Skip to content

HDDS-15094. Add protocol and cipher config to gRPC TLS config#10114

Merged
adoroszlai merged 1 commit into
apache:masterfrom
fapifta:HDDS-15094
Apr 28, 2026
Merged

HDDS-15094. Add protocol and cipher config to gRPC TLS config#10114
adoroszlai merged 1 commit into
apache:masterfrom
fapifta:HDDS-15094

Conversation

@fapifta

@fapifta fapifta commented Apr 23, 2026

Copy link
Copy Markdown
Contributor

What changes were proposed in this pull request?

Add protocol and cipher config to gRPC TLS config

Please describe your PR in detail:
This change enables Ozone administrators to restrict TLS protocol versions and cipher suites on all gRPC server endpoints (OzoneManager, XceiverServer, ReplicationServer, InterSCMGrpcProtocolService) via two new configuration keys: hdds.grpc.tls.protocols (e.g. "TLSv1.3") and hdds.grpc.tls.ciphers
(e.g. "TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256").
When unset, provider defaults are preserved for full backward compatibility. The configuration is parsed in SecurityConfig and applied server-side only — clients are intentionally unrestricted since the server controls TLS handshake negotiation.
The PR is generated by: Claude - Opus 4.6

What is the link to the Apache JIRA

https://issues.apache.org/jira/browse/HDDS-15094

How was this patch tested?

New tests verify both config parsing (7 cases in TestSecurityConfigTlsSettings) and actual TLS handshake enforcement including protocol version rejection and cipher mismatch failure (5 cases in TestGrpcTlsConfig).

@dombizita dombizita left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for working on this @fapifta, looks good to me

@adoroszlai adoroszlai left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @fapifta for the patch.

Comment on lines +148 to +153
if (secConf.getGrpcTlsProtocols() != null) {
sslContextBuilder.protocols(secConf.getGrpcTlsProtocols());
}
if (secConf.getGrpcTlsCiphers() != null) {
sslContextBuilder.ciphers(secConf.getGrpcTlsCiphers());
}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@adoroszlai adoroszlai merged commit c408f6e into apache:master Apr 28, 2026
90 of 91 checks passed
@adoroszlai

Copy link
Copy Markdown
Contributor

Thanks @fapifta for the patch, @dombizita for the review.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants