Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TLS Configuration Support for QueryServer and Dispatch Client #13645

Merged
merged 15 commits into from
Sep 18, 2024
Merged

TLS Configuration Support for QueryServer and Dispatch Client #13645

merged 15 commits into from
Sep 18, 2024

Conversation

anandheritage
Copy link
Contributor

@anandheritage anandheritage commented Jul 17, 2024
edited
Loading

TLS support for the QueryServer and Dispatch client in Apache Pinot. The changes include:

TLS Configuration for QueryServer:

Addition of TLS settings to enable secure communication for the QueryServer.
Implementation of SSL context building to manage certificates and keys.
Dispatch Client Updates:

Integration of TLS support for the Dispatch client to ensure secure data dispatch.
These enhancements aim to improve the security of inter-service communication within Apache Pinot, aligning with modern security standards.

image

@anandheritage anandheritage changed the title Anandsh/tlsconfig [Draft] TLS config support for QueryServer and Dispatch client Jul 17, 2024
@anandheritage anandheritage mentioned this pull request Jul 17, 2024
Closed
@anandheritage anandheritage changed the title [Draft] TLS config support for QueryServer and Dispatch client TLS Configuration Support for QueryServer and Dispatch Client Jul 24, 2024
@anandheritage anandheritage mentioned this pull request Jul 24, 2024
Closed
@anandheritage
Copy link
Contributor Author

@Jackie-Jiang @xiangfu0
Can you enable the workflow here.

@codecov-commenter
Copy link

codecov-commenter commented Jul 24, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 23.52941% with 26 lines in your changes missing coverage. Please review.

Project coverage is 57.91%. Comparing base (59551e4) to head (a5acd61).
Report is 1060 commits behind head on master.

Files with missing lines Patch % Lines
...rg/apache/pinot/server/starter/ServerInstance.java 0.00% 12 Missing ⚠️
.../apache/pinot/server/worker/WorkerQueryServer.java 0.00% 6 Missing ⚠️
...e/pinot/query/service/dispatch/DispatchClient.java 50.00% 3 Missing and 1 partial ⚠️
...apache/pinot/query/service/server/QueryServer.java 50.00% 3 Missing and 1 partial ⚠️
Additional details and impacted files 
@@             Coverage Diff              @@
##             master   #13645      +/-   ##
============================================
- Coverage     61.75%   57.91%   -3.84%     
- Complexity      207      219      +12     
============================================
  Files          2436     2613     +177     
  Lines        133233   143283   +10050     
  Branches      20636    21998    +1362     
============================================
+ Hits          82274    82987     +713     
- Misses        44911    53804    +8893     
- Partials       6048     6492     +444
Flag Coverage Δ
custom-integration1 <0.01% <0.00%> (-0.01%) ⬇️
integration <0.01% <0.00%> (-0.01%) ⬇️
integration1 <0.01% <0.00%> (-0.01%) ⬇️
integration2 0.00% <0.00%> (ø)
java-11 57.89% <23.52%> (-3.82%) ⬇️
java-21 57.77% <23.52%> (-3.86%) ⬇️
skip-bytebuffers-false 57.91% <23.52%> (-3.84%) ⬇️
skip-bytebuffers-true 57.74% <23.52%> (+30.02%) ⬆️
temurin 57.91% <23.52%> (-3.84%) ⬇️
unittests 57.91% <23.52%> (-3.84%) ⬇️
unittests1 40.73% <50.00%> (-6.16%) ⬇️
unittests2 27.97% <0.00%> (+0.24%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@anandheritage
Copy link
Contributor Author

@xiangfu0 @npawar Can you help me get it reviewed ?

@ankitsultana ankitsultana merged commit 21ff6bf into apache:master Sep 18, 2024
21 checks passed
soumitra-st
soumitra-st reviewed Oct 19, 2024
View reviewed changes
pinot-query-runtime/src/main/java/org/apache/pinot/query/service/dispatch/DispatchClient.java
this(host, port, new GrpcConfig(Collections.emptyMap()));
}

public DispatchClient(String host, int port, GrpcConfig grpcConfig) {
Copy link
Contributor

@soumitra-st soumitra-st Oct 19, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This constructor is only used in the other constructor to create non-tls DispatchClient. Does it mean that if gRPC TLS is enabled on the server side, then DispatchClient will always fail? I don't see a place where TLS enabled DispatchClient is created. cc: @gortiz @Jackie-Jiang

soumitra-st added a commit to soumitra-st/pinot that referenced this pull request Oct 19, 2024
@soumitra-st
Reverting apache#13645 PR
b8d42f1
@soumitra-st soumitra-st mentioned this pull request Oct 19, 2024
Merged
gortiz
gortiz reviewed Oct 19, 2024
View reviewed changes
pinot-query-runtime/src/main/java/org/apache/pinot/query/service/server/QueryServer.java
@@ -55,16 +58,18 @@ public class QueryServer extends PinotQueryWorkerGrpc.PinotQueryWorkerImplBase {

private final int _port;
private final QueryRunner _queryRunner;
private final TlsConfig _tlsConfig;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@nullable annotation is needed here

gortiz
gortiz reviewed Oct 19, 2024
View reviewed changes
pinot-query-runtime/src/main/java/org/apache/pinot/query/service/server/QueryServer.java
// query submission service is only used for plan submission for now.
// TODO: with complex query submission logic we should allow asynchronous query submission return instead of
// directly return from submission response observer.
private final ExecutorService _querySubmissionExecutorService;

private Server _server = null;

public QueryServer(int port, QueryRunner queryRunner) {
public QueryServer(int port, QueryRunner queryRunner, TlsConfig tlsConfig) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@nullabe annotation is needed here

@gortiz
Copy link
Contributor

gortiz commented Oct 22, 2024

This PR is buggy. It looks like QueryServer enables TLS when it is enabled in netty config but query dispatcher is never using TLS, so multi-stage query engine ends up not working at all if TLS is enabled in netty.

@anandheritage
Copy link
Contributor Author

@gortiz Can you help me with the changes expected ?

When I had made the changes didn't had the dev env to test.

@anandheritage
Copy link
Contributor Author

Let me know if you want me to revert this for now and maybe we discuss if major changes are required ?

@gortiz gortiz mentioned this pull request Oct 22, 2024
Closed
gortiz pushed a commit that referenced this pull request Oct 22, 2024
@soumitra-st
Reverting #13645 PR (#14259)
736733d
@yashmayya yashmayya mentioned this pull request Nov 5, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@soumitra-st soumitra-st soumitra-st left review comments

@mcvsubbu mcvsubbu mcvsubbu left review comments

@gortiz gortiz gortiz left review comments

@mgranderath mgranderath mgranderath approved these changes

@Jackie-Jiang Jackie-Jiang Jackie-Jiang approved these changes

@xiangfu0 xiangfu0 Awaiting requested review from xiangfu0

@klsince klsince Awaiting requested review from klsince

@ankitsultana ankitsultana Awaiting requested review from ankitsultana

Assignees
No one assigned
Labels
feature security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
9 participants
@anandheritage @codecov-commenter @gortiz @mcvsubbu @ankitsultana @Jackie-Jiang @mgranderath @soumitra-st @anandkrshaw