[improve][admin-cli] Add TLS provider support (apache#16700)

(cherry picked from commit de42e15)
datastax · Sep 14, 2022 · 9517704 · 9517704
1 parent 90c9d89
commit 9517704
Show file tree

Hide file tree

Showing 7 changed files with 2,502 additions and 10 deletions.
diff --git a/conf/client.conf b/conf/client.conf
@@ -68,6 +68,11 @@ tlsTrustStorePath=
 # TLS TrustStore password
 tlsTrustStorePassword=
 
+# Set up TLS provider for web service
+# When TLS authentication with CACert is used, the valid value is either OPENSSL or JDK.
+# When TLS authentication with KeyStore is used, available options can be SunJSSE, Conscrypt and so on.
+webserviceTlsProvider=
+
 # Pulsar Admin Custom Commands
 #customCommandFactoriesDirectory=commandFactories
 #customCommandFactories=
diff --git a/pulsar-client-tools/src/main/java/org/apache/pulsar/admin/cli/PulsarAdminTool.java b/pulsar-client-tools/src/main/java/org/apache/pulsar/admin/cli/PulsarAdminTool.java
@@ -87,6 +87,12 @@ public static class RootParams {
                 description = "Enable TLS common name verification")
         Boolean tlsEnableHostnameVerification;
 
+        @Parameter(names = {"--tls-provider"}, description = "Set up TLS provider. "
+                + "When TLS authentication with CACert is used, the valid value is either OPENSSL or JDK. "
+                + "When TLS authentication with KeyStore is used, available options can be SunJSSE, Conscrypt "
+                + "and so on.")
+        String tlsProvider;
+
         @Parameter(names = { "-v", "--version" }, description = "Get version of pulsar admin client")
         boolean version;
 
@@ -245,6 +251,12 @@ boolean run(String[] args, Function<PulsarAdminBuilder, ? extends PulsarAdmin> a
             adminBuilder.serviceHttpUrl(rootParams.serviceUrl);
             adminBuilder.authentication(rootParams.authPluginClassName, rootParams.authParams);
             adminBuilder.requestTimeout(rootParams.requestTimeout, TimeUnit.SECONDS);
+            if (isBlank(rootParams.tlsProvider)) {
+                rootParams.tlsProvider = properties.getProperty("webserviceTlsProvider");
+            }
+            if (isNotBlank(rootParams.tlsProvider)) {
+                adminBuilder.sslProvider(rootParams.tlsProvider);
+            }
         } catch (Exception e) {
             System.err.println(e.getMessage());
             System.err.println();

diff --git a/pulsar-client-tools/src/test/java/org/apache/pulsar/admin/cli/TestRunMain.java b/pulsar-client-tools/src/test/java/org/apache/pulsar/admin/cli/TestRunMain.java
@@ -18,12 +18,11 @@
  */
 package org.apache.pulsar.admin.cli;
 
-import org.testng.annotations.Test;
-
+import static org.testng.Assert.assertEquals;
 import java.nio.file.Files;
 import java.nio.file.Path;
-
-import static org.testng.Assert.assertEquals;
+import java.util.Properties;
+import org.testng.annotations.Test;
 
 public class TestRunMain {
 
@@ -40,7 +39,40 @@ public void runMainDummyConfigFile() throws Exception {
         PulsarAdminTool.resetLastExitCode();
         PulsarAdminTool.setAllowSystemExit(false);
         Path dummyEmptyFile = Files.createTempFile("test", ".conf");
-        PulsarAdminTool.main(new String[] {dummyEmptyFile.toAbsolutePath().toString()});
+        PulsarAdminTool.main(new String[]{dummyEmptyFile.toAbsolutePath().toString()});
         assertEquals(PulsarAdminTool.getLastExitCode(), 1);
     }
+
+    @Test
+    public void testRunWithTlsProviderFlag() throws Exception {
+        PulsarAdminTool pulsarAdminTool = new PulsarAdminTool(new Properties());
+        pulsarAdminTool.run(new String[]{
+                "--admin-url", "https://localhost:8081",
+                "--tls-provider", "JDK",
+                "tenants"});
+        assertEquals(pulsarAdminTool.rootParams.tlsProvider, "JDK");
+    }
+
+    @Test
+    public void testRunWithTlsProviderConfigFile() throws Exception {
+        Properties properties = new Properties();
+        properties.setProperty("webserviceTlsProvider", "JDK");
+        PulsarAdminTool pulsarAdminTool = new PulsarAdminTool(properties);
+        pulsarAdminTool.run(new String[]{
+                "--admin-url", "https://localhost:8081",
+                "tenants"});
+        assertEquals(pulsarAdminTool.rootParams.tlsProvider, "JDK");
+    }
+
+    @Test
+    public void testRunWithTlsProviderFlagWithConfigFile() throws Exception {
+        Properties properties = new Properties();
+        properties.setProperty("webserviceTlsProvider", "JDK");
+        PulsarAdminTool pulsarAdminTool = new PulsarAdminTool(properties);
+        pulsarAdminTool.run(new String[]{
+                "--admin-url", "https://localhost:8081",
+                "--tls-provider", "OPENSSL",
+                "tenants"});
+        assertEquals(pulsarAdminTool.rootParams.tlsProvider, "OPENSSL");
+    }
 }
diff --git a/site2/docs/reference-configuration.md b/site2/docs/reference-configuration.md
@@ -415,11 +415,7 @@ You can use the [`pulsar-client`](reference-cli-tools.md#pulsar-client) CLI tool
 | tlsTrustStoreType | TLS TrustStore type configuration. <li>JKS <li>PKCS12 |JKS|
 | tlsTrustStore | TLS TrustStore path. | |
 | tlsTrustStorePassword | TLS TrustStore password. | |
-
-
-
-
-
+| webserviceTlsProvider | The TLS provider for the web service. <br />When TLS authentication with CACert is used, the valid value is either `OPENSSL` or `JDK`.<br />When TLS authentication with KeyStore is used, available options can be `SunJSSE`, `Conscrypt` and so on. | N/A |
 
 ## Log4j