Feature/ssl #2584

Merged
merged 26 commits into from
Sep 24, 2021
Merged
Changes from 21 commits
5af8420
Add the ssl support.
Shylock-Hg Aug 23, 2021
e35963b
Merge branch 'master' into feature/ssl
Shylock-Hg Aug 23, 2021
ec1b093
Add tests to tck.
Shylock-Hg Aug 23, 2021
5d4426a
Support CA signed certificate.
Shylock-Hg Aug 25, 2021
364b276
Remove the pssword configuration.
Shylock-Hg Aug 25, 2021
0c842b9
Remove the comment.
Shylock-Hg Aug 25, 2021
d11ac19
Support independent meta server ssl.
Shylock-Hg Aug 25, 2021
b6d7ba3
Merge branch 'master' into feature/ssl
Shylock-Hg Aug 25, 2021
46b7677
Merge branch 'master' into feature/ssl
Shylock-Hg Aug 26, 2021
179662b
Initialize the ssl when enable meta ssl.
Shylock-Hg Aug 26, 2021
d042007
Merge branch 'master' of https://github.com/vesoft-inc/nebula into fe…
Shylock-Hg Aug 26, 2021
4688bb0
Merge branch 'master' into feature/ssl
Shylock-Hg Aug 27, 2021
0c10bef
Merge branch 'master' into feature/ssl
Shylock-Hg Aug 27, 2021
87509df
Merge branch 'master' into feature/ssl
Shylock-Hg Sep 13, 2021
025353c
Merge branch 'master' into feature/ssl
Shylock-Hg Sep 22, 2021
0d03f4b
Fix typo.
Shylock-Hg Sep 22, 2021
00bfa71
Fix the header order.
Shylock-Hg Sep 22, 2021
a2cf5df
Merge branch 'master' into feature/ssl
darionyaphet Sep 23, 2021
4824e01
Merge branch 'master' into feature/ssl
Shylock-Hg Sep 23, 2021
cbb901a
clear logic.
Shylock-Hg Sep 23, 2021
392a49a
Merge branch 'master' into feature/ssl
Shylock-Hg Sep 23, 2021
6d9dbb9
Add test for ca signed mode.
Shylock-Hg Sep 24, 2021
1e3b24b
Fix flag note.
Shylock-Hg Sep 24, 2021
17f5bfc
Merge branch 'master' into feature/ssl
Aiee Sep 24, 2021
334ad61
Merge branch 'master' into feature/ssl
Aiee Sep 24, 2021
48f475c
Merge branch 'master' into feature/ssl
yixinglu Sep 24, 2021
19 changes: 18 additions & 1 deletion .github/workflows/pull_request.yml
Expand Up @@ -127,7 +127,24 @@ jobs:
timeout-minutes: 20
- name: Setup cluster
run: |
make up
case ${{ matrix.compiler }} in
gcc-*)
case ${{ matrix.os }} in
centos7)
# normal cluster
make up
;;
ubuntu2004)
# ssl cluster
make ENABLE_SSL=true up
;;
esac
;;
clang-*)
# graph ssl only cluster
make ENABLE_SSL=false ENABLE_GRAPH_SSL=true up
;;
esac
working-directory: tests/
timeout-minutes: 2
- name: Pytest
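Review bot: The nested `case` on `matrix.compiler` and `matrix.os` has no `*)` fallback, so a matrix entry that matches neither pattern silently skips `make up` and the missing cluster only surfaces as an obscure failure in the later Pytest step. Adding `*) echo "unhandled matrix entry ${{ matrix.compiler }}/${{ matrix.os }}" >&2; exit 1 ;;` to both the outer and the inner `case` makes the omission fail in this step with a clear message. A one-line comment above the `case` stating which combination is expected to run the full-SSL, graph-only-SSL and plaintext clusters would also help the next person who extends the matrix.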
4 changes: 3 additions & 1 deletion src/clients/meta/MetaClient.cpp
Expand Up @@ -19,6 +19,7 @@
#include "common/http/HttpClient.h"
#include "common/meta/NebulaSchemaProvider.h"
#include "common/network/NetworkUtils.h"
#include "common/ssl/SSLConfig.h"
#include "common/stats/StatsManager.h"
#include "common/time/TimeUtils.h"
#include "version/Version.h"
Expand Down Expand Up @@ -49,7 +50,8 @@ MetaClient::MetaClient(std::shared_ptr<folly::IOThreadPoolExecutor> ioThreadPool
CHECK(ioThreadPool_ != nullptr) << "IOThreadPool is required";
CHECK(!addrs_.empty())
<< "No meta server address is specified or can be solved. Meta server is required";
clientsMan_ = std::make_shared<thrift::ThriftClientManager<cpp2::MetaServiceAsyncClient>>();
clientsMan_ = std::make_shared<thrift::ThriftClientManager<cpp2::MetaServiceAsyncClient>>(
FLAGS_enable_ssl || FLAGS_enable_meta_ssl);
updateActive();
updateLeader();
bgThread_ = std::make_unique<thread::GenericWorker>();
1 change: 1 addition & 0 deletions src/clients/meta/test/CMakeLists.txt
Expand Up @@ -10,5 +10,6 @@ nebula_add_test(
$<TARGET_OBJECTS:file_based_cluster_id_man_obj>
$<TARGET_OBJECTS:base_obj>
$<TARGET_OBJECTS:fs_obj>
$<TARGET_OBJECTS:ssl_obj>
LIBRARIES gtest
)
3 changes: 2 additions & 1 deletion src/clients/storage/StorageClientBase-inl.h
Expand Up @@ -8,6 +8,7 @@

#include <folly/Try.h>

#include "common/ssl/SSLConfig.h"
#include "common/time/WallClock.h"

namespace nebula {
Expand Down Expand Up @@ -72,7 +73,7 @@ template <typename ClientType>
StorageClientBase<ClientType>::StorageClientBase(
std::shared_ptr<folly::IOThreadPoolExecutor> threadPool, meta::MetaClient* metaClient)
: metaClient_(metaClient), ioThreadPool_(threadPool) {
clientsMan_ = std::make_unique<thrift::ThriftClientManager<ClientType>>();
clientsMan_ = std::make_unique<thrift::ThriftClientManager<ClientType>>(FLAGS_enable_ssl);
}

template <typename ClientType>
1 change: 1 addition & 0 deletions src/codec/test/CMakeLists.txt
Expand Up @@ -31,6 +31,7 @@ set(CODEC_TEST_LIBS
$<TARGET_OBJECTS:agg_function_manager_obj>
$<TARGET_OBJECTS:time_utils_obj>
$<TARGET_OBJECTS:version_obj>
$<TARGET_OBJECTS:ssl_obj>
)


1 change: 1 addition & 0 deletions src/common/CMakeLists.txt
Expand Up @@ -25,3 +25,4 @@ nebula_add_subdirectory(function)
nebula_add_subdirectory(graph)
nebula_add_subdirectory(plugin)
nebula_add_subdirectory(utils)
nebula_add_subdirectory(ssl)
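--- a/src/common/ssl/CMakeLists.txt
+++ b/src/common/ssl/CMakeLists.txt
@@ -0,0 +1,10 @@
+# Copyright (c) 2021 vesoft inc. All rights reserved.
+#
+# This source code is licensed under Apache 2.0 License,
+# attached with Common Clause Condition 1.0, found in the LICENSES directory.
+
+nebula_add_library(
+ssl_obj
+OBJECT
+SSLConfig.cpp
+)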
38 changes: 38 additions & 0 deletions src/common/ssl/SSLConfig.cpp
@@ -0,0 +1,38 @@
/* Copyright (c) 2021 vesoft inc. All rights reserved.
*
* This source code is licensed under Apache 2.0 License,
* attached with Common Clause Condition 1.0, found in the LICENSES directory.
*/

#include "common/ssl/SSLConfig.h"

DEFINE_string(cert_path, "", "Path to cert pem.");
DEFINE_string(key_path, "", "Path to cert key.");
DEFINE_string(ca_path, "", "Path to trusted CA file.");
DEFINE_bool(enable_ssl, false, "Whether enable ssl.");
DEFINE_bool(enable_graph_ssl, false, "Whether enable ssl of graph server.");
DEFINE_bool(enable_meta_ssl, false, "Whether enable ssl of meta server.");
Contributor


It seems that two flags are enough to cover the cases inside and outside the nebula cluster. Do we really need to add another meta_ssl flag for users to decide on?

Contributor Author


It's a suggestion from @sherman-the-tank, to encrypt the sensitive data in meta.

Contributor


I mean whether enable_ssl and enable_graphd_ssl can already cover the enable_meta_ssl scenario, just like below:

* enable_graphd_ssl=true & enable_ssl=false

clients <- ssl -> graphd <- no ssl -> metad <- no ssl -> storaged
                     ^                                    ^
                     |______________ no ssl ______________|


* enable_graphd_ssl=false & enable_ssl=true

clients <- no ssl -> graphd <- ssl -> metad <- ssl -> storaged
                       ^                                 ^
                       |______________ ssl ______________|


* enable_graphd_ssl=true & enable_ssl=true

clients <- ssl -> graphd <- ssl -> metad <- ssl -> storaged
                    ^                                 ^
                    |______________ ssl ______________|

* enable_graphd_ssl=false & enable_ssl=false

clients <- no ssl -> graphd <- no ssl -> metad <- no ssl -> storaged
                        ^                                    ^
                        |______________ no ssl ______________|

Is enable_meta_ssl just there to encrypt schema information when communicating with meta? If so, it makes sense.


namespace nebula {

std::shared_ptr<wangle::SSLContextConfig> sslContextConfig() {
auto sslCfg = std::make_shared<wangle::SSLContextConfig>();
sslCfg->addCertificate(FLAGS_cert_path, FLAGS_key_path, "");
sslCfg->isDefault = true;
return sslCfg;
}

std::shared_ptr<folly::SSLContext> createSSLContext() {
auto context = std::make_shared<folly::SSLContext>();
if (!FLAGS_ca_path.empty()) {
context->loadTrustedCertificates(FLAGS_ca_path.c_str());
// don't do peer name validation
context->authenticate(true, false);
// verify the server cert
context->setVerificationOption(folly::SSLContext::SSLVerifyPeerEnum::VERIFY);
}
folly::ssl::setSignatureAlgorithms<folly::ssl::SSLCommonOptions>(*context);
return context;
}

} // namespace nebula
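Review bot: `createSSLContext()` turns on server-certificate verification only inside the `if (!FLAGS_ca_path.empty())` branch, so with `ca_path` unset a client still negotiates TLS but never authenticates its peer, and even with a CA the `authenticate(true, false)` call skips peer-name validation; neither choice is visible to an operator at runtime. At minimum log it from an `else` branch, e.g. `LOG(WARNING) << "ca_path is empty, the peer certificate will not be verified";` (assuming glog is reachable through the existing includes), and state the deliberate no-hostname-check decision in a header comment on `createSSLContext()` rather than only in the inline `// don't do peer name validation`. `sslContextConfig()` likewise hands `FLAGS_cert_path` and `FLAGS_key_path` straight to `addCertificate` without checking that they are set, so an SSL-enabled daemon started without them fails with whatever wangle reports; a `CHECK(!FLAGS_cert_path.empty() && !FLAGS_key_path.empty()) << "cert_path and key_path are required when ssl is enabled";` gives a clearer startup error. Whether servers should also require client certificates (`clientVerification` on `wangle::SSLContextConfig`) is left at the default here, which is worth recording in the same comment so the one-sided trust model is explicit.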
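--- a/src/common/ssl/SSLConfig.h
+++ b/src/common/ssl/SSLConfig.h
@@ -0,0 +1,26 @@
+
+/* Copyright (c) 2021 vesoft inc. All rights reserved.
+*
+* This source code is licensed under Apache 2.0 License,
+* attached with Common Clause Condition 1.0, found in the LICENSES directory.
+*/
+
+#pragma once
+
+#include <folly/io/async/SSLContext.h>
+#include <gflags/gflags.h>
+#include <wangle/ssl/SSLContextConfig.h>
+
+#include <memory>
+
+DECLARE_bool(enable_ssl);
+DECLARE_bool(enable_graph_ssl);
+DECLARE_bool(enable_meta_ssl);
+
+namespace nebula {
+
+extern std::shared_ptr<wangle::SSLContextConfig> sslContextConfig();
+
+extern std::shared_ptr<folly::SSLContext> createSSLContext();
+
+} // namespace nebula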
13 changes: 10 additions & 3 deletions src/common/thrift/ThriftClientManager-inl.h
Expand Up @@ -6,11 +6,13 @@

#pragma once

#include <folly/io/async/AsyncSSLSocket.h>
#include <folly/io/async/AsyncSocket.h>
#include <folly/system/ThreadName.h>
#include <thrift/lib/cpp2/async/HeaderClientChannel.h>

#include "common/network/NetworkUtils.h"
#include "common/ssl/SSLConfig.h"

DECLARE_int32(conn_timeout_ms);

Expand Down Expand Up @@ -71,9 +73,14 @@ std::shared_ptr<ClientType> ThriftClientManager<ClientType>::client(const HostAd

VLOG(2) << "Connecting to " << host << " for " << ++connectionCount << " times";
std::shared_ptr<folly::AsyncSocket> socket;
evb->runImmediatelyOrRunInEventBaseThreadAndWait([&socket, evb, resolved]() {
socket =
folly::AsyncSocket::newSocket(evb, resolved.host, resolved.port, FLAGS_conn_timeout_ms);
evb->runImmediatelyOrRunInEventBaseThreadAndWait([this, &socket, evb, resolved]() {
if (enableSSL_) {
socket = folly::AsyncSSLSocket::newSocket(nebula::createSSLContext(), evb);
socket->connect(nullptr, resolved.host, resolved.port, FLAGS_conn_timeout_ms);
} else {
socket =
folly::AsyncSocket::newSocket(evb, resolved.host, resolved.port, FLAGS_conn_timeout_ms);
}
});
auto headerClientChannel = apache::thrift::HeaderClientChannel::newChannel(socket);
if (timeout > 0) {
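Review bot: `nebula::createSSLContext()` is called inside the connect lambda, so every new connection builds a fresh `folly::SSLContext` and re-reads the CA file named by `FLAGS_ca_path` on the event-base thread. The context does not change after setup, so it can be created once — for example a `std::shared_ptr<folly::SSLContext>` member (call it `sslContext_`) initialised in the constructor when `enableSSL_` is set — and shared by all sockets: `socket = folly::AsyncSSLSocket::newSocket(sslContext_, evb);`. The SSL branch also passes a `nullptr` connect callback, which mirrors the `AsyncSocket::newSocket(evb, host, port, timeout)` overload in the `else` branch, so a failed handshake only surfaces later through the channel; a short comment saying this is intentional would save the next reader from wondering. `client()` starts and ends outside the hunk.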
7 changes: 6 additions & 1 deletion src/common/thrift/ThriftClientManager.h
Expand Up @@ -7,6 +7,7 @@
#ifndef COMMON_THRIFT_THRIFTCLIENTMANAGER_H_
#define COMMON_THRIFT_THRIFTCLIENTMANAGER_H_

#include <folly/io/async/AsyncSocket.h>
#include <folly/io/async/EventBaseManager.h>

#include "common/base/Base.h"
Expand All @@ -25,7 +26,9 @@ class ThriftClientManager final {

~ThriftClientManager() { VLOG(3) << "~ThriftClientManager"; }

ThriftClientManager() { VLOG(3) << "ThriftClientManager"; }
explicit ThriftClientManager(bool enableSSL = false) : enableSSL_(enableSSL) {
VLOG(3) << "ThriftClientManager";
}

private:
using ClientMap = std::unordered_map<std::pair<HostAddr, folly::EventBase*>, // <ip, port>
Expand All @@ -34,6 +37,8 @@ class ThriftClientManager final {
>;

folly::ThreadLocal<ClientMap> clientMap_;
// whether enable ssl
bool enableSSL_{false};
};

} // namespace thrift
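Review bot: The new `explicit ThriftClientManager(bool enableSSL = false)` constructor and the `enableSSL_` member carry no explanation of what enabling SSL changes for callers; the `// whether enable ssl` comment only restates the member name. A Doxygen line directly above the constructor, `/// @param enableSSL when true, sockets created by client() are folly::AsyncSSLSocket instances built from nebula::createSSLContext(); the default keeps existing call sites on plaintext connections`, records both the behaviour and why the default is `false`. The class definition is split across the two hunks, so the comment goes with the constructor rather than the class header.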
1 change: 1 addition & 0 deletions src/daemons/CMakeLists.txt
Expand Up @@ -29,6 +29,7 @@ set(common_deps
$<TARGET_OBJECTS:agg_function_manager_obj>
$<TARGET_OBJECTS:time_utils_obj>
$<TARGET_OBJECTS:version_obj>
$<TARGET_OBJECTS:ssl_obj>
)

set(storage_meta_deps
8 changes: 8 additions & 0 deletions src/daemons/GraphDaemon.cpp
Expand Up @@ -5,6 +5,7 @@
*/

#include <errno.h>
#include <folly/ssl/Init.h>
#include <signal.h>
#include <string.h>
#include <thrift/lib/cpp2/server/ThriftServer.h>
Expand All @@ -15,6 +16,7 @@
#include "common/fs/FileUtils.h"
#include "common/network/NetworkUtils.h"
#include "common/process/ProcessUtils.h"
#include "common/ssl/SSLConfig.h"
#include "common/time/TimezoneInfo.h"
#include "graph/service/GraphFlags.h"
#include "graph/service/GraphService.h"
Expand Down Expand Up @@ -52,6 +54,9 @@ int main(int argc, char *argv[]) {
}

folly::init(&argc, &argv, true);
if (FLAGS_enable_ssl || FLAGS_enable_graph_ssl || FLAGS_enable_meta_ssl) {
folly::ssl::init();
}
nebula::initCounters();

if (FLAGS_flagfile.empty()) {
Expand Down Expand Up @@ -149,6 +154,9 @@ int main(int argc, char *argv[]) {
gServer->setIdleTimeout(std::chrono::seconds(FLAGS_client_idle_timeout_secs));
gServer->setNumAcceptThreads(FLAGS_num_accept_threads);
gServer->setListenBacklog(FLAGS_listen_backlog);
if (FLAGS_enable_ssl || FLAGS_enable_graph_ssl) {
gServer->setSSLConfig(nebula::sslContextConfig());
}
setupThreadManager();

// Setup the signal handlers
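Review bot: The `folly::ssl::init()` guard tests all three flags while the `setSSLConfig` guard further down tests only `FLAGS_enable_ssl || FLAGS_enable_graph_ssl`, and the same init pattern is repeated with yet another flag set in MetaDaemon.cpp and StorageDaemon.cpp; nothing states why `enable_meta_ssl` belongs in the graph daemon's init condition (graphd is itself a meta client, and `MetaClient` enables TLS on `enable_ssl || enable_meta_ssl`). A comment on the init guard such as `// graphd is also a meta client, so meta-side ssl needs the library initialised here too` would stop a later edit from "simplifying" the condition into the server-side one. If `folly::ssl::init()` is safe to call unconditionally (it appears to be idempotent in folly, worth confirming), calling it once in each daemon without a flag check removes the per-daemon flag arithmetic altogether. `main` starts and ends outside the hunks.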
8 changes: 8 additions & 0 deletions src/daemons/MetaDaemon.cpp
Expand Up @@ -4,6 +4,7 @@
* attached with Common Clause Condition 1.0, found in the LICENSES directory.
*/

#include <folly/ssl/Init.h>
#include <thrift/lib/cpp2/server/ThriftServer.h>

#include "common/base/Base.h"
Expand All @@ -12,6 +13,7 @@
#include "common/hdfs/HdfsHelper.h"
#include "common/network/NetworkUtils.h"
#include "common/process/ProcessUtils.h"
#include "common/ssl/SSLConfig.h"
#include "common/thread/GenericThreadPool.h"
#include "common/time/TimezoneInfo.h"
#include "kvstore/NebulaStore.h"
Expand Down Expand Up @@ -204,6 +206,9 @@ int main(int argc, char* argv[]) {
}

folly::init(&argc, &argv, true);
if (FLAGS_enable_ssl || FLAGS_enable_meta_ssl) {
folly::ssl::init();
}
if (FLAGS_data_path.empty()) {
LOG(ERROR) << "Meta Data Path should not empty";
return EXIT_FAILURE;
Expand Down Expand Up @@ -307,6 +312,9 @@ int main(int argc, char* argv[]) {
gServer->setPort(FLAGS_port);
gServer->setIdleTimeout(std::chrono::seconds(0)); // No idle timeout on client connection
gServer->setInterface(std::move(handler));
if (FLAGS_enable_ssl || FLAGS_enable_meta_ssl) {
gServer->setSSLConfig(nebula::sslContextConfig());
}
gServer->serve(); // Will wait until the server shuts down
} catch (const std::exception& e) {
LOG(ERROR) << "Exception thrown: " << e.what();
4 changes: 4 additions & 0 deletions src/daemons/StorageDaemon.cpp
Expand Up @@ -4,6 +4,7 @@
* attached with Common Clause Condition 1.0, found in the LICENSES directory.
*/

#include <folly/ssl/Init.h>
#include <thrift/lib/cpp2/server/ThriftServer.h>

#include "common/base/Base.h"
Expand Down Expand Up @@ -69,6 +70,9 @@ int main(int argc, char *argv[]) {
}

folly::init(&argc, &argv, true);
if (FLAGS_enable_ssl || FLAGS_enable_meta_ssl) {
folly::ssl::init();
}
if (FLAGS_daemonize) {
google::SetStderrLogging(google::FATAL);
} else {
1 change: 1 addition & 0 deletions src/graph/context/test/CMakeLists.txt
Expand Up @@ -40,6 +40,7 @@ SET(CONTEXT_TEST_LIBS
$<TARGET_OBJECTS:graph_session_obj>
$<TARGET_OBJECTS:planner_obj>
$<TARGET_OBJECTS:idgenerator_obj>
$<TARGET_OBJECTS:ssl_obj>
)

nebula_add_test(
1 change: 1 addition & 0 deletions src/graph/executor/test/CMakeLists.txt
Expand Up @@ -47,6 +47,7 @@ SET(EXEC_QUERY_TEST_OBJS
$<TARGET_OBJECTS:graph_auth_obj>
$<TARGET_OBJECTS:expr_visitor_obj>
$<TARGET_OBJECTS:graph_obj>
$<TARGET_OBJECTS:ssl_obj>
)

SET(EXEC_QUERY_TEST_LIBS
1 change: 1 addition & 0 deletions src/graph/optimizer/test/CMakeLists.txt
Expand Up @@ -43,6 +43,7 @@ set(OPTIMIZER_TEST_LIB
$<TARGET_OBJECTS:graph_context_obj>
$<TARGET_OBJECTS:validator_obj>
$<TARGET_OBJECTS:optimizer_obj>
$<TARGET_OBJECTS:ssl_obj>
)

nebula_add_test(
1 change: 1 addition & 0 deletions src/graph/util/test/CMakeLists.txt
Expand Up @@ -32,6 +32,7 @@ nebula_add_test(
$<TARGET_OBJECTS:ft_es_graph_adapter_obj>
$<TARGET_OBJECTS:ws_common_obj>
$<TARGET_OBJECTS:version_obj>
$<TARGET_OBJECTS:ssl_obj>
$<TARGET_OBJECTS:idgenerator_obj>
$<TARGET_OBJECTS:expr_visitor_obj>
$<TARGET_OBJECTS:graph_session_obj>
1 change: 1 addition & 0 deletions src/graph/validator/test/CMakeLists.txt
Expand Up @@ -51,6 +51,7 @@ set(VALIDATOR_TEST_LIBS
$<TARGET_OBJECTS:ft_es_graph_adapter_obj>
$<TARGET_OBJECTS:ws_common_obj>
$<TARGET_OBJECTS:version_obj>
$<TARGET_OBJECTS:ssl_obj>
)

nebula_add_test(
1 change: 1 addition & 0 deletions src/graph/visitor/test/CMakeLists.txt
Expand Up @@ -56,6 +56,7 @@ nebula_add_test(
$<TARGET_OBJECTS:ft_es_graph_adapter_obj>
$<TARGET_OBJECTS:ws_common_obj>
$<TARGET_OBJECTS:version_obj>
$<TARGET_OBJECTS:ssl_obj>
LIBRARIES
gtest
${THRIFT_LIBRARIES}
4 changes: 3 additions & 1 deletion src/kvstore/NebulaStore.h
Expand Up @@ -11,6 +11,7 @@
#include <gtest/gtest_prod.h>

#include "common/base/Base.h"
#include "common/ssl/SSLConfig.h"
#include "common/utils/Utils.h"
#include "interface/gen-cpp2/RaftexServiceAsyncClient.h"
#include "kvstore/DiskManager.h"
Expand Down Expand Up @@ -65,7 +66,8 @@ class NebulaStore : public KVStore, public Handler {
options_(std::move(options)) {
CHECK_NOTNULL(options_.partMan_);
clientMan_ =
std::make_shared<thrift::ThriftClientManager<raftex::cpp2::RaftexServiceAsyncClient>>();
std::make_shared<thrift::ThriftClientManager<raftex::cpp2::RaftexServiceAsyncClient>>(
FLAGS_enable_ssl);
}

~NebulaStore();
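Review bot: `NebulaStore.h` now includes `common/ssl/SSLConfig.h` solely to read `FLAGS_enable_ssl` in the inline constructor, which drags `<folly/io/async/SSLContext.h>` and the wangle `SSLContextConfig` header into every translation unit that includes the store header. A plain `DECLARE_bool(enable_ssl);` in this header (gflags should already be reachable via `common/base/Base.h`) or moving the `clientMan_` construction into NebulaStore.cpp keeps the dependency where it is used; `StorageClientBase-inl.h` has the same header-level include for the same single flag. The constructor starts outside the hunk.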
4 changes: 4 additions & 0 deletions src/kvstore/raftex/RaftexService.cpp
Expand Up @@ -9,6 +9,7 @@
#include <folly/ScopeGuard.h>

#include "common/base/Base.h"
#include "common/ssl/SSLConfig.h"
#include "kvstore/raftex/RaftPart.h"

namespace nebula {
Expand Down Expand Up @@ -60,6 +61,9 @@ void RaftexService::initThriftServer(std::shared_ptr<folly::IOThreadPoolExecutor
std::shared_ptr<folly::Executor> workers,
uint16_t port) {
LOG(INFO) << "Init thrift server for raft service, port: " << port;
if (FLAGS_enable_ssl) {
server_->setSSLConfig(nebula::sslContextConfig());
}
server_->setPort(port);
server_->setIdleTimeout(std::chrono::seconds(0));
if (pool != nullptr) {