hanahmily commented on a change in pull request #3370: support es https ssl config.
URL: https://github.com/apache/skywalking/pull/3370#discussion_r319058428
 
 

 ##########
 File path: 
oap-server/server-library/library-client/src/main/java/org/apache/skywalking/oap/server/library/client/elasticsearch/ElasticSearchClient.java
 ##########
 @@ -84,30 +95,50 @@
     public static final String TYPE = "type";
     private final String clusterNodes;
     private final String protocol;
+    private final String keyStorePath;
+    private final String keyStorePass;
     private final String namespace;
     private final String user;
     private final String password;
     protected RestHighLevelClient client;
 
-    public ElasticSearchClient(String clusterNodes, String protocol, String 
namespace, String user, String password) {
+    public ElasticSearchClient(String clusterNodes, String protocol, String 
keyStorePath, String keyStorePass,
+        String namespace, String user, String password) {
         this.clusterNodes = clusterNodes;
         this.protocol = protocol;
         this.namespace = namespace;
         this.user = user;
         this.password = password;
+        this.keyStorePath = keyStorePath;
+        this.keyStorePass = keyStorePass;
     }
 
-    @Override public void connect() throws IOException {
+    @Override
+    public void connect() throws IOException, KeyStoreException, 
NoSuchAlgorithmException, KeyManagementException, CertificateException {
         List<HttpHost> pairsList = parseClusterNodes(clusterNodes);
         RestClientBuilder builder;
         if (StringUtils.isNotBlank(user) && StringUtils.isNotBlank(password)) {
             final CredentialsProvider credentialsProvider = new 
BasicCredentialsProvider();
             credentialsProvider.setCredentials(AuthScope.ANY, new 
UsernamePasswordCredentials(user, password));
             builder = RestClient.builder(pairsList.toArray(new HttpHost[0]))
                 .setHttpClientConfigCallback(httpClientBuilder -> 
httpClientBuilder.setDefaultCredentialsProvider(credentialsProvider));
+
+            if ("https".equals(protocol)) {
+                // more type: 
https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#KeyStore
+                KeyStore truststore = KeyStore.getInstance("jks");
+                try (InputStream is = 
Files.newInputStream(Paths.get(keyStorePath))) {
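
Review bot: the `if ("https".equals(protocol))` block sits inside the `if (StringUtils.isNotBlank(user) && StringUtils.isNotBlank(password))` branch, so in the lines shown the trust store is only loaded when basic-auth credentials are configured; an HTTPS cluster without user and password would not get it unless a part of the hunk not visible here covers that case. Consider building the SSL context outside the credentials check and applying both settings in a single `setHttpClientConfigCallback`. `Paths.get(keyStorePath)` is also reached for every https connection, so a null path throws before any connection is attempted; a `StringUtils.isNotBlank(keyStorePath)` guard would let the JVM default trust store apply when no path is configured. Two smaller points: the new fields are named `keyStorePath` and `keyStorePass` while the object they load is called `truststore`, so naming them for the trust store would match their use, and `connect()` now declares four additional checked exceptions that every caller has to handle, which could be wrapped in `IOException` to keep the existing signature.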
 
 Review comment:
   We should consider a scenario. When the certification is signed by a trusted 
CA such as VeriSign (not self-signed), RestClient should pick up the default 
SslContext instead of a dedicated one. What I mean is the keyStorePath should 
be empty in that case.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services
