nsivarajan opened a new pull request, #64697:
URL: https://github.com/apache/doris/pull/64697

   ### What problem does this PR solve?
   
   Issue Number: close #xxx
   
   Related PR: #xxx
   
   Problem Summary:
   
   ## Problem
   
     When `enable_https=true` and `http_port=0` (HTTP disabled), the built-in
     audit plugin fails silently on every batch. `AuditStreamLoader` hardcoded
     `http://127.0.0.1:{http_port}` at construction time, so the stream load
     URL became `http://127.0.0.1:0` — an unreachable address. Every
     `loadBatch()` call threw a connection error, which was swallowed and
     counted as discarded logs. No crash, no clear error — audit logging
     simply stopped working.
   
     ## Fix
   
     - Build the stream load URL with the correct scheme (`https` when
       `enable_https=true`) and port (`HttpURLUtil.getHttpPort()`, which
       returns `https_port` when HTTPS is enabled).
     - Apply the cluster CA truststore (`mysql_ssl_default_ca_certificate`)
       to the FE connection when the URL is HTTPS, via a new shared utility
       `InternalHttpsUtils.getSslContext()`.
     - The BE redirect hop (307 Location header) is always plain HTTP and
       is unaffected — SSL is gated on `instanceof HttpsURLConnection`.
   
     ## Behaviour
   
     | Config | Before | After |
     |---|---|---|
     | `enable_https=false` | `http://127.0.0.1:8030` | `http://127.0.0.1:8030` — unchanged |
     | `enable_https=true, http_port=0` | `http://127.0.0.1:0` — fails silently | `https://127.0.0.1:8050` — works |
   
     ## Notes
   
     `InternalHttpsUtils` is introduced here as a shared SSL context utility.
     A follow-up PR will extend it to cover FE-to-FE internal REST
     communication over HTTPS.
   
   ### Release note
   
   None
   
   ### Check List (For Author)
   
   - Test <!-- At least one of them must be included. -->
       - [ ] Regression test
       - [x] Unit Test
       - [ ] Manual test (add detailed scripts or steps below)
       - [ ] No need to test or manual test. Explain why:
           - [ ] This is a refactor/code format and no logic has been changed.
           - [ ] Previous test can cover this change.
           - [ ] No code files have been changed.
           - [ ] Other reason <!-- Add your reason?  -->
   
   - Behavior changed:
       - [x] No.
       - [ ] Yes. <!-- Explain the behavior change -->
   
   - Does this need documentation?
       - [x] No.
       - [ ] Yes. <!-- Add document PR link here. eg: https://github.com/apache/doris-website/pull/1214 -->
   
   ### Check List (For Reviewer who merge this PR)
   
   - [ ] Confirm the release note
   - [ ] Confirm test cases
   - [ ] Confirm document
   - [ ] Add branch pick label <!-- Add branch pick label that this PR should merge into -->
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
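
The URL selection and HTTPS-only trust setup described under "Fix", as an added Java sketch that is not code from this PR or from Doris. The class `LoopbackLoadUrlSketch`, its methods and parameters, and the sample path are hypothetical, and the CA file is assumed to be PEM-encoded.

```java
import javax.net.ssl.*;
import java.io.*;
import java.net.*;
import java.security.KeyStore;
import java.security.cert.*;
// Added illustration: all class, method and parameter names are hypothetical, not Doris code.
public class LoopbackLoadUrlSketch {
    // Choose scheme and port together, so a disabled HTTP port (0) is never paired with HTTPS.
    static URL feUrl(boolean enableHttps, int httpPort, int httpsPort, String path) throws MalformedURLException {
        String scheme = enableHttps ? "https" : "http";
        int port = enableHttps ? httpsPort : httpPort;
        if (port <= 0 || port > 65535) { // fail at construction, not silently on every batch
            throw new IllegalStateException("no usable port for " + scheme + ": " + port);
        }
        return new URL(scheme, "127.0.0.1", port, path);
    }

    // Build an SSLContext that trusts only the CA certificates in the given PEM file.
    static SSLContext contextFromCa(String caPemPath) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // start from an empty in-memory store
        try (InputStream in = new FileInputStream(caPemPath)) {
            int i = 0;
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                ks.setCertificateEntry("ca-" + i++, c);
            }
        }
        if (ks.size() == 0) throw new IllegalStateException("no CA certificate in " + caPemPath);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Apply the CA trust only when the connection really is HTTPS; plain HTTP is left untouched.
    static HttpURLConnection open(URL url, String caPemPath) throws Exception {
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        if (conn instanceof HttpsURLConnection) {
            ((HttpsURLConnection) conn).setSSLSocketFactory(contextFromCa(caPemPath).getSocketFactory());
        }
        return conn;
    }

    public static void main(String[] args) throws Exception {
        String path = "/api/demo_db/demo_tbl/_stream_load"; // constructed sample path
        System.out.println(feUrl(false, 8030, 8050, path)); // HTTP enabled
        System.out.println(feUrl(true, 0, 8050, path));     // HTTPS enabled, HTTP port disabled
    }
}
```

Hostname verification stays enabled with this setup, so the certificate served on the HTTPS port has to be valid for `127.0.0.1`.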
