Skip to content

Commit

Permalink
Configure SSL for unauthenticated client
Browse files Browse the repository at this point in the history 
Unauthenticated client can connect to the Trino cluster when loading segment data.
If cluster has its' own certificate chain - client needs to accept it according to the configuration.
  • Loading branch information
@wendigo
wendigo committed Dec 31, 2024
1 parent fdf4964 commit f9a553a
Showing 1 changed file with 35 additions and 33 deletions.
68 changes: 35 additions & 33 deletions client/trino-client/src/main/java/io/trino/client/uri/HttpClientFactory.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -54,45 +54,13 @@ public static OkHttpClient.Builder toHttpClientBuilder(TrinoUri uri, String user
OkHttpClient.Builder builder = unauthenticatedClientBuilder(uri, userAgent);
setupCookieJar(builder);

if (!uri.isUseSecureConnection()) {
setupInsecureSsl(builder);
}

if (uri.hasPassword()) {
if (!uri.isUseSecureConnection()) {
throw new RuntimeException("TLS/SSL is required for authentication with username and password");
}
builder.addNetworkInterceptor(basicAuth(uri.getRequiredUser(), uri.getPassword().orElseThrow(() -> new RuntimeException("Password expected"))));
}

if (uri.isUseSecureConnection()) {
ConnectionProperties.SslVerificationMode sslVerificationMode = uri.getSslVerification();
if (sslVerificationMode.equals(FULL) || sslVerificationMode.equals(CA)) {
setupSsl(
builder,
uri.getSslKeyStorePath(),
uri.getSslKeyStorePassword(),
uri.getSslKeyStoreType(),
uri.getSslUseSystemKeyStore(),
uri.getSslTrustStorePath(),
uri.getSslTrustStorePassword(),
uri.getSslTrustStoreType(),
uri.getSslUseSystemTrustStore());
}
if (sslVerificationMode.equals(FULL)) {
uri.getHostnameInCertificate().ifPresent(certHostname ->
setupAlternateHostnameVerification(builder, certHostname));
}

if (sslVerificationMode.equals(CA)) {
builder.hostnameVerifier((hostname, session) -> true);
}

if (sslVerificationMode.equals(NONE)) {
setupInsecureSsl(builder);
}
}

if (uri.getKerberosRemoteServiceName().isPresent()) {
if (!uri.isUseSecureConnection()) {
throw new RuntimeException("TLS/SSL is required for Kerberos authentication");
Expand Down Expand Up @@ -145,7 +113,6 @@ public static OkHttpClient.Builder toHttpClientBuilder(TrinoUri uri, String user
builder.addNetworkInterceptor(authenticator);
}

uri.getDnsResolver().ifPresent(resolverClass -> builder.dns(instantiateDnsResolver(resolverClass, uri.getDnsResolverContext())::lookup));
return builder;
}

Expand All @@ -157,6 +124,41 @@ public static OkHttpClient.Builder unauthenticatedClientBuilder(TrinoUri uri, St
setupHttpProxy(builder, uri.getHttpProxy());
setupTimeouts(builder, toIntExact(uri.getTimeout().toMillis()), TimeUnit.MILLISECONDS);
setupHttpLogging(builder, uri.getHttpLoggingLevel());

if (!uri.isUseSecureConnection()) {
setupInsecureSsl(builder);
}

if (uri.isUseSecureConnection()) {
ConnectionProperties.SslVerificationMode sslVerificationMode = uri.getSslVerification();
if (sslVerificationMode.equals(FULL) || sslVerificationMode.equals(CA)) {
setupSsl(
builder,
uri.getSslKeyStorePath(),
uri.getSslKeyStorePassword(),
uri.getSslKeyStoreType(),
uri.getSslUseSystemKeyStore(),
uri.getSslTrustStorePath(),
uri.getSslTrustStorePassword(),
uri.getSslTrustStoreType(),
uri.getSslUseSystemTrustStore());
}
if (sslVerificationMode.equals(FULL)) {
uri.getHostnameInCertificate().ifPresent(certHostname ->
setupAlternateHostnameVerification(builder, certHostname));
}

if (sslVerificationMode.equals(CA)) {
builder.hostnameVerifier((hostname, session) -> true);
}

if (sslVerificationMode.equals(NONE)) {
setupInsecureSsl(builder);
}
}

uri.getDnsResolver().ifPresent(resolverClass -> builder.dns(instantiateDnsResolver(resolverClass, uri.getDnsResolverContext())::lookup));

return builder;
}

Expand Down

0 comments on commit f9a553a

Please sign in to comment.