GH-38460: [Java][FlightRPC] Add mTLS support for Flight SQL JDBC driver

[prmoore77]

Rationale for this change

I wanted to add additional security capabilities to the Arrow Flight SQL JDBC driver so that it catches up to ADBC. ADBC already supports mTLS - and it is a great security feature. I wanted to bring this to the JDBC driver as well.

What changes are included in this PR?

This PR adds support for mTLS (client certificate verification/authentication) to the Arrow Flight SQL JDBC driver.

Are these changes tested?

Yes, I've added tests of the new mTLS functionality - and have ensured that the change is backward compatible by verifying all existing tests pass.

Are there any user-facing changes?

Yes - but the end-user documentation for the Arrow Flight SQL JDBC driver has been updated in the PR itself.

• Closes: [Java][FlightRPC] Add mTLS support to the Arrow Flight SQL JDBC driver #38460

[github-actions]

⚠️ GitHub issue #38460 has been automatically assigned in GitHub to PR creator.

[danepitkin]

Thanks @prmoore77 ! @vibhatha @davisusanibar and I can take a look this week.

[jbonofre]

Thanks for the PR. I'm doing a pass and testing as well.

[danepitkin]

The tests are quite thorough, nice work! I'll defer to others who have more experience on Flight SQL for approval.

[danepitkin]

We could use @ParameterizedTest to reduce some code duplication in the test files.

[danepitkin]

Out of curiosity, why is there a 300 second timeout for ArrowFlightJdbcDataSource connections, but 0 second timeouts for ArrowFlightJdbcDriver/DriverManager connections?

[prmoore77]

Very good question :) - I copied the tests from the ConnectionTlsTest.java code - while modifying the tests for mTLS of course. I'm not sure of the rationale for the timeout, but I'll research it.

[jduo]

If the user calls this method repeatedly we will leak File handles. Need to close the current one if it exists. Perhaps it would be better to defer opening the physical file until starting the connection, though that delays notification if there's a problem opening it.

[prmoore77]

Hey @jduo - I'm not a very good Java developer - but I'm learning (thanks for your patience). Would it be like this?

    public Builder useMTlsClientVerification(final File mTlsCACert) throws IOException {
      if (this.mTlsCACert != null) {
            this.mTlsCACert.close();
        }
      this.mTlsCACert = new FileInputStream(mTlsCACert); 

Thanks for your help!

[jduo]

Yes this would work. However I'm leaning towards deferring opening mTlsCACert until the connection is made. It's odd for builders to have more logic than setting fields.

[vibhatha]

@jduo just for my knowledge and to clarify a point, would it be more easier if we use try-with-resources here?

[prmoore77]

hi @jduo - this is the FlightServer - I'd rather not change the overall design of the current class's builder. It already uses this approach for useTls - and I think my change is consistent with that.

[jduo]

@vibhatha , try-with-resources wouldn't help here since we need the stream to have a longer lifetime than this builder function. This is more of a case of tracking ownership.

[vibhatha]

Got it, thanks @jduo

[prmoore77]

@jduo - I've added small changes that detect if the InputStream attributes are not null, and if so - closes them. Could you please re-review?

[jduo]

Thanks @prmoore77 minor comment about another possible error scenario in useTls() that applies here.

[jduo]

Similar comment as above about this potentially leaking a file. Also, now it is ambiguous whether the Flight client should close() mTlsCACert (presumably it should but there should be a comment).

[prmoore77]

I mirrored the existing useTls method here

Does that code have the issue as well?

[jduo]

Correct. It looks to have this issue too.

[lidavidm]

@vibhatha @davisusanibar can you file an issue to fix this?

[vibhatha]

@lidavidm I will file one. Will study a bit and file one.

[prmoore77]

given that this issue will be filed separately - is it acceptable to approve/merge this PR?

[lidavidm]

@vibhatha @davisusanibar

[lidavidm]

Filed #38586

[davisusanibar]

Thank you for the PR. I am adding a few minor questions.

[davisusanibar]

Will it be necessary to provide an optional client key password argument if this client private key is password-protected?

[prmoore77]

Hello – it could be added, but the Java Flight client doesn’t yet support that to my knowledge – so I just wanted to catch up to that for now. We can add it in a later PR, unless you feel strongly that it should be included here.

[vibhatha]

@prmoore77 I left a few comments and nice work with the test cases and comments. Thanks for working on this issue.

[lidavidm]

Filed #38586

[jduo]

@prmoore77 heads up, after #38521 a copy constructor was added to ArrowFlightSqlClientHandler.Builder
So any new fields that this PR adds will need to be added to that copy constructor.

#38580 also changes ArrowFligthSqlClientHandler to set defaults correctly and adds tests for verifying defaults, so if that goes in first, new fields will be added there too.

[prmoore77]

@prmoore77 heads up, after #38521 a copy constructor was added to ArrowFlightSqlClientHandler.Builder So any new fields that this PR adds will need to be added to that copy constructor.

#38580 also changes ArrowFligthSqlClientHandler to set defaults correctly and adds tests for verifying defaults, so if that goes in first, new fields will be added there too.

Hi @jduo - I've added the new fields to the new copy constructor (from #38521) - per your recommendation.

See: 1975786 - for details.

Thanks!

[jbonofre]

I did a quick test and review. LGTM. Thanks !

[conbench-apache-arrow]

After merging your PR, Conbench analyzed the 5 benchmarking runs that have been run so far on merge-commit 4ff1a29.

There were no benchmark performance regressions. 🎉

The full Conbench report has more details. It also includes information about 3 possible false positives for unstable benchmarks that are known to sometimes produce them.