Skip to content

[feature](tls) Add TLS framework #63145

Open
Hastyshell wants to merge 6 commits into
apache:masterfrom
Hastyshell:pick-mtls-pr-8598-oss
Open

[feature](tls) Add TLS framework #63145
Hastyshell wants to merge 6 commits into
apache:masterfrom
Hastyshell:pick-mtls-pr-8598-oss

Conversation

@Hastyshell
Copy link
Copy Markdown
Collaborator

@Hastyshell Hastyshell commented May 11, 2026
edited
Loading

What problem does this PR solve?

Issue Number: None

Related PR: None

Problem Summary: Port the public mTLS scaffolding, configuration, protocol startup split, certificate-auth contracts, and TLS validation tests while excluding all enterprise module directories.

Release note

Add TLS configuration and certificate-auth scaffolding for optional TLS modules.

Check List (For Author)

  • Test: bash -n build.sh run-fe-ut.sh run-be-ut.sh run-cloud-ut.sh; git diff --check --cached; ./run-fe-ut.sh --run org.apache.doris.analysis.TlsOptionsTest (fails on existing missing edu.umd.cs.findbugs.annotations.SuppressFBWarnings for generated ImmutableFlightAuthResult)

  • Behavior changed: Yes, adds TLS-related configuration and startup/auth extension points.

  • Does this need documentation: Yes

Release note

None

Check List (For Author)

  • Test

    • Regression test
    • Unit Test
    • Manual test (add detailed scripts or steps below)
    • No need to test or manual test. Explain why:
      • This is a refactor/code format and no logic has been changed.
      • Previous test can cover this change.
      • No code files have been changed.
      • Other reason

  • Behavior changed:

    • No.
    • Yes.

  • Does this need documentation?

    • No.
    • Yes.

Check List (For Reviewer who merge this PR)

  • Confirm the release note
  • Confirm test cases
  • Confirm document
  • Add branch pick label

@Hastyshell
[feature](tls) Add OSS mTLS scaffolding
4bb0479 
### What problem does this PR solve?

Issue Number: None

Related PR: selectdb/selectdb-core#8598

Problem Summary: Port the public mTLS scaffolding, configuration, protocol startup split, certificate-auth contracts, and TLS validation tests while excluding all enterprise module directories.

### Release note

Add TLS configuration and certificate-auth scaffolding for optional TLS modules.

### Check List (For Author)

- Test: bash -n build.sh run-fe-ut.sh run-be-ut.sh run-cloud-ut.sh; git diff --check --cached; ./run-fe-ut.sh --run org.apache.doris.analysis.TlsOptionsTest (fails on existing missing edu.umd.cs.findbugs.annotations.SuppressFBWarnings for generated ImmutableFlightAuthResult)

- Behavior changed: Yes, adds TLS-related configuration and startup/auth extension points.

- Does this need documentation: Yes
@hello-stephen
Copy link
Copy Markdown
Contributor

hello-stephen commented May 11, 2026

Thank you for your contribution to Apache Doris.
Don't know what should be done next? See How to process your PR.

Please clearly describe your PR:

  1. What problem was fixed (it's best to include specific error reporting information). How it was fixed.
  2. Which behaviors were modified. What was the previous behavior, what is it now, why was it modified, and what possible impacts might there be.
  3. What features were added. Why was this function added?
  4. Which code was refactored and why was this part of the code refactored?
  5. Which functions were optimized and what is the difference before and after the optimization?

@Hastyshell Hastyshell marked this pull request as draft May 11, 2026 12:13
@gavinchou gavinchou changed the title [feature](tls) Add OSS mTLS scaffolding [feature](tls) Add TLS framework May 11, 2026
@Hastyshell
[chore](tls) Fix CI style checks
301150c 
### What problem does this PR solve?

Issue Number: None

Related PR: apache#63145

Problem Summary: Fix clang-format and FE CheckStyle failures in the TLS scaffolding PR.

### Release note

None

### Check List (For Author)

- Test: ./build-support/check-format.sh with clang-format 16; cd fe && mvn clean checkstyle:check; git diff --check

- Behavior changed: No

- Does this need documentation: No
@Hastyshell
Copy link
Copy Markdown
Collaborator Author

Hastyshell commented May 12, 2026

run buildall

@Hastyshell
[chore](thirdparty) Remove internal brpc TLS patches
9f2ddc4 
### What problem does this PR solve?

Issue Number: None

Related PR: apache#63145

Problem Summary: Remove thirdparty brpc TLS implementation patches from the OSS scaffolding PR to keep the change focused on public extension points.

### Release note

None

### Check List (For Author)

- Test: git diff --check --cached

- Behavior changed: No

- Does this need documentation: No
@Hastyshell
Copy link
Copy Markdown
Collaborator Author

Hastyshell commented May 12, 2026

run buildall

@Hastyshell
[chore](regression) Remove cloud TLS regression tests
781475f 
### What problem does this PR solve?

Issue Number: None

Related PR: apache#63145

Problem Summary: Remove cloud TLS regression cases that depend on custom TLS capabilities from the OSS scaffolding PR.

### Release note

None

### Check List (For Author)

- Test: git diff --check --cached

- Behavior changed: No

- Does this need documentation: No
@Hastyshell
Copy link
Copy Markdown
Collaborator Author

Hastyshell commented May 12, 2026

run buildall

@hello-stephen
Copy link
Copy Markdown
Contributor

hello-stephen commented May 12, 2026

Cloud UT Coverage Report

Increment line coverage 🎉

Increment coverage report
Complete coverage report

Category Coverage
Function Coverage 78.05% (1849/2369)
Line Coverage 64.74% (33230/51327)
Region Coverage 65.28% (16450/25198)
Branch Coverage 55.79% (8777/15732)

@hello-stephen
Copy link
Copy Markdown
Contributor

hello-stephen commented May 12, 2026

Cloud UT Coverage Report

Increment line coverage 🎉

Increment coverage report
Complete coverage report

Category Coverage
Function Coverage 78.05% (1849/2369)
Line Coverage 64.71% (33213/51327)
Region Coverage 65.26% (16444/25198)
Branch Coverage 55.82% (8782/15732)

@hello-stephen
Copy link
Copy Markdown
Contributor

hello-stephen commented May 12, 2026

BE UT Coverage Report

Increment line coverage 40.91% (18/44) 🎉

Increment coverage report
Complete coverage report

Category Coverage
Function Coverage 53.28% (20527/38524)
Line Coverage 37.01% (194003/524138)
Region Coverage 33.35% (151346/453794)
Branch Coverage 34.40% (66088/192134)

@hello-stephen
Copy link
Copy Markdown
Contributor

hello-stephen commented May 12, 2026

BE UT Coverage Report

Increment line coverage 40.91% (18/44) 🎉

Increment coverage report
Complete coverage report

Category Coverage
Function Coverage 53.28% (20527/38524)
Line Coverage 37.02% (194020/524138)
Region Coverage 33.36% (151387/453794)
Branch Coverage 34.41% (66117/192134)

@Hastyshell
[fix](tls) Return resolved user identity directly
32e638f 
### What problem does this PR solve?

Issue Number: None

Related PR: apache#63145

Problem Summary: Fix FE compilation by returning the resolved UserIdentity directly instead of treating it as a list.

### Release note

None

### Check List (For Author)

- Test: git diff --check; cd fe && mvn -pl fe-core checkstyle:check

- Behavior changed: No

- Does this need documentation: No
@Hastyshell
Copy link
Copy Markdown
Collaborator Author

Hastyshell commented May 14, 2026

run buildall

@Hastyshell Hastyshell marked this pull request as ready for review May 14, 2026 14:21
@hello-stephen
Copy link
Copy Markdown
Contributor

hello-stephen commented May 14, 2026

Cloud UT Coverage Report

Increment line coverage 🎉

Increment coverage report
Complete coverage report

Category Coverage
Function Coverage 78.03% (1850/2371)
Line Coverage 64.68% (33222/51362)
Region Coverage 65.21% (16443/25214)
Branch Coverage 55.70% (8777/15758)

@Hastyshell
[fix](tls) Align SAN normalization test
52f8c63 
### What problem does this PR solve?

Issue Number: None

Related PR: apache#63145

Problem Summary: Align the TlsOptions test expectation with SanEntryCodec normalization, which canonicalizes SAN types and strips trailing dots without changing value case.

### Release note

None

### Check List (For Author)

- Test: git diff --check; cd fe && mvn -pl fe-core checkstyle:check

- Behavior changed: No

- Does this need documentation: No
@hello-stephen
Copy link
Copy Markdown
Contributor

hello-stephen commented May 14, 2026

TPC-H: Total hot run time: 29842 ms 
machine: 'aliyun_ecs.c7a.8xlarge_32C64G'
scripts: https://github.com/apache/doris/tree/master/tools/tpch-tools
Tpch sf100 test result on commit 32e638f18c98907b89e265a08765f26e3796fe29, data reload: false

------ Round 1 ----------------------------------
orders	Doris	NULL	NULL	0	0	0	NULL	0	NULL	NULL	2023-12-26 18:27:23	2023-12-26 18:42:55	NULL	utf-8	NULL	NULL	
============================================
q1	17781	4035	4112	4035
q2	q3	10705	913	648	648
q4	4663	460	342	342
q5	7454	1357	1147	1147
q6	210	174	141	141
q7	946	965	756	756
q8	9817	1440	1325	1325
q9	6741	5377	5341	5341
q10	6300	2088	1813	1813
q11	478	273	258	258
q12	679	426	298	298
q13	18141	3372	2747	2747
q14	293	287	266	266
q15	q16	898	870	794	794
q17	1005	1049	714	714
q18	6539	5681	5677	5677
q19	1270	1259	1069	1069
q20	505	410	265	265
q21	4591	2285	1899	1899
q22	432	359	307	307
Total cold run time: 99448 ms
Total hot run time: 29842 ms

----- Round 2, with runtime_filter_mode=off -----
orders	Doris	NULL	NULL	150000000	42	6422171781	NULL	22778155	NULL	NULL	2023-12-26 18:27:23	2023-12-26 18:42:55	NULL	utf-8	NULL	NULL	
============================================
q1	4310	4232	4235	4232
q2	q3	4641	4784	4161	4161
q4	2106	2202	1409	1409
q5	4931	4962	5291	4962
q6	191	169	141	141
q7	2276	1958	1688	1688
q8	3451	3173	3183	3173
q9	8470	8515	8479	8479
q10	4507	4507	4298	4298
q11	666	466	441	441
q12	702	797	512	512
q13	3339	3658	2919	2919
q14	301	307	278	278
q15	q16	787	794	700	700
q17	1425	1396	1497	1396
q18	8018	7240	7271	7240
q19	1194	1174	1145	1145
q20	2238	2259	1964	1964
q21	6306	5668	4974	4974
q22	592	530	421	421
Total cold run time: 60451 ms
Total hot run time: 54533 ms

@hello-stephen
Copy link
Copy Markdown
Contributor

hello-stephen commented May 14, 2026

TPC-DS: Total hot run time: 170568 ms 
machine: 'aliyun_ecs.c7a.8xlarge_32C64G'
scripts: https://github.com/apache/doris/tree/master/tools/tpcds-tools
TPC-DS sf100 test result on commit 32e638f18c98907b89e265a08765f26e3796fe29, data reload: false

query5	4338	654	508	508
query6	358	219	226	219
query7	4325	553	292	292
query8	327	258	215	215
query9	8814	4004	3953	3953
query10	447	345	289	289
query11	5814	2400	2199	2199
query12	184	126	129	126
query13	1271	598	447	447
query14	6672	5338	5029	5029
query14_1	4359	4357	4326	4326
query15	211	203	183	183
query16	1025	464	441	441
query17	1379	740	617	617
query18	2799	481	344	344
query19	239	200	170	170
query20	136	130	128	128
query21	212	138	118	118
query22	13625	13951	14513	13951
query23	17457	16490	15981	15981
query23_1	16224	16195	16243	16195
query24	8085	1817	1383	1383
query24_1	1370	1395	1377	1377
query25	573	482	442	442
query26	1170	317	169	169
query27	2673	607	328	328
query28	4346	1939	1931	1931
query29	1002	623	503	503
query30	347	238	195	195
query31	1125	1067	936	936
query32	89	72	71	71
query33	523	343	292	292
query34	1157	1106	631	631
query35	744	784	659	659
query36	1345	1357	1121	1121
query37	149	96	86	86
query38	3190	3095	3040	3040
query39	928	926	893	893
query39_1	872	872	861	861
query40	235	148	137	137
query41	68	60	60	60
query42	113	109	109	109
query43	321	330	274	274
query44	
query45	216	201	190	190
query46	1055	1156	723	723
query47	2256	2255	2165	2165
query48	404	411	294	294
query49	634	525	433	433
query50	708	288	213	213
query51	4300	4305	4218	4218
query52	106	102	95	95
query53	251	277	206	206
query54	322	286	255	255
query55	91	92	83	83
query56	310	313	299	299
query57	1409	1394	1324	1324
query58	304	271	267	267
query59	1538	1650	1388	1388
query60	353	337	323	323
query61	160	159	165	159
query62	665	615	563	563
query63	241	204	207	204
query64	2149	801	729	729
query65	
query66	1681	528	426	426
query67	29293	29986	29885	29885
query68	
query69	466	340	315	315
query70	1034	973	954	954
query71	317	270	272	270
query72	3143	2837	2581	2581
query73	831	774	428	428
query74	5054	4901	4719	4719
query75	2774	2643	2314	2314
query76	2298	1120	754	754
query77	408	411	339	339
query78	13005	12819	12284	12284
query79	2318	875	745	745
query80	1378	580	496	496
query81	515	279	237	237
query82	922	169	121	121
query83	352	274	246	246
query84	258	137	113	113
query85	926	540	456	456
query86	444	318	329	318
query87	3419	3329	3183	3183
query88	3497	2650	2620	2620
query89	432	380	336	336
query90	1992	169	177	169
query91	187	176	140	140
query92	82	71	70	70
query93	1336	959	560	560
query94	724	342	296	296
query95	672	469	373	373
query96	1078	747	329	329
query97	2702	2692	2567	2567
query98	240	228	224	224
query99	1096	1131	989	989
Total cold run time: 256045 ms
Total hot run time: 170568 ms

@hello-stephen
Copy link
Copy Markdown
Contributor

hello-stephen commented May 14, 2026

BE UT Coverage Report

Increment line coverage 40.91% (18/44) 🎉

Increment coverage report
Complete coverage report

Category Coverage
Function Coverage 53.24% (20547/38591)
Line Coverage 37.02% (194370/525111)
Region Coverage 33.33% (151789/455436)
Branch Coverage 34.42% (66302/192641)

@hello-stephen
Copy link
Copy Markdown
Contributor

hello-stephen commented May 14, 2026

FE Regression Coverage Report

Increment line coverage 38.81% (248/639) 🎉
Increment coverage report
Complete coverage report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zclllyybb zclllyybb Awaiting requested review from zclllyybb zclllyybb is a code owner

@BiteTheDDDDt BiteTheDDDDt Awaiting requested review from BiteTheDDDDt BiteTheDDDDt is a code owner

@gavinchou gavinchou Awaiting requested review from gavinchou gavinchou is a code owner

@dataroaring dataroaring Awaiting requested review from dataroaring dataroaring is a code owner

@w41ter w41ter Awaiting requested review from w41ter w41ter is a code owner

@CalvinKirs CalvinKirs Awaiting requested review from CalvinKirs CalvinKirs is a code owner

@morningman morningman Awaiting requested review from morningman morningman is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Hastyshell @hello-stephen