This is an automated email from the ASF dual-hosted git repository. mblow pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/asterixdb.git
commit 641462e6515cd0f0729f2a0a3bfe2986a5b5690e
Author: Michael Blow <[email protected]>
AuthorDate: Thu Jul 27 17:00:36 2023 -0400
[NO ISSUE][*DB] Enable ability to configure RMI bind address
Change-Id: Ib0b759cbcbf6dc89e98ed378b3e44968356aaa90
Reviewed-on: https://asterix-gerrit.ics.uci.edu/c/asterixdb/+/17659
Reviewed-by: Murtadha Al Hubail <[email protected]>
Tested-by: Michael Blow <[email protected]>
Tested-by: Jenkins <[email protected]>
Integration-Tests: Jenkins <[email protected]>
---
 .../apache/asterix/app/nc/NCAppRuntimeContext.java | 16 ++++----------
 .../apache/asterix/metadata/RMIClientFactory.java | 13 ++++++++++-
 .../apache/asterix/metadata/RMIServerFactory.java | 25 +++++++++++++++++++---
 .../metadata/bootstrap/AsterixStateProxy.java | 15 +++---------
 .../api/network/INetworkSecurityConfig.java | 9 ++++++++
 .../ipc/security/NetworkSecurityConfig.java | 7 ++++++
 6 files changed, 57 insertions(+), 28 deletions(-)
diff --git a/asterixdb/asterix-app/src/main/java/org/apache/asterix/app/nc/NCAppRuntimeContext.java b/asterixdb/asterix-app/src/main/java/org/apache/asterix/app/nc/NCAppRuntimeContext.java
index 1a8916836d..d783f9950a 100644
--- a/asterixdb/asterix-app/src/main/java/org/apache/asterix/app/nc/NCAppRuntimeContext.java
+++ b/asterixdb/asterix-app/src/main/java/org/apache/asterix/app/nc/NCAppRuntimeContext.java
@@ -462,18 +462,10 @@ public class NCAppRuntimeContext implements INcApplicationContext {
 final INetworkSecurityManager networkSecurityManager =
 ncServiceContext.getControllerService().getNetworkSecurityManager();
- // clients need to have the client factory on their classpath- to enable older clients, only use
- // our client socket factory when SSL is enabled
- if (networkSecurityManager.getConfiguration().isSslEnabled()) {
- final RMIServerFactory serverSocketFactory = new RMIServerFactory(networkSecurityManager);
- final RMIClientFactory clientSocketFactory =
- new RMIClientFactory(networkSecurityManager.getConfiguration());
- metadataNodeStub = (IMetadataNode) UnicastRemoteObject.exportObject(MetadataNode.INSTANCE,
- getMetadataProperties().getMetadataPort(), clientSocketFactory, serverSocketFactory);
- } else {
- metadataNodeStub = (IMetadataNode) UnicastRemoteObject.exportObject(MetadataNode.INSTANCE,
- getMetadataProperties().getMetadataPort());
- }
+ metadataNodeStub = (IMetadataNode) UnicastRemoteObject.exportObject(MetadataNode.INSTANCE,
+ getMetadataProperties().getMetadataPort(),
+ RMIClientFactory.getSocketFactory(networkSecurityManager),
+ RMIServerFactory.getSocketFactory(networkSecurityManager));
 }
 }
diff --git a/asterixdb/asterix-metadata/src/main/java/org/apache/asterix/metadata/RMIClientFactory.java b/asterixdb/asterix-metadata/src/main/java/org/apache/asterix/metadata/RMIClientFactory.java
index 515e763f58..ce459e27f7 100644
--- a/asterixdb/asterix-metadata/src/main/java/org/apache/asterix/metadata/RMIClientFactory.java
+++ b/asterixdb/asterix-metadata/src/main/java/org/apache/asterix/metadata/RMIClientFactory.java
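Review bot: The non-SSL path now goes through the four-argument `exportObject` with two null factories instead of the two-argument overload it used before, and if I recall the JDK correctly that changes the exported reference from `UnicastRef` to `UnicastRef2`, whose wire form carries a factory-presence flag. The JDK tolerates absent factories on both sides, so this is most likely harmless, but since the stated motivation for returning null is older clients, a quick lookup from one of those clients would confirm the stub still deserializes. The enclosing method starts and ends outside this hunk. The same applies to the AsterixStateProxy hunk, which uses the identical call shape.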
@@ -29,6 +29,7 @@ import javax.net.SocketFactory;
 import javax.net.ssl.SSLSocketFactory;
 import org.apache.hyracks.api.network.INetworkSecurityConfig;
+import org.apache.hyracks.api.network.INetworkSecurityManager;
 import org.apache.hyracks.ipc.security.NetworkSecurityManager;
 public class RMIClientFactory implements RMIClientSocketFactory, Serializable {
@@ -37,11 +38,21 @@ public class RMIClientFactory implements RMIClientSocketFactory, Serializable {
 private final INetworkSecurityConfig config;
 private transient SocketFactory socketFactory;
- public RMIClientFactory(INetworkSecurityConfig config) {
+ private RMIClientFactory(INetworkSecurityConfig config) {
 this.config = config;
 }
+ public static RMIClientSocketFactory getSocketFactory(INetworkSecurityManager securityManager) {
+ // clients need to have the client factory on their classpath- to enable older clients, only use
+ // our client socket factory when SSL is enabled
+ INetworkSecurityConfig config = securityManager.getConfiguration();
+ if (config.isSslEnabled()) {
+ return new RMIClientFactory(config);
+ }
+ return null;
+ }
+
 public Socket createSocket(String host, int port) throws IOException {
 synchronized (this) {
 if (socketFactory == null) {
diff --git a/asterixdb/asterix-metadata/src/main/java/org/apache/asterix/metadata/RMIServerFactory.java b/asterixdb/asterix-metadata/src/main/java/org/apache/asterix/metadata/RMIServerFactory.java
index 9506c5a77e..0128a87d21 100644
--- a/asterixdb/asterix-metadata/src/main/java/org/apache/asterix/metadata/RMIServerFactory.java
+++ b/asterixdb/asterix-metadata/src/main/java/org/apache/asterix/metadata/RMIServerFactory.java
@@ -19,8 +19,10 @@ package org.apache.asterix.metadata;
 import java.io.IOException;
+import java.net.InetAddress;
 import java.net.ServerSocket;
 import java.rmi.server.RMIServerSocketFactory;
+import java.util.Optional;
 import javax.net.ServerSocketFactory;
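Review bot: `getSocketFactory` in the RMIClientFactory body hunk has no Javadoc, and its null return is load-bearing: `UnicastRemoteObject.exportObject` treats a null client socket factory as "use the RMI default", so a later cleanup that turns the null into an exception or an empty Optional would break the non-SSL path. I would add above the method: `/** @return an SSL-aware client socket factory when SSL is enabled, or {@code null} so RMI uses its default and older clients need not have this class on their classpath. */`. Since the class is `Serializable` and `config` is not `transient`, the returned factory ships the whole `INetworkSecurityConfig` inside every stub, which is worth keeping in mind as fields are added to that interface.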
@@ -28,17 +30,34 @@ import org.apache.hyracks.api.network.INetworkSecurityManager;
 public class RMIServerFactory implements RMIServerSocketFactory {
+ // default backlog used by the JDK (e.g. sun.security.ssl.SSLServerSocketFactoryImpl)
+ private static final int DEFAULT_BACKLOG = 50;
 private final INetworkSecurityManager securityManager;
- public RMIServerFactory(INetworkSecurityManager securityManager) {
+ private RMIServerFactory(INetworkSecurityManager securityManager) {
 this.securityManager = securityManager;
 }
+ public static RMIServerSocketFactory getSocketFactory(INetworkSecurityManager securityManager) {
+ if (securityManager.getConfiguration().isSslEnabled()) {
+ return new RMIServerFactory(securityManager);
+ }
+ return null;
+ }
+
 @Override
 public ServerSocket createServerSocket(int port) throws IOException {
+ ServerSocketFactory socketFactory;
 if (securityManager.getConfiguration().isSslEnabled()) {
- return securityManager.newSSLContext().getServerSocketFactory().createServerSocket(port);
+ socketFactory = securityManager.newSSLContext().getServerSocketFactory();
+ } else {
+ socketFactory = ServerSocketFactory.getDefault();
+ }
+ Optional<InetAddress> rmiBindAddress = securityManager.getConfiguration().getRMIBindAddress();
+ if (rmiBindAddress.isPresent()) {
+ return socketFactory.createServerSocket(port, DEFAULT_BACKLOG, rmiBindAddress.get());
+ } else {
+ return socketFactory.createServerSocket(port);
 }
- return ServerSocketFactory.getDefault().createServerSocket(port);
 }
 }
diff --git a/asterixdb/asterix-metadata/src/main/java/org/apache/asterix/metadata/bootstrap/AsterixStateProxy.java b/asterixdb/asterix-metadata/src/main/java/org/apache/asterix/metadata/bootstrap/AsterixStateProxy.java
index 2104fdf1da..cedcccfca4 100644
--- a/asterixdb/asterix-metadata/src/main/java/org/apache/asterix/metadata/bootstrap/AsterixStateProxy.java
+++ b/asterixdb/asterix-metadata/src/main/java/org/apache/asterix/metadata/bootstrap/AsterixStateProxy.java
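Review bot: The bind address is only honored when SSL is enabled, because `getSocketFactory` returns null otherwise and RMI then falls back to its default server socket factory, which binds the wildcard address; the `ServerSocketFactory.getDefault()` branch in `createServerSocket` is therefore unreachable as far as this diff shows. A server socket factory is never serialized to clients (only the client factory is), so the older-client concern does not apply on this side and the factory can be returned whenever there is something to configure: `if (securityManager.getConfiguration().isSslEnabled()` / `|| securityManager.getConfiguration().getRMIBindAddress().isPresent()) {`. Without that, a non-TLS deployment that sets a bind address to keep the metadata port off an external interface would silently stay reachable on all interfaces.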
@@ -43,18 +43,9 @@ public class AsterixStateProxy implements IAsterixStateProxy {
 public static IAsterixStateProxy registerRemoteObject(INetworkSecurityManager networkSecurityManager,
 int metadataCallbackPort) throws RemoteException {
- IAsterixStateProxy stub;
- // clients need to have the client factory on their classpath- to enable older clients, only use
- // our client socket factory when SSL is enabled
- if (networkSecurityManager.getConfiguration().isSslEnabled()) {
- final RMIServerFactory serverSocketFactory = new RMIServerFactory(networkSecurityManager);
- final RMIClientFactory clientSocketFactory =
- new RMIClientFactory(networkSecurityManager.getConfiguration());
- stub = (IAsterixStateProxy) UnicastRemoteObject.exportObject(cc, metadataCallbackPort, clientSocketFactory,
- serverSocketFactory);
- } else {
- stub = (IAsterixStateProxy) UnicastRemoteObject.exportObject(cc, metadataCallbackPort);
- }
+ IAsterixStateProxy stub = (IAsterixStateProxy) UnicastRemoteObject.exportObject(cc, metadataCallbackPort,
+ RMIClientFactory.getSocketFactory(networkSecurityManager),
+ RMIServerFactory.getSocketFactory(networkSecurityManager));
 LOGGER.info("Asterix Distributed State Proxy Bound");
 return stub;
 }
diff --git a/hyracks-fullstack/hyracks/hyracks-api/src/main/java/org/apache/hyracks/api/network/INetworkSecurityConfig.java b/hyracks-fullstack/hyracks/hyracks-api/src/main/java/org/apache/hyracks/api/network/INetworkSecurityConfig.java
index b483158d12..7fc0335c5c 100644
--- a/hyracks-fullstack/hyracks/hyracks-api/src/main/java/org/apache/hyracks/api/network/INetworkSecurityConfig.java
+++ b/hyracks-fullstack/hyracks/hyracks-api/src/main/java/org/apache/hyracks/api/network/INetworkSecurityConfig.java
@@ -20,7 +20,9 @@ package org.apache.hyracks.api.network;
 import java.io.File;
 import java.io.Serializable;
+import java.net.InetAddress;
 import java.security.KeyStore;
+import java.util.Optional;
 public interface INetworkSecurityConfig extends Serializable {
@@ -65,4 +67,11 @@ public interface INetworkSecurityConfig extends Serializable {
 * @return the trust store file
 */
 File getTrustStoreFile();
+
+ /**
+ * The optional address to bind for RMI server sockets; or absent to bind to all addresses / interfaces.
+ *
+ * @return the optional bind address
+ */
+ Optional<InetAddress> getRMIBindAddress();
 }
diff --git a/hyracks-fullstack/hyracks/hyracks-ipc/src/main/java/org/apache/hyracks/ipc/security/NetworkSecurityConfig.java b/hyracks-fullstack/hyracks/hyracks-ipc/src/main/java/org/apache/hyracks/ipc/security/NetworkSecurityConfig.java
index 2170c15365..bfcd623900 100644
--- a/hyracks-fullstack/hyracks/hyracks-ipc/src/main/java/org/apache/hyracks/ipc/security/NetworkSecurityConfig.java
+++ b/hyracks-fullstack/hyracks/hyracks-ipc/src/main/java/org/apache/hyracks/ipc/security/NetworkSecurityConfig.java
@@ -22,10 +22,12 @@ import java.io.File;
 import java.io.IOException;
 import java.io.ObjectInputStream;
 import java.io.ObjectOutputStream;
+import java.net.InetAddress;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
+import java.util.Optional;
 import org.apache.hyracks.api.network.INetworkSecurityConfig;
@@ -90,6 +92,11 @@ public class NetworkSecurityConfig implements INetworkSecurityConfig {
 return trustStoreFile;
 }
+ @Override
+ public Optional<InetAddress> getRMIBindAddress() {
+ return Optional.empty();
+ }
+
 private void writeObject(ObjectOutputStream out) throws IOException {
 out.defaultWriteObject();
 writeStore(keyStore, out);
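Review bot: Adding an abstract method to the public `INetworkSecurityConfig` interface breaks every implementation outside this diff at compile time. Since the sensible fallback is already "no bind address", a default method keeps the API source-compatible and makes the override in NetworkSecurityConfig optional: `default Optional<InetAddress> getRMIBindAddress() { return Optional.empty(); }`. The interface is `Serializable`, so it is also worth a sentence in the Javadoc that the value is derived on demand rather than stored, given that `Optional` itself is not serializable.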
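Review bot: In the NetworkSecurityConfig hunk `getRMIBindAddress` is hard-wired to `Optional.empty()` and the class gains no field, builder option or serialization for it, so as far as this diff shows nothing can actually set a bind address through the shipped configuration despite the commit title. If a follow-up is intended, a comment on the override such as `// not yet configurable: RMI server sockets bind to all interfaces until a config knob is wired here` keeps the default explicit for operators reading the code; otherwise the class-level Javadoc should name the implementation that is expected to supply it.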
