[ https://issues.apache.org/jira/browse/TINKERPOP-3146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17940166#comment-17940166 ]
ASF GitHub Bot commented on TINKERPOP-3146:
-------------------------------------------

andreachild commented on code in PR #3078:
URL: https://github.com/apache/tinkerpop/pull/3078#discussion_r2023689769

##########
gremlin-server/src/main/java/org/apache/tinkerpop/gremlin/server/AbstractChannelizer.java:
##########
@@ -148,8 +146,32 @@ public void init(final ServerGremlinExecutor serverGremlinExecutor) { configureSerializers(); // configure ssl if present - sslContext = settings.optionalSsl().isPresent() && settings.ssl.enabled ? - Optional.ofNullable(createSSLContext(settings)) : Optional.empty(); + if (settings.optionalSsl().isPresent() && settings.ssl.enabled) { + if (settings.ssl.getSslContext().isPresent()) { + logger.info("Using the SslContext override"); + this.sslContext = settings.ssl.getSslContext(); + } else { + final SSLFactory sslFactory = createSSLFactoryBuilder(settings).withSwappableTrustMaterial().withSwappableIdentityMaterial().build(); + this.sslContext = Optional.of(createSSLContext(sslFactory)); + + // Every minute, check if keyStore/trustStore were modified, and if they were, + // reload the SSLFactory which will reload the underlying KeyManager/TrustManager that Netty SSLHandler uses. + scheduledExecutorService.scheduleAtFixedRate( + new SSLStoreFilesModificationWatcher(settings.ssl.keyStore, settings.ssl.trustStore, () -> { + SSLFactory newSslFactory = createSSLFactoryBuilder(settings).build(); + try { + SSLFactoryUtils.reload(sslFactory, newSslFactory); + } catch (RuntimeException e) { + logger.error("Failed to reload SSLFactory", e); + } + }), + 1L, 1L, TimeUnit.MINUTES Review Comment: Should this be a configurable setting with default of 0 to disable for backwards compatibility? 
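Review bot: A single failed reload silently stops certificate rotation for the life of the server: inside the lambda handed to `SSLStoreFilesModificationWatcher`, `createSSLFactoryBuilder(settings).build()` sits outside the try block, so if building the new factory throws (a keystore read while the file is being rewritten, or a changed store password) the exception escapes the scheduled task, and `scheduleAtFixedRate` suppresses every subsequent execution of a task that throws, with nothing logged. Move the builder call inside the try and widen the catch so the watcher logs the failure and simply retries on the next tick, e.g. `try { final SSLFactory newSslFactory = createSSLFactoryBuilder(settings).build(); SSLFactoryUtils.reload(sslFactory, newSslFactory); } catch (Exception e) { logger.error("Failed to reload SSLFactory", e); }`. The hunk also introduces user-visible behaviour (a one-minute reload cadence, and the `getSslContext()` override taking precedence over the file-based stores) that should be described in the server reference docs and the changelog alongside this change.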
> Support SSL Certificates Reloading
> ----------------------------------
>
> Key: TINKERPOP-3146
> URL: https://issues.apache.org/jira/browse/TINKERPOP-3146
> Project: TinkerPop
> Issue Type: New Feature
> Components: server
> Reporter: Clément de Groc
> Priority: Minor
>
> Gremlin Server supports SSL and allows loading KeyStore/TrustStore certificate files on startup ([1|https://github.com/apache/tinkerpop/blob/c4e48dee7a3c3942b4597c7a234adfc94b7d9c76/gremlin-server/src/main/java/org/apache/tinkerpop/gremlin/server/GremlinServer.java#L170], [2|https://github.com/apache/tinkerpop/blob/c4e48dee7a3c3942b4597c7a234adfc94b7d9c76/gremlin-server/src/main/java/org/apache/tinkerpop/gremlin/server/AbstractChannelizer.java#L133-L135]). However, in some environments, certificate files are rotated frequently and would need to be reloaded without disruption. This ticket aims to support transparently hot reloading file certificates on modification.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)