fix(pd): resolve hostname entries in IpAuthHandler allowlist (#2962)

- Resolve allowlist hostnames to IPs using InetAddress.getAllByName
- Add refresh() to update resolved IPs when Raft peer list changes
- Wire refresh into RaftEngine.changePeerList()
- Add IpAuthHandlerTest covering hostname resolution, refresh behavior, and failure cases

Author: bitflicker64

hugegraph-pd/hg-pd-core/src/main/java/org/apache/hugegraph/pd/raft/RaftEngine.java

@@ -23,9 +23,11 @@
 import java.util.HashSet;
 import java.util.List;
 import java.util.Objects;
+import java.util.Set;
 import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.CountDownLatch;
 import java.util.concurrent.ExecutionException;
+import java.util.concurrent.TimeUnit;
 import java.util.concurrent.atomic.AtomicReference;
 import java.util.stream.Collectors;
 
@@ -40,7 +42,6 @@
 import com.alipay.sofa.jraft.JRaftUtils;
 import com.alipay.sofa.jraft.Node;
 import com.alipay.sofa.jraft.RaftGroupService;
-import com.alipay.sofa.jraft.ReplicatorGroup;
 import com.alipay.sofa.jraft.Status;
 import com.alipay.sofa.jraft.conf.Configuration;
 import com.alipay.sofa.jraft.core.Replicator;
@@ -54,7 +55,6 @@
 import com.alipay.sofa.jraft.rpc.RpcServer;
 import com.alipay.sofa.jraft.rpc.impl.BoltRpcServer;
 import com.alipay.sofa.jraft.util.Endpoint;
-import com.alipay.sofa.jraft.util.ThreadId;
 import com.alipay.sofa.jraft.util.internal.ThrowUtil;
 
 import io.netty.channel.ChannelHandler;
@@ -313,23 +313,66 @@ public List<Metapb.Member> getMembers() throws ExecutionException, InterruptedEx
 
     public Status changePeerList(String peerList) {
         AtomicReference<Status> result = new AtomicReference<>();
+        Configuration newPeers = new Configuration();
         try {
             String[] peers = peerList.split(",", -1);
             if ((peers.length & 1) != 1) {
                 throw new PDException(-1, "the number of peer list must be odd.");
             }
-            Configuration newPeers = new Configuration();
             newPeers.parse(peerList);
             CountDownLatch latch = new CountDownLatch(1);
             this.raftNode.changePeers(newPeers, status -> {
-                result.set(status);
+                // Use compareAndSet so a late callback does not overwrite a timeout status
+                result.compareAndSet(null, status);
+                // Refresh inside callback so it fires even if caller already timed out
+                // Note: changePeerList() uses Configuration.parse() which only supports
+                // plain comma-separated peer addresses with no learner syntax.
+                // getLearners() will always be empty here. Learner support is handled
+                // in PDService.updatePdRaft() which uses PeerUtil.parseConfig()
+                // and supports the /learner suffix.
+                if (status != null && status.isOk()) {
+                    IpAuthHandler handler = IpAuthHandler.getInstance();
+                    if (handler != null) {
+                        Set<String> newIps = newPeers.getPeers()
+                                                     .stream()
+                                                     .map(PeerId::getIp)
+                                                     .collect(Collectors.toSet());
+                        handler.refresh(newIps);
+                        log.info("IpAuthHandler refreshed after peer list change to: {}",
+                                 peerList);
+                    } else {
+                        log.warn("IpAuthHandler not initialized, skipping refresh for "
+                                 + "peer list: {}", peerList);
+                    }
+                }
                 latch.countDown();
             });
-            latch.await();
+            // Use 3x configured RPC timeout — bare await() would block forever if
+            // the callback is never invoked (e.g. node not started / RPC failure)
+            boolean completed = latch.await(3L * config.getRpcTimeout(),
+                                            TimeUnit.MILLISECONDS);
+            if (!completed && result.get() == null) {
+                Status timeoutStatus = new Status(RaftError.EINTERNAL,
+                                                  "changePeerList timed out after %d ms",
+                                                  3L * config.getRpcTimeout());
+                if (!result.compareAndSet(null, timeoutStatus)) {
+                    // Callback arrived just before us — keep its result
+                    timeoutStatus = null;
+                }
+                if (timeoutStatus != null) {
+                    log.error("changePeerList to {} timed out after {} ms",
+                              peerList, 3L * config.getRpcTimeout());
+                }
+            }
+        } catch (InterruptedException e) {
+            Thread.currentThread().interrupt();
+            result.set(new Status(RaftError.EINTERNAL, "changePeerList interrupted"));
+            log.error("changePeerList to {} was interrupted", peerList, e);
         } catch (Exception e) {
             log.error("failed to changePeerList to {},{}", peerList, e);
             result.set(new Status(-1, e.getMessage()));
         }
+
         return result.get();
     }
 
@@ -366,7 +409,8 @@ private boolean peerEquals(PeerId p1, PeerId p2) {
         if (p1 == null || p2 == null) {
             return false;
         }
-        return Objects.equals(p1.getIp(), p2.getIp()) && Objects.equals(p1.getPort(), p2.getPort());
+        return Objects.equals(p1.getIp(), p2.getIp()) &&
+               Objects.equals(p1.getPort(), p2.getPort());
     }
 
     private Replicator.State getReplicatorState(PeerId peerId) {

hugegraph-pd/hg-pd-core/src/main/java/org/apache/hugegraph/pd/raft/auth/IpAuthHandler.java

@@ -17,8 +17,11 @@
 
 package org.apache.hugegraph.pd.raft.auth;
 
+import java.net.InetAddress;
 import java.net.InetSocketAddress;
+import java.net.UnknownHostException;
 import java.util.Collections;
+import java.util.HashSet;
 import java.util.Set;
 
 import io.netty.channel.ChannelDuplexHandler;
@@ -30,11 +33,11 @@
 @ChannelHandler.Sharable
 public class IpAuthHandler extends ChannelDuplexHandler {
 
-    private final Set<String> allowedIps;
+    private volatile Set<String> resolvedIps;
     private static volatile IpAuthHandler instance;
 
     private IpAuthHandler(Set<String> allowedIps) {
-        this.allowedIps = Collections.unmodifiableSet(allowedIps);
+        this.resolvedIps = resolveAll(allowedIps);
     }
 
     public static IpAuthHandler getInstance(Set<String> allowedIps) {
@@ -48,6 +51,25 @@ public static IpAuthHandler getInstance(Set<String> allowedIps) {
         return instance;
     }
 
+    /**
+     * Returns the existing singleton instance, or null if not yet initialized.
+     * Should only be called after getInstance(Set) has been called during startup.
+     */
+    public static IpAuthHandler getInstance() {
+        return instance;
+    }
+
+    /**
+     * Refreshes the resolved IP allowlist from a new set of hostnames or IPs.
+     * Should be called when the Raft peer list changes via RaftEngine#changePeerList().
+     * Note: DNS-only changes (e.g. container restart with new IP, same hostname)
+     * are not automatically detected and still require a process restart.
+     */
+    public void refresh(Set<String> newAllowedIps) {
+        this.resolvedIps = resolveAll(newAllowedIps);
+        log.info("IpAuthHandler allowlist refreshed, resolved {} entries", resolvedIps.size());
+    }
+
     @Override
     public void channelActive(ChannelHandlerContext ctx) throws Exception {
         String clientIp = getClientIp(ctx);
@@ -65,7 +87,25 @@ private static String getClientIp(ChannelHandlerContext ctx) {
     }
 
     private boolean isIpAllowed(String ip) {
-        return allowedIps.isEmpty() || allowedIps.contains(ip);
+        Set<String> resolved = this.resolvedIps;
+        // Empty allowlist means no restriction is configured — allow all
+        return resolved.isEmpty() || resolved.contains(ip);
+    }
+
+    private static Set<String> resolveAll(Set<String> entries) {
+        Set<String> result = new HashSet<>(entries);
+
+        for (String entry : entries) {
+            try {
+                for (InetAddress addr : InetAddress.getAllByName(entry)) {
+                    result.add(addr.getHostAddress());
+                }
+            } catch (UnknownHostException e) {
+                log.warn("Could not resolve allowlist entry '{}': {}", entry, e.getMessage());
+            }
+        }
+
+        return Collections.unmodifiableSet(result);
     }
 
     @Override

hugegraph-pd/hg-pd-service/src/main/java/org/apache/hugegraph/pd/rest/MemberAPI.java

@@ -113,6 +113,9 @@ public RestApiResponse getMembers() throws InterruptedException, ExecutionExcept
      * @return Returns a JSON string containing the modification results
      * @throws Exception If an exception occurs during request processing, service invocation, or Peer list modification, it is captured and returned as the JSON representation of the exception
      */
+    // TODO: this endpoint has no authentication check — any caller with network
+    // access to the management port can trigger a peer list change.
+    // Wire authentication here as part of the planned auth refactor.
     @PostMapping(value = "/members/change", consumes = MediaType.APPLICATION_JSON_VALUE,
                  produces = MediaType.APPLICATION_JSON_VALUE)
     @ResponseBody

hugegraph-pd/hg-pd-service/src/main/java/org/apache/hugegraph/pd/service/PDService.java

@@ -25,6 +25,7 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
+import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.TimeUnit;
@@ -85,6 +86,7 @@
 import org.apache.hugegraph.pd.raft.PeerUtil;
 import org.apache.hugegraph.pd.raft.RaftEngine;
 import org.apache.hugegraph.pd.raft.RaftStateListener;
+import org.apache.hugegraph.pd.raft.auth.IpAuthHandler;
 import org.apache.hugegraph.pd.util.grpc.StreamObserverUtil;
 import org.apache.hugegraph.pd.watch.PDWatchSubject;
 import org.lognet.springboot.grpc.GRpcService;
@@ -1735,6 +1737,17 @@ public void updatePdRaft(Pdpb.UpdatePdRaftRequest request,
             node.changePeers(config, status -> {
                 if (status.isOk()) {
                     log.info("updatePdRaft, change peers success");
+                    // Refresh IpAuthHandler so newly added peers are not blocked
+                    IpAuthHandler handler = IpAuthHandler.getInstance();
+                    if (handler != null) {
+                        Set<String> newIps = new HashSet<>();
+                        config.getPeers().forEach(p -> newIps.add(p.getIp()));
+                        config.getLearners().forEach(p -> newIps.add(p.getIp()));
+                        handler.refresh(newIps);
+                        log.info("IpAuthHandler refreshed after updatePdRaft peer change");
+                    } else {
+                        log.warn("IpAuthHandler not initialized, skipping refresh");
+                    }
                 } else {
                     log.error("changePeers status: {}, msg:{}, code: {}, raft error:{}",
                               status, status.getErrorMsg(), status.getCode(),

hugegraph-pd/hg-pd-service/src/main/java/org/apache/hugegraph/pd/service/interceptor/Authentication.java

@@ -77,6 +77,8 @@ protected <T> T authenticate(String authority, String token, Function<String, T>
             }
 
             String name = info.substring(0, delim);
+            // TODO: password validation is skipped — only service name is checked against
+            // innerModules. Full credential validation should be added as part of the auth refactor.
             //String pwd = info.substring(delim + 1);
             if (innerModules.contains(name)) {
                 return call.get();

hugegraph-pd/hg-pd-service/src/main/java/org/apache/hugegraph/pd/util/grpc/GRpcServerConfig.java

@@ -40,6 +40,8 @@ public void configure(ServerBuilder<?> serverBuilder) {
                 HgExecutorUtil.createExecutor(EXECUTOR_NAME, poolGrpc.getCore(), poolGrpc.getMax(),
                                               poolGrpc.getQueue()));
         serverBuilder.maxInboundMessageSize(MAX_INBOUND_MESSAGE_SIZE);
+        // TODO: GrpcAuthentication is instantiated as a Spring bean but never registered
+        // here — add serverBuilder.intercept(grpcAuthentication) once auth is refactored.
     }
 
 }

hugegraph-pd/hg-pd-test/src/main/java/org/apache/hugegraph/pd/core/PDCoreSuiteTest.java

@@ -19,6 +19,8 @@
 
 import org.apache.hugegraph.pd.core.meta.MetadataKeyHelperTest;
 import org.apache.hugegraph.pd.core.store.HgKVStoreImplTest;
+import org.apache.hugegraph.pd.raft.IpAuthHandlerTest;
+import org.apache.hugegraph.pd.raft.RaftEngineIpAuthIntegrationTest;
 import org.junit.runner.RunWith;
 import org.junit.runners.Suite;
 
@@ -36,6 +38,8 @@
         StoreMonitorDataServiceTest.class,
         StoreServiceTest.class,
         TaskScheduleServiceTest.class,
+        IpAuthHandlerTest.class,
+        RaftEngineIpAuthIntegrationTest.class,
         // StoreNodeServiceTest.class,
 })
 @Slf4j