This is an automated email from the ASF dual-hosted git repository. apucher pushed a commit to branch pinot-broker-https-discussion in repository https://gitbox.apache.org/repos/asf/incubator-pinot.git
commit ba6eac20ea9350ee1cd829270695d10f16315cc2 Author: Alexander Pucher <[email protected]> AuthorDate: Tue Jan 5 13:54:52 2021 -0800 client-broker TLS --- .../broker/broker/BrokerAdminApiApplication.java | 51 ++++++++++++++++++++-- .../broker/broker/helix/HelixBrokerStarter.java | 2 +- .../api/resources/PinotQueryResource.java | 14 +++--- .../tools/admin/command/PostQueryCommand.java | 15 +++++-- 4 files changed, 68 insertions(+), 14 deletions(-) diff --git a/pinot-broker/src/main/java/org/apache/pinot/broker/broker/BrokerAdminApiApplication.java b/pinot-broker/src/main/java/org/apache/pinot/broker/broker/BrokerAdminApiApplication.java index ba262fd..f6c25ac 100644 --- a/pinot-broker/src/main/java/org/apache/pinot/broker/broker/BrokerAdminApiApplication.java +++ b/pinot-broker/src/main/java/org/apache/pinot/broker/broker/BrokerAdminApiApplication.java @@ -27,9 +27,12 @@ import org.apache.pinot.broker.requesthandler.BrokerRequestHandler; import org.apache.pinot.broker.routing.RoutingManager; import org.apache.pinot.common.metrics.BrokerMetrics; import org.apache.pinot.common.utils.CommonConstants; +import org.apache.pinot.spi.env.PinotConfiguration; import org.glassfish.grizzly.http.server.CLStaticHttpHandler; import org.glassfish.grizzly.http.server.HttpHandler; import org.glassfish.grizzly.http.server.HttpServer; +import org.glassfish.grizzly.ssl.SSLContextConfigurator; +import org.glassfish.grizzly.ssl.SSLEngineConfigurator; import org.glassfish.hk2.utilities.binding.AbstractBinder; import org.glassfish.jersey.grizzly2.httpserver.GrizzlyHttpServerFactory; import org.glassfish.jersey.jackson.JacksonFeature; @@ -39,6 +42,17 @@ import org.glassfish.jersey.server.ResourceConfig; public class BrokerAdminApiApplication extends ResourceConfig { private static final String RESOURCE_PACKAGE = "org.apache.pinot.broker.api.resources"; + // TODO find a permanent home for broker configuration keys + private static final String PINOT_BROKER_CLIENT_PROTOCOL = "pinot.broker.client.protocol"; + private static final String PINOT_BROKER_CLIENT_TLS_KEYSTORE_PATH = "pinot.broker.client.tls.keystore.path"; + private static final String PINOT_BROKER_CLIENT_TLS_KEYSTORE_PASSWORD = "pinot.broker.client.tls.keystore.password"; + private static final String PINOT_BROKER_CLIENT_TLS_TRUSTSTORE_PATH = "pinot.broker.client.tls.truststore.path"; + private static final String PINOT_BROKER_CLIENT_TLS_TRUSTSTORE_PASSWORD = "pinot.broker.client.tls.truststore.password"; + private static final String PINOT_BROKER_CLIENT_TLS_REQUIRES_CLIENT_AUTH = "pinot.broker.client.tls.requires_client_auth"; + + private static final String PROTOCOL_HTTPS = "https"; + private static final String PROTOCOL_HTTP = "http"; + private URI _baseUri; private HttpServer _httpServer; @@ -58,13 +72,42 @@ public class BrokerAdminApiApplication extends ResourceConfig { registerClasses(io.swagger.jaxrs.listing.SwaggerSerializers.class); } - public void start(int httpPort) { - Preconditions.checkArgument(httpPort > 0); - _baseUri = URI.create("http://0.0.0.0:"; + httpPort + "/"); - _httpServer = GrizzlyHttpServerFactory.createHttpServer(_baseUri, this); + public void start(PinotConfiguration brokerConf) { + int brokerQueryPort = brokerConf.getProperty( + CommonConstants.Helix.KEY_OF_BROKER_QUERY_PORT, CommonConstants.Helix.DEFAULT_BROKER_QUERY_PORT); + + Preconditions.checkArgument(brokerQueryPort > 0); + _baseUri = URI.create(String.format("%s://0.0.0.0:%d/", + brokerConf.getProperty(PINOT_BROKER_CLIENT_PROTOCOL, PROTOCOL_HTTP), brokerQueryPort)); + + _httpServer = buildHttpsServer(brokerConf); setupSwagger(); } + private HttpServer buildHttpsServer(PinotConfiguration brokerConf) { + boolean isSecure = PROTOCOL_HTTPS.equals(brokerConf.getProperty(PINOT_BROKER_CLIENT_PROTOCOL, PROTOCOL_HTTP)); + + if (isSecure) { + return GrizzlyHttpServerFactory.createHttpServer(_baseUri, this, true, buildSSLConfig(brokerConf)); + } + + return GrizzlyHttpServerFactory.createHttpServer(_baseUri, this); + } + + private SSLEngineConfigurator buildSSLConfig(PinotConfiguration brokerConf) { + SSLContextConfigurator sslContextConfigurator = new SSLContextConfigurator(); + + sslContextConfigurator.setKeyStoreFile(brokerConf.getProperty(PINOT_BROKER_CLIENT_TLS_KEYSTORE_PATH)); + sslContextConfigurator.setKeyStorePass(brokerConf.getProperty(PINOT_BROKER_CLIENT_TLS_KEYSTORE_PASSWORD)); + sslContextConfigurator.setTrustStoreFile(brokerConf.getProperty(PINOT_BROKER_CLIENT_TLS_TRUSTSTORE_PATH)); + sslContextConfigurator.setTrustStorePass(brokerConf.getProperty(PINOT_BROKER_CLIENT_TLS_TRUSTSTORE_PASSWORD)); + + boolean requiresClientAuth = brokerConf.getProperty(PINOT_BROKER_CLIENT_TLS_REQUIRES_CLIENT_AUTH, false); + + return new SSLEngineConfigurator(sslContextConfigurator).setClientMode(false) + .setWantClientAuth(requiresClientAuth).setEnabledProtocols(new String[] { "TLSv1.2" }); + } + private void setupSwagger() { BeanConfig beanConfig = new BeanConfig(); beanConfig.setTitle("Pinot Broker API"); diff --git a/pinot-broker/src/main/java/org/apache/pinot/broker/broker/helix/HelixBrokerStarter.java b/pinot-broker/src/main/java/org/apache/pinot/broker/broker/helix/HelixBrokerStarter.java index 730076e..746bf7a 100644 --- a/pinot-broker/src/main/java/org/apache/pinot/broker/broker/helix/HelixBrokerStarter.java +++ b/pinot-broker/src/main/java/org/apache/pinot/broker/broker/helix/HelixBrokerStarter.java @@ -245,7 +245,7 @@ public class HelixBrokerStarter implements ServiceStartable { int brokerQueryPort = _brokerConf.getProperty(Helix.KEY_OF_BROKER_QUERY_PORT, Helix.DEFAULT_BROKER_QUERY_PORT); LOGGER.info("Starting broker admin application on port: {}", brokerQueryPort); _brokerAdminApplication = new BrokerAdminApiApplication(_routingManager, _brokerRequestHandler, _brokerMetrics); - _brokerAdminApplication.start(brokerQueryPort); + _brokerAdminApplication.start(_brokerConf); LOGGER.info("Initializing cluster change mediator"); for (ClusterChangeHandler externalViewChangeHandler : _externalViewChangeHandlers) { diff --git a/pinot-controller/src/main/java/org/apache/pinot/controller/api/resources/PinotQueryResource.java b/pinot-controller/src/main/java/org/apache/pinot/controller/api/resources/PinotQueryResource.java index 004f863..fa5d258 100644 --- a/pinot-controller/src/main/java/org/apache/pinot/controller/api/resources/PinotQueryResource.java +++ b/pinot-controller/src/main/java/org/apache/pinot/controller/api/resources/PinotQueryResource.java @@ -196,10 +196,12 @@ public class PinotQueryResource { LOGGER.error("Instance {} not found", instanceId); return QueryException.INTERNAL_ERROR.toString(); } + + // TODO extract protocol from Helix + String protocol = "http"; String hostNameWithPrefix = instanceConfig.getHostName(); - String url = - getQueryURL(hostNameWithPrefix.substring(hostNameWithPrefix.indexOf("_") + 1), instanceConfig.getPort(), - querySyntax); + String url = getQueryURL(protocol, hostNameWithPrefix.substring(hostNameWithPrefix.indexOf("_") + 1), + instanceConfig.getPort(), querySyntax); ObjectNode requestJson = getRequestJson(query, traceEnabled, queryOptions, querySyntax); return sendRequestRaw(url, query, requestJson); } @@ -226,12 +228,12 @@ public class PinotQueryResource { return requestJson; } - private String getQueryURL(String hostName, String port, String querySyntax) { + private String getQueryURL(String protocol, String hostName, String port, String querySyntax) { switch (querySyntax) { case CommonConstants.Broker.Request.SQL: - return String.format("http://%s:%s/query/sql";, hostName, port); + return String.format("%s://%s:%s/query/sql", protocol, hostName, port); case CommonConstants.Broker.Request.PQL: - return String.format("http://%s:%s/query";, hostName, port); + return String.format("%s://%s:%s/query", protocol, hostName, port); default: throw new UnsupportedOperationException("Unsupported query syntax - " + querySyntax); } diff --git a/pinot-tools/src/main/java/org/apache/pinot/tools/admin/command/PostQueryCommand.java b/pinot-tools/src/main/java/org/apache/pinot/tools/admin/command/PostQueryCommand.java index e08aa3e..511d7e7 100644 --- a/pinot-tools/src/main/java/org/apache/pinot/tools/admin/command/PostQueryCommand.java +++ b/pinot-tools/src/main/java/org/apache/pinot/tools/admin/command/PostQueryCommand.java @@ -32,12 +32,15 @@ import org.slf4j.LoggerFactory; public class PostQueryCommand extends AbstractBaseAdminCommand implements Command { private static final Logger LOGGER = LoggerFactory.getLogger(PostQueryCommand.class.getName()); - @Option(name = "-brokerHost", required = false, metaVar = "<String>", usage = "host name for controller.") + @Option(name = "-brokerHost", required = false, metaVar = "<String>", usage = "host name for broker.") private String _brokerHost; @Option(name = "-brokerPort", required = false, metaVar = "<int>", usage = "http port for broker.") private String _brokerPort = Integer.toString(CommonConstants.Helix.DEFAULT_BROKER_QUERY_PORT); + @Option(name = "-brokerProtocol", required = false, metaVar = "<String>", usage = "protocol for broker.") + private String _brokerProtocol = "http"; + @Option(name = "-queryType", required = false, metaVar = "<string>", usage = "Query use sql or pql.") private String _queryType = Request.PQL; @@ -59,7 +62,8 @@ public class PostQueryCommand extends AbstractBaseAdminCommand implements Comman @Override public String toString() { - return ("PostQuery -brokerHost " + _brokerHost + " -brokerPort " + _brokerPort + " -queryType " + _queryType + " -query " + _query); + return ("PostQuery -brokerProtocol " + _brokerProtocol + " -brokerHost " + _brokerHost + " -brokerPort " + + _brokerPort + " -queryType " + _queryType + " -query " + _query); } @Override @@ -82,6 +86,11 @@ public class PostQueryCommand extends AbstractBaseAdminCommand implements Comman return this; } + public PostQueryCommand setBrokerProtocol(String protocol) { + _brokerProtocol = protocol; + return this; + } + public PostQueryCommand setQueryType(String queryType) { _queryType = queryType; return this; @@ -100,7 +109,7 @@ public class PostQueryCommand extends AbstractBaseAdminCommand implements Comman LOGGER.info("Executing command: " + toString()); String request; - String urlString = "http://"; + _brokerHost + ":" + _brokerPort + "/query"; + String urlString = _brokerProtocol + "://" + _brokerHost + ":" + _brokerPort + "/query"; if (_queryType.toLowerCase().equals(Request.SQL)) { urlString += "/sql"; request = JsonUtils.objectToString(Collections.singletonMap(Request.SQL, _query)); --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
