Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

JAMES-4072 Support Redis TLS/SSL connection #2418

Merged
merged 5 commits into from
Oct 4, 2024
Merged

JAMES-4072 Support Redis TLS/SSL connection #2418

merged 5 commits into from
Oct 4, 2024

Conversation

hungphan227
Copy link
Contributor

No description provided.

@hungphan227 hungphan227 mentioned this pull request Sep 22, 2024
Closed
@hungphan227 hungphan227 force-pushed the JAMES-4072-Support-Redis-TLS/SSL-connection branch from 94e4505 to 3a613e6 Compare September 23, 2024 05:10
chibenwa
chibenwa reviewed Sep 23, 2024
View reviewed changes
Copy link
Contributor

@chibenwa chibenwa left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That is a rather big changeset and I would like that we asks ourselves if we could deliver something shorter and more concise. I would suggest investing time (at least a halth day) to try to refactor this.

@hungphan227 hungphan227 force-pushed the JAMES-4072-Support-Redis-TLS/SSL-connection branch from 3a613e6 to 4b651bc Compare September 24, 2024 07:42
@hungphan227
Copy link
Contributor Author

Broke to smaller commits

Arsnael
Arsnael reviewed Sep 24, 2024
View reviewed changes
Copy link
Contributor

@Arsnael Arsnael left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I honeestly quickly stopped reading... I bet like @chibenwa that there should be a much simpler way. I don't really see why the need of duplicated configuration depending if tls or not, I would believe there might be a way to just have one ssl conf for all topologies, like any other implementation we have?

Maybe we should do a MOB around this

backends-common/redis/src/main/java/org/apache/james/backends/redis/RedisConfiguration.scala Show resolved Hide resolved
@Arsnael
Copy link
Contributor

Arsnael commented Sep 26, 2024
edited
Loading

So I had an other check on this... Can't we try to do something similar to RabbitMQ ssl configuration for example?

For example, don't try to figure out if ssl or not depending on the URI, have just a conf for that (ssl.enabled)

We should have in RedisConfiguration a subclass regrouping ssl conf, like SSLConfiguration

looking at rabbitmq conf for example:

| ssl.enabled
| Is using ssl enabled
Optional boolean, defaults to false

| ssl.validation.strategy
| Configure the validation strategy used for rabbitmq connections. Possible values are default, ignore and override.
Optional string, defaults to using systemwide ssl configuration

| ssl.truststore
| Points to the truststore (PKCS12) used for verifying rabbitmq connection. If configured then "ssl.truststore.password" must also be configured,
Optional string, defaults to systemwide truststore. "ssl.validation.strategy: override" must be configured if you want to use this

| ssl.truststore.password
| Configure the truststore password. If configured then "ssl.truststore" must also be configured,
Optional string, defaults to empty string. "ssl.validation.strategy: override" must be configured if you want to use this

| ssl.hostname.verifier
| Configure host name verification. Possible options are default and accept_any_hostname
Optional string, defaults to subject alternative name host verifier

| ssl.keystore
| Points to the keystore(PKCS12) used for client certificate authentication. If configured then "ssl.keystore.password" must also be configured,
Optional string, defaults to empty string

| ssl.keystore.password
| Configure the keystore password. If configured then "ssl.keystore" must also be configured,
Optional string, defaults to empty string

I don't know if all of those are necessary but maybe. It seems this PR is expecting keystore for some reason. Not automatically, it depends how ssl is configured on Redis side (cf hostname.verifier and validation.strategy that could bypass those mechanisms for example, and I would bet SSLOptions is the way)

Depending on how your SSLConfiguration ends up, you might inject different things in your redis client then. No need to modify all confs that much.

=> #307 rabbitmq ssl PR

I really think we could do something closer to that, let's keep doing things in a similar fashion

@Arsnael
Copy link
Contributor

Arsnael commented Sep 26, 2024

Maybe as well having something like a RedisClientFactory that would build the redis client depending if it's cluster, replica, ssl, etc... could help regroup the RedisClient build amongs the two factories we have? (RedisRateLimiterFactory and RedisEventBusClientFactory)

@chibenwa
Copy link
Contributor

Maybe as well having something like a RedisClientFactory

Looks like a good idea to me!

@hungphan227 hungphan227 force-pushed the JAMES-4072-Support-Redis-TLS/SSL-connection branch 3 times, most recently from e631d83 to 4df585a Compare September 30, 2024 11:12
@hungphan227 hungphan227 force-pushed the JAMES-4072-Support-Redis-TLS/SSL-connection branch 2 times, most recently from b718f62 to f6c46ec Compare October 1, 2024 05:02
Arsnael
Arsnael reviewed Oct 1, 2024
View reviewed changes
Copy link
Contributor

@Arsnael Arsnael left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Much better, thanks for the refactoring! Still a few comments

backends-common/redis/src/main/java/org/apache/james/backends/redis/RedisClientFactory.scala Show resolved Hide resolved
...st/java/org/apache/james/rate/limiter/RedisRateLimiterWithTLSMasterReplicaTopologyTest.scala Outdated Show resolved Hide resolved
...-redis/src/test/java/org/apache/james/rate/limiter/RedisRateLimiterWithTLSSentinelTest.scala Outdated Show resolved Hide resolved
...-limiter-redis/src/test/java/org/apache/james/rate/limiter/RedisRateLimiterWithTLSTest.scala Outdated Show resolved Hide resolved
docs/modules/servers/partials/configure/redis.adoc Outdated Show resolved Hide resolved
quantranhong1999
quantranhong1999 approved these changes Oct 1, 2024
View reviewed changes
Copy link
Contributor

@quantranhong1999 quantranhong1999 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall good to me.
+1 for the way commits have been refactored.

@hungphan227 hungphan227 force-pushed the JAMES-4072-Support-Redis-TLS/SSL-connection branch 2 times, most recently from b4c30c3 to adc0e93 Compare October 1, 2024 10:44
@hungphan227 hungphan227 force-pushed the JAMES-4072-Support-Redis-TLS/SSL-connection branch from adc0e93 to 354a34e Compare October 1, 2024 11:13
@hungphan227 hungphan227 force-pushed the JAMES-4072-Support-Redis-TLS/SSL-connection branch from 354a34e to b4ad581 Compare October 2, 2024 03:13
@Arsnael Arsnael merged commit cff5714 into apache:master Oct 4, 2024
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@HoussemNasri HoussemNasri HoussemNasri requested changes

@chibenwa chibenwa chibenwa left review comments

@quantranhong1999 quantranhong1999 quantranhong1999 approved these changes

@Arsnael Arsnael Arsnael approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@hungphan227 @Arsnael @chibenwa @HoussemNasri @quantranhong1999