Centralize SSL Context Handling and Client SSL Provider#17358
Centralize SSL Context Handling and Client SSL Provider#17358xiangfu0 merged 1 commit intoapache:masterfrom
Conversation
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## master #17358 +/- ##
============================================
- Coverage 63.20% 63.17% -0.03%
- Complexity 1476 1477 +1
============================================
Files 3170 3172 +2
Lines 189523 189751 +228
Branches 28997 29036 +39
============================================
+ Hits 119779 119877 +98
- Misses 60451 60566 +115
- Partials 9293 9308 +15
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
9b2b3e9 to
ed0217a
Compare
ed0217a to
f158985
Compare
There was a problem hiding this comment.
Pull request overview
This PR centralizes SSL/TLS context handling across Pinot components by introducing module-local context singletons (BrokerContext, ControllerContext, ServerContext) that delegate to a shared QueryRuntimeContext for gRPC SSL contexts. It also adds a pluggable SslContextProvider mechanism for client SSL configuration with JDK/BCJSSE support.
Key Changes:
- Centralized SSL context management through module-specific context classes backed by QueryRuntimeContext
- Introduced SslContextProvider interface with factory-based lookup and default JDK implementation
- Enhanced client SSL configuration with protocol/keystore/algorithm customization
Reviewed changes
Copilot reviewed 26 out of 26 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| pinot-server/src/main/java/org/apache/pinot/server/ServerContext.java | New singleton context for server SSL contexts delegating to QueryRuntimeContext |
| pinot-broker/src/main/java/org/apache/pinot/broker/BrokerContext.java | New singleton context for broker SSL contexts delegating to QueryRuntimeContext |
| pinot-controller/src/main/java/org/apache/pinot/controller/ControllerContext.java | New singleton context for controller SSL contexts delegating to QueryRuntimeContext |
| pinot-query-runtime/src/main/java/org/apache/pinot/query/runtime/context/QueryRuntimeContext.java | Renamed from BrokerContext, added gRPC SSL context fields |
| pinot-query-runtime/src/main/java/org/apache/pinot/query/runtime/context/ServerContext.java | Removed (functionality moved to module-specific contexts) |
| pinot-query-runtime/src/main/java/org/apache/pinot/query/runtime/context/ControllerContext.java | Removed (functionality moved to module-specific contexts) |
| pinot-server/src/main/java/org/apache/pinot/server/worker/WorkerQueryServer.java | Initialize server context SSL contexts during worker query server setup |
| pinot-server/src/main/java/org/apache/pinot/server/starter/helix/BaseServerStarter.java | Initialize server context HTTPS contexts on startup |
| pinot-controller/src/main/java/org/apache/pinot/controller/BaseControllerStarter.java | Initialize controller context SSL contexts on startup |
| pinot-broker/src/main/java/org/apache/pinot/broker/broker/helix/BaseBrokerStarter.java | Initialize broker context HTTPS contexts on startup |
| pinot-broker/src/main/java/org/apache/pinot/broker/requesthandler/MultiStageBrokerRequestHandler.java | Initialize broker context SSL contexts in multi-stage handler |
| pinot-query-runtime/.../QueryServer.java | Reuse cached server gRPC SSL context from QueryRuntimeContext |
| pinot-query-runtime/.../QueryDispatcher.java | Initialize and reuse client gRPC SSL context from QueryRuntimeContext |
| pinot-query-runtime/.../DispatchClient.java | Accept optional SslContext parameter to reuse cached context |
| pinot-query-runtime/.../MailboxService.java | Resolve SSL contexts from QueryRuntimeContext for broker/server/controller instances |
| pinot-query-runtime/.../GrpcMailboxServer.java | Accept optional SslContext parameter to reuse cached context |
| pinot-query-runtime/.../ChannelManager.java | Accept optional SslContext parameter to reuse cached context |
| pinot-query-runtime/.../OpChainExecutionContext.java | Simplified to use QueryRuntimeContext instead of separate broker/server contexts |
| pinot-clients/.../SslContextProvider.java | New interface for pluggable SSL configuration |
| pinot-clients/.../SslContextProviderFactory.java | Factory for loading SslContextProvider via property/ServiceLoader |
| pinot-clients/.../DefaultSslContextProvider.java | Default JDK/BCJSSE provider implementation |
| pinot-clients/.../JsonAsyncHttpPinotClientTransport.java | Updated to use SslContextProvider for SSL configuration |
| pinot-common/.../ClientSSLContextGenerator.java | Added configurable protocol/keystore/algorithm with try-with-resources |
| pinot-broker/.../BrokerGrpcServer.java | Added warning for non-JDK providers and provider-aware GrpcSslContexts configuration |
| pinot-controller/pom.xml | Added pinot-query-runtime dependency |
pinot-query-runtime/src/main/java/org/apache/pinot/query/mailbox/MailboxService.java
Outdated
Show resolved
Hide resolved
pinot-query-runtime/src/main/java/org/apache/pinot/query/mailbox/MailboxService.java
Outdated
Show resolved
Hide resolved
pinot-common/src/main/java/org/apache/pinot/common/utils/ClientSSLContextGenerator.java
Outdated
Show resolved
Hide resolved
f158985 to
82c7250
Compare
8fc4852 to
f2dc959
Compare
f2dc959 to
0051c48
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 27 out of 27 changed files in this pull request and generated 1 comment.
Comments suppressed due to low confidence (1)
pinot-common/src/main/java/org/apache/pinot/common/utils/ClientSSLContextGenerator.java:1
- The
setCertificateEntrymethod is being called with the loop indexiinstead of the certificatecertas the second argument. This will cause a runtime error sincesetCertificateEntryexpects aCertificateobject, not an integer. Change line 122 totrustStore.setCertificateEntry(serverKey, cert);.
/**
pinot-query-runtime/src/main/java/org/apache/pinot/query/mailbox/MailboxService.java
Show resolved
Hide resolved
19edb0a to
bfbcc60
Compare
Jackie-Jiang
left a comment
There was a problem hiding this comment.
Putting context class in the component module could potentially make them hard to use. pinot-core won't be able to access them. We probably need to put them into lower module so that they are more accessible.
bfbcc60 to
05af5ee
Compare
pinot-query-runtime/src/main/java/org/apache/pinot/query/mailbox/MailboxService.java
Show resolved
Hide resolved
...ients/pinot-java-client/src/main/java/org/apache/pinot/client/DefaultSslContextProvider.java
Outdated
Show resolved
Hide resolved
pinot-common/src/main/java/org/apache/pinot/common/utils/ClientSSLContextGenerator.java
Show resolved
Hide resolved
...-clients/pinot-java-client/src/test/java/org/apache/pinot/client/SslContextProviderTest.java
Show resolved
Hide resolved
05af5ee to
3bfa60d
Compare
pinot-common/src/main/java/org/apache/pinot/context/BrokerContext.java
Outdated
Show resolved
Hide resolved
pinot-core/src/main/java/org/apache/pinot/core/instance/context/BrokerContext.java
Show resolved
Hide resolved
3bfa60d to
df46ee8
Compare
pinot-query-runtime/src/main/java/org/apache/pinot/query/mailbox/channel/GrpcMailboxServer.java
Show resolved
Hide resolved
pinot-query-runtime/src/main/java/org/apache/pinot/query/mailbox/channel/ChannelManager.java
Show resolved
Hide resolved
...ients/pinot-java-client/src/main/java/org/apache/pinot/client/DefaultSslContextProvider.java
Outdated
Show resolved
Hide resolved
...-clients/pinot-java-client/src/test/java/org/apache/pinot/client/SslContextProviderTest.java
Show resolved
Hide resolved
pinot-broker/src/main/java/org/apache/pinot/broker/grpc/BrokerGrpcServer.java
Show resolved
Hide resolved
pinot-broker/src/main/java/org/apache/pinot/broker/broker/helix/BaseBrokerStarter.java
Outdated
Show resolved
Hide resolved
...ker/src/main/java/org/apache/pinot/broker/requesthandler/MultiStageBrokerRequestHandler.java
Outdated
Show resolved
Hide resolved
pinot-core/src/main/java/org/apache/pinot/core/instance/context/BrokerContext.java
Outdated
Show resolved
Hide resolved
df46ee8 to
f67b57e
Compare
ed61aad to
01f2e16
Compare
...ients/pinot-java-client/src/main/java/org/apache/pinot/client/SslContextProviderFactory.java
Show resolved
Hide resolved
01f2e16 to
db413f5
Compare
This pull request introduces a more flexible and configurable approach to SSL/TLS context management for both the Pinot broker and the Java client. The main changes include adding pluggable SSL context providers for the client, refactoring how SSL contexts are set up and used in the broker, and improving support for custom TLS protocols and providers. These updates enhance security, allow easier integration with different environments (e.g., FIPS/BCJSSE), and make it possible to override SSL handling via configuration or service loader.
SSL/TLS Context Provider Framework (Client):
SslContextProviderinterface and a default implementation (DefaultSslContextProvider) to allow custom configuration of the AsyncHttpClient's SSL/TLS settings. A factory (SslContextProviderFactory) resolves the provider using system properties or Java service loader, falling back to the default. [1] [2] [3]JsonAsyncHttpPinotClientTransportto use the newSslContextProviderfor configuring SSL/TLS, replacing direct Netty context usage and improving protocol selection. [1] [2]Broker SSL/TLS Context Management:
BaseBrokerStarter) and request handler (MultiStageBrokerRequestHandler) to set up and cache SSLContext and GRPC SslContext in the singletonBrokerContext, supporting both HTTPS and GRPC with auto-renewal and insecure mode handling. [1] [2]GrpcSslContexts.configure.Dependency and Import Updates: