pyjams opened a new pull request, #6776: URL: https://github.com/apache/hop/pull/6776
## Native SSH Tunnel support for database connections Addresses #6573 ### Problem Currently, Apache Hop has no built-in way to connect to databases that sit inside private networks behind an SSH bastion host. Users are forced to set up external SSH tunnels manually (e.g. via `ssh -L`) before running pipelines, which complicates deployment and is error-prone in automated/containerised environments. ### Solution This PR adds **native SSH tunnel support** directly in the database connection metadata, so that Hop can transparently open an SSH tunnel before establishing the JDBC connection — no external tooling required. #### What changed - **`SshTunnelManager`** (new class): manages JSch SSH sessions with local port forwarding. Supports three authentication methods: password, keyboard-interactive, and private key (with optional passphrase). Includes a 30-second keepalive interval to prevent VPN/firewall idle-connection drops. - **`IDatabase` / `BaseDatabaseMeta`**: added SSH tunnel configuration fields (`sshEnabled`, `sshHost`, `sshPort`, `sshUsername`, `sshPassword`, `sshPrivateKey`, `sshPassphrase`) persisted via `@HopMetadataProperty`. - **`DatabaseMeta`**: delegate getters/setters for the new SSH fields. - **`Database`**: opens the SSH tunnel *before* the JDBC connect and rewrites the JDBC URL to point to `localhost:<localPort>`. The tunnel is closed in `closeConnectionOnly()` (not `disconnect()`) to avoid premature teardown when connections are shared across a pipeline connection group. - **`DatabaseMetaEditor`** (UI): new **"SSH Tunnel"** tab in the database connection dialog, with fields that enable/disable dynamically based on the selected authentication method. - **i18n**: English and Italian labels. #### Testing - 5 unit tests for `SshTunnelManager` (session creation, port forwarding, authentication modes, error handling) - 5 unit tests for `Database` SSH tunnel integration (tunnel open/close lifecycle, URL rewriting, grouped connections) - Manual testing verified with MySQL over SSH tunnel #### Checklist - [x] `mvn clean install apache-rat:check` passes - [x] Single commit, no squash needed - [x] I hereby declare this contribution to be licensed under the [Apache License Version 2.0, January 2004](http://www.apache.org/licenses/LICENSE-2.0) #### Dependencies Added `com.jcraft:jsch:0.1.55` to `core/pom.xml` (widely used, Apache-compatible BSD license). #### Note: pre-existing LDAP build failure The `hop-transform-ldap` module fails to compile on current `main` due to commit `859d0dbc` (PR #6665 — LDAP XML cleanup) which changed several methods in `LdapOutputMeta` and `LdapInputMeta` to `private` that are still called by external converter classes (`LdapOutputOperationTypeConverter`, `LdapOutputDerefAliasesTypeConverter`, `LdapOutputReferralTypeConverter`, `LdapInputSearchScopeConverter`). **This is unrelated to the changes in this PR.** -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
