(pinot) branch master updated: Support runtime reload for TLS resources (#12277)

xiangfu Mon, 22 Jan 2024 12:29:01 -0800

This is an automated email from the ASF dual-hosted git repository.

xiangfu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pinot.git



The following commit(s) were added to refs/heads/master by this push:
     new f1fec060a6 Support runtime reload for TLS resources (#12277)
f1fec060a6 is described below

commit f1fec060a62c43ee8544e0730b453452cedcf32d
Author: Haitao Zhang <hai...@startree.ai>
AuthorDate: Mon Jan 22 12:28:49 2024 -0800

    Support runtime reload for TLS resources (#12277)
    
    * build swappable tls resource bundle when possible
    
    * fix format
    
    * remove the limitation that secrets are from files
    
    * simplify logic
---
 pinot-common/pom.xml                               |   4 +
 .../org/apache/pinot/common/utils/TlsUtils.java    | 114 +++++++++++-----
 .../pinot/common/utils/grpc/GrpcQueryClient.java   |  14 +-
 .../apache/pinot/common/utils/TlsUtilsTest.java    | 143 +++++++++++++++++++++
 pinot-common/src/test/resources/tls/keystore.p12   | Bin 0 -> 2581 bytes
 pinot-common/src/test/resources/tls/truststore.p12 | Bin 0 -> 1186 bytes
 .../pinot/core/transport/grpc/GrpcQueryServer.java |   8 +-
 .../apache/pinot/core/util/ListenerConfigUtil.java |   2 +-
 pom.xml                                            |   7 +
 9 files changed, 242 insertions(+), 50 deletions(-)

diff --git a/pinot-common/pom.xml b/pinot-common/pom.xml
index 3fb09c7340..d5b3ee6a7e 100644
--- a/pinot-common/pom.xml
+++ b/pinot-common/pom.xml
@@ -397,6 +397,10 @@
       <groupId>com.github.seancfoley</groupId>
       <artifactId>ipaddress</artifactId>
     </dependency>
+    <dependency>
+      <groupId>io.github.hakky54</groupId>
+      <artifactId>sslcontext-kickstart-for-netty</artifactId>
+    </dependency>
   </dependencies>
   <profiles>
     <profile>
diff --git 
a/pinot-common/src/main/java/org/apache/pinot/common/utils/TlsUtils.java 
b/pinot-common/src/main/java/org/apache/pinot/common/utils/TlsUtils.java
index 6504bdf5ce..f883b88fcf 100644
--- a/pinot-common/src/main/java/org/apache/pinot/common/utils/TlsUtils.java
+++ b/pinot-common/src/main/java/org/apache/pinot/common/utils/TlsUtils.java
@@ -18,6 +18,7 @@
  */
 package org.apache.pinot.common.utils;
 
+import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Preconditions;
 import io.netty.handler.ssl.ClientAuth;
 import io.netty.handler.ssl.SslContext;
@@ -28,15 +29,15 @@ import java.net.MalformedURLException;
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.net.URL;
-import java.security.GeneralSecurityException;
 import java.security.KeyStore;
+import java.security.SecureRandom;
 import java.util.concurrent.atomic.AtomicReference;
 import javax.net.ssl.HttpsURLConnection;
-import javax.net.ssl.KeyManager;
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
-import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
+import nl.altindag.ssl.SSLFactory;
+import nl.altindag.ssl.exception.GenericSSLContextException;
 import org.apache.commons.lang.StringUtils;
 import org.apache.http.ssl.SSLContexts;
 import org.apache.pinot.common.config.TlsConfig;
@@ -60,6 +61,10 @@ public final class TlsUtils {
   private static final String TRUSTSTORE_PASSWORD = "truststore.password";
   private static final String SSL_PROVIDER = "ssl.provider";
 
+  private static final String FILE_SCHEME = "file";
+  private static final String FILE_SCHEME_PREFIX = FILE_SCHEME + "://";
+  private static final String FILE_SCHEME_PREFIX_WITHOUT_SLASH = FILE_SCHEME + 
":";
+
   private static final AtomicReference<SSLContext> SSL_CONTEXT_REF = new 
AtomicReference<>();
 
   private TlsUtils() {
@@ -136,7 +141,7 @@ public final class TlsUtils {
 
     try {
       KeyStore keyStore = KeyStore.getInstance(keyStoreType);
-      try (InputStream is = makeKeyStoreUrl(keyStorePath).openStream()) {
+      try (InputStream is = makeKeyOrTrustStoreUrl(keyStorePath).openStream()) 
{
         keyStore.load(is, keyStorePassword.toCharArray());
       }
 
@@ -176,7 +181,7 @@ public final class TlsUtils {
 
     try {
       KeyStore keyStore = KeyStore.getInstance(trustStoreType);
-      try (InputStream is = makeKeyStoreUrl(trustStorePath).openStream()) {
+      try (InputStream is = 
makeKeyOrTrustStoreUrl(trustStorePath).openStream()) {
         keyStore.load(is, trustStorePassword.toCharArray());
       }
 
@@ -213,25 +218,14 @@ public final class TlsUtils {
    */
   public static void installDefaultSSLSocketFactory(String keyStoreType, 
String keyStorePath, String keyStorePassword,
       String trustStoreType, String trustStorePath, String trustStorePassword) 
{
-    KeyManager[] keyManagers = null;
-    if (keyStorePath != null) {
-      keyManagers = createKeyManagerFactory(keyStorePath, keyStorePassword, 
keyStoreType).getKeyManagers();
-    }
-
-    TrustManager[] trustManagers = null;
-    if (trustStorePath != null) {
-      trustManagers = createTrustManagerFactory(trustStorePath, 
trustStorePassword, trustStoreType).getTrustManagers();
-    }
-
     try {
-      SSLContext sc = SSLContext.getInstance("SSL");
-      sc.init(keyManagers, trustManagers, new java.security.SecureRandom());
-
+      SSLFactory sslFactory = createSSLFactory(keyStoreType, keyStorePath, 
keyStorePassword,
+          trustStoreType, trustStorePath, trustStorePassword,
+          "SSL", new java.security.SecureRandom());
       // HttpsURLConnection
-      HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
-
-      setSslContext(sc);
-    } catch (GeneralSecurityException e) {
+      
HttpsURLConnection.setDefaultSSLSocketFactory(sslFactory.getSslSocketFactory());
+      setSslContext(sslFactory.getSslContext());
+    } catch (GenericSSLContextException e) {
       throw new IllegalStateException("Could not initialize SSL support", e);
     }
   }
@@ -240,14 +234,14 @@ public final class TlsUtils {
     return namespace + "." + suffix;
   }
 
-  public static URL makeKeyStoreUrl(String storePath)
+  public static URL makeKeyOrTrustStoreUrl(String storePath)
       throws URISyntaxException, MalformedURLException {
     URI inputUri = new URI(storePath);
     if (StringUtils.isBlank(inputUri.getScheme())) {
       if (storePath.startsWith("/")) {
-        return new URL("file://" + storePath);
+        return new URL(FILE_SCHEME_PREFIX + storePath);
       }
-      return new URL("file://./" + storePath);
+      return new URL(FILE_SCHEME_PREFIX + "./" + storePath);
     }
     return inputUri.toURL();
   }
@@ -293,14 +287,11 @@ public final class TlsUtils {
    * @param tlsConfig TLS config
    */
   public static SslContext buildClientContext(TlsConfig tlsConfig) {
+    SSLFactory sslFactory = createSSLFactory(tlsConfig);
     SslContextBuilder sslContextBuilder =
         
SslContextBuilder.forClient().sslProvider(SslProvider.valueOf(tlsConfig.getSslProvider()));
-    if (tlsConfig.getKeyStorePath() != null) {
-      sslContextBuilder.keyManager(createKeyManagerFactory(tlsConfig));
-    }
-    if (tlsConfig.getTrustStorePath() != null) {
-      sslContextBuilder.trustManager(createTrustManagerFactory(tlsConfig));
-    }
+    sslFactory.getKeyManagerFactory().ifPresent(sslContextBuilder::keyManager);
+    
sslFactory.getTrustManagerFactory().ifPresent(sslContextBuilder::trustManager);
     try {
       return sslContextBuilder.build();
     } catch (Exception e) {
@@ -317,11 +308,10 @@ public final class TlsUtils {
     if (tlsConfig.getKeyStorePath() == null) {
       throw new IllegalArgumentException("Must provide key store path for 
secured server");
     }
-    SslContextBuilder sslContextBuilder = 
SslContextBuilder.forServer(createKeyManagerFactory(tlsConfig))
+    SSLFactory sslFactory = createSSLFactory(tlsConfig);
+    SslContextBuilder sslContextBuilder = 
SslContextBuilder.forServer(sslFactory.getKeyManagerFactory().get())
         .sslProvider(SslProvider.valueOf(tlsConfig.getSslProvider()));
-    if (tlsConfig.getTrustStorePath() != null) {
-      sslContextBuilder.trustManager(createTrustManagerFactory(tlsConfig));
-    }
+    
sslFactory.getTrustManagerFactory().ifPresent(sslContextBuilder::trustManager);
     if (tlsConfig.isClientAuthEnabled()) {
       sslContextBuilder.clientAuth(ClientAuth.REQUIRE);
     }
@@ -331,4 +321,58 @@ public final class TlsUtils {
       throw new RuntimeException(e);
     }
   }
+
+  /**
+   * Create a {@link SSLFactory} instance with identity material and trust 
material swappable for a given TlsConfig
+   * @param tlsConfig {@link TlsConfig}
+   * @return a {@link SSLFactory} instance with identity material and trust 
material swappable
+   */
+  public static SSLFactory createSSLFactory(TlsConfig tlsConfig) {
+    return createSSLFactory(
+        tlsConfig.getKeyStoreType(), tlsConfig.getKeyStorePath(), 
tlsConfig.getKeyStorePassword(),
+        tlsConfig.getTrustStoreType(), tlsConfig.getTrustStorePath(), 
tlsConfig.getTrustStorePassword(),
+        null, null);
+  }
+
+  @VisibleForTesting
+  static SSLFactory createSSLFactory(
+      String keyStoreType, String keyStorePath, String keyStorePassword,
+      String trustStoreType, String trustStorePath, String trustStorePassword,
+      String sslContextProtocol, SecureRandom secureRandom) {
+    try {
+      SSLFactory.Builder sslFactoryBuilder = SSLFactory.builder();
+      InputStream keyStoreStream = null;
+      InputStream trustStoreStream = null;
+      if (keyStorePath != null) {
+        Preconditions.checkNotNull(keyStorePassword, "key store password must 
not be null");
+        keyStoreStream = makeKeyOrTrustStoreUrl(keyStorePath).openStream();
+        sslFactoryBuilder
+            .withSwappableIdentityMaterial()
+            .withIdentityMaterial(keyStoreStream, 
keyStorePassword.toCharArray(), keyStoreType);
+      }
+      if (trustStorePath != null) {
+        Preconditions.checkNotNull(trustStorePassword, "trust store password 
must not be null");
+        trustStoreStream = makeKeyOrTrustStoreUrl(trustStorePath).openStream();
+        sslFactoryBuilder
+            .withSwappableTrustMaterial()
+            .withTrustMaterial(trustStoreStream, 
trustStorePassword.toCharArray(), trustStoreType);
+      }
+      if (sslContextProtocol != null) {
+        sslFactoryBuilder.withSslContextAlgorithm(sslContextProtocol);
+      }
+      if (secureRandom != null) {
+        sslFactoryBuilder.withSecureRandom(secureRandom);
+      }
+      SSLFactory sslFactory = sslFactoryBuilder.build();
+      if (keyStoreStream != null) {
+        keyStoreStream.close();
+      }
+      if (trustStoreStream != null) {
+        trustStoreStream.close();
+      }
+      return sslFactory;
+    } catch (Exception e) {
+      throw new IllegalStateException(e);
+    }
+  }
 }
diff --git 
a/pinot-common/src/main/java/org/apache/pinot/common/utils/grpc/GrpcQueryClient.java
 
b/pinot-common/src/main/java/org/apache/pinot/common/utils/grpc/GrpcQueryClient.java
index 88611f427d..7194d454ca 100644
--- 
a/pinot-common/src/main/java/org/apache/pinot/common/utils/grpc/GrpcQueryClient.java
+++ 
b/pinot-common/src/main/java/org/apache/pinot/common/utils/grpc/GrpcQueryClient.java
@@ -27,9 +27,8 @@ import io.grpc.netty.shaded.io.netty.handler.ssl.SslProvider;
 import java.util.Collections;
 import java.util.Iterator;
 import java.util.concurrent.TimeUnit;
-import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLException;
-import javax.net.ssl.TrustManagerFactory;
+import nl.altindag.ssl.SSLFactory;
 import org.apache.pinot.common.config.GrpcConfig;
 import org.apache.pinot.common.proto.PinotQueryServerGrpc;
 import org.apache.pinot.common.proto.Server;
@@ -56,15 +55,10 @@ public class GrpcQueryClient {
               .usePlaintext().build();
     } else {
       try {
+        SSLFactory sslFactory = 
TlsUtils.createSSLFactory(config.getTlsConfig());
         SslContextBuilder sslContextBuilder = SslContextBuilder.forClient();
-        if (config.getTlsConfig().getKeyStorePath() != null) {
-          KeyManagerFactory keyManagerFactory = 
TlsUtils.createKeyManagerFactory(config.getTlsConfig());
-          sslContextBuilder.keyManager(keyManagerFactory);
-        }
-        if (config.getTlsConfig().getTrustStorePath() != null) {
-          TrustManagerFactory trustManagerFactory = 
TlsUtils.createTrustManagerFactory(config.getTlsConfig());
-          sslContextBuilder.trustManager(trustManagerFactory);
-        }
+        
sslFactory.getKeyManagerFactory().ifPresent(sslContextBuilder::keyManager);
+        
sslFactory.getTrustManagerFactory().ifPresent(sslContextBuilder::trustManager);
         if (config.getTlsConfig().getSslProvider() != null) {
           sslContextBuilder =
               GrpcSslContexts.configure(sslContextBuilder, 
SslProvider.valueOf(config.getTlsConfig().getSslProvider()));
diff --git 
a/pinot-common/src/test/java/org/apache/pinot/common/utils/TlsUtilsTest.java 
b/pinot-common/src/test/java/org/apache/pinot/common/utils/TlsUtilsTest.java
new file mode 100644
index 0000000000..b674af0deb
--- /dev/null
+++ b/pinot-common/src/test/java/org/apache/pinot/common/utils/TlsUtilsTest.java
@@ -0,0 +1,143 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.pinot.common.utils;
+
+import java.io.File;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.URISyntaxException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.nio.file.StandardCopyOption;
+import java.security.KeyManagementException;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+import java.security.cert.Certificate;
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509KeyManager;
+import javax.net.ssl.X509TrustManager;
+import nl.altindag.ssl.SSLFactory;
+import org.apache.commons.io.FileUtils;
+import org.testng.annotations.AfterClass;
+import org.testng.annotations.BeforeClass;
+import org.testng.annotations.Test;
+
+import static org.testng.Assert.assertEquals;
+
+
+public class TlsUtilsTest {
+  private static final String TLS_RESOURCE_FOLDER = "tls/";
+  private static final String TLS_KEYSTORE_FILE = "keystore.p12";
+  private static final String TLS_TRUSTSTORE_FILE = "truststore.p12";
+  private static final String[] TLS_RESOURCE_FILES = {TLS_KEYSTORE_FILE, 
TLS_TRUSTSTORE_FILE};
+  private static final String PASSWORD = "changeit";
+  private static final String KEYSTORE_TYPE = "PKCS12";
+  private static final String TRUSTSTORE_TYPE = "PKCS12";
+  private static final String DEFAULT_TEST_TLS_DIR
+      = new File(FileUtils.getTempDirectoryPath(), "test-tls-dir" + 
System.currentTimeMillis()).getAbsolutePath();
+
+  @BeforeClass
+  public void setUp()
+      throws IOException, URISyntaxException {
+    copyResourceFilesToTempFolder();
+  }
+
+  private static void copyResourceFilesToTempFolder()
+      throws URISyntaxException, IOException {
+    // Create the destination folder if it doesn't exist
+    Files.createDirectories(Paths.get(DEFAULT_TEST_TLS_DIR));
+    for (String fileName : TLS_RESOURCE_FILES) {
+      // Use the class loader to get the InputStream of the resource file
+      try (InputStream resourceStream
+          = 
TlsUtilsTest.class.getClassLoader().getResourceAsStream(TLS_RESOURCE_FOLDER + 
fileName)) {
+        if (resourceStream == null) {
+          throw new IOException("Resource file not found: " + fileName);
+        }
+        // Specify the destination path
+        Path destinationPath = Paths.get(DEFAULT_TEST_TLS_DIR, fileName);
+        // Use Files.copy to copy the file to the destination folder
+        Files.copy(resourceStream, destinationPath, 
StandardCopyOption.REPLACE_EXISTING);
+      } catch (IOException e) {
+        e.printStackTrace(); // Handle the exception as needed
+      }
+    }
+  }
+
+  @AfterClass
+  public void tearDown() {
+    FileUtils.deleteQuietly(new File(DEFAULT_TEST_TLS_DIR));
+  }
+
+  @Test
+  public void swappableSSLFactoryHasSameAsStaticOnes()
+      throws NoSuchAlgorithmException, KeyManagementException, IOException, 
URISyntaxException {
+    SecureRandom secureRandom = new SecureRandom();
+    KeyManagerFactory keyManagerFactory =
+        TlsUtils.createKeyManagerFactory(DEFAULT_TEST_TLS_DIR + "/" + 
TLS_KEYSTORE_FILE, PASSWORD,
+            KEYSTORE_TYPE);
+    TrustManagerFactory trustManagerFactory =
+        TlsUtils.createTrustManagerFactory(DEFAULT_TEST_TLS_DIR + "/" + 
TLS_TRUSTSTORE_FILE, PASSWORD,
+            TRUSTSTORE_TYPE);
+    SSLContext sslContext = SSLContext.getInstance("TLS");
+    sslContext.init(keyManagerFactory.getKeyManagers(), 
trustManagerFactory.getTrustManagers(), secureRandom);
+    SSLFactory sslFactory =
+        TlsUtils.createSSLFactory(KEYSTORE_TYPE, DEFAULT_TEST_TLS_DIR + "/" + 
TLS_KEYSTORE_FILE, PASSWORD,
+            TRUSTSTORE_TYPE, DEFAULT_TEST_TLS_DIR + "/" + TLS_TRUSTSTORE_FILE, 
PASSWORD,
+            "TLS", secureRandom);
+    KeyManagerFactory swappableKeyManagerFactory = 
sslFactory.getKeyManagerFactory().get();
+    assertEquals(swappableKeyManagerFactory.getKeyManagers().length, 
keyManagerFactory.getKeyManagers().length);
+    assertEquals(swappableKeyManagerFactory.getKeyManagers().length, 1);
+    assertSSLKeyManagersEqual(swappableKeyManagerFactory.getKeyManagers()[0], 
keyManagerFactory.getKeyManagers()[0]);
+    TrustManagerFactory swappableTrustManagerFactory = 
sslFactory.getTrustManagerFactory().get();
+    assertEquals(swappableTrustManagerFactory.getTrustManagers().length,
+        trustManagerFactory.getTrustManagers().length);
+    assertEquals(swappableTrustManagerFactory.getTrustManagers().length, 1);
+    
assertSSLTrustManagersEqual(swappableTrustManagerFactory.getTrustManagers()[0],
+        trustManagerFactory.getTrustManagers()[0]);
+    SSLContext swappableSSLContext = sslFactory.getSslContext();
+    assertEquals(swappableSSLContext.getProtocol(), sslContext.getProtocol());
+    assertEquals(swappableSSLContext.getProvider(), sslContext.getProvider());
+  }
+
+  private static void assertSSLKeyManagersEqual(KeyManager km1, KeyManager 
km2) {
+    X509KeyManager x509KeyManager1 = (X509KeyManager) km1;
+    X509KeyManager x509KeyManager2 = (X509KeyManager) km2;
+    assertEquals(x509KeyManager1.getPrivateKey("mykey"), 
x509KeyManager2.getPrivateKey("mykey"));
+
+    Certificate[] certs1 = x509KeyManager1.getCertificateChain("mykey");
+    Certificate[] certs2 = x509KeyManager2.getCertificateChain("mykey");
+    assertEquals(certs1.length, certs2.length);
+    assertEquals(certs1.length, 1);
+    assertEquals(certs1[0], certs2[0]);
+  }
+
+  private static void assertSSLTrustManagersEqual(TrustManager tm1, 
TrustManager tm2) {
+    X509TrustManager x509TrustManager1 = (X509TrustManager) tm1;
+    X509TrustManager x509TrustManager2 = (X509TrustManager) tm2;
+
+    assertEquals(x509TrustManager1.getAcceptedIssuers().length, 
x509TrustManager2.getAcceptedIssuers().length);
+    assertEquals(x509TrustManager1.getAcceptedIssuers().length, 1);
+    assertEquals(x509TrustManager1.getAcceptedIssuers()[0], 
x509TrustManager2.getAcceptedIssuers()[0]);
+  }
+}
diff --git a/pinot-common/src/test/resources/tls/keystore.p12 
b/pinot-common/src/test/resources/tls/keystore.p12
new file mode 100644
index 0000000000..d2a87e5dc6
Binary files /dev/null and b/pinot-common/src/test/resources/tls/keystore.p12 
differ
diff --git a/pinot-common/src/test/resources/tls/truststore.p12 
b/pinot-common/src/test/resources/tls/truststore.p12
new file mode 100644
index 0000000000..98c97bb079
Binary files /dev/null and b/pinot-common/src/test/resources/tls/truststore.p12 
differ
diff --git 
a/pinot-core/src/main/java/org/apache/pinot/core/transport/grpc/GrpcQueryServer.java
 
b/pinot-core/src/main/java/org/apache/pinot/core/transport/grpc/GrpcQueryServer.java
index b238d7de0c..7ac88bb6ba 100644
--- 
a/pinot-core/src/main/java/org/apache/pinot/core/transport/grpc/GrpcQueryServer.java
+++ 
b/pinot-core/src/main/java/org/apache/pinot/core/transport/grpc/GrpcQueryServer.java
@@ -31,6 +31,7 @@ import io.grpc.stub.StreamObserver;
 import java.io.IOException;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Executors;
+import nl.altindag.ssl.SSLFactory;
 import org.apache.pinot.common.config.GrpcConfig;
 import org.apache.pinot.common.config.TlsConfig;
 import org.apache.pinot.common.datatable.DataTable;
@@ -89,11 +90,10 @@ public class GrpcQueryServer extends 
PinotQueryServerGrpc.PinotQueryServerImplBa
     if (tlsConfig.getKeyStorePath() == null) {
       throw new IllegalArgumentException("Must provide key store path for 
secured gRpc server");
     }
-    SslContextBuilder sslContextBuilder = 
SslContextBuilder.forServer(TlsUtils.createKeyManagerFactory(tlsConfig))
+    SSLFactory sslFactory = TlsUtils.createSSLFactory(tlsConfig);
+    SslContextBuilder sslContextBuilder = 
SslContextBuilder.forServer(sslFactory.getKeyManagerFactory().get())
         .sslProvider(SslProvider.valueOf(tlsConfig.getSslProvider()));
-    if (tlsConfig.getTrustStorePath() != null) {
-      
sslContextBuilder.trustManager(TlsUtils.createTrustManagerFactory(tlsConfig));
-    }
+    
sslFactory.getTrustManagerFactory().ifPresent(sslContextBuilder::trustManager);
     if (tlsConfig.isClientAuthEnabled()) {
       sslContextBuilder.clientAuth(ClientAuth.REQUIRE);
     }
diff --git 
a/pinot-core/src/main/java/org/apache/pinot/core/util/ListenerConfigUtil.java 
b/pinot-core/src/main/java/org/apache/pinot/core/util/ListenerConfigUtil.java
index 93b729845a..a75f620600 100644
--- 
a/pinot-core/src/main/java/org/apache/pinot/core/util/ListenerConfigUtil.java
+++ 
b/pinot-core/src/main/java/org/apache/pinot/core/util/ListenerConfigUtil.java
@@ -304,7 +304,7 @@ public final class ListenerConfigUtil {
 
   private static File cacheInTempFile(String sourceUrl) {
     try {
-      URL url = TlsUtils.makeKeyStoreUrl(sourceUrl);
+      URL url = TlsUtils.makeKeyOrTrustStoreUrl(sourceUrl);
       if ("file".equals(url.getProtocol())) {
         return new File(url.getPath());
       }
diff --git a/pom.xml b/pom.xml
index bcee2e06af..99fd00dd94 100644
--- a/pom.xml
+++ b/pom.xml
@@ -163,6 +163,7 @@
     <joda-time.version>2.12.5</joda-time.version>
     <testng.version>7.8.0</testng.version>
     <woodstox.version>6.4.0</woodstox.version>
+    <sslcontext.kickstart.version>8.2.0</sslcontext.kickstart.version>
 
     <!-- Sets the VM argument line used when unit tests are run. -->
     <argLine>-Xms4g -Xmx4g</argLine>
@@ -1414,6 +1415,12 @@
       </dependency>
       <!-- Lucene dependencies end -->
 
+      <dependency>
+        <groupId>io.github.hakky54</groupId>
+        <artifactId>sslcontext-kickstart-for-netty</artifactId>
+        <version>${sslcontext.kickstart.version}</version>
+      </dependency>
+
     </dependencies>
   </dependencyManagement>
   <build>


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@pinot.apache.org
For additional commands, e-mail: commits-h...@pinot.apache.org

(pinot) branch master updated: Support runtime reload for TLS resources (#12277)

Reply via email to