github-actions[bot] commented on code in PR #60921:
URL: https://github.com/apache/doris/pull/60921#discussion_r3427648933
##########
fe/fe-core/src/main/java/org/apache/doris/httpv2/rest/manager/HttpUtils.java:
##########
@@ -130,8 +135,11 @@ public static CloseableHttpClient getHttpClient() {
}
private static String executeRequest(HttpRequestBase request) throws
IOException {
- CloseableHttpClient client = getHttpClient();
- return client.execute(request, httpResponse ->
EntityUtils.toString(httpResponse.getEntity()));
+ try (CloseableHttpClient client = Config.enable_https
Review Comment:
This should choose the HTTPS-aware client from the request URI scheme, not
only from the global FE HTTPS flag. `HttpUtils` still drives plain BE calls:
`configurationName()` builds `http://<be>/api/show_config`,
`handleConfigurationInfo(..., "BE", ...)` forces `http://`, and
`concatBeSetConfigUrl()` builds `http://.../api/update_config`. With
`Config.enable_https=true`, those BE calls now enter
`InternalHttpsUtils.createValidatedHttpClient()`, which loads
`mysql_ssl_default_ca_certificate` before executing the request. A deployment
can enable FE HTTPS while not relying on that MySQL CA path for BE HTTP calls,
so plain BE manager/config requests can fail before connecting to the BE.
Please gate the internal HTTPS client on
`"https".equalsIgnoreCase(request.getURI().getScheme()) &&
Config.enable_https`, and keep the plain client for `http://` URLs.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
