nastra commented on code in PR #13190:
URL: https://github.com/apache/iceberg/pull/13190#discussion_r2123896669


##########
core/src/main/java/org/apache/iceberg/rest/HTTPClient.java:
##########
@@ -368,8 +374,48 @@ static HttpClientConnectionManager 
configureConnectionManager(Map<String, String
                     properties, REST_MAX_CONNECTIONS, 
REST_MAX_CONNECTIONS_DEFAULT)))
         .setMaxConnPerRoute(
             PropertyUtil.propertyAsInt(
-                properties, REST_MAX_CONNECTIONS_PER_ROUTE, 
REST_MAX_CONNECTIONS_PER_ROUTE_DEFAULT))
-        .build();
+                properties,
+                REST_MAX_CONNECTIONS_PER_ROUTE,
+                REST_MAX_CONNECTIONS_PER_ROUTE_DEFAULT));
+
+    TLSConfigurer tlsConfigurer = loadTlsConfigurer(properties);
+    if (tlsConfigurer != null) {
+      connectionManagerBuilder.setTlsSocketStrategy(
+          new DefaultClientTlsStrategy(
+              tlsConfigurer.sslContext(),
+              tlsConfigurer.supportedProtocols(),
+              tlsConfigurer.supportedCipherSuites(),
+              SSLBufferMode.STATIC,
+              tlsConfigurer.hostnameVerifier()));
+    }
+
+    return connectionManagerBuilder.build();
+  }
+
+  private static TLSConfigurer loadTlsConfigurer(Map<String, String> 
properties) {
+    String impl = properties.get(REST_TLS_CONFIGURER);
+    if (impl == null) {
+      return null;
+    }
+
+    DynConstructors.Ctor<TLSConfigurer> ctor;
+    try {
+      ctor =
+          DynConstructors.builder(TLSConfigurer.class)
+              .loader(HTTPClient.class.getClassLoader())
+              .impl(impl)
+              .buildChecked();
+    } catch (NoSuchMethodException e) {
+      throw new IllegalArgumentException(
+          String.format(
+              "Cannot initialize TLSConfigurer implementation %s: %s", impl, 
e.getMessage()),
+          e);
+    }
+
+    TLSConfigurer configurer = ctor.newInstance();
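
Review bot: in the `if (tlsConfigurer != null)` block, the results of `sslContext()`, `supportedProtocols()`, `supportedCipherSuites()` and `hostnameVerifier()` are passed straight into `DefaultClientTlsStrategy` with no null checks and no stated contract, so it is not clear from this code what happens when an implementation returns null for one of them. Suggest documenting on `TLSConfigurer` what a null return means for each method (especially `hostnameVerifier()`, since it decides how the server name is checked against the certificate) and covering the null case in a unit test. The error message in `loadTlsConfigurer` could also name the `REST_TLS_CONFIGURER` property so a misconfigured class name is easier to trace back to the catalog configuration.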

Review Comment:
   In places like `CatalogUtil` we catch the `ClassCastException` in case the 
given class isn't an instance of what we're expecting, so maybe we should do 
the same here and also verify that with a small unit test.


