Separate Client and Internal SSL configurations

integration-test/src/test/java/org/apache/iotdb/relational/it/insertquery/IoTDBInsertQueryWithInternalSSLIT.java

@@ -64,10 +64,12 @@ public void setUp() throws SQLException {
         .setTrustStorePath(keyDir + "test-truststore")
         .setTrustStorePwd("thrift");
     CommonDescriptor.getInstance().getConfig().setEnableInternalSSL(true);
-    CommonDescriptor.getInstance().getConfig().setKeyStorePath(keyDir + "test-keystore");
-    CommonDescriptor.getInstance().getConfig().setKeyStorePwd("thrift");
-    CommonDescriptor.getInstance().getConfig().setTrustStorePath(keyDir + "test-truststore");
-    CommonDescriptor.getInstance().getConfig().setTrustStorePwd("thrift");
+    CommonDescriptor.getInstance().getConfig().setInternalKeyStorePath(keyDir + "test-keystore");
+    CommonDescriptor.getInstance().getConfig().setInternalKeyStorePwd("thrift");
+    CommonDescriptor.getInstance()
+        .getConfig()
+        .setInternalTrustStorePath(keyDir + "test-truststore");
+    CommonDescriptor.getInstance().getConfig().setInternalTrustStorePwd("thrift");
     EnvFactory.getEnv().initClusterEnvironment();
     prepareDatabase();
     prepareData();
@@ -82,9 +84,9 @@ public void tearDown() {
       fail(e.getMessage());
     }
     CommonDescriptor.getInstance().getConfig().setEnableInternalSSL(false);
-    CommonDescriptor.getInstance().getConfig().setKeyStorePath("");
-    CommonDescriptor.getInstance().getConfig().setKeyStorePwd("");
-    CommonDescriptor.getInstance().getConfig().setTrustStorePath("");
-    CommonDescriptor.getInstance().getConfig().setTrustStorePwd("");
+    CommonDescriptor.getInstance().getConfig().setInternalKeyStorePath("");
+    CommonDescriptor.getInstance().getConfig().setInternalKeyStorePwd("");
+    CommonDescriptor.getInstance().getConfig().setInternalTrustStorePath("");
+    CommonDescriptor.getInstance().getConfig().setInternalTrustStorePwd("");
   }
 }

iotdb-core/ainode/iotdb/ainode/core/config.py

@@ -104,9 +104,10 @@ def __init__(self):
 
         # use for ssl
         self._ain_cluster_ingress_ssl_enabled = False
+        self._ain_cluster_ingress_ssl_cert_file = None
         self._ain_internal_ssl_enabled = False
-        self._ain_thrift_ssl_cert_file = None
-        self._ain_thrift_ssl_key_file = None
+        self._ain_internal_ssl_cert_file = None
+        self._ain_internal_ssl_key_file = None
 
         # Cache number of model storage to avoid repeated loading
         self._ain_model_storage_cache_size = 30
@@ -233,23 +234,31 @@ def set_ain_cluster_ingress_ssl_enabled(
     ) -> None:
         self._ain_cluster_ingress_ssl_enabled = ain_cluster_ingress_ssl_enabled
 
+    def get_ain_cluster_ingress_ssl_cert_file(self) -> str:
+        return self._ain_cluster_ingress_ssl_cert_file
+
+    def set_ain_cluster_ingress_ssl_cert_file(
+        self, ain_cluster_ingress_ssl_cert_file: str
+    ) -> None:
+        self._ain_cluster_ingress_ssl_cert_file = ain_cluster_ingress_ssl_cert_file
+
     def get_ain_internal_ssl_enabled(self) -> bool:
         return self._ain_internal_ssl_enabled
 
     def set_ain_internal_ssl_enabled(self, ain_internal_ssl_enabled: int) -> None:
         self._ain_internal_ssl_enabled = ain_internal_ssl_enabled
 
-    def get_ain_thrift_ssl_cert_file(self) -> str:
-        return self._ain_thrift_ssl_cert_file
+    def get_ain_internal_ssl_cert_file(self) -> str:
+        return self._ain_internal_ssl_cert_file
 
-    def set_ain_thrift_ssl_cert_file(self, ain_thrift_ssl_cert_file: str) -> None:
-        self._ain_thrift_ssl_cert_file = ain_thrift_ssl_cert_file
+    def set_ain_internal_ssl_cert_file(self, ain_internal_ssl_cert_file: str) -> None:
+        self._ain_internal_ssl_cert_file = ain_internal_ssl_cert_file
 
-    def get_ain_thrift_ssl_key_file(self) -> str:
-        return self._ain_thrift_ssl_key_file
+    def get_ain_internal_ssl_key_file(self) -> str:
+        return self._ain_internal_ssl_key_file
 
-    def set_ain_thrift_ssl_key_file(self, ain_thrift_ssl_key_file: str) -> None:
-        self._ain_thrift_ssl_key_file = ain_thrift_ssl_key_file
+    def set_ain_internal_ssl_key_file(self, ain_internal_ssl_key_file: str) -> None:
+        self._ain_internal_ssl_key_file = ain_internal_ssl_key_file
 
     def get_ain_model_storage_cache_size(self) -> int:
         return self._ain_model_storage_cache_size
@@ -400,14 +409,9 @@ def _load_config_from_file(self) -> None:
                     int(file_configs["ain_cluster_ingress_ssl_enabled"])
                 )
 
-            if "ain_thrift_ssl_cert_file" in config_keys:
-                self._config.set_ain_thrift_ssl_cert_file(
-                    file_configs["ain_thrift_ssl_cert_file"]
-                )
-
-            if "ain_thrift_ssl_key_file" in config_keys:
-                self._config.set_ain_thrift_ssl_key_file(
-                    file_configs["ain_thrift_ssl_key_file"]
+            if "ain_cluster_ingress_ssl_cert_file" in config_keys:
+                self._config.set_ain_cluster_ingress_ssl_cert_file(
+                    file_configs["ain_cluster_ingress_ssl_cert_file"]
                 )
 
             if "ain_logs_dir" in config_keys:

iotdb-core/ainode/iotdb/ainode/core/ingress/iotdb.py

@@ -94,7 +94,9 @@ def __init__(
             use_ssl=AINodeDescriptor()
             .get_config()
             .get_ain_cluster_ingress_ssl_enabled(),
-            ca_certs=AINodeDescriptor().get_config().get_ain_thrift_ssl_cert_file(),
+            ca_certs=AINodeDescriptor()
+            .get_config()
+            .get_ain_cluster_ingress_ssl_cert_file(),
         )
         self.session.open(False)
         self.use_rate = use_rate
@@ -276,7 +278,9 @@ def __init__(
             use_ssl=AINodeDescriptor()
             .get_config()
             .get_ain_cluster_ingress_ssl_enabled(),
-            ca_certs=AINodeDescriptor().get_config().get_ain_thrift_ssl_cert_file(),
+            ca_certs=AINodeDescriptor()
+            .get_config()
+            .get_ain_cluster_ingress_ssl_cert_file(),
         )
         self.session = TableSession(table_session_config)
         self.use_rate = use_rate

iotdb-core/ainode/iotdb/ainode/core/rpc/client.py

@@ -120,11 +120,13 @@ def _connect(self, target_config_node: TEndPoint) -> None:
                 context.verify_mode = ssl.CERT_REQUIRED
             context.check_hostname = False
             context.load_verify_locations(
-                cafile=AINodeDescriptor().get_config().get_ain_thrift_ssl_cert_file()
+                cafile=AINodeDescriptor().get_config().get_ain_internal_ssl_cert_file()
             )
             context.load_cert_chain(
-                certfile=AINodeDescriptor().get_config().get_ain_thrift_ssl_cert_file(),
-                keyfile=AINodeDescriptor().get_config().get_ain_thrift_ssl_key_file(),
+                certfile=AINodeDescriptor()
+                .get_config()
+                .get_ain_internal_ssl_cert_file(),
+                keyfile=AINodeDescriptor().get_config().get_ain_internal_ssl_key_file(),
             )
             socket = TSSLSocket.TSSLSocket(
                 host=target_config_node.ip,

iotdb-core/ainode/iotdb/ainode/core/rpc/service.py

@@ -84,11 +84,13 @@ def __init__(self, handler: AINodeRPCServiceHandler):
                 context.verify_mode = ssl.CERT_REQUIRED
             context.check_hostname = False
             context.load_verify_locations(
-                cafile=AINodeDescriptor().get_config().get_ain_thrift_ssl_cert_file()
+                cafile=AINodeDescriptor().get_config().get_ain_internal_ssl_cert_file()
             )
             context.load_cert_chain(
-                certfile=AINodeDescriptor().get_config().get_ain_thrift_ssl_cert_file(),
-                keyfile=AINodeDescriptor().get_config().get_ain_thrift_ssl_key_file(),
+                certfile=AINodeDescriptor()
+                .get_config()
+                .get_ain_internal_ssl_cert_file(),
+                keyfile=AINodeDescriptor().get_config().get_ain_internal_ssl_key_file(),
             )
             transport = TSSLSocket.TSSLServerSocket(
                 host=AINodeDescriptor().get_config().get_ain_rpc_address(),

iotdb-core/ainode/resources/conf/iotdb-ainode.properties

@@ -98,9 +98,3 @@ ain_inference_extra_memory_ratio=1.2
 # It is recommended to use an absolute path.
 # Datatype: String
 # ain_thrift_ssl_cert_file=
-
-# The AINode SSL private key file path.
-# The starting directory of the relative path is related to the operating system.
-# It is recommended to use an absolute path.
-# Datatype: String
-# ain_thrift_ssl_key_file=

iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/manager/consensus/ConsensusManager.java

@@ -175,10 +175,11 @@ private void setConsensusLayer(ConfigRegionStateMachine stateMachine) {
                                       .setLeaderOutstandingAppendsMax(
                                           CONF.getConfigNodeRatisGrpcLeaderOutstandingAppendsMax())
                                       .setEnableSSL(COMMON_CONF.isEnableInternalSSL())
-                                      .setSslKeyStorePath(COMMON_CONF.getKeyStorePath())
-                                      .setSslKeyStorePassword(COMMON_CONF.getKeyStorePwd())
-                                      .setSslTrustStorePath(COMMON_CONF.getTrustStorePath())
-                                      .setSslTrustStorePassword(COMMON_CONF.getTrustStorePwd())
+                                      .setSslKeyStorePath(COMMON_CONF.getInternalKeyStorePath())
+                                      .setSslKeyStorePassword(COMMON_CONF.getInternalKeyStorePwd())
+                                      .setSslTrustStorePath(COMMON_CONF.getInternalTrustStorePath())
+                                      .setSslTrustStorePassword(
+                                          COMMON_CONF.getInternalTrustStorePwd())
                                       .build())
                               .setRpc(
                                   RatisConfig.Rpc.newBuilder()

iotdb-core/confignode/src/main/java/org/apache/iotdb/confignode/service/thrift/ConfigNodeRPCService.java

@@ -72,10 +72,10 @@ public void initThriftServiceThread() throws IllegalAccessException {
                   configConf.getThriftServerAwaitTimeForStopService(),
                   new ConfigNodeRPCServiceHandler(),
                   commonConfig.isRpcThriftCompressionEnabled(),
-                  commonConfig.getKeyStorePath(),
-                  commonConfig.getKeyStorePwd(),
-                  commonConfig.getTrustStorePath(),
-                  commonConfig.getTrustStorePwd(),
+                  commonConfig.getInternalKeyStorePath(),
+                  commonConfig.getInternalKeyStorePwd(),
+                  commonConfig.getInternalTrustStorePath(),
+                  commonConfig.getInternalTrustStorePwd(),
                   DeepCopyRpcTransportFactory.INSTANCE)
               : new ThriftServiceThread(
                   processor,

iotdb-core/consensus/src/main/java/org/apache/iotdb/consensus/iot/client/AsyncIoTConsensusServiceClient.java

@@ -63,10 +63,10 @@ public AsyncIoTConsensusServiceClient(
                 endpoint.getIp(),
                 endpoint.getPort(),
                 property.getConnectionTimeoutMs(),
-                commonConfig.getKeyStorePath(),
-                commonConfig.getKeyStorePwd(),
-                commonConfig.getTrustStorePath(),
-                commonConfig.getTrustStorePwd())
+                commonConfig.getInternalKeyStorePath(),
+                commonConfig.getInternalKeyStorePwd(),
+                commonConfig.getInternalTrustStorePath(),
+                commonConfig.getInternalTrustStorePwd())
             : TNonblockingTransportWrapper.wrap(
                 endpoint.getIp(), endpoint.getPort(), property.getConnectionTimeoutMs()));
     setTimeout(property.getConnectionTimeoutMs());

iotdb-core/consensus/src/main/java/org/apache/iotdb/consensus/iot/client/SyncIoTConsensusServiceClient.java

@@ -58,10 +58,10 @@ public SyncIoTConsensusServiceClient(
                         endpoint.getIp(),
                         endpoint.getPort(),
                         property.getConnectionTimeoutMs(),
-                        commonConfig.getTrustStorePath(),
-                        commonConfig.getTrustStorePwd(),
-                        commonConfig.getKeyStorePath(),
-                        commonConfig.getKeyStorePwd())
+                        commonConfig.getInternalTrustStorePath(),
+                        commonConfig.getInternalTrustStorePwd(),
+                        commonConfig.getInternalKeyStorePath(),
+                        commonConfig.getInternalKeyStorePwd())
                     : DeepCopyRpcTransportFactory.INSTANCE.getTransport(
                         new TSocket(
                             TConfigurationConst.defaultTConfiguration,

iotdb-core/datanode/src/main/java/org/apache/iotdb/db/consensus/DataRegionConsensusImpl.java

@@ -139,10 +139,10 @@ private static ConsensusConfig buildConsensusConfig() {
                           .setThriftMaxFrameSize(CONF.getThriftMaxFrameSize())
                           .setMaxClientNumForEachNode(CONF.getMaxClientNumForEachNode())
                           .setEnableSSL(COMMON_CONF.isEnableInternalSSL())
-                          .setSslKeyStorePath(COMMON_CONF.getKeyStorePath())
-                          .setSslKeyStorePassword(COMMON_CONF.getKeyStorePwd())
-                          .setSslTrustStorePath(COMMON_CONF.getTrustStorePath())
-                          .setSslTrustStorePassword(COMMON_CONF.getTrustStorePwd())
+                          .setSslKeyStorePath(COMMON_CONF.getInternalKeyStorePath())
+                          .setSslKeyStorePassword(COMMON_CONF.getInternalKeyStorePwd())
+                          .setSslTrustStorePath(COMMON_CONF.getInternalTrustStorePath())
+                          .setSslTrustStorePassword(COMMON_CONF.getInternalTrustStorePwd())
                           .build())
                   .setReplication(
                       IoTConsensusConfig.Replication.newBuilder()
@@ -168,10 +168,10 @@ private static ConsensusConfig buildConsensusConfig() {
                               CONF.getThriftServerAwaitTimeForStopService())
                           .setThriftMaxFrameSize(CONF.getThriftMaxFrameSize())
                           .setEnableSSL(COMMON_CONF.isEnableInternalSSL())
-                          .setSslKeyStorePath(COMMON_CONF.getKeyStorePath())
-                          .setSslKeyStorePassword(COMMON_CONF.getKeyStorePwd())
-                          .setSslTrustStorePath(COMMON_CONF.getTrustStorePath())
-                          .setSslTrustStorePassword(COMMON_CONF.getTrustStorePwd())
+                          .setSslKeyStorePath(COMMON_CONF.getInternalKeyStorePath())
+                          .setSslKeyStorePassword(COMMON_CONF.getInternalKeyStorePwd())
+                          .setSslTrustStorePath(COMMON_CONF.getInternalTrustStorePath())
+                          .setSslTrustStorePassword(COMMON_CONF.getInternalTrustStorePwd())
                           .build())
                   .setPipe(
                       PipeConsensusConfig.Pipe.newBuilder()
@@ -223,10 +223,10 @@ private static ConsensusConfig buildConsensusConfig() {
                           .setLeaderOutstandingAppendsMax(
                               CONF.getDataRatisConsensusGrpcLeaderOutstandingAppendsMax())
                           .setEnableSSL(COMMON_CONF.isEnableInternalSSL())
-                          .setSslKeyStorePath(COMMON_CONF.getKeyStorePath())
-                          .setSslKeyStorePassword(COMMON_CONF.getKeyStorePwd())
-                          .setSslTrustStorePath(COMMON_CONF.getTrustStorePath())
-                          .setSslTrustStorePassword(COMMON_CONF.getTrustStorePwd())
+                          .setSslKeyStorePath(COMMON_CONF.getInternalKeyStorePath())
+                          .setSslKeyStorePassword(COMMON_CONF.getInternalKeyStorePwd())
+                          .setSslTrustStorePath(COMMON_CONF.getInternalTrustStorePath())
+                          .setSslTrustStorePassword(COMMON_CONF.getInternalTrustStorePwd())
                           .build())
                   .setRpc(
                       RatisConfig.Rpc.newBuilder()

iotdb-core/datanode/src/main/java/org/apache/iotdb/db/consensus/SchemaRegionConsensusImpl.java

@@ -110,10 +110,11 @@ private static void reinitializeStatics() {
                                           CONF
                                               .getSchemaRatisConsensusGrpcLeaderOutstandingAppendsMax())
                                       .setEnableSSL(COMMON_CONF.isEnableInternalSSL())
-                                      .setSslKeyStorePath(COMMON_CONF.getKeyStorePath())
-                                      .setSslKeyStorePassword(COMMON_CONF.getKeyStorePwd())
-                                      .setSslTrustStorePath(COMMON_CONF.getTrustStorePath())
-                                      .setSslTrustStorePassword(COMMON_CONF.getTrustStorePwd())
+                                      .setSslKeyStorePath(COMMON_CONF.getInternalKeyStorePath())
+                                      .setSslKeyStorePassword(COMMON_CONF.getInternalKeyStorePwd())
+                                      .setSslTrustStorePath(COMMON_CONF.getInternalTrustStorePath())
+                                      .setSslTrustStorePassword(
+                                          COMMON_CONF.getInternalTrustStorePwd())
                                       .build())
                               .setRpc(
                                   RatisConfig.Rpc.newBuilder()

iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/client/ConfigNodeClient.java

@@ -277,10 +277,10 @@ public void connect(TEndPoint endpoint, int timeoutMs) throws TException {
                 endpoint.getIp(),
                 endpoint.getPort(),
                 timeoutMs,
-                commonConfig.getTrustStorePath(),
-                commonConfig.getTrustStorePwd(),
-                commonConfig.getKeyStorePath(),
-                commonConfig.getKeyStorePwd())
+                commonConfig.getInternalTrustStorePath(),
+                commonConfig.getInternalTrustStorePwd(),
+                commonConfig.getInternalKeyStorePath(),
+                commonConfig.getInternalKeyStorePwd())
             : DeepCopyRpcTransportFactory.INSTANCE.getTransport(
                 // As there is a try-catch already, we do not need to use TSocket.wrap
                 endpoint.getIp(), endpoint.getPort(), timeoutMs);

iotdb-core/datanode/src/main/java/org/apache/iotdb/db/queryengine/execution/exchange/MPPDataExchangeService.java

@@ -104,10 +104,10 @@ public void initThriftServiceThread() throws IllegalAccessException {
                   config.getThriftServerAwaitTimeForStopService(),
                   new MPPDataExchangeServiceThriftHandler(),
                   config.isRpcThriftCompressionEnable(),
-                  commonConfig.getKeyStorePath(),
-                  commonConfig.getKeyStorePwd(),
-                  commonConfig.getTrustStorePath(),
-                  commonConfig.getTrustStorePwd(),
+                  commonConfig.getInternalKeyStorePath(),
+                  commonConfig.getInternalKeyStorePwd(),
+                  commonConfig.getInternalTrustStorePath(),
+                  commonConfig.getInternalTrustStorePwd(),
                   DeepCopyRpcTransportFactory.INSTANCE)
               : new ThriftServiceThread(
                   processor,

iotdb-core/datanode/src/main/java/org/apache/iotdb/db/service/DataNodeInternalRPCService.java

@@ -74,10 +74,10 @@ public void initThriftServiceThread() throws IllegalAccessException {
                   config.getThriftServerAwaitTimeForStopService(),
                   new InternalServiceThriftHandler(),
                   config.isRpcThriftCompressionEnable(),
-                  commonConfig.getKeyStorePath(),
-                  commonConfig.getKeyStorePwd(),
-                  commonConfig.getTrustStorePath(),
-                  commonConfig.getTrustStorePwd(),
+                  commonConfig.getInternalKeyStorePath(),
+                  commonConfig.getInternalKeyStorePwd(),
+                  commonConfig.getInternalTrustStorePath(),
+                  commonConfig.getInternalTrustStorePwd(),
                   DeepCopyRpcTransportFactory.INSTANCE)
               : new ThriftServiceThread(
                   processor,

iotdb-core/datanode/src/main/java/org/apache/iotdb/db/service/RestService.java

@@ -67,7 +67,7 @@ private void startSSL(
     if (clientAuth) {
       sslContextFactory.setTrustStorePath(trustStorePath);
       sslContextFactory.setTrustStorePassword(trustStorePwd);
-      sslContextFactory.setNeedClientAuth(clientAuth);
+      sslContextFactory.setNeedClientAuth(true);
     }
 
     ServerConnector httpsConnector =

iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/ainode/AINodeClient.java

@@ -107,8 +107,10 @@ private void init() throws TException {
       if (commonConfig.isEnableInternalSSL()) {
         TSSLTransportFactory.TSSLTransportParameters params =
             new TSSLTransportFactory.TSSLTransportParameters();
-        params.setTrustStore(commonConfig.getTrustStorePath(), commonConfig.getTrustStorePwd());
-        params.setKeyStore(commonConfig.getKeyStorePath(), commonConfig.getKeyStorePwd());
+        params.setTrustStore(
+            commonConfig.getInternalTrustStorePath(), commonConfig.getInternalTrustStorePwd());
+        params.setKeyStore(
+            commonConfig.getInternalKeyStorePath(), commonConfig.getInternalKeyStorePwd());
         transport =
             new TFramedTransport.Factory()
                 .getTransport(