zhtaoxiang commented on code in PR #12325:
URL: https://github.com/apache/pinot/pull/12325#discussion_r1468989532


##########
pinot-common/src/test/java/org/apache/pinot/common/utils/TlsUtilsTest.java:
##########
@@ -140,4 +167,119 @@ private static void 
assertSSLTrustManagersEqual(TrustManager tm1, TrustManager t
     assertEquals(x509TrustManager1.getAcceptedIssuers().length, 1);
     assertEquals(x509TrustManager1.getAcceptedIssuers()[0], 
x509TrustManager2.getAcceptedIssuers()[0]);
   }
+
+  @Test
+  public void reloadSslFactoryWhenFileStoreChanges()
+      throws IOException, URISyntaxException, InterruptedException {
+    SecureRandom secureRandom = new SecureRandom();
+    SSLFactory sslFactory = TlsUtils.createSSLFactory(KEYSTORE_TYPE, 
TLS_KEYSTORE_FILE_PATH, PASSWORD, TRUSTSTORE_TYPE,
+        TLS_TRUSTSTORE_FILE_PATH, PASSWORD, "TLS", secureRandom, true);
+    X509ExtendedKeyManager x509ExtendedKeyManager = 
sslFactory.getKeyManager().get();
+    X509ExtendedTrustManager x509ExtendedTrustManager = 
sslFactory.getTrustManager().get();
+    SSLContext sslContext = sslFactory.getSslContext();
+
+    PrivateKey privateKey = 
x509ExtendedKeyManager.getPrivateKey(KEY_NAME_ALIAS);
+    Certificate certForPrivateKey = 
x509ExtendedKeyManager.getCertificateChain(KEY_NAME_ALIAS)[0];
+    X509Certificate acceptedIssuerForCert = 
x509ExtendedTrustManager.getAcceptedIssuers()[0];
+
+    // start a new thread to reload the ssl factory when the tls files change
+    ExecutorService executorService = Executors.newSingleThreadExecutor();
+    executorService.execute(
+        () -> {
+          try {
+            TlsUtils.reloadSslFactoryWhenFileStoreChanges(sslFactory, 
KEYSTORE_TYPE, TLS_KEYSTORE_FILE_PATH, PASSWORD,
+                TRUSTSTORE_TYPE, TLS_TRUSTSTORE_FILE_PATH, PASSWORD, "TLS", 
secureRandom);
+          } catch (Exception e) {
+            throw new RuntimeException(e);
+          }
+        });
+
+    WatchService watchService = FileSystems.getDefault().newWatchService();
+    Map<WatchKey, Set<Path>> watchKeyPathMap = new HashMap<>();
+    TlsUtils.registerFile(watchService, watchKeyPathMap, 
TLS_KEYSTORE_FILE_PATH);
+    TlsUtils.registerFile(watchService, watchKeyPathMap, 
TLS_TRUSTSTORE_FILE_PATH);
+
+    // wait for the thread to start
+    Thread.sleep(1000);
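Review bot: A failure inside the background task started with `executorService.execute(...)` is rethrown as a `RuntimeException` on the worker thread, where the test never observes it. If the reload of the key and trust material broke, it would show up only indirectly, as a later assertion failure or a timeout. Consider `Future<?> reloadTask = executorService.submit(...)` and checking that future after the assertions, so that a reload error fails the test with its real cause. The visible lines also create an `ExecutorService` and a `WatchService` without releasing them; the test method continues past the quoted hunk, so this may already be handled there, but if not, a `finally` with `executorService.shutdownNow();` and `watchService.close();` would keep the watcher thread from outliving the test.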

Review Comment:
   updated to 100ms


