This is an automated email from the ASF dual-hosted git repository.
xiangfu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pinot.git
The following commit(s) were added to refs/heads/master by this push:
new f1fec060a6 Support runtime reload for TLS resources (#12277)
f1fec060a6 is described below
commit f1fec060a62c43ee8544e0730b453452cedcf32d
Author: Haitao Zhang <[email protected]>
AuthorDate: Mon Jan 22 12:28:49 2024 -0800
Support runtime reload for TLS resources (#12277)
* build swappable tls resource bundle when possible
* fix format
* remove the limitation that secrets are from files
* simplify logic
---
pinot-common/pom.xml | 4 +
.../org/apache/pinot/common/utils/TlsUtils.java | 114 +++++++++++-----
.../pinot/common/utils/grpc/GrpcQueryClient.java | 14 +-
.../apache/pinot/common/utils/TlsUtilsTest.java | 143 +++++++++++++++++++++
pinot-common/src/test/resources/tls/keystore.p12 | Bin 0 -> 2581 bytes
pinot-common/src/test/resources/tls/truststore.p12 | Bin 0 -> 1186 bytes
.../pinot/core/transport/grpc/GrpcQueryServer.java | 8 +-
.../apache/pinot/core/util/ListenerConfigUtil.java | 2 +-
pom.xml | 7 +
9 files changed, 242 insertions(+), 50 deletions(-)
diff --git a/pinot-common/pom.xml b/pinot-common/pom.xml
index 3fb09c7340..d5b3ee6a7e 100644
--- a/pinot-common/pom.xml
+++ b/pinot-common/pom.xml
@@ -397,6 +397,10 @@
<groupId>com.github.seancfoley</groupId>
<artifactId>ipaddress</artifactId>
</dependency>
+ <dependency>
+ <groupId>io.github.hakky54</groupId>
+ <artifactId>sslcontext-kickstart-for-netty</artifactId>
+ </dependency>
</dependencies>
<profiles>
<profile>
diff --git
a/pinot-common/src/main/java/org/apache/pinot/common/utils/TlsUtils.java
b/pinot-common/src/main/java/org/apache/pinot/common/utils/TlsUtils.java
index 6504bdf5ce..f883b88fcf 100644
--- a/pinot-common/src/main/java/org/apache/pinot/common/utils/TlsUtils.java
+++ b/pinot-common/src/main/java/org/apache/pinot/common/utils/TlsUtils.java
@@ -18,6 +18,7 @@
*/
package org.apache.pinot.common.utils;
+import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.SslContext;
@@ -28,15 +29,15 @@ import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
-import java.security.GeneralSecurityException;
import java.security.KeyStore;
+import java.security.SecureRandom;
import java.util.concurrent.atomic.AtomicReference;
import javax.net.ssl.HttpsURLConnection;
-import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
-import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
+import nl.altindag.ssl.SSLFactory;
+import nl.altindag.ssl.exception.GenericSSLContextException;
import org.apache.commons.lang.StringUtils;
import org.apache.http.ssl.SSLContexts;
import org.apache.pinot.common.config.TlsConfig;
@@ -60,6 +61,10 @@ public final class TlsUtils {
private static final String TRUSTSTORE_PASSWORD = "truststore.password";
private static final String SSL_PROVIDER = "ssl.provider";
+ private static final String FILE_SCHEME = "file";
+ private static final String FILE_SCHEME_PREFIX = FILE_SCHEME + "://";
+ private static final String FILE_SCHEME_PREFIX_WITHOUT_SLASH = FILE_SCHEME +
":";
+
private static final AtomicReference<SSLContext> SSL_CONTEXT_REF = new
AtomicReference<>();
private TlsUtils() {
@@ -136,7 +141,7 @@ public final class TlsUtils {
try {
KeyStore keyStore = KeyStore.getInstance(keyStoreType);
- try (InputStream is = makeKeyStoreUrl(keyStorePath).openStream()) {
+ try (InputStream is = makeKeyOrTrustStoreUrl(keyStorePath).openStream())
{
keyStore.load(is, keyStorePassword.toCharArray());
}
@@ -176,7 +181,7 @@ public final class TlsUtils {
try {
KeyStore keyStore = KeyStore.getInstance(trustStoreType);
- try (InputStream is = makeKeyStoreUrl(trustStorePath).openStream()) {
+ try (InputStream is =
makeKeyOrTrustStoreUrl(trustStorePath).openStream()) {
keyStore.load(is, trustStorePassword.toCharArray());
}
@@ -213,25 +218,14 @@ public final class TlsUtils {
*/
public static void installDefaultSSLSocketFactory(String keyStoreType,
String keyStorePath, String keyStorePassword,
String trustStoreType, String trustStorePath, String trustStorePassword)
{
- KeyManager[] keyManagers = null;
- if (keyStorePath != null) {
- keyManagers = createKeyManagerFactory(keyStorePath, keyStorePassword,
keyStoreType).getKeyManagers();
- }
-
- TrustManager[] trustManagers = null;
- if (trustStorePath != null) {
- trustManagers = createTrustManagerFactory(trustStorePath,
trustStorePassword, trustStoreType).getTrustManagers();
- }
-
try {
- SSLContext sc = SSLContext.getInstance("SSL");
- sc.init(keyManagers, trustManagers, new java.security.SecureRandom());
-
+ SSLFactory sslFactory = createSSLFactory(keyStoreType, keyStorePath,
keyStorePassword,
+ trustStoreType, trustStorePath, trustStorePassword,
+ "SSL", new java.security.SecureRandom());
// HttpsURLConnection
- HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
-
- setSslContext(sc);
- } catch (GeneralSecurityException e) {
+
HttpsURLConnection.setDefaultSSLSocketFactory(sslFactory.getSslSocketFactory());
+ setSslContext(sslFactory.getSslContext());
+ } catch (GenericSSLContextException e) {
throw new IllegalStateException("Could not initialize SSL support", e);
}
}
@@ -240,14 +234,14 @@ public final class TlsUtils {
return namespace + "." + suffix;
}
- public static URL makeKeyStoreUrl(String storePath)
+ public static URL makeKeyOrTrustStoreUrl(String storePath)
throws URISyntaxException, MalformedURLException {
URI inputUri = new URI(storePath);
if (StringUtils.isBlank(inputUri.getScheme())) {
if (storePath.startsWith("/")) {
- return new URL("file://" + storePath);
+ return new URL(FILE_SCHEME_PREFIX + storePath);
}
- return new URL("file://./" + storePath);
+ return new URL(FILE_SCHEME_PREFIX + "./" + storePath);
}
return inputUri.toURL();
}
@@ -293,14 +287,11 @@ public final class TlsUtils {
* @param tlsConfig TLS config
*/
public static SslContext buildClientContext(TlsConfig tlsConfig) {
+ SSLFactory sslFactory = createSSLFactory(tlsConfig);
SslContextBuilder sslContextBuilder =
SslContextBuilder.forClient().sslProvider(SslProvider.valueOf(tlsConfig.getSslProvider()));
- if (tlsConfig.getKeyStorePath() != null) {
- sslContextBuilder.keyManager(createKeyManagerFactory(tlsConfig));
- }
- if (tlsConfig.getTrustStorePath() != null) {
- sslContextBuilder.trustManager(createTrustManagerFactory(tlsConfig));
- }
+ sslFactory.getKeyManagerFactory().ifPresent(sslContextBuilder::keyManager);
+
sslFactory.getTrustManagerFactory().ifPresent(sslContextBuilder::trustManager);
try {
return sslContextBuilder.build();
} catch (Exception e) {
@@ -317,11 +308,10 @@ public final class TlsUtils {
if (tlsConfig.getKeyStorePath() == null) {
throw new IllegalArgumentException("Must provide key store path for
secured server");
}
- SslContextBuilder sslContextBuilder =
SslContextBuilder.forServer(createKeyManagerFactory(tlsConfig))
+ SSLFactory sslFactory = createSSLFactory(tlsConfig);
+ SslContextBuilder sslContextBuilder =
SslContextBuilder.forServer(sslFactory.getKeyManagerFactory().get())
.sslProvider(SslProvider.valueOf(tlsConfig.getSslProvider()));
- if (tlsConfig.getTrustStorePath() != null) {
- sslContextBuilder.trustManager(createTrustManagerFactory(tlsConfig));
- }
+
sslFactory.getTrustManagerFactory().ifPresent(sslContextBuilder::trustManager);
if (tlsConfig.isClientAuthEnabled()) {
sslContextBuilder.clientAuth(ClientAuth.REQUIRE);
}
@@ -331,4 +321,58 @@ public final class TlsUtils {
throw new RuntimeException(e);
}
}
+
+ /**
+ * Create a {@link SSLFactory} instance with identity material and trust
material swappable for a given TlsConfig
+ * @param tlsConfig {@link TlsConfig}
+ * @return a {@link SSLFactory} instance with identity material and trust
material swappable
+ */
+ public static SSLFactory createSSLFactory(TlsConfig tlsConfig) {
+ return createSSLFactory(
+ tlsConfig.getKeyStoreType(), tlsConfig.getKeyStorePath(),
tlsConfig.getKeyStorePassword(),
+ tlsConfig.getTrustStoreType(), tlsConfig.getTrustStorePath(),
tlsConfig.getTrustStorePassword(),
+ null, null);
+ }
+
+ @VisibleForTesting
+ static SSLFactory createSSLFactory(
+ String keyStoreType, String keyStorePath, String keyStorePassword,
+ String trustStoreType, String trustStorePath, String trustStorePassword,
+ String sslContextProtocol, SecureRandom secureRandom) {
+ try {
+ SSLFactory.Builder sslFactoryBuilder = SSLFactory.builder();
+ InputStream keyStoreStream = null;
+ InputStream trustStoreStream = null;
+ if (keyStorePath != null) {
+ Preconditions.checkNotNull(keyStorePassword, "key store password must
not be null");
+ keyStoreStream = makeKeyOrTrustStoreUrl(keyStorePath).openStream();
+ sslFactoryBuilder
+ .withSwappableIdentityMaterial()
+ .withIdentityMaterial(keyStoreStream,
keyStorePassword.toCharArray(), keyStoreType);
+ }
+ if (trustStorePath != null) {
+ Preconditions.checkNotNull(trustStorePassword, "trust store password
must not be null");
+ trustStoreStream = makeKeyOrTrustStoreUrl(trustStorePath).openStream();
+ sslFactoryBuilder
+ .withSwappableTrustMaterial()
+ .withTrustMaterial(trustStoreStream,
trustStorePassword.toCharArray(), trustStoreType);
+ }
+ if (sslContextProtocol != null) {
+ sslFactoryBuilder.withSslContextAlgorithm(sslContextProtocol);
+ }
+ if (secureRandom != null) {
+ sslFactoryBuilder.withSecureRandom(secureRandom);
+ }
+ SSLFactory sslFactory = sslFactoryBuilder.build();
+ if (keyStoreStream != null) {
+ keyStoreStream.close();
+ }
+ if (trustStoreStream != null) {
+ trustStoreStream.close();
+ }
+ return sslFactory;
+ } catch (Exception e) {
+ throw new IllegalStateException(e);
+ }
+ }
}
diff --git
a/pinot-common/src/main/java/org/apache/pinot/common/utils/grpc/GrpcQueryClient.java
b/pinot-common/src/main/java/org/apache/pinot/common/utils/grpc/GrpcQueryClient.java
index 88611f427d..7194d454ca 100644
---
a/pinot-common/src/main/java/org/apache/pinot/common/utils/grpc/GrpcQueryClient.java
+++
b/pinot-common/src/main/java/org/apache/pinot/common/utils/grpc/GrpcQueryClient.java
@@ -27,9 +27,8 @@ import io.grpc.netty.shaded.io.netty.handler.ssl.SslProvider;
import java.util.Collections;
import java.util.Iterator;
import java.util.concurrent.TimeUnit;
-import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLException;
-import javax.net.ssl.TrustManagerFactory;
+import nl.altindag.ssl.SSLFactory;
import org.apache.pinot.common.config.GrpcConfig;
import org.apache.pinot.common.proto.PinotQueryServerGrpc;
import org.apache.pinot.common.proto.Server;
@@ -56,15 +55,10 @@ public class GrpcQueryClient {
.usePlaintext().build();
} else {
try {
+ SSLFactory sslFactory =
TlsUtils.createSSLFactory(config.getTlsConfig());
SslContextBuilder sslContextBuilder = SslContextBuilder.forClient();
- if (config.getTlsConfig().getKeyStorePath() != null) {
- KeyManagerFactory keyManagerFactory =
TlsUtils.createKeyManagerFactory(config.getTlsConfig());
- sslContextBuilder.keyManager(keyManagerFactory);
- }
- if (config.getTlsConfig().getTrustStorePath() != null) {
- TrustManagerFactory trustManagerFactory =
TlsUtils.createTrustManagerFactory(config.getTlsConfig());
- sslContextBuilder.trustManager(trustManagerFactory);
- }
+
sslFactory.getKeyManagerFactory().ifPresent(sslContextBuilder::keyManager);
+
sslFactory.getTrustManagerFactory().ifPresent(sslContextBuilder::trustManager);
if (config.getTlsConfig().getSslProvider() != null) {
sslContextBuilder =
GrpcSslContexts.configure(sslContextBuilder,
SslProvider.valueOf(config.getTlsConfig().getSslProvider()));
diff --git
a/pinot-common/src/test/java/org/apache/pinot/common/utils/TlsUtilsTest.java
b/pinot-common/src/test/java/org/apache/pinot/common/utils/TlsUtilsTest.java
new file mode 100644
index 0000000000..b674af0deb
--- /dev/null
+++ b/pinot-common/src/test/java/org/apache/pinot/common/utils/TlsUtilsTest.java
@@ -0,0 +1,143 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.pinot.common.utils;
+
+import java.io.File;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.URISyntaxException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.nio.file.StandardCopyOption;
+import java.security.KeyManagementException;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+import java.security.cert.Certificate;
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509KeyManager;
+import javax.net.ssl.X509TrustManager;
+import nl.altindag.ssl.SSLFactory;
+import org.apache.commons.io.FileUtils;
+import org.testng.annotations.AfterClass;
+import org.testng.annotations.BeforeClass;
+import org.testng.annotations.Test;
+
+import static org.testng.Assert.assertEquals;
+
+
+public class TlsUtilsTest {
+ private static final String TLS_RESOURCE_FOLDER = "tls/";
+ private static final String TLS_KEYSTORE_FILE = "keystore.p12";
+ private static final String TLS_TRUSTSTORE_FILE = "truststore.p12";
+ private static final String[] TLS_RESOURCE_FILES = {TLS_KEYSTORE_FILE,
TLS_TRUSTSTORE_FILE};
+ private static final String PASSWORD = "changeit";
+ private static final String KEYSTORE_TYPE = "PKCS12";
+ private static final String TRUSTSTORE_TYPE = "PKCS12";
+ private static final String DEFAULT_TEST_TLS_DIR
+ = new File(FileUtils.getTempDirectoryPath(), "test-tls-dir" +
System.currentTimeMillis()).getAbsolutePath();
+
+ @BeforeClass
+ public void setUp()
+ throws IOException, URISyntaxException {
+ copyResourceFilesToTempFolder();
+ }
+
+ private static void copyResourceFilesToTempFolder()
+ throws URISyntaxException, IOException {
+ // Create the destination folder if it doesn't exist
+ Files.createDirectories(Paths.get(DEFAULT_TEST_TLS_DIR));
+ for (String fileName : TLS_RESOURCE_FILES) {
+ // Use the class loader to get the InputStream of the resource file
+ try (InputStream resourceStream
+ =
TlsUtilsTest.class.getClassLoader().getResourceAsStream(TLS_RESOURCE_FOLDER +
fileName)) {
+ if (resourceStream == null) {
+ throw new IOException("Resource file not found: " + fileName);
+ }
+ // Specify the destination path
+ Path destinationPath = Paths.get(DEFAULT_TEST_TLS_DIR, fileName);
+ // Use Files.copy to copy the file to the destination folder
+ Files.copy(resourceStream, destinationPath,
StandardCopyOption.REPLACE_EXISTING);
+ } catch (IOException e) {
+ e.printStackTrace(); // Handle the exception as needed
+ }
+ }
+ }
+
+ @AfterClass
+ public void tearDown() {
+ FileUtils.deleteQuietly(new File(DEFAULT_TEST_TLS_DIR));
+ }
+
+ @Test
+ public void swappableSSLFactoryHasSameAsStaticOnes()
+ throws NoSuchAlgorithmException, KeyManagementException, IOException,
URISyntaxException {
+ SecureRandom secureRandom = new SecureRandom();
+ KeyManagerFactory keyManagerFactory =
+ TlsUtils.createKeyManagerFactory(DEFAULT_TEST_TLS_DIR + "/" +
TLS_KEYSTORE_FILE, PASSWORD,
+ KEYSTORE_TYPE);
+ TrustManagerFactory trustManagerFactory =
+ TlsUtils.createTrustManagerFactory(DEFAULT_TEST_TLS_DIR + "/" +
TLS_TRUSTSTORE_FILE, PASSWORD,
+ TRUSTSTORE_TYPE);
+ SSLContext sslContext = SSLContext.getInstance("TLS");
+ sslContext.init(keyManagerFactory.getKeyManagers(),
trustManagerFactory.getTrustManagers(), secureRandom);
+ SSLFactory sslFactory =
+ TlsUtils.createSSLFactory(KEYSTORE_TYPE, DEFAULT_TEST_TLS_DIR + "/" +
TLS_KEYSTORE_FILE, PASSWORD,
+ TRUSTSTORE_TYPE, DEFAULT_TEST_TLS_DIR + "/" + TLS_TRUSTSTORE_FILE,
PASSWORD,
+ "TLS", secureRandom);
+ KeyManagerFactory swappableKeyManagerFactory =
sslFactory.getKeyManagerFactory().get();
+ assertEquals(swappableKeyManagerFactory.getKeyManagers().length,
keyManagerFactory.getKeyManagers().length);
+ assertEquals(swappableKeyManagerFactory.getKeyManagers().length, 1);
+ assertSSLKeyManagersEqual(swappableKeyManagerFactory.getKeyManagers()[0],
keyManagerFactory.getKeyManagers()[0]);
+ TrustManagerFactory swappableTrustManagerFactory =
sslFactory.getTrustManagerFactory().get();
+ assertEquals(swappableTrustManagerFactory.getTrustManagers().length,
+ trustManagerFactory.getTrustManagers().length);
+ assertEquals(swappableTrustManagerFactory.getTrustManagers().length, 1);
+
assertSSLTrustManagersEqual(swappableTrustManagerFactory.getTrustManagers()[0],
+ trustManagerFactory.getTrustManagers()[0]);
+ SSLContext swappableSSLContext = sslFactory.getSslContext();
+ assertEquals(swappableSSLContext.getProtocol(), sslContext.getProtocol());
+ assertEquals(swappableSSLContext.getProvider(), sslContext.getProvider());
+ }
+
+ private static void assertSSLKeyManagersEqual(KeyManager km1, KeyManager
km2) {
+ X509KeyManager x509KeyManager1 = (X509KeyManager) km1;
+ X509KeyManager x509KeyManager2 = (X509KeyManager) km2;
+ assertEquals(x509KeyManager1.getPrivateKey("mykey"),
x509KeyManager2.getPrivateKey("mykey"));
+
+ Certificate[] certs1 = x509KeyManager1.getCertificateChain("mykey");
+ Certificate[] certs2 = x509KeyManager2.getCertificateChain("mykey");
+ assertEquals(certs1.length, certs2.length);
+ assertEquals(certs1.length, 1);
+ assertEquals(certs1[0], certs2[0]);
+ }
+
+ private static void assertSSLTrustManagersEqual(TrustManager tm1,
TrustManager tm2) {
+ X509TrustManager x509TrustManager1 = (X509TrustManager) tm1;
+ X509TrustManager x509TrustManager2 = (X509TrustManager) tm2;
+
+ assertEquals(x509TrustManager1.getAcceptedIssuers().length,
x509TrustManager2.getAcceptedIssuers().length);
+ assertEquals(x509TrustManager1.getAcceptedIssuers().length, 1);
+ assertEquals(x509TrustManager1.getAcceptedIssuers()[0],
x509TrustManager2.getAcceptedIssuers()[0]);
+ }
+}
diff --git a/pinot-common/src/test/resources/tls/keystore.p12
b/pinot-common/src/test/resources/tls/keystore.p12
new file mode 100644
index 0000000000..d2a87e5dc6
Binary files /dev/null and b/pinot-common/src/test/resources/tls/keystore.p12
differ
diff --git a/pinot-common/src/test/resources/tls/truststore.p12
b/pinot-common/src/test/resources/tls/truststore.p12
new file mode 100644
index 0000000000..98c97bb079
Binary files /dev/null and b/pinot-common/src/test/resources/tls/truststore.p12
differ
diff --git
a/pinot-core/src/main/java/org/apache/pinot/core/transport/grpc/GrpcQueryServer.java
b/pinot-core/src/main/java/org/apache/pinot/core/transport/grpc/GrpcQueryServer.java
index b238d7de0c..7ac88bb6ba 100644
---
a/pinot-core/src/main/java/org/apache/pinot/core/transport/grpc/GrpcQueryServer.java
+++
b/pinot-core/src/main/java/org/apache/pinot/core/transport/grpc/GrpcQueryServer.java
@@ -31,6 +31,7 @@ import io.grpc.stub.StreamObserver;
import java.io.IOException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
+import nl.altindag.ssl.SSLFactory;
import org.apache.pinot.common.config.GrpcConfig;
import org.apache.pinot.common.config.TlsConfig;
import org.apache.pinot.common.datatable.DataTable;
@@ -89,11 +90,10 @@ public class GrpcQueryServer extends
PinotQueryServerGrpc.PinotQueryServerImplBa
if (tlsConfig.getKeyStorePath() == null) {
throw new IllegalArgumentException("Must provide key store path for
secured gRpc server");
}
- SslContextBuilder sslContextBuilder =
SslContextBuilder.forServer(TlsUtils.createKeyManagerFactory(tlsConfig))
+ SSLFactory sslFactory = TlsUtils.createSSLFactory(tlsConfig);
+ SslContextBuilder sslContextBuilder =
SslContextBuilder.forServer(sslFactory.getKeyManagerFactory().get())
.sslProvider(SslProvider.valueOf(tlsConfig.getSslProvider()));
- if (tlsConfig.getTrustStorePath() != null) {
-
sslContextBuilder.trustManager(TlsUtils.createTrustManagerFactory(tlsConfig));
- }
+
sslFactory.getTrustManagerFactory().ifPresent(sslContextBuilder::trustManager);
if (tlsConfig.isClientAuthEnabled()) {
sslContextBuilder.clientAuth(ClientAuth.REQUIRE);
}
diff --git
a/pinot-core/src/main/java/org/apache/pinot/core/util/ListenerConfigUtil.java
b/pinot-core/src/main/java/org/apache/pinot/core/util/ListenerConfigUtil.java
index 93b729845a..a75f620600 100644
---
a/pinot-core/src/main/java/org/apache/pinot/core/util/ListenerConfigUtil.java
+++
b/pinot-core/src/main/java/org/apache/pinot/core/util/ListenerConfigUtil.java
@@ -304,7 +304,7 @@ public final class ListenerConfigUtil {
private static File cacheInTempFile(String sourceUrl) {
try {
- URL url = TlsUtils.makeKeyStoreUrl(sourceUrl);
+ URL url = TlsUtils.makeKeyOrTrustStoreUrl(sourceUrl);
if ("file".equals(url.getProtocol())) {
return new File(url.getPath());
}
diff --git a/pom.xml b/pom.xml
index bcee2e06af..99fd00dd94 100644
--- a/pom.xml
+++ b/pom.xml
@@ -163,6 +163,7 @@
<joda-time.version>2.12.5</joda-time.version>
<testng.version>7.8.0</testng.version>
<woodstox.version>6.4.0</woodstox.version>
+ <sslcontext.kickstart.version>8.2.0</sslcontext.kickstart.version>
<!-- Sets the VM argument line used when unit tests are run. -->
<argLine>-Xms4g -Xmx4g</argLine>
@@ -1414,6 +1415,12 @@
</dependency>
<!-- Lucene dependencies end -->
+ <dependency>
+ <groupId>io.github.hakky54</groupId>
+ <artifactId>sslcontext-kickstart-for-netty</artifactId>
+ <version>${sslcontext.kickstart.version}</version>
+ </dependency>
+
</dependencies>
</dependencyManagement>
<build>
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
