jasperjiaguo commented on a change in pull request #7653:
URL: https://github.com/apache/pinot/pull/7653#discussion_r740540089
##########
File path: pinot-core/src/main/java/org/apache/pinot/core/util/TlsUtils.java
##########
@@ -101,23 +112,26 @@ public static TlsConfig
extractTlsConfig(PinotConfiguration pinotConfig, String
* @return KeyManagerFactory
*/
public static KeyManagerFactory createKeyManagerFactory(TlsConfig tlsConfig)
{
- return createKeyManagerFactory(tlsConfig.getKeyStorePath(),
tlsConfig.getKeyStorePassword());
+ return createKeyManagerFactory(tlsConfig.getKeyStorePath(),
+ tlsConfig.getKeyStorePassword(), tlsConfig.getKeyStoreType());
}
/**
* Create a KeyManagerFactory instance for a given path and key password
*
* @param keyStorePath store path
* @param keyStorePassword password
- *
+ * @param keyStoreType keystore type for keystore
* @return KeyManagerFactory
*/
- public static KeyManagerFactory createKeyManagerFactory(String keyStorePath,
String keyStorePassword) {
+ public static KeyManagerFactory createKeyManagerFactory(String keyStorePath,
String keyStorePassword,
+ String keyStoreType) {
Preconditions.checkNotNull(keyStorePath, "key store path must not be
null");
Preconditions.checkNotNull(keyStorePassword, "key store password must not
be null");
+ keyStoreType = StringUtils.isBlank(keyStoreType) ?
KeyStore.getDefaultType() : keyStoreType;
try {
- KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+ KeyStore keyStore = KeyStore.getInstance(keyStoreType);
Review comment:
`keyStoreType = StringUtils.isBlank(keyStoreType) ?
KeyStore.getDefaultType() : keyStoreType;`
It will be set to the default keystore type. Same logic applies for the
truststore type.
##########
File path:
pinot-connectors/presto-pinot-driver/src/main/java/org/apache/pinot/connector/presto/PinotScatterGatherQueryClient.java
##########
@@ -98,10 +97,14 @@ public ErrorCode getErrorCode() {
private final boolean _clientAuthEnabled;
+ private final String _trustStoreType;
+
private final String _trustStorePath;
private final String _trustStorePassword;
+ private final String _keyStoreType;
+
private final String _keyStorePath;
private final String _keyStorePassword;
Review comment:
resolved
##########
File path:
pinot-connectors/presto-pinot-driver/src/main/java/org/apache/pinot/connector/presto/PinotScatterGatherQueryClient.java
##########
@@ -73,8 +73,7 @@ public boolean isRetriable() {
}
}
- public static class PinotException
- extends RuntimeException {
+ public static class PinotException extends RuntimeException {
Review comment:
resolved
##########
File path: pinot-core/pom.xml
##########
@@ -32,6 +32,7 @@
<name>Pinot Core</name>
<url>https://pinot.apache.org/</url>
<properties>
+ <netty-tcnative.version>2.0.36.Final</netty-tcnative.version>
Review comment:
resolved
##########
File path:
pinot-core/src/main/java/org/apache/pinot/server/access/AllowAllAccessFactory.java
##########
@@ -16,13 +16,19 @@
* specific language governing permissions and limitations
* under the License.
*/
-package org.apache.pinot.server.api.access;
+package org.apache.pinot.server.access;
Review comment:
@apucher In `BaseServerStarter` we have
```String accessControlFactoryClass =
_serverConf.getProperty(Server.ACCESS_CONTROL_FACTORY_CLASS,
Server.DEFAULT_ACCESS_CONTROL_FACTORY_CLASS);```
where I have changed `DEFAULT_ACCESS_CONTROL_FACTORY_CLASS` to
`org.apache.pinot.server.access.AllowAllAccessFactory`, and left
`ACCESS_CONTROL_FACTORY_CLASS` unchanged
(`org.apache.pinot.server.api.access.AllowAllAccessFactory`).
So if the current installation is using default (not configuring
`pinot.server.admin.access.control.factory.class`) or configuring it to
customized class there should be no problem.
IIUC, the only case that will cause problem is someone explicitly configured
`pinot.server.admin.access.control.factory.class` to
`org.apache.pinot.server.api.access.AllowAllAccessFactory`. Do you know any use
case configured in this way?
##########
File path:
pinot-core/src/main/java/org/apache/pinot/core/transport/QueryServer.java
##########
@@ -110,7 +119,9 @@ private void attachSSLHandler(SocketChannel ch) {
throw new IllegalArgumentException("Must provide key store path for
secured server");
}
- SslContextBuilder sslContextBuilder =
SslContextBuilder.forServer(TlsUtils.createKeyManagerFactory(_tlsConfig));
+ SslContextBuilder sslContextBuilder = SslContextBuilder
+ .forServer(TlsUtils.createKeyManagerFactory(_tlsConfig))
+ .sslProvider(SslProvider.OPENSSL);
Review comment:
Agreed on the idea of adding native implementation to TLsConfig. Will do.
For creating a streamlined creation method in TlsUtils I think we can start
another PR dedicated for this inssue, so that this PR can be on encryption and
authz.
##########
File path:
pinot-core/src/main/java/org/apache/pinot/core/transport/QueryServer.java
##########
@@ -56,9 +60,11 @@
* @param port bind port
* @param queryScheduler query scheduler
* @param serverMetrics server metrics
+ * @param accessControlFactory access control factory for netty channel
*/
- public QueryServer(int port, QueryScheduler queryScheduler, ServerMetrics
serverMetrics) {
- this(port, queryScheduler, serverMetrics, null);
+ public QueryServer(int port, QueryScheduler queryScheduler, ServerMetrics
serverMetrics,
Review comment:
Fixed in
https://github.com/apache/pinot/pull/7653/commits/32d1130027aa777a72af7e428647363cd3c35568.
Is this what you are suggesting?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscr...@pinot.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@pinot.apache.org
For additional commands, e-mail: commits-h...@pinot.apache.org
