9 @@ private void attachSSLHandler(SocketChannel ch) {
throw new IllegalArgumentException("Must provide key store path for
secured server");
}
- SslContextBuilder sslContextBuilder =
SslContextBuilder.forServer(TlsUtils.createKeyManagerFactory(_tlsConfig));
+ SslContextBuilder sslContextBuilder = SslContextBuilder
+ .forServer(TlsUtils.createKeyManagerFactory(_tlsConfig))
+ .sslProvider(SslProvider.OPENSSL);
Review comment:
I'm all for using a native implementation. I wonder if SSLContext
creation should be streamlined with a utility method in `TlsUtils`. I'd imagine
that any access, even via rest, would benefit from the performance improvement.
This would imply that the ssl provider becomes a property of TLsConfig as
well.
##########
File path: pinot-core/pom.xml
##########
@@ -32,6 +32,7 @@
<name>Pinot Core</name>
<url>https://pinot.apache.org/</url>
<properties>
+ <netty-tcnative.version>2.0.36.Final</netty-tcnative.version>
Review comment:
imo dependency management should be handled in the root pom, if possible.
##########
File path:
pinot-core/src/main/java/org/apache/pinot/core/transport/QueryServer.java
##########
@@ -56,9 +60,11 @@
* @param port bind port
* @param queryScheduler query scheduler
* @param serverMetrics server metrics
+ * @param accessControlFactory access control factory for netty channel
*/
- public QueryServer(int port, QueryScheduler queryScheduler, ServerMetrics
serverMetrics) {
- this(port, queryScheduler, serverMetrics, null);
+ public QueryServer(int port, QueryScheduler queryScheduler, ServerMetrics
serverMetrics,
Review comment:
we may want to consider either removing this constructor entirely, or
retaining one for non-tls use without both TLS related configs
##########
File path:
pinot-connectors/presto-pinot-driver/src/main/java/org/apache/pinot/connector/presto/PinotScatterGatherQueryClient.java
##########
@@ -98,10 +97,14 @@ public ErrorCode getErrorCode() {
private final boolean _clientAuthEnabled;
+ private final String _trustStoreType;
+
private final String _trustStorePath;
private final String _trustStorePassword;
+ private final String _keyStoreType;
+
private final String _keyStorePath;
private final String _keyStorePassword;
Review comment:
I'd suggest to store all these properties inside a `TlsConfig` container
instance directly.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
