AryanVBW opened a new pull request, #5499:
URL: https://github.com/apache/opendal/pull/5499

   # Add TLS Support for AWS ElastiCache Memcached
   
   This PR adds TLS support for Memcached connections, particularly targeting 
AWS ElastiCache serverless instances which require TLS connections. Instead of 
using plain TCP conn
   This pull request introduces several changes to the 
`core/src/services/memcached` module to add support for TLS connections, which 
is required for AWS ElastiCache Memcached serverless instances. The most 
important changes include adding TLS-related dependencies, updating the 
`MemcachedBuilder` and `MemcacheConnectionManager` to support TLS 
configuration, and modifying the `Connection` struct to handle both plain and 
TLS connections.
   
   ### TLS Support:
   
   * 
[`core/src/services/memcached/backend.rs`](diffhunk://#diff-786bd730c99162ea9ee3f086fb571e522159e9d6623f5e207dbde76ff30bf855R23-R25):
 Added `tokio_native_tls` dependencies and updated `MemcachedBuilder` to 
include methods for enabling TLS and setting the CA certificate file path. 
[[1]](diffhunk://#diff-786bd730c99162ea9ee3f086fb571e522159e9d6623f5e207dbde76ff30bf855R23-R25)
 
[[2]](diffhunk://#diff-786bd730c99162ea9ee3f086fb571e522159e9d6623f5e207dbde76ff30bf855R88-R103)
   * 
[`core/src/services/memcached/backend.rs`](diffhunk://#diff-786bd730c99162ea9ee3f086fb571e522159e9d6623f5e207dbde76ff30bf855L245-R239):
 Modified `MemcacheConnectionManager` to handle TLS connections by adding 
`enable_tls` and `ca_cert` fields and updating the `connect` method to 
establish a TLS connection if enabled. 
[[1]](diffhunk://#diff-786bd730c99162ea9ee3f086fb571e522159e9d6623f5e207dbde76ff30bf855L245-R239)
 
[[2]](diffhunk://#diff-786bd730c99162ea9ee3f086fb571e522159e9d6623f5e207dbde76ff30bf855L266-R298)
   * 
[`core/src/services/memcached/config.rs`](diffhunk://#diff-afc9b800e90af29db42063799acfd3636266fcd4b4fb952d3d0bf9c30fd2c330R43-R48):
 Updated `MemcachedConfig` to include `enable_tls` and `ca_cert` fields for TLS 
configuration.
   
   ### Connection Handling:
   
   * 
[`core/src/services/memcached/backend.rs`](diffhunk://#diff-786bd730c99162ea9ee3f086fb571e522159e9d6623f5e207dbde76ff30bf855L103-R147):
 Refactored `Adapter` to use a connection pool instead of managing individual 
connections, and updated the `Builder` implementation to create the connection 
pool with the new `MemcacheConnectionManager`. 
[[1]](diffhunk://#diff-786bd730c99162ea9ee3f086fb571e522159e9d6623f5e207dbde76ff30bf855L103-R147)
 
[[2]](diffhunk://#diff-786bd730c99162ea9ee3f086fb571e522159e9d6623f5e207dbde76ff30bf855L165-R163)
   * 
[`core/src/services/memcached/binary.rs`](diffhunk://#diff-fe1fb8d6eb49bb8d1262dc29c15b5b44f69402757d787a40883b78fc3cdabd62R23):
 Modified the `Connection` struct to use a dynamic stream (`Box<dyn AsyncRead + 
AsyncWrite + Send + Unpin>`) to support both plain and TLS connections, and 
updated related methods to work with the new stream type. 
[[1]](diffhunk://#diff-fe1fb8d6eb49bb8d1262dc29c15b5b44f69402757d787a40883b78fc3cdabd62R23)
 
[[2]](diffhunk://#diff-fe1fb8d6eb49bb8d1262dc29c15b5b44f69402757d787a40883b78fc3cdabd62L64-R65)
 
[[3]](diffhunk://#diff-fe1fb8d6eb49bb8d1262dc29c15b5b44f69402757d787a40883b78fc3cdabd62L101-R111)
 ections (`telnet`), users can now establish secure TLS connections (`openssl 
s_client`) with their Memcached instances.
   
   ## Changes
   
   ### 1. Configuration Options
   
   Added new configuration options to `MemcachedConfig`:
   ```rust
   pub struct MemcachedConfig {
       // ... existing fields ...
       
       /// Enable TLS for the connection.
       /// Required for AWS ElastiCache Memcached serverless instances.
       pub enable_tls: Option<bool>,
       
       /// Path to CA certificate file for TLS verification.
       pub ca_cert: Option<String>,
   }
   ```
   
   ### 2. Builder Methods
   
   Added new builder methods to `MemcachedBuilder`:
   ```rust
   impl MemcachedBuilder {
       /// Enable TLS for the connection.
       pub fn enable_tls(mut self, enable: bool) -> Self {
           self.config.enable_tls = Some(enable);
           self
       }
   
       /// Set the CA certificate file path for TLS verification.
       pub fn ca_cert(mut self, ca_cert: &str) -> Self {
           if !ca_cert.is_empty() {
               self.config.ca_cert = Some(ca_cert.to_string());
           }
           self
       }
   }
   ```
   
   ### 3. TLS Connection Handling
   
   - Added TLS support using `tokio-native-tls`
   - Implemented dynamic stream type handling for both TLS and non-TLS 
connections
   - Added support for custom CA certificates for AWS ElastiCache verification
   - Updated the binary protocol implementation to work with TLS streams
   
   ## Usage Example
   
   ```rust
   let builder = MemcachedBuilder::default()
       .endpoint("your-elasticache-endpoint:11211")
       .enable_tls(true)
       .ca_cert("/path/to/ca.pem")  // Optional: provide CA cert if needed
       .build()?;
   ```
   
   ## Implementation Details
   
   1. **Stream Abstraction**: Updated `Connection` to use a boxed trait object 
that can handle both TLS and non-TLS streams:
   ```rust
   pub struct Connection {
       stream: Box<dyn AsyncRead + AsyncWrite + Send + Unpin>,
   }
   ```
   
   2. **TLS Configuration**: Added TLS configuration to 
`MemcacheConnectionManager`:
   ```rust
   pub struct MemcacheConnectionManager {
       address: String,
       username: Option<String>,
       password: Option<String>,
       enable_tls: bool,
       ca_cert: Option<String>,
   }
   ```
   
   3. **Connection Logic**: Implemented smart connection handling that 
automatically uses TLS when enabled:
   ```rust
   async fn connect(&self) -> Result<Self::Connection, Self::Error> {
       if self.enable_tls {
           // TLS connection logic with certificate handling
       } else {
           // Regular TCP connection logic
       }
   }
   ```
   
   ## Testing
   
   - [ ] Added unit tests for TLS configuration
   - [ ] Added integration tests with AWS ElastiCache
   - [ ] Tested backward compatibility with non-TLS connections
   - [ ] Verified error handling for invalid certificates
   
   ## Dependencies
   
   Added `tokio-native-tls` for TLS support:
   ```toml
   [dependencies]
   tokio-native-tls = "0.3"
   ```
   
   ## Related Issues
   
   https://github.com/apache/opendal/issues/5419 
   
   
   @killme2008 @drmingdrmer @jayvdb @viirya @qrilka  @Xuanwo 


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscr...@opendal.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Reply via email to