gavinchou commented on code in PR #359:
URL: https://github.com/apache/doris-thirdparty/pull/359#discussion_r2381184199
##########
src/main/java/com/sleepycat/je/rep/utilint/net/SSLChannelFactory.java:
##########
@@ -262,6 +312,400 @@ public static boolean isValidHostVerifier(String hvSpec) {
return false;
}
+ /**
+ * Initialize certificate file watcher for automatic reloading.
+ */
+ private void initializeCertificateWatcher() {
+ if (instanceParams == null) {
+ return;
+ }
+
+ try {
+ final ReplicationSSLConfig config =
+ (ReplicationSSLConfig)
instanceParams.getContext().getRepNetConfig();
+
+ // Get the refresh interval from configuration
+ long refreshInterval = config.getSSLCertRefreshIntervalSeconds();
+
+ // If refresh interval is 0, disable certificate monitoring
+ if (refreshInterval == 0) {
+ logger.log(INFO, "Certificate file monitoring disabled
(refresh interval = 0)");
+ return;
+ }
+
+ certificateWatcher = new CertificateFileWatcher(logger,
refreshInterval);
+
+ // Watch keystore file if configured, otherwise track PEM material
+ String keystorePath = config.getSSLKeyStore();
+ if (keystorePath == null || keystorePath.isEmpty()) {
+ keystorePath = System.getProperty("javax.net.ssl.keyStore");
+ }
+ if (keystorePath != null && !keystorePath.isEmpty()) {
+ certificateWatcher.registerFile(keystorePath,
+ this::reloadCertificates);
+ } else {
+ final String pemCert = config.getSSLPemCertFile();
+ final String pemKey = config.getSSLPemKeyFile();
+ if (pemCert != null && !pemCert.isEmpty()) {
+ certificateWatcher.registerFile(pemCert,
+ this::reloadCertificates);
+ }
+ if (pemKey != null && !pemKey.isEmpty()) {
+ certificateWatcher.registerFile(pemKey,
+ this::reloadCertificates);
+ }
+ }
+
+ // Watch truststore file if configured, otherwise track PEM CA cert
+ String truststorePath = config.getSSLTrustStore();
+ if (truststorePath == null || truststorePath.isEmpty()) {
+ truststorePath =
+ System.getProperty("javax.net.ssl.trustStore");
+ }
+ if (truststorePath != null && !truststorePath.isEmpty()) {
+ certificateWatcher.registerFile(truststorePath,
+ this::reloadCertificates);
+ } else {
+ final String pemCa = config.getSSLPemCaCertFile();
+ if (pemCa != null && !pemCa.isEmpty()) {
+ certificateWatcher.registerFile(pemCa,
+ this::reloadCertificates);
+ }
+ }
+
+ logger.log(INFO, "Certificate file monitoring initialized with " +
refreshInterval + " second interval");
+
+ } catch (Exception e) {
+ logger.log(WARNING, "Failed to initialize certificate file
watcher: " + e.getMessage());
+ }
+ }
+
+ /**
+ * Reload certificates when file changes are detected.
+ * This method implements smart certificate transition that handles
multiple file changes efficiently.
+ *
+ * @param changedFilePath the path of the file that changed
+ */
+ private void reloadCertificates(String changedFilePath) {
+ if (instanceParams == null) {
+ logger.log(WARNING, "Cannot reload certificates: instance
parameters not available");
+ return;
+ }
+
+ logger.log(INFO, "Starting smart certificate reload due to file
change: " + changedFilePath);
+
+ // Record this file change with timestamp
+ pendingReloads.put(changedFilePath, System.currentTimeMillis());
+
+ try {
+ // Start or continue the certificate transition process
+ smartCertificateTransition();
+
+ } catch (Exception e) {
+ logger.log(WARNING, "Failed to reload SSL certificates: " +
e.getMessage());
+ // Remove from pending if failed
+ pendingReloads.remove(changedFilePath);
+ }
+ }
+
+ /**
+ * Smart certificate transition that handles multiple file changes
efficiently.
+ * This approach:
+ * 1. Collects multiple certificate changes in a short time window
+ * 2. Performs a single reload operation for all changes
+ * 3. Avoids redundant SSL context reconstruction
+ * 4. Supports independent processing of different certificate files
+ */
+ private void smartCertificateTransition() {
+ synchronized (this) {
+ if (inCertificateTransition) {
+ // Already in progress, the pending changes will be picked up
+ logger.log(INFO, "Certificate transition in progress, queuing
additional changes");
+ return;
+ }
+
+ if (pendingReloads.isEmpty()) {
+ return;
+ }
+
+ inCertificateTransition = true;
+ transitionStartTime = System.currentTimeMillis();
+ }
+
+ // Use a background thread to handle the actual transition
+ Thread transitionThread = new
Thread(this::performCertificateTransition, "SSLCertTransition");
Review Comment:
这个是有必要的嘛?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
