pool: encrypted p2p transfer modes

Motivation Admins should have choices of enabling secure p2p, for example, transfer within the pools in the same organization might be expencive, while when the receiving pool is in another organization/country/zone using encrypted p2p obviously is better choice. Modifications pool.enable.encrypted.p2p-transfers property should be described by three modes. never: encrypted p2p transfer disabled always: encrypted p2p transfer enabled crosszones: enabled only for crosszones Target: master Require-book: yes Require-notes: yes Patch: Acked-by:
dCache · Nov 28, 2019 · daabc90 · daabc90
1 parent d911506
commit daabc90
Show file tree

Hide file tree

Showing 4 changed files with 54 additions and 11 deletions.
diff --git a/modules/dcache/src/main/java/org/dcache/pool/p2p/Companion.java b/modules/dcache/src/main/java/org/dcache/pool/p2p/Companion.java
@@ -31,11 +31,12 @@
 import java.util.List;
 import java.util.OptionalLong;
 import java.util.Set;
+
 import java.util.concurrent.ScheduledExecutorService;
 import java.util.concurrent.ScheduledFuture;
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.atomic.AtomicInteger;
-import java.util.stream.Collectors;
+import java.util.function.Supplier;
 
 import diskCacheV111.util.CacheException;
 import diskCacheV111.util.CacheFileAvailable;
@@ -178,9 +179,7 @@ class Companion
               CacheFileAvailable callback,
               boolean forceSourceMode,
               Long atime,
-              SSLContext sslContext
-              )
-    {
+              Supplier<SSLContext> getContextIfNeeded) {
         _fsm = new CompanionContext(this);
 
         _executor = executor;
@@ -194,7 +193,9 @@ class Companion
         _destinationPoolCellname = checkNotNull(destinationPoolCellname, "Destination pool name is unknown.");
         _destinationPoolCellDomainName = checkNotNull(destinationPoolCellDomainName, "Destination domain name is unknown.");
         _fileAttributes = checkNotNull(fileAttributes, "File attributes is missing.");
-        _sslContext = sslContext;
+
+        _sslContext = getContextIfNeeded.get();
+
 
         if (!_fileAttributes.isDefined(FileAttribute.PNFSID)) {
             throw new IllegalArgumentException("PNFSID is required, got " + _fileAttributes.getDefinedAttributes());

diff --git a/modules/dcache/src/main/java/org/dcache/pool/p2p/P2PClient.java b/modules/dcache/src/main/java/org/dcache/pool/p2p/P2PClient.java
@@ -13,6 +13,7 @@
 import java.util.Map;
 import java.util.concurrent.Callable;
 import java.util.concurrent.ScheduledExecutorService;
+import java.util.function.Supplier;
 
 import diskCacheV111.util.CacheException;
 import diskCacheV111.util.CacheFileAvailable;
@@ -38,6 +39,13 @@
 
 import static java.util.stream.Collectors.joining;
 
+ enum TlsMode {
+    NEVER,
+    ALWAYS,
+    CROSSZONES
+
+}
+
 public class P2PClient
     extends AbstractCellComponent
     implements CellMessageReceiver, CellCommandListener, CellSetupProvider, CellInfoProvider,
@@ -51,10 +59,17 @@ public class P2PClient
     private CellStub _pnfs;
     private CellStub _pool;
     private InetAddress _interface;
-
+    private TlsMode _p2pTlsMode;
 
     private SSLContext _sslContext;
 
+    // TODO: cross zone behaves as ALYWAYS as long as we can't distinct zones
+    private Supplier<SSLContext> getContextIfNeeded = () -> {
+
+        return _p2pTlsMode == TlsMode.NEVER ? null :  _sslContext;
+    };
+
+
     public synchronized void setExecutor(ScheduledExecutorService executor)
     {
         _executor = executor;
@@ -90,7 +105,11 @@ public synchronized void setSslContext(SSLContext sslContext)
         _sslContext = sslContext;
     }
 
+    public synchronized void setTlsMode(TlsMode p2pTlslMode)
+    {
+        _p2pTlsMode = p2pTlslMode;
 
+    }
 
     public synchronized void messageArrived(DoorTransferFinishedMessage message)
     {
@@ -256,7 +275,8 @@ public synchronized int newCompanion(String sourcePoolName,
                         targetState, stickyRecords,
                         cb, forceSourceMode,
                         atime,
-                        _sslContext);
+                        getContextIfNeeded
+                        );
 
         int id = addCompanion(companion);
         cb.setId(id);

diff --git a/modules/dcache/src/main/resources/org/dcache/pool/classic/pool.xml b/modules/dcache/src/main/resources/org/dcache/pool/classic/pool.xml
@@ -665,20 +665,34 @@
     </beans>
 
 
-    <beans profile="p2phttps-false">
+    <beans profile="p2phttps-NEVER">
 
         <bean id="p2p" parent="p2p-parent">
             <description>Pool to pool transfer manager</description>
+            <property name="tlsMode" value="${pool.enable.encrypted.p2p-transfers}"/>
+
         </bean>
     </beans>
 
 
-    <beans profile="p2phttps-true">
+    <beans profile="p2phttps-ALWAYS">
+
+        <bean id="p2p" parent="p2p-parent">
+            <description>Pool to pool transfer manager with encryption</description>
+            <property name="sslContext" ref="ssl-context-builder"/>
+            <property name="tlsMode" value="${pool.enable.encrypted.p2p-transfers}"/>
+        </bean>
+
+    </beans>
+
+    <beans profile="p2phttps-CROSSZONES">
 
         <bean id="p2p" parent="p2p-parent">
             <description>Pool to pool transfer manager with encryption</description>
             <property name="sslContext" ref="ssl-context-builder"/>
+            <property name="tlsMode" value="${pool.enable.encrypted.p2p-transfers}"/>
         </bean>
+
     </beans>
 
     <beans profile="httpsredirect-false">

diff --git a/skel/share/defaults/pool.properties b/skel/share/defaults/pool.properties
@@ -673,8 +673,16 @@ pool.kafka.producer.configs!max.block.ms = ${dcache.kafka.maximum-block}
 #
 (one-of?true|false)pool.enable.encrypted-transfers=false
 
-#when enabling p2p https transfer the sender pool is not local pool.enable.encrypted-transfers should be set to true
-(one-of?true|false)pool.enable.encrypted.p2p-transfers=false
+# enbaling/disabling https for p2p
+# always: encrypted p2p transfer enabled
+# when enabling p2p https transfer the sender pool is not local pool.enable.encrypted-transfers should be set to ALWAYS
+#
+# never: encrypted p2p transfer disabled
+# when the sender pool is not local enabling https transfer might be expensive so NEVER will disable it.
+#
+# crosszones: enabled only for crosszones
+# when the pools are in the different zone
+(one-of?NEVER|ALWAYS|CROSSZONES)pool.enable.encrypted.p2p-transfers=NEVER
 
 # Host (server) certificate for https authentication
 pool.mover.https.hostcert.cert=${dcache.authn.hostcert.cert}