Mongo SQL TLS support [HZ-2498] #25301
Conversation
There is missing support for configuring keystore and truststore for the connection. Using system properties is not a valid option for a production-ready component.
Here is a simple way to create an SSLContext from some basic parameters:
```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

private static SSLContext createSSLContext(String ksFile, String ksType, char[] ksPass,
                                           String tsFile, String tsType, char[] tsPass)
        throws IOException, GeneralSecurityException {
    // Key store (optional): client certificate and private key, needed for mutual TLS.
    KeyStore ks = loadKeystore(ksFile, ksType, ksPass);
    KeyManagerFactory kmf = null;
    if (ks != null) {
        kmf = KeyManagerFactory.getInstance("PKIX");
        kmf.init(ks, ksPass);
    }
    // Trust store (optional): CA certificates the server certificate must chain to.
    KeyStore ts = loadKeystore(tsFile, tsType, tsPass);
    TrustManagerFactory tmf = null;
    if (ts != null) {
        tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(ts);
    }
    // A null manager array makes the JVM fall back to its default key/trust material.
    SSLContext sslContext = SSLContext.getInstance("TLS");
    sslContext.init(kmf == null ? null : kmf.getKeyManagers(),
                    tmf == null ? null : tmf.getTrustManagers(), null);
    return sslContext;
}

private static KeyStore loadKeystore(String ksFile, String ksType, char[] ksPass)
        throws IOException, GeneralSecurityException {
    if (ksFile == null) {
        return null;
    }
    KeyStore ks = KeyStore.getInstance(ksType == null ? KeyStore.getDefaultType() : ksType);
    try (InputStream stream = new FileInputStream(ksFile)) {
        ks.load(stream, ksPass);
    }
    return ks;
}
```
If MongoDB supports mutual TLS then we should test it too.
@kwart Please check now :)
The job log (ERRORS section):

```
[ERROR] Failed to execute goal pl.project13.maven:git-commit-id-plugin:4.9.10:revision (default) on project hazelcast: Could not complete Mojo execution... Missing tree 2a16e70f898cd00b6ae18a9967010c239ffe6d55 -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException
[ERROR]
[ERROR] After correcting the problems, you can resume the build with the command
[ERROR] mvn -rf :hazelcast
```
```java
Files.copy(resourceKS, tempFileKS.toPath(), StandardCopyOption.REPLACE_EXISTING);

System.setProperty("https.protocols", "TLSv1,TLSv1.1,TLSv1.2,TLSv1.3");
System.setProperty("javax.net.debug", "ssl:handshake");
```
The system properties reconfiguration shouldn't be needed.
Right, removed
...ngodb/src/test/java/com/hazelcast/jet/mongodb/dataconnection/MongoDataConnectionSslTest.java
@kwart Removed csr/crt files and other leftovers and extracted base class :)
LGTM, thanks for the feature!
The job log (ERRORS section):

```
[ERROR] Failed to execute goal org.codehaus.mojo:license-maven-plugin:2.2.0:add-third-party (add-third-party) on project hazelcast-jet-s3: There are some forbidden licenses used, please check your dependencies. -> [Help 1]
[ERROR]
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException
[ERROR]
[ERROR] After correcting the problems, you can resume the build with the command
[ERROR] mvn -rf :hazelcast-jet-s3
```
extensions/mongodb/src/test/java/com/hazelcast/jet/mongodb/AbstractMongoTest.java
...b/src/test/java/com/hazelcast/jet/mongodb/dataconnection/MongoDataConnectionSslTestBase.java
Co-authored-by: František Hartman <frant.hartm@gmail.com>
@frant-hartm ready for re-review
User will be able to provide 8 new parameters in Data Connections:

- enableSsl - default false
- invalidHostNameAllowed - default false
- keyStore - location of the key store, file must be present on all members
- keyStoreType - type of the key store, defaults to system default keyStore type
- keyStorePassword - password of the key store
- trustStore - location of the trust store, file must be present on all members
- trustStoreType - type of the trust store, defaults to system default keyStore type
- trustStorePassword - password of the trust store

Generated certs come from the create_keymaterial_openssl script.

Fixes https://hazelcast.atlassian.net/browse/HZ-2498
Checklist:

- Labels (Team:, Type:, Source:, Module:) and Milestone set
- Add to Release Notes or Not Release Notes content set
- @Nonnull/@Nullable annotations
- @since tags in Javadoc
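As an added example that is not Hazelcast's code, this shows how the eight options listed in the description could be mapped onto the MongoDB Java driver's SslSettings, building the SSLContext the way the review comment above describes. The `MongoTlsOptions` class, the `applyTls` helper and the property-map form of the options are assumptions; the driver's `applyToSslSettings`, `enabled`, `invalidHostNameAllowed` and `context` calls are real.

```java
import com.mongodb.MongoClientSettings;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Map;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Example only (not Hazelcast code): maps the eight data-connection options to the driver's SslSettings.
public final class MongoTlsOptions {
    // opts: hypothetical property map of the data connection, keyed by the option names from the PR.
    public static MongoClientSettings.Builder applyTls(MongoClientSettings.Builder builder, Map<String, String> opts)
            throws IOException, GeneralSecurityException {
        if (!Boolean.parseBoolean(opts.getOrDefault("enableSsl", "false"))) {
            return builder;                                         // plaintext connection; stores are ignored
        }
        // Hostname verification stays on unless the user explicitly sets invalidHostNameAllowed=true.
        boolean allowBadHost = Boolean.parseBoolean(opts.getOrDefault("invalidHostNameAllowed", "false"));
        SSLContext ctx = sslContext(opts);
        return builder.applyToSslSettings(s -> s.enabled(true).invalidHostNameAllowed(allowBadHost).context(ctx));
    }
    // Follows the review comment's approach; a store that is not configured falls back to the JVM default.
    static SSLContext sslContext(Map<String, String> opts) throws IOException, GeneralSecurityException {
        KeyManagerFactory kmf = null;
        KeyStore ks = load(opts.get("keyStore"), opts.get("keyStoreType"), opts.get("keyStorePassword"));
        if (ks != null) {
            kmf = KeyManagerFactory.getInstance("PKIX");
            kmf.init(ks, chars(opts.get("keyStorePassword")));      // mutual TLS: present the client cert
        }
        TrustManagerFactory tmf = null;
        KeyStore ts = load(opts.get("trustStore"), opts.get("trustStoreType"), opts.get("trustStorePassword"));
        if (ts != null) {
            tmf = TrustManagerFactory.getInstance("PKIX");
            tmf.init(ts);                                           // trust only the CA(s) in the trust store
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf == null ? null : kmf.getKeyManagers(), tmf == null ? null : tmf.getTrustManagers(), null);
        return ctx;
    }
    static KeyStore load(String file, String type, String password) throws IOException, GeneralSecurityException {
        if (file == null) return null;                              // option not set
        KeyStore ks = KeyStore.getInstance(type == null ? KeyStore.getDefaultType() : type);
        try (InputStream in = new FileInputStream(file)) {          // file must exist on every member
            ks.load(in, chars(password));
        }
        return ks;
    }
    static char[] chars(String s) { return s == null ? null : s.toCharArray(); }
}
```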