From b3217ba43988e0ed202c5ad750ba9034618987f2 Mon Sep 17 00:00:00 2001 From: HTHou Date: Mon, 29 Sep 2025 19:06:46 +0800 Subject: [PATCH 1/5] dev --- .../manager/consensus/ConsensusManager.java | 9 +-- .../service/thrift/ConfigNodeRPCService.java | 8 +-- .../AsyncIoTConsensusServiceClient.java | 8 +-- .../client/SyncIoTConsensusServiceClient.java | 8 +-- .../db/consensus/DataRegionConsensusImpl.java | 24 +++---- .../consensus/SchemaRegionConsensusImpl.java | 9 +-- .../db/protocol/client/ConfigNodeClient.java | 8 +-- .../exchange/MPPDataExchangeService.java | 8 +-- .../service/DataNodeInternalRPCService.java | 8 +-- .../apache/iotdb/db/service/RestService.java | 2 +- .../commons/client/ainode/AINodeClient.java | 6 +- .../ainode/AsyncAINodeServiceClient.java | 8 +-- .../AsyncConfigNodeInternalServiceClient.java | 8 +-- .../AsyncDataNodeExternalServiceClient.java | 8 +-- .../AsyncDataNodeInternalServiceClient.java | 8 +-- ...cDataNodeMPPDataExchangeServiceClient.java | 8 +-- .../AsyncPipeConsensusServiceClient.java | 8 +-- .../sync/SyncConfigNodeIServiceClient.java | 8 +-- .../SyncDataNodeInternalServiceClient.java | 8 +-- ...cDataNodeMPPDataExchangeServiceClient.java | 8 +-- .../sync/SyncPipeConsensusServiceClient.java | 8 +-- .../iotdb/commons/conf/CommonConfig.java | 66 +++++++++++++++---- .../service/AbstractThriftServiceThread.java | 2 +- 23 files changed, 147 insertions(+), 99 deletions(-) diff --git a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/consensus/ConsensusManager.java b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/consensus/ConsensusManager.java index a4436a94fa28..580c1ded0467 100644 --- a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/consensus/ConsensusManager.java +++ b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/consensus/ConsensusManager.java 
@@ -175,10 +175,11 @@ private void setConsensusLayer(ConfigRegionStateMachine stateMachine) { .setLeaderOutstandingAppendsMax( CONF.getConfigNodeRatisGrpcLeaderOutstandingAppendsMax()) .setEnableSSL(COMMON_CONF.isEnableInternalSSL()) - .setSslKeyStorePath(COMMON_CONF.getKeyStorePath()) - .setSslKeyStorePassword(COMMON_CONF.getKeyStorePwd()) - .setSslTrustStorePath(COMMON_CONF.getTrustStorePath()) - .setSslTrustStorePassword(COMMON_CONF.getTrustStorePwd()) + .setSslKeyStorePath(COMMON_CONF.getInternalKeyStorePath()) + .setSslKeyStorePassword(COMMON_CONF.getInternalKeyStorePwd()) + .setSslTrustStorePath(COMMON_CONF.getInternalTrustStorePath()) + .setSslTrustStorePassword( + COMMON_CONF.getInternalTrustStorePwd()) .build()) .setRpc( RatisConfig.Rpc.newBuilder() diff --git a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/service/thrift/ConfigNodeRPCService.java b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/service/thrift/ConfigNodeRPCService.java index 15be2e90d43f..cff2464c5a9f 100644 --- a/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/service/thrift/ConfigNodeRPCService.java +++ b/iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/service/thrift/ConfigNodeRPCService.java @@ -72,10 +72,10 @@ public void initThriftServiceThread() throws IllegalAccessException { configConf.getThriftServerAwaitTimeForStopService(), new ConfigNodeRPCServiceHandler(), commonConfig.isRpcThriftCompressionEnabled(), - commonConfig.getKeyStorePath(), - commonConfig.getKeyStorePwd(), - commonConfig.getTrustStorePath(), - commonConfig.getTrustStorePwd(), + commonConfig.getInternalKeyStorePath(), + commonConfig.getInternalKeyStorePwd(), + commonConfig.getInternalTrustStorePath(), + commonConfig.getInternalTrustStorePwd(), DeepCopyRpcTransportFactory.INSTANCE) : new ThriftServiceThread( processor, 
diff --git a/iotdb-core/consensus/src/main/java/org/apache/iotdb/consensus/iot/client/AsyncIoTConsensusServiceClient.java b/iotdb-core/consensus/src/main/java/org/apache/iotdb/consensus/iot/client/AsyncIoTConsensusServiceClient.java index 4a7090627470..f4c7f1b9b2fa 100644 --- a/iotdb-core/consensus/src/main/java/org/apache/iotdb/consensus/iot/client/AsyncIoTConsensusServiceClient.java +++ b/iotdb-core/consensus/src/main/java/org/apache/iotdb/consensus/iot/client/AsyncIoTConsensusServiceClient.java @@ -63,10 +63,10 @@ public AsyncIoTConsensusServiceClient( endpoint.getIp(), endpoint.getPort(), property.getConnectionTimeoutMs(), - commonConfig.getKeyStorePath(), - commonConfig.getKeyStorePwd(), - commonConfig.getTrustStorePath(), - commonConfig.getTrustStorePwd()) + commonConfig.getInternalKeyStorePath(), + commonConfig.getInternalKeyStorePwd(), + commonConfig.getInternalTrustStorePath(), + commonConfig.getInternalTrustStorePwd()) : TNonblockingTransportWrapper.wrap( endpoint.getIp(), endpoint.getPort(), property.getConnectionTimeoutMs())); setTimeout(property.getConnectionTimeoutMs()); diff --git a/iotdb-core/consensus/src/main/java/org/apache/iotdb/consensus/iot/client/SyncIoTConsensusServiceClient.java b/iotdb-core/consensus/src/main/java/org/apache/iotdb/consensus/iot/client/SyncIoTConsensusServiceClient.java index 43b2f60d89f4..9ba9eb330898 100644 --- a/iotdb-core/consensus/src/main/java/org/apache/iotdb/consensus/iot/client/SyncIoTConsensusServiceClient.java +++ b/iotdb-core/consensus/src/main/java/org/apache/iotdb/consensus/iot/client/SyncIoTConsensusServiceClient.java 
@@ -58,10 +58,10 @@ public SyncIoTConsensusServiceClient( endpoint.getIp(), endpoint.getPort(), property.getConnectionTimeoutMs(), - commonConfig.getTrustStorePath(), - commonConfig.getTrustStorePwd(), - commonConfig.getKeyStorePath(), - commonConfig.getKeyStorePwd()) + commonConfig.getInternalTrustStorePath(), + commonConfig.getInternalTrustStorePwd(), + commonConfig.getInternalKeyStorePath(), + commonConfig.getInternalKeyStorePwd()) : DeepCopyRpcTransportFactory.INSTANCE.getTransport( new TSocket( TConfigurationConst.defaultTConfiguration, diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/consensus/DataRegionConsensusImpl.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/consensus/DataRegionConsensusImpl.java index 2649f8de7af4..2782b8a7ff7b 100644 --- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/consensus/DataRegionConsensusImpl.java +++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/consensus/DataRegionConsensusImpl.java @@ -139,10 +139,10 @@ private static ConsensusConfig buildConsensusConfig() { .setThriftMaxFrameSize(CONF.getThriftMaxFrameSize()) .setMaxClientNumForEachNode(CONF.getMaxClientNumForEachNode()) .setEnableSSL(COMMON_CONF.isEnableInternalSSL()) - .setSslKeyStorePath(COMMON_CONF.getKeyStorePath()) - .setSslKeyStorePassword(COMMON_CONF.getKeyStorePwd()) - .setSslTrustStorePath(COMMON_CONF.getTrustStorePath()) - .setSslTrustStorePassword(COMMON_CONF.getTrustStorePwd()) + .setSslKeyStorePath(COMMON_CONF.getInternalKeyStorePath()) + .setSslKeyStorePassword(COMMON_CONF.getInternalKeyStorePwd()) + .setSslTrustStorePath(COMMON_CONF.getInternalTrustStorePath()) + .setSslTrustStorePassword(COMMON_CONF.getInternalTrustStorePwd()) .build()) .setReplication( IoTConsensusConfig.Replication.newBuilder() 
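Review bot: In the SyncIoTConsensusServiceClient hunk the four store arguments are passed trust store first (`getInternalTrustStorePath(), getInternalTrustStorePwd(), getInternalKeyStorePath(), getInternalKeyStorePwd()`), while the async clients in this patch pass the key store first. All four are plain strings, so a swapped pair compiles and would only show up as a handshake failure at runtime, which matters more now that the server side can require client certificates. The callee's signature is outside the hunk, so this order may well be correct; a comment at the call such as `// order: trustStorePath, trustStorePwd, keyStorePath, keyStorePwd` would make it checkable. The same applies to ConfigNodeClient.connect and to the SyncConfigNodeIServiceClient, SyncDataNodeInternalServiceClient, SyncDataNodeMPPDataExchangeServiceClient and SyncPipeConsensusServiceClient constructors.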
@@ -168,10 +168,10 @@ private static ConsensusConfig buildConsensusConfig() { CONF.getThriftServerAwaitTimeForStopService()) .setThriftMaxFrameSize(CONF.getThriftMaxFrameSize()) .setEnableSSL(COMMON_CONF.isEnableInternalSSL()) - .setSslKeyStorePath(COMMON_CONF.getKeyStorePath()) - .setSslKeyStorePassword(COMMON_CONF.getKeyStorePwd()) - .setSslTrustStorePath(COMMON_CONF.getTrustStorePath()) - .setSslTrustStorePassword(COMMON_CONF.getTrustStorePwd()) + .setSslKeyStorePath(COMMON_CONF.getInternalKeyStorePath()) + .setSslKeyStorePassword(COMMON_CONF.getInternalKeyStorePwd()) + .setSslTrustStorePath(COMMON_CONF.getInternalTrustStorePath()) + .setSslTrustStorePassword(COMMON_CONF.getInternalTrustStorePwd()) .build()) .setPipe( PipeConsensusConfig.Pipe.newBuilder() @@ -223,10 +223,10 @@ private static ConsensusConfig buildConsensusConfig() { .setLeaderOutstandingAppendsMax( CONF.getDataRatisConsensusGrpcLeaderOutstandingAppendsMax()) .setEnableSSL(COMMON_CONF.isEnableInternalSSL()) - .setSslKeyStorePath(COMMON_CONF.getKeyStorePath()) - .setSslKeyStorePassword(COMMON_CONF.getKeyStorePwd()) - .setSslTrustStorePath(COMMON_CONF.getTrustStorePath()) - .setSslTrustStorePassword(COMMON_CONF.getTrustStorePwd()) + .setSslKeyStorePath(COMMON_CONF.getInternalKeyStorePath()) + .setSslKeyStorePassword(COMMON_CONF.getInternalKeyStorePwd()) + .setSslTrustStorePath(COMMON_CONF.getInternalTrustStorePath()) + .setSslTrustStorePassword(COMMON_CONF.getInternalTrustStorePwd()) .build()) .setRpc( RatisConfig.Rpc.newBuilder() diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/consensus/SchemaRegionConsensusImpl.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/consensus/SchemaRegionConsensusImpl.java index e5b9fbe15d00..fd5f200678e7 100644 --- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/consensus/SchemaRegionConsensusImpl.java +++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/consensus/SchemaRegionConsensusImpl.java 
@@ -110,10 +110,11 @@ private static void reinitializeStatics() { CONF .getSchemaRatisConsensusGrpcLeaderOutstandingAppendsMax()) .setEnableSSL(COMMON_CONF.isEnableInternalSSL()) - .setSslKeyStorePath(COMMON_CONF.getKeyStorePath()) - .setSslKeyStorePassword(COMMON_CONF.getKeyStorePwd()) - .setSslTrustStorePath(COMMON_CONF.getTrustStorePath()) - .setSslTrustStorePassword(COMMON_CONF.getTrustStorePwd()) + .setSslKeyStorePath(COMMON_CONF.getInternalKeyStorePath()) + .setSslKeyStorePassword(COMMON_CONF.getInternalKeyStorePwd()) + .setSslTrustStorePath(COMMON_CONF.getInternalTrustStorePath()) + .setSslTrustStorePassword( + COMMON_CONF.getInternalTrustStorePwd()) .build()) .setRpc( RatisConfig.Rpc.newBuilder() diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/client/ConfigNodeClient.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/client/ConfigNodeClient.java index 6ce425143f2d..2497ca398112 100644 --- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/client/ConfigNodeClient.java +++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/client/ConfigNodeClient.java @@ -277,10 +277,10 @@ public void connect(TEndPoint endpoint, int timeoutMs) throws TException { endpoint.getIp(), endpoint.getPort(), timeoutMs, - commonConfig.getTrustStorePath(), - commonConfig.getTrustStorePwd(), - commonConfig.getKeyStorePath(), - commonConfig.getKeyStorePwd()) + commonConfig.getInternalTrustStorePath(), + commonConfig.getInternalTrustStorePwd(), + commonConfig.getInternalKeyStorePath(), + commonConfig.getInternalKeyStorePwd()) : DeepCopyRpcTransportFactory.INSTANCE.getTransport( // As there is a try-catch already, we do not need to use TSocket.wrap endpoint.getIp(), endpoint.getPort(), timeoutMs); 
diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/execution/exchange/MPPDataExchangeService.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/execution/exchange/MPPDataExchangeService.java index 52ab689f3042..1af11d6d20eb 100644 --- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/execution/exchange/MPPDataExchangeService.java +++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/execution/exchange/MPPDataExchangeService.java @@ -104,10 +104,10 @@ public void initThriftServiceThread() throws IllegalAccessException { config.getThriftServerAwaitTimeForStopService(), new MPPDataExchangeServiceThriftHandler(), config.isRpcThriftCompressionEnable(), - commonConfig.getKeyStorePath(), - commonConfig.getKeyStorePwd(), - commonConfig.getTrustStorePath(), - commonConfig.getTrustStorePwd(), + commonConfig.getInternalKeyStorePath(), + commonConfig.getInternalKeyStorePwd(), + commonConfig.getInternalTrustStorePath(), + commonConfig.getInternalTrustStorePwd(), DeepCopyRpcTransportFactory.INSTANCE) : new ThriftServiceThread( processor, diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/service/DataNodeInternalRPCService.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/service/DataNodeInternalRPCService.java index 5de1041a9a00..0d473360f8b2 100644 --- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/service/DataNodeInternalRPCService.java +++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/service/DataNodeInternalRPCService.java 
@@ -74,10 +74,10 @@ public void initThriftServiceThread() throws IllegalAccessException { config.getThriftServerAwaitTimeForStopService(), new InternalServiceThriftHandler(), config.isRpcThriftCompressionEnable(), - commonConfig.getKeyStorePath(), - commonConfig.getKeyStorePwd(), - commonConfig.getTrustStorePath(), - commonConfig.getTrustStorePwd(), + commonConfig.getInternalKeyStorePath(), + commonConfig.getInternalKeyStorePwd(), + commonConfig.getInternalTrustStorePath(), + commonConfig.getInternalTrustStorePwd(), DeepCopyRpcTransportFactory.INSTANCE) : new ThriftServiceThread( processor, diff --git a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/service/RestService.java b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/service/RestService.java index fa8df0c9a692..7fc4d788380e 100644 --- a/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/service/RestService.java +++ b/iotdb-core/datanode/src/main/java/org/apache/iotdb/db/service/RestService.java @@ -67,7 +67,7 @@ private void startSSL( if (clientAuth) { sslContextFactory.setTrustStorePath(trustStorePath); sslContextFactory.setTrustStorePassword(trustStorePwd); - sslContextFactory.setNeedClientAuth(clientAuth); + sslContextFactory.setNeedClientAuth(true); } ServerConnector httpsConnector = diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/ainode/AINodeClient.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/ainode/AINodeClient.java index 0058bc7a2fc6..d75df7a07f3e 100644 --- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/ainode/AINodeClient.java +++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/ainode/AINodeClient.java 
@@ -107,8 +107,10 @@ private void init() throws TException { if (commonConfig.isEnableInternalSSL()) { TSSLTransportFactory.TSSLTransportParameters params = new TSSLTransportFactory.TSSLTransportParameters(); - params.setTrustStore(commonConfig.getTrustStorePath(), commonConfig.getTrustStorePwd()); - params.setKeyStore(commonConfig.getKeyStorePath(), commonConfig.getKeyStorePwd()); + params.setTrustStore( + commonConfig.getInternalTrustStorePath(), commonConfig.getInternalTrustStorePwd()); + params.setKeyStore( + commonConfig.getInternalKeyStorePath(), commonConfig.getInternalKeyStorePwd()); transport = new TFramedTransport.Factory() .getTransport( diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/ainode/AsyncAINodeServiceClient.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/ainode/AsyncAINodeServiceClient.java index ba0b1d11e70c..cea906e765c9 100644 --- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/ainode/AsyncAINodeServiceClient.java +++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/ainode/AsyncAINodeServiceClient.java @@ -58,10 +58,10 @@ public AsyncAINodeServiceClient( endPoint.getIp(), endPoint.getPort(), property.getConnectionTimeoutMs(), - commonConfig.getKeyStorePath(), - commonConfig.getKeyStorePwd(), - commonConfig.getTrustStorePath(), - commonConfig.getTrustStorePwd()) + commonConfig.getInternalKeyStorePath(), + commonConfig.getInternalKeyStorePwd(), + commonConfig.getInternalTrustStorePath(), + commonConfig.getInternalTrustStorePwd()) : TNonblockingTransportWrapper.wrap( endPoint.getIp(), endPoint.getPort(), property.getConnectionTimeoutMs())); setTimeout(property.getConnectionTimeoutMs()); 
diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/async/AsyncConfigNodeInternalServiceClient.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/async/AsyncConfigNodeInternalServiceClient.java index 70786f400963..147ed6743fcf 100644 --- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/async/AsyncConfigNodeInternalServiceClient.java +++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/async/AsyncConfigNodeInternalServiceClient.java @@ -65,10 +65,10 @@ public AsyncConfigNodeInternalServiceClient( endpoint.getIp(), endpoint.getPort(), property.getConnectionTimeoutMs(), - commonConfig.getKeyStorePath(), - commonConfig.getKeyStorePwd(), - commonConfig.getTrustStorePath(), - commonConfig.getTrustStorePwd()) + commonConfig.getInternalKeyStorePath(), + commonConfig.getInternalKeyStorePwd(), + commonConfig.getInternalTrustStorePath(), + commonConfig.getInternalTrustStorePwd()) : TNonblockingTransportWrapper.wrap( endpoint.getIp(), endpoint.getPort(), property.getConnectionTimeoutMs())); setTimeout(property.getConnectionTimeoutMs()); diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/async/AsyncDataNodeExternalServiceClient.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/async/AsyncDataNodeExternalServiceClient.java index 3751104e853d..2a6417a1594a 100644 --- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/async/AsyncDataNodeExternalServiceClient.java +++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/async/AsyncDataNodeExternalServiceClient.java 
@@ -65,10 +65,10 @@ public AsyncDataNodeExternalServiceClient( endpoint.getIp(), endpoint.getPort(), property.getConnectionTimeoutMs(), - commonConfig.getKeyStorePath(), - commonConfig.getKeyStorePwd(), - commonConfig.getTrustStorePath(), - commonConfig.getTrustStorePwd()) + commonConfig.getInternalKeyStorePath(), + commonConfig.getInternalKeyStorePwd(), + commonConfig.getInternalTrustStorePath(), + commonConfig.getInternalTrustStorePwd()) : TNonblockingTransportWrapper.wrap( endpoint.getIp(), endpoint.getPort(), property.getConnectionTimeoutMs())); setTimeout(property.getConnectionTimeoutMs()); diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/async/AsyncDataNodeInternalServiceClient.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/async/AsyncDataNodeInternalServiceClient.java index 9edfdb3d8e50..0b8b66ca3105 100644 --- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/async/AsyncDataNodeInternalServiceClient.java +++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/async/AsyncDataNodeInternalServiceClient.java @@ -67,10 +67,10 @@ public AsyncDataNodeInternalServiceClient( endpoint.getIp(), endpoint.getPort(), property.getConnectionTimeoutMs(), - commonConfig.getKeyStorePath(), - commonConfig.getKeyStorePwd(), - commonConfig.getTrustStorePath(), - commonConfig.getTrustStorePwd()) + commonConfig.getInternalKeyStorePath(), + commonConfig.getInternalKeyStorePwd(), + commonConfig.getInternalTrustStorePath(), + commonConfig.getInternalTrustStorePwd()) : TNonblockingTransportWrapper.wrap( endpoint.getIp(), endpoint.getPort(), property.getConnectionTimeoutMs())); setTimeout(property.getConnectionTimeoutMs()); 
diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/async/AsyncDataNodeMPPDataExchangeServiceClient.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/async/AsyncDataNodeMPPDataExchangeServiceClient.java index d3d81401ff05..d59c28c9ffa7 100644 --- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/async/AsyncDataNodeMPPDataExchangeServiceClient.java +++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/async/AsyncDataNodeMPPDataExchangeServiceClient.java @@ -63,10 +63,10 @@ public AsyncDataNodeMPPDataExchangeServiceClient( endpoint.getIp(), endpoint.getPort(), property.getConnectionTimeoutMs(), - commonConfig.getKeyStorePath(), - commonConfig.getKeyStorePwd(), - commonConfig.getTrustStorePath(), - commonConfig.getTrustStorePwd()) + commonConfig.getInternalKeyStorePath(), + commonConfig.getInternalKeyStorePwd(), + commonConfig.getInternalTrustStorePath(), + commonConfig.getInternalTrustStorePwd()) : TNonblockingTransportWrapper.wrap( endpoint.getIp(), endpoint.getPort(), property.getConnectionTimeoutMs())); setTimeout(property.getConnectionTimeoutMs()); diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/async/AsyncPipeConsensusServiceClient.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/async/AsyncPipeConsensusServiceClient.java index fb59d2147d1b..a5164634d77b 100644 --- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/async/AsyncPipeConsensusServiceClient.java +++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/async/AsyncPipeConsensusServiceClient.java 
@@ -68,10 +68,10 @@ public AsyncPipeConsensusServiceClient( endpoint.getIp(), endpoint.getPort(), property.getConnectionTimeoutMs(), - commonConfig.getKeyStorePath(), - commonConfig.getKeyStorePwd(), - commonConfig.getTrustStorePath(), - commonConfig.getTrustStorePwd()) + commonConfig.getInternalKeyStorePath(), + commonConfig.getInternalKeyStorePwd(), + commonConfig.getInternalTrustStorePath(), + commonConfig.getInternalTrustStorePwd()) : TNonblockingTransportWrapper.wrap( endpoint.getIp(), endpoint.getPort(), property.getConnectionTimeoutMs())); setTimeout(property.getConnectionTimeoutMs()); diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/sync/SyncConfigNodeIServiceClient.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/sync/SyncConfigNodeIServiceClient.java index ced2c92b4a0e..53616f4c421c 100644 --- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/sync/SyncConfigNodeIServiceClient.java +++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/sync/SyncConfigNodeIServiceClient.java @@ -60,10 +60,10 @@ public SyncConfigNodeIServiceClient( endPoint.getIp(), endPoint.getPort(), property.getConnectionTimeoutMs(), - commonConfig.getTrustStorePath(), - commonConfig.getTrustStorePwd(), - commonConfig.getKeyStorePath(), - commonConfig.getKeyStorePwd()) + commonConfig.getInternalTrustStorePath(), + commonConfig.getInternalTrustStorePwd(), + commonConfig.getInternalKeyStorePath(), + commonConfig.getInternalKeyStorePwd()) : DeepCopyRpcTransportFactory.INSTANCE.getTransport( new TSocket( TConfigurationConst.defaultTConfiguration, diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/sync/SyncDataNodeInternalServiceClient.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/sync/SyncDataNodeInternalServiceClient.java index 854b4a4aa18b..8df5538677f3 100644 
--- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/sync/SyncDataNodeInternalServiceClient.java +++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/sync/SyncDataNodeInternalServiceClient.java @@ -61,10 +61,10 @@ public SyncDataNodeInternalServiceClient( endpoint.getIp(), endpoint.getPort(), property.getConnectionTimeoutMs(), - commonConfig.getTrustStorePath(), - commonConfig.getTrustStorePwd(), - commonConfig.getKeyStorePath(), - commonConfig.getKeyStorePwd()) + commonConfig.getInternalTrustStorePath(), + commonConfig.getInternalTrustStorePwd(), + commonConfig.getInternalKeyStorePath(), + commonConfig.getInternalKeyStorePwd()) : DeepCopyRpcTransportFactory.INSTANCE.getTransport( new TSocket( TConfigurationConst.defaultTConfiguration, diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/sync/SyncDataNodeMPPDataExchangeServiceClient.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/sync/SyncDataNodeMPPDataExchangeServiceClient.java index 4dcde11bfac6..ea1500f2ecf6 100644 --- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/sync/SyncDataNodeMPPDataExchangeServiceClient.java +++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/sync/SyncDataNodeMPPDataExchangeServiceClient.java @@ -60,10 +60,10 @@ public SyncDataNodeMPPDataExchangeServiceClient( endpoint.getIp(), endpoint.getPort(), property.getConnectionTimeoutMs(), - commonConfig.getTrustStorePath(), - commonConfig.getTrustStorePwd(), - commonConfig.getKeyStorePath(), - commonConfig.getKeyStorePwd()) + commonConfig.getInternalTrustStorePath(), + commonConfig.getInternalTrustStorePwd(), + commonConfig.getInternalKeyStorePath(), + commonConfig.getInternalKeyStorePwd()) : DeepCopyRpcTransportFactory.INSTANCE.getTransport( new TSocket( TConfigurationConst.defaultTConfiguration, 
diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/sync/SyncPipeConsensusServiceClient.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/sync/SyncPipeConsensusServiceClient.java index 334d3cf43fc3..abf1da46370b 100644 --- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/sync/SyncPipeConsensusServiceClient.java +++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/sync/SyncPipeConsensusServiceClient.java @@ -60,10 +60,10 @@ public SyncPipeConsensusServiceClient( endpoint.getIp(), endpoint.getPort(), property.getConnectionTimeoutMs(), - commonConfig.getTrustStorePath(), - commonConfig.getTrustStorePwd(), - commonConfig.getKeyStorePath(), - commonConfig.getKeyStorePwd()) + commonConfig.getInternalTrustStorePath(), + commonConfig.getInternalTrustStorePwd(), + commonConfig.getInternalKeyStorePath(), + commonConfig.getInternalKeyStorePwd()) : DeepCopyRpcTransportFactory.INSTANCE.getTransport( new TSocket( TConfigurationConst.defaultTConfiguration, diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonConfig.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonConfig.java index a960584c66c0..1ad7065f523f 100644 --- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonConfig.java +++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonConfig.java @@ -431,9 +431,6 @@ public class CommonConfig { /** Enable the Thrift Client ssl. */ private boolean enableThriftClientSSL = false; - /** Enable the cluster internal connection ssl. */ - private boolean enableInternalSSL = false; - /** ssl key Store Path. */ private String keyStorePath = ""; 
@@ -446,6 +443,21 @@ public class CommonConfig { /** ssl trust Store password. */ private String trustStorePwd = ""; + /** Enable the cluster internal connection ssl. */ + private boolean enableInternalSSL = false; + + /** ssl key Store Path for internal connection */ + private String internalKeyStorePath = ""; + + /** ssl key Store password for internal connection */ + private String internalKeyStorePwd = ""; + + /** ssl trust Store Path for internal connection */ + private String internalTrustStorePath = ""; + + /** ssl trust Store password for internal connection */ + private String internalTrustStorePwd = ""; + private String userEncryptTokenHint = "not set yet"; private boolean enforceStrongPassword = false; @@ -2569,14 +2581,6 @@ public void setEnableThriftClientSSL(boolean enableThriftClientSSL) { this.enableThriftClientSSL = enableThriftClientSSL; } - public boolean isEnableInternalSSL() { - return enableInternalSSL; - } - - public void setEnableInternalSSL(boolean enableInternalSSL) { - this.enableInternalSSL = enableInternalSSL; - } - public String getKeyStorePath() { return keyStorePath; } 
@@ -2609,6 +2613,46 @@ public void setTrustStorePwd(String trustStorePwd) { this.trustStorePwd = trustStorePwd; } + public boolean isEnableInternalSSL() { + return enableInternalSSL; + } + + public void setEnableInternalSSL(boolean enableInternalSSL) { + this.enableInternalSSL = enableInternalSSL; + } + + public String getInternalKeyStorePath() { + return internalKeyStorePath; + } + + public void setInternalKeyStorePath(String internalKeyStorePath) { + this.internalKeyStorePath = internalKeyStorePath; + } + + public String getInternalKeyStorePwd() { + return internalKeyStorePwd; + } + + public void setInternalKeyStorePwd(String internalKeyStorePwd) { + this.internalKeyStorePwd = internalKeyStorePwd; + } + + public String getInternalTrustStorePath() { + return internalTrustStorePath; + } + + public void setInternalTrustStorePath(String internalTrustStorePath) { + this.internalTrustStorePath = internalTrustStorePath; + } + + public String getInternalTrustStorePwd() { + return internalTrustStorePwd; + } + + public void setInternalTrustStorePwd(String internalTrustStorePwd) { + this.internalTrustStorePwd = internalTrustStorePwd; + } + public boolean isEnforceStrongPassword() { return enforceStrongPassword; } diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/service/AbstractThriftServiceThread.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/service/AbstractThriftServiceThread.java index 7537308d6cdf..796ae9119576 100644 --- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/service/AbstractThriftServiceThread.java +++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/service/AbstractThriftServiceThread.java 
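Review bot: The new internal store getters in CommonConfig return the new fields unconditionally, and those fields default to `""` (the `@@ -446,6 +443,21 @@` hunk), so every internal client and server that used to read `getKeyStorePath()`/`getTrustStorePath()` now gets an empty path unless something sets the new values. Nothing in this patch's diffstat appears to load them from configuration, so a deployment with internal SSL enabled and only the old store settings would presumably fail its handshakes, or on the server side run without a trust store. If the old settings are meant to stay valid, a fallback such as `return internalKeyStorePath.isEmpty() ? keyStorePath : internalKeyStorePath;` (and likewise for the other three getters) keeps upgrades working; otherwise startup should reject `enableInternalSSL` with an empty internal key store. The new getters and setters also lack Javadoc saying which connections they apply to.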
@@ -182,8 +182,8 @@ protected AbstractThriftServiceThread( params.setKeyStore(keyStorePath, keyStorePwd); if (trustStorePath != null && !trustStorePath.isEmpty()) { params.setTrustStore(trustStorePath, trustStorePwd); + params.requireClientAuth(true); } - params.requireClientAuth(false); InetSocketAddress socketAddress = new InetSocketAddress(bindAddress, port); serverTransport = TSSLTransportFactory.getServerSocket( From 43430cea2c11b8c75b515af32f56b3b1d2e89301 Mon Sep 17 00:00:00 2001 From: HTHou Date: Mon, 29 Sep 2025 19:28:00 +0800 Subject: [PATCH 2/5] Seprate client and internal SSL configurations --- .../IoTDBInsertQueryWithInternalSSLIT.java | 16 ++++---- iotdb-core/ainode/iotdb/ainode/core/config.py | 38 ++++++++++--------- .../ainode/iotdb/ainode/core/ingress/iotdb.py | 4 +- .../ainode/iotdb/ainode/core/rpc/client.py | 6 +-- .../ainode/iotdb/ainode/core/rpc/service.py | 6 +-- .../resources/conf/iotdb-ainode.properties | 6 --- .../iotdb/commons/conf/CommonConfig.java | 10 ++--- 7 files changed, 41 insertions(+), 45 deletions(-) diff --git a/integration-test/src/test/java/org/apache/iotdb/relational/it/insertquery/IoTDBInsertQueryWithInternalSSLIT.java b/integration-test/src/test/java/org/apache/iotdb/relational/it/insertquery/IoTDBInsertQueryWithInternalSSLIT.java index e880f68eb7da..f0c343f5ecbb 100644 --- a/integration-test/src/test/java/org/apache/iotdb/relational/it/insertquery/IoTDBInsertQueryWithInternalSSLIT.java +++ b/integration-test/src/test/java/org/apache/iotdb/relational/it/insertquery/IoTDBInsertQueryWithInternalSSLIT.java 
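Review bot: In the AbstractThriftServiceThread constructor hunk, client-certificate enforcement now depends only on whether `trustStorePath` is non-empty, so a service started with SSL on and no trust store configured silently accepts clients that present no certificate. That implicit switch should at least be documented above the `if`, for example `// mTLS is enabled only when a trust store is configured; without one any TLS client is accepted`, and an `else` branch that logs a warning (or a startup check for internal services) would make the fail-open case visible to operators. The callers are outside the hunk; if a client-facing service also passes a trust store through this constructor, it would start demanding client certificates after this change, which belongs in the upgrade notes. The constructor starts and ends outside the hunk.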
@@ -64,10 +64,10 @@ public void setUp() throws SQLException { .setTrustStorePath(keyDir + "test-truststore") .setTrustStorePwd("thrift"); CommonDescriptor.getInstance().getConfig().setEnableInternalSSL(true); - CommonDescriptor.getInstance().getConfig().setKeyStorePath(keyDir + "test-keystore"); - CommonDescriptor.getInstance().getConfig().setKeyStorePwd("thrift"); - CommonDescriptor.getInstance().getConfig().setTrustStorePath(keyDir + "test-truststore"); - CommonDescriptor.getInstance().getConfig().setTrustStorePwd("thrift"); + CommonDescriptor.getInstance().getConfig().setInternalKeyStorePath(keyDir + "test-keystore"); + CommonDescriptor.getInstance().getConfig().setInternalKeyStorePwd("thrift"); + CommonDescriptor.getInstance().getConfig().setInternalTrustStorePath(keyDir + "test-truststore"); + CommonDescriptor.getInstance().getConfig().setInternalTrustStorePwd("thrift"); EnvFactory.getEnv().initClusterEnvironment(); prepareDatabase(); prepareData(); @@ -82,9 +82,9 @@ public void tearDown() { fail(e.getMessage()); } CommonDescriptor.getInstance().getConfig().setEnableInternalSSL(false); - CommonDescriptor.getInstance().getConfig().setKeyStorePath(""); - CommonDescriptor.getInstance().getConfig().setKeyStorePwd(""); - CommonDescriptor.getInstance().getConfig().setTrustStorePath(""); - CommonDescriptor.getInstance().getConfig().setTrustStorePwd(""); + CommonDescriptor.getInstance().getConfig().setInternalKeyStorePath(""); + CommonDescriptor.getInstance().getConfig().setInternalKeyStorePwd(""); + CommonDescriptor.getInstance().getConfig().setInternalTrustStorePath(""); + CommonDescriptor.getInstance().getConfig().setInternalTrustStorePwd(""); } } diff --git a/iotdb-core/ainode/iotdb/ainode/core/config.py b/iotdb-core/ainode/iotdb/ainode/core/config.py index 328f4a5faa61..650d6ee53955 100644 --- a/iotdb-core/ainode/iotdb/ainode/core/config.py +++ b/iotdb-core/ainode/iotdb/ainode/core/config.py 
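Review bot: The setUp hunk in IoTDBInsertQueryWithInternalSSLIT points the internal key and trust stores at the same `test-keystore`/`test-truststore` files and `thrift` password that the context lines just above set on what appears to be the client-facing configuration, so the test would still pass if an internal code path kept reading the client stores. Since the series is about separating the two, a distinct store pair (or at least a distinct password) for the internal settings would let the test catch such a mix-up. The setUp method begins outside the hunk, so the owner of the first builder chain is inferred from the context lines only.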
@@ -104,9 +104,10 @@ def __init__(self): # use for ssl self._ain_cluster_ingress_ssl_enabled = False + self._ain_cluster_ingress_ssl_cert_file = None self._ain_internal_ssl_enabled = False - self._ain_thrift_ssl_cert_file = None - self._ain_thrift_ssl_key_file = None + self._ain_internal_ssl_cert_file = None + self._ain_internal_ssl_key_file = None # Cache number of model storage to avoid repeated loading self._ain_model_storage_cache_size = 30 
@@ -233,23 +234,29 @@ def set_ain_cluster_ingress_ssl_enabled( ) -> None: self._ain_cluster_ingress_ssl_enabled = ain_cluster_ingress_ssl_enabled + def get_ain_cluster_ingress_ssl_cert_file(self) -> str: + return self._ain_cluster_ingress_ssl_cert_file + + def set_ain_cluster_ingress_ssl_cert_file(self, ain_cluster_ingress_ssl_cert_file: str) -> None: + self._ain_cluster_ingress_ssl_cert_file = ain_cluster_ingress_ssl_cert_file + def get_ain_internal_ssl_enabled(self) -> bool: return self._ain_internal_ssl_enabled def set_ain_internal_ssl_enabled(self, ain_internal_ssl_enabled: int) -> None: self._ain_internal_ssl_enabled = ain_internal_ssl_enabled - def get_ain_thrift_ssl_cert_file(self) -> str: - return self._ain_thrift_ssl_cert_file + def get_ain_internal_ssl_cert_file(self) -> str: + return self._ain_internal_ssl_cert_file - def set_ain_thrift_ssl_cert_file(self, ain_thrift_ssl_cert_file: str) -> None: - self._ain_thrift_ssl_cert_file = ain_thrift_ssl_cert_file + def set_ain_internal_ssl_cert_file(self, ain_internal_ssl_cert_file: str) -> None: + self._ain_internal_ssl_cert_file = ain_internal_ssl_cert_file - def get_ain_thrift_ssl_key_file(self) -> str: - return self._ain_thrift_ssl_key_file + def get_ain_internal_ssl_key_file(self) -> str: + return self._ain_internal_ssl_key_file - def set_ain_thrift_ssl_key_file(self, ain_thrift_ssl_key_file: str) -> None: - self._ain_thrift_ssl_key_file = ain_thrift_ssl_key_file + def set_ain_internal_ssl_key_file(self, ain_internal_ssl_key_file: str) -> None: + self._ain_internal_ssl_key_file = ain_internal_ssl_key_file def get_ain_model_storage_cache_size(self) -> int: return self._ain_model_storage_cache_size 
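Review bot: The new getters `get_ain_cluster_ingress_ssl_cert_file`, `get_ain_internal_ssl_cert_file` and `get_ain_internal_ssl_key_file` are annotated `-> str`, but the fields they return are initialised to `None` in `__init__`, so callers can receive `None`. Annotate them as optional, e.g. `def get_ain_internal_ssl_cert_file(self) -> Optional[str]:` (assuming `Optional` is importable in this module, which is not visible here). A one-line docstring per accessor naming the connection it secures would also help, such as `"""Path to the certificate file for internal (node-to-node) TLS; None when unset."""`.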
@@ -400,14 +407,9 @@ def _load_config_from_file(self) -> None: int(file_configs["ain_cluster_ingress_ssl_enabled"]) ) - if "ain_thrift_ssl_cert_file" in config_keys: - self._config.set_ain_thrift_ssl_cert_file( - file_configs["ain_thrift_ssl_cert_file"] - ) - - if "ain_thrift_ssl_key_file" in config_keys: - self._config.set_ain_thrift_ssl_key_file( - file_configs["ain_thrift_ssl_key_file"] + if "ain_cluster_ingress_ssl_cert_file" in config_keys: + self._config.set_ain_cluster_ingress_ssl_cert_file( + file_configs["ain_cluster_ingress_ssl_cert_file"] ) if "ain_logs_dir" in config_keys: diff --git a/iotdb-core/ainode/iotdb/ainode/core/ingress/iotdb.py b/iotdb-core/ainode/iotdb/ainode/core/ingress/iotdb.py index 13c56ca9d2d5..87d9a594f45f 100644 --- a/iotdb-core/ainode/iotdb/ainode/core/ingress/iotdb.py +++ b/iotdb-core/ainode/iotdb/ainode/core/ingress/iotdb.py @@ -94,7 +94,7 @@ def __init__( use_ssl=AINodeDescriptor() .get_config() .get_ain_cluster_ingress_ssl_enabled(), - ca_certs=AINodeDescriptor().get_config().get_ain_thrift_ssl_cert_file(), + ca_certs=AINodeDescriptor().get_config().get_ain_cluster_ingress_ssl_cert_file(), ) self.session.open(False) self.use_rate = use_rate @@ -276,7 +276,7 @@ def __init__( use_ssl=AINodeDescriptor() .get_config() .get_ain_cluster_ingress_ssl_enabled(), - ca_certs=AINodeDescriptor().get_config().get_ain_thrift_ssl_cert_file(), + ca_certs=AINodeDescriptor().get_config().get_ain_cluster_ingress_ssl_cert_file(), ) self.session = TableSession(table_session_config) self.use_rate = use_rate diff --git a/iotdb-core/ainode/iotdb/ainode/core/rpc/client.py b/iotdb-core/ainode/iotdb/ainode/core/rpc/client.py index e2be6459508b..bfd1ec09b777 100644 --- a/iotdb-core/ainode/iotdb/ainode/core/rpc/client.py +++ b/iotdb-core/ainode/iotdb/ainode/core/rpc/client.py 
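Review bot: Nothing visible in `_load_config_from_file` calls `set_ain_internal_ssl_cert_file` or `set_ain_internal_ssl_key_file`: the hunk drops the branches for `ain_thrift_ssl_cert_file` and `ain_thrift_ssl_key_file` and adds only `ain_cluster_ingress_ssl_cert_file`. Unless those values are loaded outside the hunk, both stay `None` from `__init__`, and `rpc/client.py` and `rpc/service.py` then pass `None` to `load_verify_locations` and `load_cert_chain`, which should fail as soon as internal SSL is enabled. Add matching branches for the internal cert and key (key names below follow the setter names and are a proposal). The properties template still lists `# ain_thrift_ssl_cert_file=`, which this loader no longer reads. `_load_config_from_file` continues outside the hunk.

```python
# … unchanged: ain_cluster_ingress_ssl_cert_file branch …

if "ain_internal_ssl_cert_file" in config_keys:
    self._config.set_ain_internal_ssl_cert_file(
        file_configs["ain_internal_ssl_cert_file"]
    )

if "ain_internal_ssl_key_file" in config_keys:
    self._config.set_ain_internal_ssl_key_file(
        file_configs["ain_internal_ssl_key_file"]
    )
```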
@@ -120,11 +120,11 @@ def _connect(self, target_config_node: TEndPoint) -> None: context.verify_mode = ssl.CERT_REQUIRED context.check_hostname = False context.load_verify_locations( - cafile=AINodeDescriptor().get_config().get_ain_thrift_ssl_cert_file() + cafile=AINodeDescriptor().get_config().get_ain_internal_ssl_cert_file() ) context.load_cert_chain( - certfile=AINodeDescriptor().get_config().get_ain_thrift_ssl_cert_file(), - keyfile=AINodeDescriptor().get_config().get_ain_thrift_ssl_key_file(), + certfile=AINodeDescriptor().get_config().get_ain_internal_ssl_cert_file(), + keyfile=AINodeDescriptor().get_config().get_ain_internal_ssl_key_file(), ) socket = TSSLSocket.TSSLSocket( host=target_config_node.ip, diff --git a/iotdb-core/ainode/iotdb/ainode/core/rpc/service.py b/iotdb-core/ainode/iotdb/ainode/core/rpc/service.py index c556ffd4ba0d..3e2c085b6fc3 100644 --- a/iotdb-core/ainode/iotdb/ainode/core/rpc/service.py +++ b/iotdb-core/ainode/iotdb/ainode/core/rpc/service.py @@ -84,11 +84,11 @@ def __init__(self, handler: AINodeRPCServiceHandler): context.verify_mode = ssl.CERT_REQUIRED context.check_hostname = False context.load_verify_locations( - cafile=AINodeDescriptor().get_config().get_ain_thrift_ssl_cert_file() + cafile=AINodeDescriptor().get_config().get_ain_internal_ssl_cert_file() ) context.load_cert_chain( - certfile=AINodeDescriptor().get_config().get_ain_thrift_ssl_cert_file(), - keyfile=AINodeDescriptor().get_config().get_ain_thrift_ssl_key_file(), + certfile=AINodeDescriptor().get_config().get_ain_internal_ssl_cert_file(), + keyfile=AINodeDescriptor().get_config().get_ain_internal_ssl_key_file(), ) transport = TSSLSocket.TSSLServerSocket( host=AINodeDescriptor().get_config().get_ain_rpc_address(), diff --git a/iotdb-core/ainode/resources/conf/iotdb-ainode.properties b/iotdb-core/ainode/resources/conf/iotdb-ainode.properties index 889481383408..633580111fd6 100644 --- a/iotdb-core/ainode/resources/conf/iotdb-ainode.properties 
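Review bot: The value of `get_ain_internal_ssl_cert_file()` is loaded both as the trust anchor in `load_verify_locations(cafile=...)` and as this node's own certificate in `load_cert_chain(certfile=...)`. With `check_hostname = False` on the context line above, peer verification then appears to depend on every node sharing that one file, unless it is a bundle that also carries a CA. Since this series is already splitting the SSL settings, a separate CA setting would let each node hold its own key pair, for example `cafile=AINodeDescriptor().get_config().get_ain_internal_ssl_ca_file()` (a proposed getter, not an existing one). The `rpc/service.py` hunk on this line has the same pattern. Both `_connect` and the service `__init__` start and end outside their hunks.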
+++ b/iotdb-core/ainode/resources/conf/iotdb-ainode.properties @@ -98,9 +98,3 @@ ain_inference_extra_memory_ratio=1.2 # It is recommended to use an absolute path. # Datatype: String # ain_thrift_ssl_cert_file= - -# The AINode SSL private key file path. -# The starting directory of the relative path is related to the operating system. -# It is recommended to use an absolute path. -# Datatype: String -# ain_thrift_ssl_key_file= diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonConfig.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonConfig.java index 1ad7065f523f..61fb4874e635 100644 --- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonConfig.java +++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonConfig.java @@ -444,19 +444,19 @@ public class CommonConfig { private String trustStorePwd = ""; /** Enable the cluster internal connection ssl. */ - private boolean enableInternalSSL = false; + private boolean enableInternalSSL = true; /** ssl key Store Path for internal connection */ - private String internalKeyStorePath = ""; + private String internalKeyStorePath = "/Users/ht/.keystore"; /** ssl key Store password for internal connection */ - private String internalKeyStorePwd = ""; + private String internalKeyStorePwd = "123456"; /** ssl trust Store Path for internal connection */ - private String internalTrustStorePath = ""; + private String internalTrustStorePath = "/Users/ht/.truststore"; /** ssl trust Store password for internal connection */ - private String internalTrustStorePwd = ""; + private String internalTrustStorePwd = "123456"; private String userEncryptTokenHint = "not set yet"; From 005d6612a4af44995de8715291e106ffac3aa0a7 Mon Sep 17 00:00:00 2001 
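Review bot: The new field defaults in `CommonConfig` look like local debugging values: `enableInternalSSL = true`, key and trust store paths under `/Users/ht/`, and the password `123456`. Patch 3/5 restores the empty defaults, but this commit on its own would start every node with internal SSL enabled against paths that exist on one machine only, and it leaves a keystore password in the history. Squash patches 2 and 3 before merging, and change that password if it protects a real keystore.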
From: HTHou Date: Mon, 29 Sep 2025 19:31:41 +0800 Subject: [PATCH 3/5] Seprate client and internal SSL configurations --- .../org/apache/iotdb/commons/conf/CommonConfig.java | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonConfig.java b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonConfig.java index 61fb4874e635..1ad7065f523f 100644 --- a/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonConfig.java +++ b/iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonConfig.java @@ -444,19 +444,19 @@ public class CommonConfig { private String trustStorePwd = ""; /** Enable the cluster internal connection ssl. */ - private boolean enableInternalSSL = true; + private boolean enableInternalSSL = false; /** ssl key Store Path for internal connection */ - private String internalKeyStorePath = "/Users/ht/.keystore"; + private String internalKeyStorePath = ""; /** ssl key Store password for internal connection */ - private String internalKeyStorePwd = "123456"; + private String internalKeyStorePwd = ""; /** ssl trust Store Path for internal connection */ - private String internalTrustStorePath = "/Users/ht/.truststore"; + private String internalTrustStorePath = ""; /** ssl trust Store password for internal connection */ - private String internalTrustStorePwd = "123456"; + private String internalTrustStorePwd = ""; private String userEncryptTokenHint = "not set yet"; From ba1ca5c3ea21861cf45ae37e01d6866a3a702da2 Mon Sep 17 00:00:00 2001 From: HTHou Date: Mon, 29 Sep 2025 19:40:42 +0800 Subject: [PATCH 4/5] Seprate client and internal SSL configurations --- .../it/insertquery/IoTDBInsertQueryWithInternalSSLIT.java | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/integration-test/src/test/java/org/apache/iotdb/relational/it/insertquery/IoTDBInsertQueryWithInternalSSLIT.java b/integration-test/src/test/java/org/apache/iotdb/relational/it/insertquery/IoTDBInsertQueryWithInternalSSLIT.java index f0c343f5ecbb..dee56bf60903 100644 --- a/integration-test/src/test/java/org/apache/iotdb/relational/it/insertquery/IoTDBInsertQueryWithInternalSSLIT.java +++ b/integration-test/src/test/java/org/apache/iotdb/relational/it/insertquery/IoTDBInsertQueryWithInternalSSLIT.java @@ -66,7 +66,9 @@ public void setUp() throws SQLException { CommonDescriptor.getInstance().getConfig().setEnableInternalSSL(true); CommonDescriptor.getInstance().getConfig().setInternalKeyStorePath(keyDir + "test-keystore"); CommonDescriptor.getInstance().getConfig().setInternalKeyStorePwd("thrift"); - CommonDescriptor.getInstance().getConfig().setInternalTrustStorePath(keyDir + "test-truststore"); + CommonDescriptor.getInstance() + .getConfig() + .setInternalTrustStorePath(keyDir + "test-truststore"); CommonDescriptor.getInstance().getConfig().setInternalTrustStorePwd("thrift"); EnvFactory.getEnv().initClusterEnvironment(); prepareDatabase(); From 2485a135a4d8cd4ce8a37081f6f9d142af0db6d8 Mon Sep 17 00:00:00 2001 From: HTHou Date: Mon, 29 Sep 2025 19:45:46 +0800 Subject: [PATCH 5/5] Seprate client and internal SSL configurations --- iotdb-core/ainode/iotdb/ainode/core/config.py | 4 +++- iotdb-core/ainode/iotdb/ainode/core/ingress/iotdb.py | 8 ++++++-- iotdb-core/ainode/iotdb/ainode/core/rpc/client.py | 4 +++- iotdb-core/ainode/iotdb/ainode/core/rpc/service.py | 4 +++- 4 files changed, 15 insertions(+), 5 deletions(-) diff --git a/iotdb-core/ainode/iotdb/ainode/core/config.py b/iotdb-core/ainode/iotdb/ainode/core/config.py index 650d6ee53955..2768e697bcf0 100644 --- a/iotdb-core/ainode/iotdb/ainode/core/config.py +++ b/iotdb-core/ainode/iotdb/ainode/core/config.py 
@@ -237,7 +237,9 @@ def set_ain_cluster_ingress_ssl_enabled( def get_ain_cluster_ingress_ssl_cert_file(self) -> str: return self._ain_cluster_ingress_ssl_cert_file - def set_ain_cluster_ingress_ssl_cert_file(self, ain_cluster_ingress_ssl_cert_file: str) -> None: + def set_ain_cluster_ingress_ssl_cert_file( + self, ain_cluster_ingress_ssl_cert_file: str + ) -> None: self._ain_cluster_ingress_ssl_cert_file = ain_cluster_ingress_ssl_cert_file def get_ain_internal_ssl_enabled(self) -> bool: diff --git a/iotdb-core/ainode/iotdb/ainode/core/ingress/iotdb.py b/iotdb-core/ainode/iotdb/ainode/core/ingress/iotdb.py index 87d9a594f45f..cf3fb6c9bbc6 100644 --- a/iotdb-core/ainode/iotdb/ainode/core/ingress/iotdb.py +++ b/iotdb-core/ainode/iotdb/ainode/core/ingress/iotdb.py @@ -94,7 +94,9 @@ def __init__( use_ssl=AINodeDescriptor() .get_config() .get_ain_cluster_ingress_ssl_enabled(), - ca_certs=AINodeDescriptor().get_config().get_ain_cluster_ingress_ssl_cert_file(), + ca_certs=AINodeDescriptor() + .get_config() + .get_ain_cluster_ingress_ssl_cert_file(), ) self.session.open(False) self.use_rate = use_rate @@ -276,7 +278,9 @@ def __init__( use_ssl=AINodeDescriptor() .get_config() .get_ain_cluster_ingress_ssl_enabled(), - ca_certs=AINodeDescriptor().get_config().get_ain_cluster_ingress_ssl_cert_file(), + ca_certs=AINodeDescriptor() + .get_config() + .get_ain_cluster_ingress_ssl_cert_file(), ) self.session = TableSession(table_session_config) self.use_rate = use_rate diff --git a/iotdb-core/ainode/iotdb/ainode/core/rpc/client.py b/iotdb-core/ainode/iotdb/ainode/core/rpc/client.py index bfd1ec09b777..4ba355e7526e 100644 --- a/iotdb-core/ainode/iotdb/ainode/core/rpc/client.py +++ b/iotdb-core/ainode/iotdb/ainode/core/rpc/client.py 
@@ -123,7 +123,9 @@ def _connect(self, target_config_node: TEndPoint) -> None: cafile=AINodeDescriptor().get_config().get_ain_internal_ssl_cert_file() ) context.load_cert_chain( - certfile=AINodeDescriptor().get_config().get_ain_internal_ssl_cert_file(), + certfile=AINodeDescriptor() + .get_config() + .get_ain_internal_ssl_cert_file(), keyfile=AINodeDescriptor().get_config().get_ain_internal_ssl_key_file(), ) socket = TSSLSocket.TSSLSocket( diff --git a/iotdb-core/ainode/iotdb/ainode/core/rpc/service.py b/iotdb-core/ainode/iotdb/ainode/core/rpc/service.py index 3e2c085b6fc3..4577c514f1f0 100644 --- a/iotdb-core/ainode/iotdb/ainode/core/rpc/service.py +++ b/iotdb-core/ainode/iotdb/ainode/core/rpc/service.py @@ -87,7 +87,9 @@ def __init__(self, handler: AINodeRPCServiceHandler): cafile=AINodeDescriptor().get_config().get_ain_internal_ssl_cert_file() ) context.load_cert_chain( - certfile=AINodeDescriptor().get_config().get_ain_internal_ssl_cert_file(), + certfile=AINodeDescriptor() + .get_config() + .get_ain_internal_ssl_cert_file(), keyfile=AINodeDescriptor().get_config().get_ain_internal_ssl_key_file(), ) transport = TSSLSocket.TSSLServerSocket(