diff --git a/src/yb/client/client_utils.cc b/src/yb/client/client_utils.cc index bcf9a0dcc0fc..9919109fde61 100644 --- a/src/yb/client/client_utils.cc +++ b/src/yb/client/client_utils.cc @@ -28,7 +28,7 @@ #include "yb/rpc/messenger.h" #include "yb/rpc/rpc.h" -#include "yb/server/secure.h" +#include "yb/rpc/secure.h" #include "yb/util/atomic.h" #include "yb/util/locks.h" @@ -65,7 +65,7 @@ Result> CreateClientMessenger( builder.set_metric_entity(metric_entity); builder.UseDefaultConnectionContextFactory(parent_mem_tracker); if (secure_context) { - server::ApplySecureContext(secure_context, &builder); + rpc::ApplySecureContext(secure_context, &builder); } auto messenger = VERIFY_RESULT(builder.Build()); if (PREDICT_FALSE(FLAGS_TEST_running_test)) { diff --git a/src/yb/client/stateful_services/stateful_service_client_base.cc b/src/yb/client/stateful_services/stateful_service_client_base.cc index 621af92c6d0f..5728cdc811b6 100644 --- a/src/yb/client/stateful_services/stateful_service_client_base.cc +++ b/src/yb/client/stateful_services/stateful_service_client_base.cc @@ -16,8 +16,10 @@ #include #include "yb/master/master_client.proxy.h" -#include "yb/tserver/tablet_server.h" +#include "yb/rpc/messenger.h" +#include "yb/rpc/secure.h" #include "yb/rpc/secure_stream.h" +#include "yb/tserver/tablet_server.h" #include "yb/client/client-internal.h" #include "yb/util/backoff_waiter.h" #include "yb/util/status_format.h" @@ -53,8 +55,8 @@ Status StatefulServiceClientBase::Init(tserver::TabletServer* server) { std::lock_guard lock(mutex_); rpc::MessengerBuilder messenger_builder(service_name_ + "_Client"); - secure_context_ = VERIFY_RESULT( - server::SetupInternalSecureContext(local_hosts, *server->fs_manager(), &messenger_builder)); + secure_context_ = VERIFY_RESULT(rpc::SetupInternalSecureContext( + local_hosts, server->fs_manager()->GetDefaultRootDir(), &messenger_builder)); messenger_ = VERIFY_RESULT(messenger_builder.Build()); @@ -79,8 +81,8 @@ Status StatefulServiceClientBase::TESTInit( const std::string& local_host, const std::string& master_addresses) { std::lock_guard lock(mutex_); rpc::MessengerBuilder messenger_builder(service_name_ + "Client"); - secure_context_ = VERIFY_RESULT(server::SetupSecureContext( - FLAGS_certs_dir, local_host, server::SecureContextType::kInternal, &messenger_builder)); + secure_context_ = VERIFY_RESULT(rpc::SetupSecureContext( + FLAGS_certs_dir, local_host, rpc::SecureContextType::kInternal, &messenger_builder)); messenger_ = VERIFY_RESULT(messenger_builder.Build()); diff --git a/src/yb/client/stateful_services/stateful_service_client_base.h b/src/yb/client/stateful_services/stateful_service_client_base.h index c39e029f22c6..ad901857fd4a 100644 --- a/src/yb/client/stateful_services/stateful_service_client_base.h +++ b/src/yb/client/stateful_services/stateful_service_client_base.h @@ -14,24 +14,25 @@ #pragma once #include -#include "yb/client/client.h" -#include "yb/rpc/messenger.h" -#include "yb/server/secure.h" -#include "yb/util/net/net_util.h" -#include "yb/util/status.h" -#include "yb/rpc/proxy.h" -#include "yb/rpc/rpc_context.h" -#include "yb/gutil/thread_annotations.h" + #include "yb/common/wire_protocol.h" +#include "yb/common/wire_protocol.pb.h" +#include "yb/gutil/thread_annotations.h" +#include "yb/rpc/rpc_fwd.h" +#include "yb/util/status.h" using namespace std::placeholders; namespace yb { + +class HostPort; + namespace tserver { class TabletServer; } namespace client { +class YBClient; #define STATEFUL_SERVICE_RPC(r, service, method_name) \ template \ diff --git a/src/yb/client/transaction_manager.cc b/src/yb/client/transaction_manager.cc index 27da13b008a6..1d34533fe584 100644 --- a/src/yb/client/transaction_manager.cc +++ b/src/yb/client/transaction_manager.cc @@ -43,6 +43,10 @@ DEFINE_test_flag(string, transaction_manager_preferred_tablet, "", "For testing only. If non-empty, transaction manager will try to use the status " "tablet with id matching this flag, if present in the list of status tablets."); +DECLARE_string(placement_cloud); +DECLARE_string(placement_region); +DECLARE_string(placement_zone); + namespace yb { namespace client { @@ -159,6 +163,20 @@ class TransactionTableState { TransactionStatusTablets tablets_ GUARDED_BY(mutex_); }; +const CloudInfoPB& GetPlacementFromGFlags() { + static GoogleOnceType once = GOOGLE_ONCE_INIT; + static CloudInfoPB cloud_info; + auto set_placement_from_gflags = [](CloudInfoPB* cloud_info) { + cloud_info->set_placement_cloud(FLAGS_placement_cloud); + cloud_info->set_placement_region(FLAGS_placement_region); + cloud_info->set_placement_zone(FLAGS_placement_zone); + }; + GoogleOnceInitArg( + &once, static_cast(set_placement_from_gflags), &cloud_info); + + return cloud_info; +} + // Loads transaction tablets list to cache. class LoadStatusTabletsTask { public: @@ -200,8 +218,7 @@ class LoadStatusTabletsTask { private: Result GetTransactionStatusTablets() { - CloudInfoPB this_pb = yb::server::GetPlacementFromGFlags(); - return client_->GetTransactionStatusTablets(this_pb); + return client_->GetTransactionStatusTablets(GetPlacementFromGFlags()); } YBClient* client_; diff --git a/src/yb/client/universe_key_client.cc b/src/yb/client/universe_key_client.cc index 2d672777f79f..e3546514f571 100644 --- a/src/yb/client/universe_key_client.cc +++ b/src/yb/client/universe_key_client.cc @@ -18,15 +18,13 @@ #include "yb/encryption/encryption.pb.h" -#include "yb/fs/fs_manager.h" - #include "yb/master/master_encryption.proxy.h" #include "yb/rpc/messenger.h" #include "yb/rpc/rpc_controller.h" #include "yb/rpc/secure_stream.h" -#include "yb/server/secure.h" +#include "yb/rpc/secure.h" #include "yb/util/backoff_waiter.h" #include "yb/util/logging.h" @@ -84,13 +82,12 @@ void UniverseKeyClient::ProcessGetUniverseKeyRegistryResponse( callback_(resp->universe_keys()); } -ResultUniverseKeyClient::GetFullUniverseKeyRegistry( - const std::string& local_hosts, - const std::string& master_addresses, - const FsManager& fs_manager) { +Result UniverseKeyClient::GetFullUniverseKeyRegistry( + const std::string& local_hosts, const std::string& master_addresses, + const std::string& root_dir) { rpc::MessengerBuilder messenger_builder("universe_key_client"); - auto secure_context = VERIFY_RESULT( - server::SetupInternalSecureContext(local_hosts, fs_manager, &messenger_builder)); + auto secure_context = + VERIFY_RESULT(rpc::SetupInternalSecureContext(local_hosts, root_dir, &messenger_builder)); auto messenger = VERIFY_RESULT(messenger_builder.Build()); auto se = ScopeExit([&] { if (messenger) { diff --git a/src/yb/client/universe_key_client.h b/src/yb/client/universe_key_client.h index 17fbecdb70e3..d50bc7ff5b30 100644 --- a/src/yb/client/universe_key_client.h +++ b/src/yb/client/universe_key_client.h @@ -30,8 +30,6 @@ namespace yb { -class FsManager; - namespace client { class UniverseKeyClient { @@ -47,9 +45,9 @@ class UniverseKeyClient { // Synchronous call from tserver Init to get the full universe key registry from master // leader. static Result GetFullUniverseKeyRegistry( - const std::string& local_hosts, - const std::string& master_addresses, - const FsManager& fs_manager); + const std::string& local_hosts, const std::string& master_addresses, + const std::string& root_dir); + private: void ProcessGetUniverseKeyRegistryResponse( diff --git a/src/yb/client/xcluster_client.cc b/src/yb/client/xcluster_client.cc index f8998443f440..48f599772537 100644 --- a/src/yb/client/xcluster_client.cc +++ b/src/yb/client/xcluster_client.cc @@ -19,7 +19,7 @@ #include "yb/rpc/messenger.h" #include "yb/rpc/proxy.h" #include "yb/rpc/secure_stream.h" -#include "yb/server/secure.h" +#include "yb/rpc/secure.h" #include "yb/util/path_util.h" DECLARE_bool(use_node_to_node_encryption); @@ -48,8 +48,8 @@ Status XClusterRemoteClient::Init( if (!certs_for_cdc_dir_.empty()) { certs_dir = JoinPathSegments(certs_for_cdc_dir_, replication_group_id.ToString()); } - secure_context_ = VERIFY_RESULT(server::SetupSecureContext( - certs_dir, /*root_dir=*/"", /*name=*/"", server::SecureContextType::kInternal, + secure_context_ = VERIFY_RESULT(rpc::SetupSecureContext( + certs_dir, /*root_dir=*/"", /*name=*/"", rpc::SecureContextType::kInternal, &messenger_builder)); } messenger_ = VERIFY_RESULT(messenger_builder.Build()); diff --git a/src/yb/common/common_flags.cc b/src/yb/common/common_flags.cc index c43ebc288662..f73b3404be76 100644 --- a/src/yb/common/common_flags.cc +++ b/src/yb/common/common_flags.cc @@ -113,6 +113,21 @@ DEFINE_RUNTIME_PG_FLAG(bool, TEST_enable_replication_slot_consumption, false, TAG_FLAG(ysql_TEST_enable_replication_slot_consumption, unsafe); TAG_FLAG(ysql_TEST_enable_replication_slot_consumption, hidden); +// The following flags related to the cloud, region and availability zone that an instance is +// started in. These are passed in from whatever provisioning mechanics start the servers. They +// are used for generic placement policies on table creation and tablet load balancing, to +// either constrain data to a certain location (table A should only live in aws.us-west2.a), or to +// define the required level of fault tolerance expected (table B should have N replicas, across +// two regions of AWS and one of GCE). +// +// These are currently for use in a cloud-based deployment, but could be retrofitted to work for +// an on-premise deployment as well, with datacenter, cluster and rack levels, for example. +DEFINE_NON_RUNTIME_string(placement_cloud, "cloud1", + "The cloud in which this instance is started."); +DEFINE_NON_RUNTIME_string(placement_region, "datacenter1", + "The cloud region in which this instance is started."); +DEFINE_NON_RUNTIME_string(placement_zone, "rack1", + "The cloud availability zone in which this instance is started."); namespace { constexpr const auto kMinRpcThrottleThresholdBytes = 16; diff --git a/src/yb/fs/fs_manager.cc b/src/yb/fs/fs_manager.cc index 5025ac07d4b1..3a3825c28c1f 100644 --- a/src/yb/fs/fs_manager.cc +++ b/src/yb/fs/fs_manager.cc @@ -129,7 +129,6 @@ const char kConsensusMetadataDirName[] = "consensus-meta"; const char kLogsDirName[] = "logs"; const char kTmpInfix[] = ".tmp"; const char kCheckFileTemplate[] = "check.XXXXXX"; -const char kSecureCertsDirName[] = "certs"; const char kPrefixMetricId[] = "drive:"; std::string DataDir(const std::string& root, const std::string& server_type) { @@ -836,10 +835,6 @@ std::string FsManager::GetDefaultRootDir() const { return GetServerTypeDataPath(canonicalized_default_fs_root_, server_type_); } -std::string FsManager::GetCertsDir(const std::string& root_dir) { - return JoinPathSegments(root_dir, kSecureCertsDirName); -} - std::vector FsManager::GetConsensusMetadataDirs() const { DCHECK(initted_); vector data_paths; diff --git a/src/yb/fs/fs_manager.h b/src/yb/fs/fs_manager.h index b0e7b5624ce2..28263860f978 100644 --- a/src/yb/fs/fs_manager.h +++ b/src/yb/fs/fs_manager.h @@ -211,7 +211,6 @@ class FsManager { // Return the directory where the certs are stored. std::string GetDefaultRootDir() const; - static std::string GetCertsDir(const std::string& root_dir); std::vector GetConsensusMetadataDirs() const; // Return the directory where the consensus metadata is stored. diff --git a/src/yb/integration-tests/external_mini_cluster.cc b/src/yb/integration-tests/external_mini_cluster.cc index d4a8f600218e..a83b23e43fad 100644 --- a/src/yb/integration-tests/external_mini_cluster.cc +++ b/src/yb/integration-tests/external_mini_cluster.cc @@ -76,7 +76,7 @@ #include "yb/server/server_base.pb.h" #include "yb/server/server_base.proxy.h" -#include "yb/server/secure.h" +#include "yb/rpc/secure.h" #include "yb/tserver/tserver_admin.proxy.h" #include "yb/tserver/tserver_service.proxy.h" @@ -3023,8 +3023,8 @@ void StartSecure( std::unique_ptr* messenger, const std::vector& master_flags) { rpc::MessengerBuilder messenger_builder("test_client"); - *secure_context = ASSERT_RESULT(server::SetupSecureContext( - "", "127.0.0.100", server::SecureContextType::kInternal, &messenger_builder)); + *secure_context = ASSERT_RESULT(rpc::SetupSecureContext( + /*root_dir=*/"", "127.0.0.100", rpc::SecureContextType::kInternal, &messenger_builder)); *messenger = ASSERT_RESULT(messenger_builder.Build()); (**messenger).TEST_SetOutboundIpBase(ASSERT_RESULT(HostToAddress("127.0.0.1"))); diff --git a/src/yb/integration-tests/mini_cluster_base.cc b/src/yb/integration-tests/mini_cluster_base.cc index 231dbb7319e7..b99fac6a0e75 100644 --- a/src/yb/integration-tests/mini_cluster_base.cc +++ b/src/yb/integration-tests/mini_cluster_base.cc @@ -17,7 +17,7 @@ #include "yb/client/stateful_services/stateful_service_client_base.h" #include "yb/server/hybrid_clock.h" -#include "yb/server/secure.h" +#include "yb/rpc/secure.h" #include "yb/util/net/net_util.h" #include "yb/util/result.h" #include "yb/rpc/messenger.h" @@ -32,8 +32,8 @@ Result> CreateSecureClientInternal( const std::string& name, const std::string& host, std::unique_ptr* secure_context, client::YBClientBuilder* builder) { rpc::MessengerBuilder messenger_builder("test_client"); - *secure_context = VERIFY_RESULT(server::SetupSecureContext( - FLAGS_certs_dir, name, server::SecureContextType::kInternal, &messenger_builder)); + *secure_context = VERIFY_RESULT(rpc::SetupSecureContext( + FLAGS_certs_dir, name, rpc::SecureContextType::kInternal, &messenger_builder)); auto messenger = VERIFY_RESULT(messenger_builder.Build()); messenger->TEST_SetOutboundIpBase(VERIFY_RESULT(HostToAddress(host))); auto clock = make_scoped_refptr(); diff --git a/src/yb/integration-tests/secure_connection_test.cc b/src/yb/integration-tests/secure_connection_test.cc index 69b6ffe345be..9f1771095be8 100644 --- a/src/yb/integration-tests/secure_connection_test.cc +++ b/src/yb/integration-tests/secure_connection_test.cc @@ -22,7 +22,7 @@ #include "yb/rpc/messenger.h" #include "yb/rpc/secure_stream.h" -#include "yb/server/secure.h" +#include "yb/rpc/secure.h" #include "yb/util/size_literals.h" #include "yb/util/env_util.h" diff --git a/src/yb/master/master.cc b/src/yb/master/master.cc index 27b4bde9a4a7..9e307cd8753a 100644 --- a/src/yb/master/master.cc +++ b/src/yb/master/master.cc @@ -70,7 +70,7 @@ #include "yb/rpc/yb_rpc.h" #include "yb/server/rpc_server.h" -#include "yb/server/secure.h" +#include "yb/rpc/secure.h" #include "yb/server/hybrid_clock.h" @@ -103,7 +103,6 @@ DEFINE_NON_RUNTIME_int32(master_backup_svc_queue_length, 50, "RPC queue length for master backup service"); TAG_FLAG(master_backup_svc_queue_length, advanced); -DECLARE_string(cert_node_filename); DECLARE_bool(master_join_existing_universe); METRIC_DEFINE_entity(cluster); @@ -685,8 +684,8 @@ Status Master::get_ysql_db_oid_to_cat_version_info_map( Status Master::SetupMessengerBuilder(rpc::MessengerBuilder* builder) { RETURN_NOT_OK(DbServerBase::SetupMessengerBuilder(builder)); - secure_context_ = VERIFY_RESULT( - server::SetupInternalSecureContext(options_.HostsString(), *fs_manager_, builder)); + secure_context_ = VERIFY_RESULT(rpc::SetupInternalSecureContext( + options_.HostsString(), fs_manager_->GetDefaultRootDir(), builder)); return Status::OK(); } @@ -696,11 +695,9 @@ Status Master::ReloadKeysAndCertificates() { return Status::OK(); } - return server::ReloadSecureContextKeysAndCertificates( - secure_context_.get(), - fs_manager_->GetDefaultRootDir(), - server::SecureContextType::kInternal, - options_.HostsString()); + return rpc::ReloadSecureContextKeysAndCertificates( + secure_context_.get(), fs_manager_->GetDefaultRootDir(), rpc::SecureContextType::kInternal, + options_.HostsString()); } std::string Master::GetCertificateDetails() { diff --git a/src/yb/master/xcluster_rpc_tasks.cc b/src/yb/master/xcluster_rpc_tasks.cc index e8e00dbb6fd3..f8902fec3b1c 100644 --- a/src/yb/master/xcluster_rpc_tasks.cc +++ b/src/yb/master/xcluster_rpc_tasks.cc @@ -26,7 +26,7 @@ #include "yb/rpc/messenger.h" #include "yb/rpc/secure_stream.h" -#include "yb/server/secure.h" +#include "yb/rpc/secure.h" #include "yb/util/logging.h" #include "yb/util/path_util.h" @@ -75,8 +75,8 @@ Result> XClusterRpcTasks::CreateWithMasterAddr FLAGS_certs_for_cdc_dir, xcluster::GetOriginalReplicationGroupId(replication_group_id).ToString()); } - xcluster_rpc_tasks->secure_context_ = VERIFY_RESULT(server::SetupSecureContext( - dir, "", "", server::SecureContextType::kInternal, &messenger_builder)); + xcluster_rpc_tasks->secure_context_ = VERIFY_RESULT(rpc::SetupSecureContext( + dir, /*root_dir=*/"", /*name=*/"", rpc::SecureContextType::kInternal, &messenger_builder)); xcluster_rpc_tasks->messenger_ = VERIFY_RESULT(messenger_builder.Build()); } diff --git a/src/yb/rpc/CMakeLists.txt b/src/yb/rpc/CMakeLists.txt index 1bdbeedb4fab..768dbc3e5eda 100644 --- a/src/yb/rpc/CMakeLists.txt +++ b/src/yb/rpc/CMakeLists.txt @@ -98,6 +98,7 @@ set(YRPC_SRCS rpc_with_queue.cc rpc_util.cc scheduler.cc + secure.cc secure_stream.cc serialization.cc service_if.cc diff --git a/src/yb/rpc/rpc_fwd.h b/src/yb/rpc/rpc_fwd.h index 7adb4913c45b..97f7be0aa557 100644 --- a/src/yb/rpc/rpc_fwd.h +++ b/src/yb/rpc/rpc_fwd.h @@ -51,6 +51,7 @@ class LightweightMessage; class MessengerBuilder; class PeriodicTimer; class Proxy; +class ProxyBase; class ProxyCache; class ProxyContext; class Reactor; diff --git a/src/yb/server/secure.cc b/src/yb/rpc/secure.cc similarity index 52% rename from src/yb/server/secure.cc rename to src/yb/rpc/secure.cc index 02bc47183cdb..e150ebcbdb3a 100644 --- a/src/yb/server/secure.cc +++ b/src/yb/rpc/secure.cc @@ -11,9 +11,7 @@ // under the License. // -#include "yb/server/secure.h" - -#include "yb/fs/fs_manager.h" +#include "yb/rpc/secure.h" #include "yb/rpc/compressed_stream.h" #include "yb/rpc/messenger.h" @@ -29,42 +27,42 @@ using std::string; -DEFINE_UNKNOWN_bool(use_node_to_node_encryption, false, "Use node to node encryption."); +DEFINE_NON_RUNTIME_bool(use_node_to_node_encryption, false, "Use node to node encryption."); -DEFINE_UNKNOWN_bool(node_to_node_encryption_use_client_certificates, false, - "Should client certificates be sent and verified for encrypted node to node " - "communication."); +DEFINE_NON_RUNTIME_bool(node_to_node_encryption_use_client_certificates, false, + "Should client certificates be sent and verified for encrypted node to node " + "communication."); -DEFINE_UNKNOWN_string(node_to_node_encryption_required_uid, "", - "Allow only certificates with specified uid. Empty to allow any."); +DEFINE_NON_RUNTIME_string(node_to_node_encryption_required_uid, "", + "Allow only certificates with specified uid. Empty to allow any."); -DEFINE_UNKNOWN_string(certs_dir, "", - "Directory that contains certificate authority, private key and certificates for " - "this server. By default 'certs' subdir in data folder is used."); +DEFINE_NON_RUNTIME_string(certs_dir, "", + "Directory that contains certificate authority, private key and certificates for " + "this server. By default 'certs' subdir in data folder is used."); -DEFINE_UNKNOWN_bool(use_client_to_server_encryption, false, "Use client to server encryption"); +DEFINE_NON_RUNTIME_bool(use_client_to_server_encryption, false, "Use client to server encryption"); -DEFINE_UNKNOWN_string(certs_for_client_dir, "", - "Directory that contains certificate authority, private key and certificates for " - "this server that should be used for client to server communications. " - "When empty, the same dir as for server to server communications is used."); +DEFINE_NON_RUNTIME_string(certs_for_client_dir, "", + "Directory that contains certificate authority, private key and certificates for " + "this server that should be used for client to server communications. " + "When empty, the same dir as for server to server communications is used."); -DEFINE_UNKNOWN_string(cert_node_filename, "", - "The file name that will be used in the names of the node " - "certificates and keys. These files will be named : " - "'node.{cert_node_filename}.{key|crt}'. " - "If this flag is not set, then --server_broadcast_addresses will be " - "used if it is set, and if not, --rpc_bind_addresses will be used."); +DEFINE_NON_RUNTIME_string(cert_node_filename, "", + "The file name that will be used in the names of the node " + "certificates and keys. These files will be named : " + "'node.{cert_node_filename}.{key|crt}'. " + "If this flag is not set, then --server_broadcast_addresses will be " + "used if it is set, and if not, --rpc_bind_addresses will be used."); -DEFINE_UNKNOWN_string(key_file_pattern, "node.$0.key", "Pattern used for key file"); +DEFINE_NON_RUNTIME_string(key_file_pattern, "node.$0.key", "Pattern used for key file"); -DEFINE_UNKNOWN_string(cert_file_pattern, "node.$0.crt", "Pattern used for certificate file"); +DEFINE_NON_RUNTIME_string(cert_file_pattern, "node.$0.crt", "Pattern used for certificate file"); -DEFINE_UNKNOWN_bool(enable_stream_compression, true, +DEFINE_NON_RUNTIME_bool(enable_stream_compression, true, "Whether it is allowed to use stream compression."); namespace yb { -namespace server { +namespace rpc { namespace { @@ -77,13 +75,19 @@ string CertsDir(const std::string& root_dir, SecureContextType type) { certs_dir = FLAGS_certs_dir; } if (certs_dir.empty()) { - certs_dir = FsManager::GetCertsDir(root_dir); + certs_dir = GetCertsDir(root_dir); } return certs_dir; } +static constexpr char kSecureCertsDirName[] = "certs"; + } // namespace +std::string GetCertsDir(const std::string& root_dir) { + return JoinPathSegments(root_dir, kSecureCertsDirName); +} + bool IsNodeToNodeEncryptionEnabled() { return FLAGS_use_node_to_node_encryption; } @@ -92,63 +96,48 @@ bool IsClientToServerEncryptionEnabled() { return FLAGS_use_client_to_server_encryption; } -string DefaultCertsDir(const FsManager& fs_manager) { - return fs_manager.GetCertsDir(fs_manager.GetDefaultRootDir()); -} - -Result> SetupSecureContext( - const std::string& hosts, const FsManager& fs_manager, SecureContextType type, - rpc::MessengerBuilder* builder) { - std::vector host_ports; - RETURN_NOT_OK(HostPort::ParseStrings(hosts, 0, &host_ports)); - - return server::SetupSecureContext( - fs_manager.GetDefaultRootDir(), host_ports[0].host(), type, builder); -} - -Result> SetupSecureContext( - const std::string& root_dir, const std::string& name, - SecureContextType type, rpc::MessengerBuilder* builder) { +Result> SetupSecureContext( + const std::string& root_dir, const std::string& name, SecureContextType type, + MessengerBuilder* builder) { return SetupSecureContext(std::string(), root_dir, name, type, builder); } -Result> SetupInternalSecureContext( - const string& local_hosts, const FsManager& fs_manager, - rpc::MessengerBuilder* messenger_builder) { +Result> SetupInternalSecureContext( + const string& local_hosts, const std::string& root_dir, MessengerBuilder* messenger_builder) { if (!FLAGS_cert_node_filename.empty()) { - return VERIFY_RESULT(server::SetupSecureContext( - fs_manager.GetDefaultRootDir(), - FLAGS_cert_node_filename, - server::SecureContextType::kInternal, + return VERIFY_RESULT(rpc::SetupSecureContext( + root_dir, FLAGS_cert_node_filename, SecureContextType::kInternal, messenger_builder)); } - return VERIFY_RESULT(server::SetupSecureContext( - local_hosts, fs_manager, server::SecureContextType::kInternal, messenger_builder)); + std::vector host_ports; + RETURN_NOT_OK(HostPort::ParseStrings(local_hosts, /*default_port=*/0, &host_ports)); + + return rpc::SetupSecureContext( + root_dir, host_ports[0].host(), SecureContextType::kInternal, messenger_builder); } -void ApplyCompressedStream( - rpc::MessengerBuilder* builder, const rpc::StreamFactoryPtr lower_layer_factory) { +void ApplyCompressedStream(MessengerBuilder* builder, const StreamFactoryPtr lower_layer_factory) { if (!FLAGS_enable_stream_compression) { return; } - builder->SetListenProtocol(rpc::CompressedStreamProtocol()); + builder->SetListenProtocol(CompressedStreamProtocol()); auto parent_mem_tracker = builder->last_used_parent_mem_tracker(); auto buffer_tracker = MemTracker::FindOrCreateTracker( -1, "Compressed Read Buffer", parent_mem_tracker); builder->AddStreamFactory( - rpc::CompressedStreamProtocol(), - rpc::CompressedStreamFactory(std::move(lower_layer_factory), buffer_tracker)); + CompressedStreamProtocol(), + CompressedStreamFactory(std::move(lower_layer_factory), buffer_tracker)); } -Result> SetupSecureContext( +Result> SetupSecureContext( const std::string& cert_dir, const std::string& root_dir, const std::string& name, - SecureContextType type, rpc::MessengerBuilder* builder) { + SecureContextType type, MessengerBuilder* builder) { auto use = type == SecureContextType::kInternal ? FLAGS_use_node_to_node_encryption : FLAGS_use_client_to_server_encryption; LOG(INFO) << __func__ << ": " << type << ", " << use; if (!use) { - ApplyCompressedStream(builder, rpc::TcpStream::Factory()); + ApplyCompressedStream(builder, TcpStream::Factory()); return nullptr; } @@ -165,12 +154,11 @@ Result> SetupSecureContext( return context; } -Result> CreateSecureContext( +Result> CreateSecureContext( const std::string& certs_dir, UseClientCerts use_client_certs, const std::string& node_name, const std::string& required_uid) { - - auto result = std::make_unique( - rpc::RequireClientCertificate(use_client_certs), rpc::UseClientCertificate(use_client_certs), + auto result = std::make_unique( + RequireClientCertificate(use_client_certs), UseClientCertificate(use_client_certs), required_uid); RETURN_NOT_OK(ReloadSecureContextKeysAndCertificates(result.get(), certs_dir, node_name)); @@ -179,7 +167,7 @@ Result> CreateSecureContext( } Status ReloadSecureContextKeysAndCertificates( - rpc::SecureContext* context, const std::string& root_dir, SecureContextType type, + SecureContext* context, const std::string& root_dir, SecureContextType type, const std::string& hosts) { std::string node_name = FLAGS_cert_node_filename; @@ -193,15 +181,14 @@ Status ReloadSecureContextKeysAndCertificates( } Status ReloadSecureContextKeysAndCertificates( - rpc::SecureContext* context, const std::string& node_name, const std::string& root_dir, + SecureContext* context, const std::string& node_name, const std::string& root_dir, SecureContextType type) { std::string certs_dir = CertsDir(root_dir, type); return ReloadSecureContextKeysAndCertificates(context, certs_dir, node_name); } Status ReloadSecureContextKeysAndCertificates( - rpc::SecureContext* context, const std::string& certs_dir, const std::string& node_name) { - + SecureContext* context, const std::string& certs_dir, const std::string& node_name) { LOG(INFO) << "Certs directory: " << certs_dir << ", node name: " << node_name; auto ca_cert_file = JoinPathSegments(certs_dir, "ca.crt"); @@ -222,17 +209,16 @@ Status ReloadSecureContextKeysAndCertificates( return Status::OK(); } -void ApplySecureContext(const rpc::SecureContext* context, rpc::MessengerBuilder* builder) { +void ApplySecureContext(const SecureContext* context, MessengerBuilder* builder) { auto parent_mem_tracker = builder->last_used_parent_mem_tracker(); auto buffer_tracker = MemTracker::FindOrCreateTracker( -1, "Encrypted Read Buffer", parent_mem_tracker); - auto secure_stream_factory = rpc::SecureStreamFactory( - rpc::TcpStream::Factory(), buffer_tracker, context); - builder->SetListenProtocol(rpc::SecureStreamProtocol()); - builder->AddStreamFactory(rpc::SecureStreamProtocol(), secure_stream_factory); + auto secure_stream_factory = SecureStreamFactory(TcpStream::Factory(), buffer_tracker, context); + builder->SetListenProtocol(SecureStreamProtocol()); + builder->AddStreamFactory(SecureStreamProtocol(), secure_stream_factory); ApplyCompressedStream(builder, secure_stream_factory); } -} // namespace server +} // namespace rpc } // namespace yb diff --git a/src/yb/server/secure.h b/src/yb/rpc/secure.h similarity index 55% rename from src/yb/server/secure.h rename to src/yb/rpc/secure.h index 0e2ca879e733..17cb2e5a820a 100644 --- a/src/yb/server/secure.h +++ b/src/yb/rpc/secure.h @@ -13,70 +13,54 @@ #pragma once -#include "yb/util/flags.h" - #include "yb/rpc/rpc_fwd.h" #include "yb/util/enums.h" -DECLARE_string(cert_node_filename); - namespace yb { -class FsManager; - namespace rpc { -class SecureContext; - -} - -namespace server { - YB_DEFINE_ENUM(SecureContextType, (kInternal)(kExternal)); -std::string DefaultCertsDir(const FsManager& fs_manager); +std::string GetCertsDir(const std::string& root_dir); // Creates secure context and sets up messenger builder to use it. -Result> SetupSecureContext( - const std::string& hosts, const FsManager& fs_manager, SecureContextType type, - rpc::MessengerBuilder* builder); - -Result> SetupSecureContext( +Result> SetupSecureContext( const std::string& root_dir, const std::string& name, SecureContextType type, - rpc::MessengerBuilder* builder); + MessengerBuilder* builder); -Result> SetupSecureContext( +Result> SetupSecureContext( const std::string& cert_dir, const std::string& root_dir, const std::string& name, - SecureContextType type, rpc::MessengerBuilder* builder); + SecureContextType type, MessengerBuilder* builder); -Result> SetupInternalSecureContext( - const std::string& local_hosts, const FsManager& fs_manager, - rpc::MessengerBuilder* messenger_builder); +Result> SetupInternalSecureContext( + const std::string& local_hosts, const std::string& root_dir, + MessengerBuilder* messenger_builder); YB_STRONGLY_TYPED_BOOL(UseClientCerts); -Result> CreateSecureContext( +Result> CreateSecureContext( const std::string& certs_dir, UseClientCerts use_client_certs, const std::string& node_name = std::string(), const std::string& required_uid = std::string()); Status ReloadSecureContextKeysAndCertificates( - rpc::SecureContext* context, const std::string& root_dir, SecureContextType type, + SecureContext* context, const std::string& root_dir, SecureContextType type, const std::string& hosts); Status ReloadSecureContextKeysAndCertificates( - rpc::SecureContext* context, const std::string& node_name, const std::string& root_dir, + SecureContext* context, const std::string& node_name, const std::string& root_dir, SecureContextType type); Status ReloadSecureContextKeysAndCertificates( - rpc::SecureContext* context, const std::string& certs_dir, const std::string& node_name); + SecureContext* context, const std::string& certs_dir, const std::string& node_name); -void ApplySecureContext(const rpc::SecureContext* context, rpc::MessengerBuilder* builder); +void ApplySecureContext(const SecureContext* context, MessengerBuilder* builder); bool IsNodeToNodeEncryptionEnabled(); bool IsClientToServerEncryptionEnabled(); -} // namespace server +} // namespace rpc } // namespace yb diff --git a/src/yb/server/CMakeLists.txt b/src/yb/server/CMakeLists.txt index ee4680cfd305..5290a81ec89f 100644 --- a/src/yb/server/CMakeLists.txt +++ b/src/yb/server/CMakeLists.txt @@ -101,7 +101,6 @@ set(SERVER_PROCESS_SRCS webserver_options.cc webui_util.cc random_error_clock.cc - secure.cc ) add_library(server_process ${SERVER_PROCESS_SRCS}) diff --git a/src/yb/server/auto_flags_manager_base.cc b/src/yb/server/auto_flags_manager_base.cc index caab68fd0fb9..fa850a16843b 100644 --- a/src/yb/server/auto_flags_manager_base.cc +++ b/src/yb/server/auto_flags_manager_base.cc @@ -23,7 +23,7 @@ #include "yb/rpc/messenger.h" #include "yb/rpc/secure_stream.h" -#include "yb/server/secure.h" +#include "yb/rpc/secure.h" #include "yb/util/flags/auto_flags.h" #include "yb/util/net/net_util.h" @@ -108,8 +108,8 @@ AutoFlagsManagerBase::~AutoFlagsManagerBase() { Status AutoFlagsManagerBase::Init(const std::string& local_hosts) { rpc::MessengerBuilder messenger_builder("auto_flags_client"); - secure_context_ = VERIFY_RESULT( - server::SetupInternalSecureContext(local_hosts, *fs_manager_, &messenger_builder)); + secure_context_ = VERIFY_RESULT(rpc::SetupInternalSecureContext( + local_hosts, fs_manager_->GetDefaultRootDir(), &messenger_builder)); messenger_ = VERIFY_RESULT(messenger_builder.Build()); diff --git a/src/yb/server/default-path-handlers.cc b/src/yb/server/default-path-handlers.cc index 6d7f833c9183..7aca1f91b481 100644 --- a/src/yb/server/default-path-handlers.cc +++ b/src/yb/server/default-path-handlers.cc @@ -71,7 +71,7 @@ #include "yb/rpc/secure_stream.h" #include "yb/server/pprof-path-handlers.h" #include "yb/server/server_base.h" -#include "yb/server/secure.h" +#include "yb/rpc/secure.h" #include "yb/server/webserver.h" #include "yb/util/flags.h" #include "yb/util/format.h" @@ -746,10 +746,10 @@ static void CertificateHandler(server::RpcServerBase* server, (*output) << tags.pre_tag; (*output) << "Node to node encryption enabled: " - << (yb::server::IsNodeToNodeEncryptionEnabled() ? "true" : "false"); + << (yb::rpc::IsNodeToNodeEncryptionEnabled() ? "true" : "false"); (*output) << tags.line_break << "Client to server encryption enabled: " - << (yb::server::IsClientToServerEncryptionEnabled() ? "true" : "false"); + << (yb::rpc::IsClientToServerEncryptionEnabled() ? "true" : "false"); (*output) << tags.line_break << "Allow insecure connections: " << (yb::rpc::AllowInsecureConnections() ? "on" : "off"); diff --git a/src/yb/server/server_base_options.cc b/src/yb/server/server_base_options.cc index ea2c8045c63c..182df5d14d39 100644 --- a/src/yb/server/server_base_options.cc +++ b/src/yb/server/server_base_options.cc @@ -62,21 +62,6 @@ #include "yb/util/status.h" #include "yb/util/status_format.h" -// The following flags related to the cloud, region and availability zone that an instance is -// started in. These are passed in from whatever provisioning mechanics start the servers. They -// are used for generic placement policies on table creation and tablet load balancing, to -// either constrain data to a certain location (table A should only live in aws.us-west2.a), or to -// define the required level of fault tolerance expected (table B should have N replicas, across -// two regions of AWS and one of GCE). -// -// These are currently for use in a cloud-based deployment, but could be retrofitted to work for -// an on-premise deployment as well, with datacenter, cluster and rack levels, for example. -DEFINE_UNKNOWN_string(placement_cloud, "cloud1", - "The cloud in which this instance is started."); -DEFINE_UNKNOWN_string(placement_region, "datacenter1", - "The cloud region in which this instance is started."); -DEFINE_UNKNOWN_string(placement_zone, "rack1", - "The cloud availability zone in which this instance is started."); DEFINE_UNKNOWN_string(placement_uuid, "", "The uuid of the tservers cluster/placement."); @@ -86,6 +71,10 @@ TAG_FLAG(master_discovery_timeout_ms, hidden); DECLARE_bool(TEST_mini_cluster_mode); +DECLARE_string(placement_cloud); +DECLARE_string(placement_region); +DECLARE_string(placement_zone); + namespace yb { namespace server { @@ -336,14 +325,6 @@ std::string MasterAddressesToString(const MasterAddresses& addresses) { return result; } -CloudInfoPB GetPlacementFromGFlags() { - CloudInfoPB result; - result.set_placement_cloud(FLAGS_placement_cloud); - result.set_placement_region(FLAGS_placement_region); - result.set_placement_zone(FLAGS_placement_zone); - return result; -} - CloudInfoPB ServerBaseOptions::MakeCloudInfoPB() const { CloudInfoPB result; result.set_placement_cloud(placement_cloud()); diff --git a/src/yb/server/server_base_options.h b/src/yb/server/server_base_options.h index 3c4090e81566..b9dd20289f65 100644 --- a/src/yb/server/server_base_options.h +++ b/src/yb/server/server_base_options.h @@ -133,7 +133,5 @@ std::string MasterAddressesToString(const MasterAddresses& addresses); Result> ResolveMasterAddresses(const MasterAddresses& master_addresses); -CloudInfoPB GetPlacementFromGFlags(); - } // namespace server } // namespace yb diff --git a/src/yb/tools/ts-cli.cc b/src/yb/tools/ts-cli.cc index dd4609136853..b64b38b60985 100644 --- a/src/yb/tools/ts-cli.cc +++ b/src/yb/tools/ts-cli.cc @@ -47,7 +47,7 @@ #include "yb/rpc/secure_stream.h" #include "yb/consensus/metadata.pb.h" -#include "yb/server/secure.h" +#include "yb/rpc/secure.h" #include "yb/server/server_base.proxy.h" #include "yb/tablet/tablet.pb.h" @@ -279,9 +279,9 @@ Status TsAdminClient::Init() { auto messenger_builder = MessengerBuilder("ts-cli"); if (!FLAGS_certs_dir_name.empty()) { const std::string& cert_name = FLAGS_client_node_name; - secure_context_ = VERIFY_RESULT(server::CreateSecureContext( - FLAGS_certs_dir_name, server::UseClientCerts(!cert_name.empty()), cert_name)); - server::ApplySecureContext(secure_context_.get(), &messenger_builder); + secure_context_ = VERIFY_RESULT(rpc::CreateSecureContext( + FLAGS_certs_dir_name, rpc::UseClientCerts(!cert_name.empty()), cert_name)); + rpc::ApplySecureContext(secure_context_.get(), &messenger_builder); } messenger_ = VERIFY_RESULT(messenger_builder.Build()); diff --git a/src/yb/tools/yb-admin_client.cc b/src/yb/tools/yb-admin_client.cc index bae9a3a83cce..757562235775 100644 --- a/src/yb/tools/yb-admin_client.cc +++ b/src/yb/tools/yb-admin_client.cc @@ -83,7 +83,7 @@ #include "yb/rpc/proxy.h" #include "yb/rpc/secure_stream.h" -#include "yb/server/secure.h" +#include "yb/rpc/secure.h" #include "yb/tools/yb-admin_util.h" #include "yb/tserver/tserver_admin.proxy.h" #include "yb/tserver/tserver_service.proxy.h" @@ -613,9 +613,9 @@ Status ClusterAdminClient::Init() { if (!FLAGS_certs_dir_name.empty()) { LOG(INFO) << "Built secure client using certs dir " << FLAGS_certs_dir_name; const auto& cert_name = FLAGS_client_node_name; - secure_context_ = VERIFY_RESULT(server::CreateSecureContext( - FLAGS_certs_dir_name, server::UseClientCerts(!cert_name.empty()), cert_name)); - server::ApplySecureContext(secure_context_.get(), &messenger_builder); + secure_context_ = VERIFY_RESULT(rpc::CreateSecureContext( + FLAGS_certs_dir_name, rpc::UseClientCerts(!cert_name.empty()), cert_name)); + rpc::ApplySecureContext(secure_context_.get(), &messenger_builder); } messenger_ = VERIFY_RESULT(messenger_builder.Build()); diff --git a/src/yb/tserver/tablet_server.cc b/src/yb/tserver/tablet_server.cc index 6efac5fbd5cf..1f58d750f560 100644 --- a/src/yb/tserver/tablet_server.cc +++ b/src/yb/tserver/tablet_server.cc @@ -67,7 +67,7 @@ #include "yb/rpc/secure_stream.h" #include "yb/server/rpc_server.h" -#include "yb/server/secure.h" +#include "yb/rpc/secure.h" #include "yb/server/webserver.h" #include "yb/server/hybrid_clock.h" @@ -206,7 +206,6 @@ DEFINE_UNKNOWN_int32(xcluster_svc_queue_length, 5000, "RPC queue length for the xCluster service"); TAG_FLAG(xcluster_svc_queue_length, advanced); -DECLARE_string(cert_node_filename); DECLARE_bool(ysql_enable_table_mutation_counter); DEFINE_NON_RUNTIME_bool(allow_encryption_at_rest, true, @@ -462,7 +461,8 @@ Status TabletServer::Init() { encryption::UniverseKeyRegistryPB universe_key_registry; while (true) { auto res = client::UniverseKeyClient::GetFullUniverseKeyRegistry( - options_.HostsString(), JoinStrings(master_addresses, ","), *fs_manager()); + options_.HostsString(), JoinStrings(master_addresses, ","), + fs_manager()->GetDefaultRootDir()); if (res.ok()) { universe_key_registry = *res; break; @@ -1173,8 +1173,8 @@ void TabletServer::InvalidatePgTableCache() { Status TabletServer::SetupMessengerBuilder(rpc::MessengerBuilder* builder) { RETURN_NOT_OK(DbServerBase::SetupMessengerBuilder(builder)); - secure_context_ = VERIFY_RESULT( - server::SetupInternalSecureContext(options_.HostsString(), *fs_manager_, builder)); + secure_context_ = VERIFY_RESULT(rpc::SetupInternalSecureContext( + options_.HostsString(), fs_manager_->GetDefaultRootDir(), builder)); return Status::OK(); } @@ -1326,10 +1326,8 @@ Status TabletServer::ReloadKeysAndCertificates() { return Status::OK(); } - RETURN_NOT_OK(server::ReloadSecureContextKeysAndCertificates( - secure_context_.get(), - fs_manager_->GetDefaultRootDir(), - server::SecureContextType::kInternal, + RETURN_NOT_OK(rpc::ReloadSecureContextKeysAndCertificates( + secure_context_.get(), fs_manager_->GetDefaultRootDir(), rpc::SecureContextType::kInternal, options_.HostsString())); std::lock_guard l(xcluster_consumer_mutex_); diff --git a/src/yb/tserver/tablet_server_main_impl.cc b/src/yb/tserver/tablet_server_main_impl.cc index 37f461deab36..b3a7da9231d7 100644 --- a/src/yb/tserver/tablet_server_main_impl.cc +++ b/src/yb/tserver/tablet_server_main_impl.cc @@ -57,7 +57,7 @@ #include "yb/rpc/scheduler.h" #include "yb/rpc/secure_stream.h" #include "yb/server/skewed_clock.h" -#include "yb/server/secure.h" +#include "yb/rpc/secure.h" #include "yb/tserver/factory.h" #include "yb/tserver/metrics_snapshotter.h" #include "yb/tserver/tablet_server.h" @@ -191,18 +191,17 @@ void SetProxyAddresses() { Status SetSslConf(const std::unique_ptr &server, yb::ProcessWrapperCommonConfig* config) { - config->certs_dir = FLAGS_certs_dir.empty() - ? server::DefaultCertsDir(*server->fs_manager()) - : FLAGS_certs_dir; - config->certs_for_client_dir = FLAGS_certs_for_client_dir.empty() - ? config->certs_dir - : FLAGS_certs_for_client_dir; - config->enable_tls = FLAGS_use_client_to_server_encryption; - - // Follow the same logic as elsewhere, check FLAGS_cert_node_filename then - // server_broadcast_addresses then rpc_bind_addresses. - if (!FLAGS_cert_node_filename.empty()) { - config->cert_base_name = FLAGS_cert_node_filename; + config->certs_dir = FLAGS_certs_dir.empty() + ? rpc::GetCertsDir(server->fs_manager()->GetDefaultRootDir()) + : FLAGS_certs_dir; + config->certs_for_client_dir = + FLAGS_certs_for_client_dir.empty() ? config->certs_dir : FLAGS_certs_for_client_dir; + config->enable_tls = FLAGS_use_client_to_server_encryption; + + // Follow the same logic as elsewhere, check FLAGS_cert_node_filename then + // server_broadcast_addresses then rpc_bind_addresses. + if (!FLAGS_cert_node_filename.empty()) { + config->cert_base_name = FLAGS_cert_node_filename; } else { const auto server_broadcast_addresses = HostPort::ParseStrings(server->options().server_broadcast_addresses, 0); diff --git a/src/yb/tserver/xcluster_consumer.cc b/src/yb/tserver/xcluster_consumer.cc index b6e2e1506d01..37c6d590c4b0 100644 --- a/src/yb/tserver/xcluster_consumer.cc +++ b/src/yb/tserver/xcluster_consumer.cc @@ -45,7 +45,7 @@ #include "yb/rocksdb/util/rate_limiter.h" #include "yb/gutil/map-util.h" -#include "yb/server/secure.h" +#include "yb/rpc/secure.h" #include "yb/util/callsite_profiling.h" #include "yb/util/flags.h" @@ -137,8 +137,8 @@ Result> CreateXClusterConsumer( rpc::MessengerBuilder messenger_builder("xcluster-consumer"); if (FLAGS_use_node_to_node_encryption) { - local_client->secure_context = VERIFY_RESULT(server::SetupSecureContext( - "", "", server::SecureContextType::kInternal, &messenger_builder)); + local_client->secure_context = VERIFY_RESULT(rpc::SetupSecureContext( + /*root_dir=*/"", /*name=*/"", rpc::SecureContextType::kInternal, &messenger_builder)); } local_client->messenger = VERIFY_RESULT(messenger_builder.Build()); @@ -529,8 +529,9 @@ void XClusterConsumer::TriggerPollForNewTablets() { xcluster::GetOriginalReplicationGroupId(replication_group_id).ToString()); } - auto secure_context_result = server::SetupSecureContext( - dir, "", "", server::SecureContextType::kInternal, &messenger_builder); + auto secure_context_result = rpc::SetupSecureContext( + dir, /*root_dir=*/"", /*name=*/"", rpc::SecureContextType::kInternal, + &messenger_builder); if (!secure_context_result.ok()) { LOG(WARNING) << "Could not create secure context for " << replication_group_id << ": " << secure_context_result.status().ToString(); @@ -734,9 +735,9 @@ int32_t XClusterConsumer::cluster_config_version() const { Status XClusterConsumer::ReloadCertificates() { if (local_client_->secure_context) { - RETURN_NOT_OK(server::ReloadSecureContextKeysAndCertificates( + RETURN_NOT_OK(rpc::ReloadSecureContextKeysAndCertificates( local_client_->secure_context.get(), "" /* node_name */, "" /* root_dir*/, - server::SecureContextType::kInternal)); + rpc::SecureContextType::kInternal)); } SharedLock read_lock(pollers_map_mutex_); @@ -751,7 +752,7 @@ Status XClusterConsumer::ReloadCertificates() { FLAGS_certs_for_cdc_dir, xcluster::GetOriginalReplicationGroupId(replication_group_id).ToString()); } - RETURN_NOT_OK(server::ReloadSecureContextKeysAndCertificates( + RETURN_NOT_OK(rpc::ReloadSecureContextKeysAndCertificates( client->secure_context.get(), cert_dir, "" /* node_name */)); } diff --git a/src/yb/yql/cql/cqlserver/cql_server.cc b/src/yb/yql/cql/cqlserver/cql_server.cc index af053c621e9e..f9eeef492307 100644 --- a/src/yb/yql/cql/cqlserver/cql_server.cc +++ b/src/yb/yql/cql/cqlserver/cql_server.cc @@ -28,7 +28,7 @@ #include "yb/tserver/tablet_server_interface.h" -#include "yb/server/secure.h" +#include "yb/rpc/secure.h" #include "yb/rpc/secure_stream.h" #include "yb/util/flags.h" @@ -58,6 +58,7 @@ TAG_FLAG(cql_limit_nodelist_refresh_to_subscribed_conns, advanced); DEFINE_UNKNOWN_int64(cql_rpc_memory_limit, 0, "CQL RPC memory limit"); DECLARE_bool(ysql_yb_enable_ash); +DECLARE_string(cert_node_filename); namespace yb { namespace cqlserver { @@ -221,24 +222,24 @@ Status CQLServer::ReloadKeysAndCertificates() { return Status::OK(); } - return server::ReloadSecureContextKeysAndCertificates( - secure_context_.get(), - fs_manager_->GetDefaultRootDir(), - server::SecureContextType::kExternal, + return rpc::ReloadSecureContextKeysAndCertificates( + secure_context_.get(), fs_manager_->GetDefaultRootDir(), rpc::SecureContextType::kExternal, options_.HostsString()); } Status CQLServer::SetupMessengerBuilder(rpc::MessengerBuilder* builder) { RETURN_NOT_OK(RpcAndWebServerBase::SetupMessengerBuilder(builder)); if (!FLAGS_cert_node_filename.empty()) { - secure_context_ = VERIFY_RESULT(server::SetupSecureContext( - fs_manager_->GetDefaultRootDir(), - FLAGS_cert_node_filename, - server::SecureContextType::kExternal, - builder)); + secure_context_ = VERIFY_RESULT(rpc::SetupSecureContext( + fs_manager_->GetDefaultRootDir(), FLAGS_cert_node_filename, + rpc::SecureContextType::kExternal, builder)); } else { - secure_context_ = VERIFY_RESULT(server::SetupSecureContext( - options_.HostsString(), *fs_manager_, server::SecureContextType::kExternal, builder)); + std::vector host_ports; + RETURN_NOT_OK(HostPort::ParseStrings(options_.HostsString(), 0, &host_ports)); + + secure_context_ = VERIFY_RESULT(rpc::SetupSecureContext( + fs_manager_->GetDefaultRootDir(), host_ports[0].host(), rpc::SecureContextType::kExternal, + builder)); } return Status::OK(); } diff --git a/src/yb/yql/pggate/pggate.cc b/src/yb/yql/pggate/pggate.cc index 563b5d16cc1a..b449833a0721 100644 --- a/src/yb/yql/pggate/pggate.cc +++ b/src/yb/yql/pggate/pggate.cc @@ -43,7 +43,7 @@ #include "yb/rpc/proxy.h" #include "yb/rpc/secure_stream.h" -#include "yb/server/secure.h" +#include "yb/rpc/secure.h" #include "yb/tserver/pg_client.pb.h" #include "yb/tserver/tserver_shared_mem.h" @@ -135,9 +135,9 @@ Result BuildMessenger( const std::shared_ptr& parent_mem_tracker) { std::unique_ptr secure_context; if (FLAGS_use_node_to_node_encryption) { - secure_context = VERIFY_RESULT(server::CreateSecureContext( + secure_context = VERIFY_RESULT(rpc::CreateSecureContext( FLAGS_certs_dir, - server::UseClientCerts(FLAGS_node_to_node_encryption_use_client_certificates))); + rpc::UseClientCerts(FLAGS_node_to_node_encryption_use_client_certificates))); } auto messenger = VERIFY_RESULT(client::CreateClientMessenger( client_name, num_reactors, metric_entity, parent_mem_tracker, secure_context.get()));