diff --git a/iotdb-client/client-py/tests/integration/sqlalchemy/test_dialect.py b/iotdb-client/client-py/tests/integration/sqlalchemy/test_dialect.py index c0ff1ddced6ae..9ed0c808917ee 100644 --- a/iotdb-client/client-py/tests/integration/sqlalchemy/test_dialect.py +++ b/iotdb-client/client-py/tests/integration/sqlalchemy/test_dialect.py @@ -77,7 +77,7 @@ def test_dialect(): # test get_schema_names schema_names = insp.get_schema_names() if not operator.ge( - schema_names, ["root.__system", "root.cursor", "root.cursor_s1"] + schema_names, ["root.__audit", "root.cursor", "root.cursor_s1"] ): test_fail() print_message("Actual result " + str(schema_names)) diff --git a/iotdb-core/consensus/src/main/java/org/apache/iotdb/consensus/ratis/RatisClient.java b/iotdb-core/consensus/src/main/java/org/apache/iotdb/consensus/ratis/RatisClient.java index 43f0a82561c87..7b674493e1b05 100644 --- a/iotdb-core/consensus/src/main/java/org/apache/iotdb/consensus/ratis/RatisClient.java +++ b/iotdb-core/consensus/src/main/java/org/apache/iotdb/consensus/ratis/RatisClient.java @@ -27,6 +27,7 @@ import org.apache.commons.pool2.impl.DefaultPooledObject; import org.apache.ratis.client.RaftClient; import org.apache.ratis.client.RaftClientRpc; +import org.apache.ratis.conf.Parameters; import org.apache.ratis.conf.RaftProperties; import org.apache.ratis.protocol.RaftGroup; import org.apache.ratis.protocol.exceptions.LeaderSteppingDownException; @@ -89,16 +90,19 @@ static class Factory extends BaseClientFactory { private final RaftProperties raftProperties; private final RaftClientRpc clientRpc; private final RatisConfig.Client config; + private final Parameters parameters; public Factory( ClientManager clientManager, RaftProperties raftProperties, RaftClientRpc clientRpc, - RatisConfig.Client config) { + RatisConfig.Client config, + Parameters parameters) { super(clientManager); this.raftProperties = raftProperties; this.clientRpc = clientRpc; this.config = config; + this.parameters = parameters; } @Override @@ -116,6 +120,7 @@ public PooledObject makeObject(RaftGroup group) { .setRaftGroup(group) .setRetryPolicy(new RatisRetryPolicy(config)) .setClientRpc(clientRpc) + .setParameters(parameters) .build(), clientManager)); } @@ -131,16 +136,19 @@ static class EndlessRetryFactory extends BaseClientFactory clientManager, RaftProperties raftProperties, RaftClientRpc clientRpc, - RatisConfig.Client config) { + RatisConfig.Client config, + Parameters parameters) { super(clientManager); this.raftProperties = raftProperties; this.clientRpc = clientRpc; this.config = config; + this.parameters = parameters; } @Override @@ -157,6 +165,7 @@ public PooledObject makeObject(RaftGroup group) { .setProperties(raftProperties) .setRaftGroup(group) .setRetryPolicy(new RatisEndlessRetryPolicy(config)) + .setParameters(parameters) .setClientRpc(clientRpc) .build(), clientManager)); diff --git a/iotdb-core/consensus/src/main/java/org/apache/iotdb/consensus/ratis/RatisConsensus.java b/iotdb-core/consensus/src/main/java/org/apache/iotdb/consensus/ratis/RatisConsensus.java index 434411dd051c8..045fa77917441 100644 --- a/iotdb-core/consensus/src/main/java/org/apache/iotdb/consensus/ratis/RatisConsensus.java +++ b/iotdb-core/consensus/src/main/java/org/apache/iotdb/consensus/ratis/RatisConsensus.java @@ -122,6 +122,7 @@ class RatisConsensus implements IConsensus { private final RaftProperties properties = new RaftProperties(); private final RaftClientRpc clientRpc; + private final Parameters parameters; private final IClientManager clientManager; private final IClientManager reconfigurationClientManager; @@ -158,7 +159,7 @@ public RatisConsensus(ConsensusConfig config, IStateMachine.Registry registry) { RaftServerConfigKeys.setStorageDir(properties, Collections.singletonList(storageDir)); GrpcConfigKeys.Server.setPort(properties, config.getThisNodeEndPoint().getPort()); - Parameters parameters = Utils.initRatisConfig(properties, config.getRatisConfig()); + this.parameters = Utils.initRatisConfig(properties, config.getRatisConfig()); this.config = config.getRatisConfig(); this.readOption = this.config.getRead().getReadOption(); this.canServeStaleRead = @@ -223,6 +224,7 @@ public RatisConsensus(ConsensusConfig config, IStateMachine.Registry registry) { .setServerId(myself.getId()) .setProperties(properties) .setOption(RaftStorage.StartupOption.RECOVER) + .setParameters(parameters) .setStateMachineRegistry( raftGroupId -> new ApplicationStateMachineProxy( @@ -1034,8 +1036,9 @@ public GenericKeyedObjectPool createClientPool( new GenericKeyedObjectPool<>( isReconfiguration ? new RatisClient.EndlessRetryFactory( - manager, properties, clientRpc, config.getClient()) - : new RatisClient.Factory(manager, properties, clientRpc, config.getClient()), + manager, properties, clientRpc, config.getClient(), parameters) + : new RatisClient.Factory( + manager, properties, clientRpc, config.getClient(), parameters), new ClientPoolProperty.Builder() .setMaxClientNumForEachNode(config.getClient().getMaxClientNumForEachNode()) .build() diff --git a/iotdb-core/consensus/src/main/java/org/apache/iotdb/consensus/ratis/utils/NoHostnameVerificationTrustManager.java b/iotdb-core/consensus/src/main/java/org/apache/iotdb/consensus/ratis/utils/NoHostnameVerificationTrustManager.java new file mode 100644 index 0000000000000..fb5c908548861 --- /dev/null +++ b/iotdb-core/consensus/src/main/java/org/apache/iotdb/consensus/ratis/utils/NoHostnameVerificationTrustManager.java @@ -0,0 +1,88 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.iotdb.consensus.ratis.utils; + +import javax.net.ssl.SSLEngine; +import javax.net.ssl.X509ExtendedTrustManager; +import javax.net.ssl.X509TrustManager; + +import java.net.Socket; +import java.security.cert.CertificateException; +import java.security.cert.X509Certificate; + +public class NoHostnameVerificationTrustManager extends X509ExtendedTrustManager { + + private final X509TrustManager delegate; + + public NoHostnameVerificationTrustManager(X509TrustManager delegate) { + this.delegate = delegate; + } + + @Override + public X509Certificate[] getAcceptedIssuers() { + return delegate.getAcceptedIssuers(); + } + + @Override + public void checkClientTrusted(X509Certificate[] chain, String authType) + throws CertificateException { + delegate.checkClientTrusted(chain, authType); + } + + @Override + public void checkServerTrusted(X509Certificate[] chain, String authType) + throws CertificateException { + delegate.checkServerTrusted(chain, authType); + } + + @Override + public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) + throws CertificateException { + if (delegate instanceof X509ExtendedTrustManager) { + ((X509ExtendedTrustManager) delegate).checkClientTrusted(chain, authType, socket); + } else { + delegate.checkClientTrusted(chain, authType); + } + } + + @Override + public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) + throws CertificateException { + // Skip hostname check by calling base method + delegate.checkServerTrusted(chain, authType); + } + + @Override + public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine) + throws CertificateException { + if (delegate instanceof X509ExtendedTrustManager) { + ((X509ExtendedTrustManager) delegate).checkClientTrusted(chain, authType, engine); + } else { + delegate.checkClientTrusted(chain, authType); + } + } + + @Override + public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine) + throws CertificateException { + // Skip hostname check by calling base method + delegate.checkServerTrusted(chain, authType); + } +} diff --git a/iotdb-core/consensus/src/main/java/org/apache/iotdb/consensus/ratis/utils/Utils.java b/iotdb-core/consensus/src/main/java/org/apache/iotdb/consensus/ratis/utils/Utils.java index ca8f71ddf9ec8..1a62743d2d752 100644 --- a/iotdb-core/consensus/src/main/java/org/apache/iotdb/consensus/ratis/utils/Utils.java +++ b/iotdb-core/consensus/src/main/java/org/apache/iotdb/consensus/ratis/utils/Utils.java @@ -55,6 +55,7 @@ import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.TrustManager; import javax.net.ssl.TrustManagerFactory; +import javax.net.ssl.X509TrustManager; import java.io.File; import java.io.InputStream; @@ -385,7 +386,13 @@ public static Parameters initRatisConfig(RaftProperties properties, RatisConfig TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); tmf.init(trustStore); - TrustManager trustManager = tmf.getTrustManagers()[0]; + TrustManager originalTrustManager = tmf.getTrustManagers()[0]; + + // The self-signed certification may not set Subject Alternative Name (SAN) + // Thrift with ssl didn't check it, but Grpc did. + // Wrap to disable the verification + TrustManager trustManager = + new NoHostnameVerificationTrustManager((X509TrustManager) originalTrustManager); GrpcConfigKeys.TLS.setConf(parameters, new GrpcTlsConfig(keyManager, trustManager, true)); } catch (Exception e) { LOGGER.error("Failed to read key store or trust store.", e); diff --git a/pom.xml b/pom.xml index dd35c7987f099..8f962181a0276 100644 --- a/pom.xml +++ b/pom.xml @@ -155,6 +155,7 @@ target/jacoco-merged-reports/jacoco.xml **/generated-sources + **/test/** https://sonarcloud.io target/checkstyle-report.xml