gavinchou commented on code in PR #16340:
URL: https://github.com/apache/doris/pull/16340#discussion_r1109188938


##########
fe/fe-core/src/main/java/org/apache/doris/mysql/MysqlChannel.java:
##########
@@ -44,17 +48,27 @@ public class MysqlChannel {
     protected SocketChannel channel;
     // used to receive/send header, avoiding new this many time.
     protected ByteBuffer headerByteBuffer = 
ByteBuffer.allocate(PACKET_HEADER_LEN);
+    // used to receive/send ssl header, avoiding new this many time.
+    protected ByteBuffer sslHeaderByteBuffer = 
ByteBuffer.allocate(SSL_PACKET_HEADER_LEN);
     // default packet byte buffer for most packet
     protected ByteBuffer defaultBuffer = ByteBuffer.allocate(16 * 1024);
     protected ByteBuffer sendBuffer;
+
+    protected ByteBuffer sendSslBuffer;
     // for log and show
     protected String remoteHostPortString;
     protected String remoteIp;
     protected boolean isSend;
+    protected boolean isSslMode;
+    protected boolean isHandshaking;
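
Review bot: the new fields `sendSslBuffer`, `isSslMode` and `isHandshaking` at the end of this hunk have no comments, unlike `sslHeaderByteBuffer` and the existing buffers above them. Please document whether `sendSslBuffer` holds ciphertext or plaintext, and when `isSslMode` is set relative to `isHandshaking`. Two independent booleans also allow combinations such as handshaking while not in SSL mode, so a single connection-state enum would make the switch from plaintext to TLS easier to audit.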

Review Comment:
   Is it better to rename `isHandshaking` to `isSslHandShaking`?



##########
fe/fe-core/src/main/java/org/apache/doris/mysql/MysqlChannel.java:
##########
@@ -197,6 +264,16 @@ protected void realNetSend(ByteBuffer buffer) throws 
IOException {
         isSend = true;
     }
 
+    private void encryptData(ByteBuffer dstBuf) throws SSLException {
+        if (isSslMode) {
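
Review bot: `encryptData(ByteBuffer dstBuf)` returns void and takes a parameter named `dstBuf`, so the signature does not say whether the argument is the plaintext input, the ciphertext output, or both, and the `if (isSslMode)` guard suggests it does nothing at all outside SSL mode. Consider returning the buffer that should actually be written to the channel (the input unchanged when SSL is off), or at least add a comment on the method stating which buffer holds the ciphertext afterwards, so a caller cannot send the wrong one.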

Review Comment:
   Try this to reduce lines of code and indentation
   ```
   if (!isSslMode) return;
   ByteBuffer netData = ...
   ...
   ```



##########
fe/fe-core/src/main/java/org/apache/doris/mysql/MysqlChannel.java:
##########
@@ -126,32 +162,60 @@ protected int readAll(ByteBuffer dstBuf) throws 
IOException {
             int ret = channel.read(dstBuf);
             // return -1 when remote peer close the channel
             if (ret == -1) {
+                decryptData(dstBuf);
                 return readLen;
             }
             readLen += ret;
         }
+        // if use ssl mode, wo need to decrypt received net data(ciphertext) 
to app data(plaintext).
+        decryptData(dstBuf);
         return readLen;
     }
 
+    private void decryptData(ByteBuffer dstBuf) throws SSLException {
+        if (isSslMode) {
+            ByteBuffer appData = 
ByteBuffer.allocate(sslEngine.getSession().getApplicationBufferSize());
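
Review bot: in `readAll`, `readLen` counts the bytes returned by `channel.read(dstBuf)`, which in SSL mode are ciphertext, yet it is returned unchanged after `decryptData(dstBuf)` on both paths. The plaintext produced from those bytes will normally be shorter than the ciphertext, so a caller that treats the return value as the amount of usable data in `dstBuf` gets the wrong length. Consider having `decryptData` return the plaintext byte count and returning that instead. The `ret == -1` path also decrypts whatever was read before the peer closed, which may be an incomplete TLS record, so that case needs explicit handling rather than the same call as the normal path.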

Review Comment:
   Do we have to allocate a buffer every time we need to decrypt/encrypt data?
   Is it possible we allocate (not on heap) 2 large enough buffers for decryption and encryption to reduce allocation?


