From 3007cd49f2b6f201492ec5c76ca548860efede2a Mon Sep 17 00:00:00 2001 
From: Xiaocc <598887962@qq.com> Date: Fri, 21 Apr 2023 14:39:14 +0800 Subject: [PATCH] [enhancement](mysql) enable two-way ssl authentication (#18530) According to the mysql-ssl, enable two-way SSL authentication. --- .licenserc.yaml | 5 ++ conf/mysql_ssl_default_certificate/README.md | 1 + .../ca_certificate.p12 | Bin 0 -> 2613 bytes .../certificate.p12 | Bin 2533 -> 0 bytes .../client_certificate/ca.pem | 24 +++++++++ .../client_certificate/client-cert.pem | 21 ++++++++ .../client_certificate/client-key.pem | 27 ++++++++++ .../server_certificate.p12 | Bin 0 -> 2501 bytes docs/en/docs/admin-manual/certificate.md | 46 +++++++++++----- docs/en/docs/get-starting/get-starting.md | 10 ++-- docs/zh-CN/docs/admin-manual/certificate.md | 51 ++++++++++++------ docs/zh-CN/docs/get-starting/get-starting.md | 11 ++-- .../java/org/apache/doris/common/Config.java | 29 ++++++++-- .../apache/doris/mysql/MysqlSslContext.java | 20 ++++--- regression-test/certificate.p12 | Bin 2533 -> 0 bytes regression-test/conf/regression-conf.groovy | 1 + .../org/apache/doris/regression/Config.groovy | 18 ++++--- .../doris/regression/ConfigOptions.groovy | 12 +++++ .../ssl_default_certificate/ca.pem | 24 +++++++++ .../ssl_default_certificate/client-cert.pem | 21 ++++++++ .../ssl_default_certificate/client-key.pem | 27 ++++++++++ .../mysql_ssl_p0/test_mysql_connection.groovy | 11 ++++ 22 files changed, 303 insertions(+), 56 deletions(-) create mode 100644 conf/mysql_ssl_default_certificate/README.md create mode 100644 conf/mysql_ssl_default_certificate/ca_certificate.p12 delete mode 100644 conf/mysql_ssl_default_certificate/certificate.p12 create mode 100644 conf/mysql_ssl_default_certificate/client_certificate/ca.pem create mode 100644 conf/mysql_ssl_default_certificate/client_certificate/client-cert.pem create mode 100644 conf/mysql_ssl_default_certificate/client_certificate/client-key.pem create mode 100644 conf/mysql_ssl_default_certificate/server_certificate.p12 delete mode 100644 
regression-test/certificate.p12 create mode 100644 regression-test/ssl_default_certificate/ca.pem create mode 100644 regression-test/ssl_default_certificate/client-cert.pem create mode 100644 regression-test/ssl_default_certificate/client-key.pem diff --git a/.licenserc.yaml b/.licenserc.yaml index 5852dab25a..b0892047c6 100644 --- a/.licenserc.yaml +++ b/.licenserc.yaml @@ -80,6 +80,11 @@ header: - "docker/thirdparties/docker-compose/hive/scripts/create_tpch1_parquet.hql" - "docker/thirdparties/docker-compose/hive/scripts/preinstalled_data/" - "docker/thirdparties/docker-compose/iceberg/spark-defaults.conf.tpl" + - "conf/mysql_ssl_default_certificate/*" + - "conf/mysql_ssl_default_certificate/client_certificate/ca.pem" + - "conf/mysql_ssl_default_certificate/client_certificate/client-cert.pem" + - "conf/mysql_ssl_default_certificate/client_certificate/client-key.pem" + - "regression-test/ssl_default_certificate/*" - "extension/beats/go.mod" - "extension/beats/go.sum" diff --git a/conf/mysql_ssl_default_certificate/README.md b/conf/mysql_ssl_default_certificate/README.md new file mode 100644 index 0000000000..9b2805751a --- /dev/null +++ b/conf/mysql_ssl_default_certificate/README.md @@ -0,0 +1 @@ +All certificates in this directory are generated by default and cannot be used in a production environment. The certificates in the ```./client_certificate``` are used to verify the identity of the client. For more details, refer to ```docs/en/docs/admin-manual/certificate.md``` 
diff --git a/conf/mysql_ssl_default_certificate/ca_certificate.p12 b/conf/mysql_ssl_default_certificate/ca_certificate.p12 new file mode 100644 index 0000000000000000000000000000000000000000..3098460e8b3c7b533226f923d47ccbbed003e6a5 GIT binary patch literal 2613 zcmXqL;xc4nWHxBx{LaRy)#lOmotKfFaX}O33zjC%Ck9QN4-A@ErX!@-7BsPR7&Ni8 zFflS1G_lkoWEc%(*tno3@G!C&@Ud`kavaP)F7YmoiHU=up@}6xzN$ouze|6Hyn3+Y zA}f&%rGg#Hw!Y@=;SUqaJ@M+u&DqCNb7aExzFo^ReD6BJ+Ewma)RNx})vJtuZJlyr z;s2=_cN?Fd{8)XYc2BII<#ox^%~MU3>kP8gGq>x_zro@1O#NZnbp3*Kvj;ELy;lXX zAGV*P=CQ(m*YQcYm3|XTmV1?ku!m$#;#$32=8BBH?c$ogmB%)$dcWJyt0sJE?1Fv& zAKEq9&*+fbRlfM;%aUbA?N&ie7pDXq?rmh$dL41r{9=AK{|=46IjSF49G+8k!*GfQpqBQvqnKRzt8Y?{~_btCiA<9(?* zzh>IIJq_zTC@sepQ+EH|?j0dFr@eo%y~R-a$|qK5&zGzA3GholNZ5H_YCXS-##e`V zyO!+nG`#sFH+uU4;VUicI_HaiOjWDi=)Y~TbjnM?iJA{)C0$*_^zHZ@PyaNx^2V0G znOxRG3CUv)KmxCyZR1_HFMvr;Jjz{Wc5i$-}w?LJgcpp z#GW2~+UNfBv(q8mp~n{srDGzuuir=%Z?6^k7Z}qj`9vu7-J6(OMK3hxd#lfr zHhB1tr}dzW=#@arxU}0QKX+z*Vq3L6rQPlFrkeuomuJqN|1)Rd)Om8Olg$*F>}q^G zoYpb*ZsGf0D-rj2=}oasjY%wNn?JKE&ii@X_o(T$jJxnpZ? 
z>&2JJW!&d^zTbbNvgN!+af|s$(|aL8F&SF(Zkm37DBL+q+NNV|#;-5J)>hXRNF=^r zw(ddLV{z`uZ&iOy>Zy;aEDibhYvId7>yr*#IZ-p8At!ismc#tj+Ozj94`VwYvgl1$ zlSAFXJ%@U`9p0be-nLF6d7t^>tKQ!#ilY;(HHueTubh;*HH72c--D@J)*s5YYUXcK z`}F(H!RyKW^$(&AFK@__J^VfO%(>7j#TQ*HCsdkxJbz$oAy~W8q(r%>|2%u4dg0Ri zZ7EBaJ2Wg0-0E|1ckMpoGNliXYmMzV9<3|0QDx3936-`K$U z!+OH)j|vyd?q1zseD(7NrHyP!Cse|VBqmDB9E)1JyQE*~1#jgWb)99t=FZXibtRcc zz7#x+P?Oki{zLg;i~WwKT~cWUD`va*U)2ASVAIUKJ81gynX^^Top5+}w)XBamukV1 z6U=tzVxMR35i#4o?3?b}y#h^Bo4)McqFQI5{;ToXf~iqU?>mX%95t{?|o( zpXRdyg`=^vrZpNgu{t6ZKnt2!jaZsk^$eO=wG5hA)!4XU#Ss@H(}E_JcLq%?uTV-U zW>6_L-$!Zx)C6@7P$|XI#ByTq%7k04YhN#CT)*-9bLC|d&-Eq;@N-|DCb+-8%wXv~ z?}f_>OJ5c`{?GiJo)+1{v3t2*SwPvki#IELTh?#So6pL4>i#!3!Tn{EZuqbzuAA$@ zc1m(;$%hK{3h8v;#g{mDuyNhAnHqHC)8wN5(i|z@|5`Ge5=h_|2cH)!;wlG1J%E5?@W%*XV~*_+tLKRr-sWyb8L*= z9t)%^Z*niuIQpw~Z>#p&S0NmV1{#O=Oj#OL;4xuZft}+0Nf)Y@EG{WHIpf^EuXk=p zFZNk@sWDV@!#%$5=KXvTVdgrP2hJ?lP&3{c{`_q7ihCLBIZvKnH>>p9zx~b|_ukOH zT=aIm$U6p)i2SJyjx*Ihtlm_!qTZ9+s$_O(Sx=yv-+GTvy)DGW5V&}iGR-f8{ z-S1P+yb^5cW%!6}^)*W8J zY3qK}t^ZR$FCTWo_1z^WT-@Sy#VU ze{=sD(~C_qvz=!NbN5ZTq-=fn@h0z>&8pVg*QU+<5x$gnTjKnEr+qHUO%@SW*mBT5 zaI5JqxBW2@*4M1<*KbXeJXn@@^XK*{>dvQrdi9s_ZT%U~Saaz6i$3`ejQ6IiHM1ry zJ@mW7u{uz=YPrgcYic@n=CA#>A<{d)9q7^GIpHTuIh$Wu?L)}=>2IjzxkKMck4{I ztwNss+=t!yrcX}H>Z#aBM=ovu*ia<=bz$&cEMxA}eITO#!GmaJZR zWXg;I@Rv^5PZ)_bh!uL_bDRvy6pd&56s&2!a9<*pZick#9^POF%r6AU;6WYTdO93m5C%zpUk4Rvq>0)NhVozhmV*_bO@b?_2cW zY{pcs+4Zk4Mk!a#W4GRDwe!K^sk5{>)vlj;_v6HCk0qJ8I_J%lg1me~{o2i&B31sF zNqPG3iI$o-%}~`q8D2VaiW-Wsh#0w^>vcZa`$XaS&)BPhX4X^LtJMt*4HOMH*;uvt tn3<$l8CXPIn-o)7)HY8jaSagS?vD*xaD9>=3rG1sIm<;WJ%T}{Bmf^<(Wd|a literal 0 HcmV?d00001 
diff --git a/conf/mysql_ssl_default_certificate/certificate.p12 b/conf/mysql_ssl_default_certificate/certificate.p12 deleted file mode 100644 index d54fde284b85bca1f553fffada35960ef515460e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2533 zcmXqL;(W-&$ZXKWxtxtttIebBJ1-+U^*KBl_YgV*RN^0F#d|+n2+vFX6z6pHk zC(PxKcif#JTY23jcW!h(lh)h|5sg0{r&k}T+4t!4EG12Q}*sXN`hdJB_<`wGwdc00}IzxBXq0>*3ckO3c!kL}jyzB99 z7VkYakM4ZFwUcxE+4`7cZcaNk-s$r>^+)o4c}2%9CxttDwu$QJ|BAZbtUrDKdg`w{ z)t}l{UJrlu&S0O~GRw5FF{m=@zp=>5nB%P_yLO~5UwrL2PqS(5l*!$>R(fael_@Nk zdbl+Bqi?I~O7{h)!apx}KhNB9|L*R!y5_IyOF7KXGdf1btA0uB*|3DI=+ma2GsX2u zf6BKytqbgt-n6ZA@29AP-(?p)U$a>|?Sqi5?|rV9r*~=?uKm}tXDj3P`RZj0;#YJ}S6-TE#I)S= zhNkoDS3xquv(ENkZ*C5Kw)D|>-vxXAu>vgG8@%yZn zOtM_*!S-D6LACIrtKZTl1-zU+Z3~;Nd~WacL+AE1>{95NHFbgYm-SLvv!r|P=t+N= zB9OXTTeITEW%-$$MpipN-gT@l_<5!_lHuOdOYRRQp9tLJ(KjR1c=PXj@A~Gi^?9>L zQuujZo%5Qk?+zK;_`?>ND?SY2+o@yGP3 z`1`%DJCqo=z1DEb^6MS~`_`>+EojQqWf1S?1UAx6}>%&KzKd<<;_1Cq( z&r9dr{lOkA|95F@;JfrS0mWPQ70mk0ZD@GDvGa0;*M!7JU8ytpCBoQiG$YHdGh8oI zw7&3|Yt_at^Y<^iVCH)L_#ern9(}omQw>a6vu8r zl@>*B@cQoanKyF2;mf%U|FU~N+}r-?VDGboGYpzo9gzx*1x>6*EKRI>22HG522HGL zY}~NogNu=AK@-b6gC>?&D5VNBs8s39?RjuZZ+aN0RAFgiIk9kYbdA2j+`d=e^Iit9 zPV(LHVCvTIA^M-{IX`%=Ov_Jxuus|l?#DN~FQ*8dao?ZHezUSfb>Mk`)h_J8<&dBbWg^@eOt&SS5tUL=ZEZ)P*TE~y&cS{|&o zA<1uF(BbASCmN>P|9#f)vhL=sZ$Xb`1UD>Q@!9r3bjPAE{11J%Z|y$wQTuD%$`yaw z51;*?z&uU=&Dq8C>&1eKxj${)GUv@%+X8PF^{{fYnp;_3GJ^UJMgFaO|NWeM+JAHT z44W)@PN5*S7guIX3slLC6yI6-{@aDXlM?!#DemuYElrb-zPDXyQ*nVA|3}+RL9roU zJ{j00G;S5(K62mZMqx6u=+bNY^A3EL;@r+MNr!#jPd~0=1cr7bgAA27Lj zCjYOm1<5Bl6%+fOE|y=q)6gv2r7GsfY6o9l3l@*~yw2?czt>FZsXTsqige^r+keJi zrkjgNsRZ81;f!l*oib5VAzXFUxigv?@2nk+AI2=!otPx<_nybNTCIaI@xF$MF>?GOHM*>L<=j&q=irHVDv z%?EGP7v)}PH@wjjRoQRXDj%g%taqc5b=q?cm)+-h_AfBuPN|WcbWI~qwEOxU0htxI zUVY0i&}N>|+&?9KO<#Ix@YW@=(^8XG2+llGn<9B$ujxRgi?MOUub=$_`adl$$mBX* z|171rhoi^EaEG8=b&*_Wz;k|K-lKb-u}9v~UcGPXnva5iFU0ocL{BSOZ)tOQ`=TXI 
zj-n5yB-tCNafqK==IJQd{_Nvp#*Bq$6R$OGpVPg_Q8Q<&Bio*a^DkO*mELP~aaQc^ zX*=py-E&@2arTtAi&*OxpX{IHv{`=b$-`C4Po^{^vVJ%;weHrdnM(WiT=_Nq%i|T? zp;h)zUrl~?{Y+Fs=$$=<&h~rm%$EKB{%YcLv5=qZg3{xAWrY2LY=Vu?``Twjv7}zi zd3%*_yJ_Y>D+^zCBWBM4ueT;kPfzk;xp@05b6=M9(Z>>fERPr21jw9EUC*EQ;PKDg zKmU?09^UNLD{CTN^>o6SxWHSEs#l#W&x-Bry?Q3FCR|EJIQ=R6>}AZClFgIfy-Tm` zyK?63^NS^$pDfqDV%-*V;rY~sS5uPG#MBS}mFfM#D&(%Xfp4aU=H594yY25knwxpv zK*28k9A|-;^aP&EK2uL#;?wb*?Kt1Q|FZV9jLXZm+ANEECF3bl;rb>vEi^DRP&D9VW7XzkW|CrMU=h(>CO6?&L)wDr<;5}bA6`~`y|8r`3&&}p NISSD)9y^0dNdRaYw-o>Y diff --git a/conf/mysql_ssl_default_certificate/client_certificate/ca.pem b/conf/mysql_ssl_default_certificate/client_certificate/ca.pem new file mode 100644 index 0000000000..dae8361629 --- /dev/null +++ b/conf/mysql_ssl_default_certificate/client_certificate/ca.pem 
@@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIID7zCCAtegAwIBAgIUFFyovmu0XNcivWB0qsOVztoITk8wDQYJKoZIhvcNAQEL +BQAwgYYxCzAJBgNVBAYTAkNOMRAwDgYDVQQIDAdCZWlqaW5nMRAwDgYDVQQHDAdC +ZWlqaW5nMQ4wDAYDVQQKDAVEb3JpczEOMAwGA1UECwwFRG9yaXMxDjAMBgNVBAMM +BURvcmlzMSMwIQYJKoZIhvcNAQkBFhRkZXZAZG9yaXMuYXBhY2hlLm9yZzAeFw0y +MzA0MTAxMDQyMjRaFw0zMzAyMTYxMDQyMjRaMIGGMQswCQYDVQQGEwJDTjEQMA4G +A1UECAwHQmVpamluZzEQMA4GA1UEBwwHQmVpamluZzEOMAwGA1UECgwFRG9yaXMx +DjAMBgNVBAsMBURvcmlzMQ4wDAYDVQQDDAVEb3JpczEjMCEGCSqGSIb3DQEJARYU +ZGV2QGRvcmlzLmFwYWNoZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQCmL5CmsOWZGGOY4QJ+KoLFvqC4sjSrMtxQjZA3QtYz0E3hc/1vukmTU2MU +EskY4B9gklp4LvoTTbjCdHb1ZzxSqYbkfZL2N55s1j5g5Gphy8fAU4LxlcAX+D2g +k2lsfGn/BnM4jefv1rNAXITF5gpFJtz43hZX39v/ciQEbovtn8jxaaSZJE1pY4NO +LxH0+8OU3pLeVPDoV5Ij0Irm4FKrUVYbbwhitruzU3qhUzCX3fyPtTMoxEaHsxSo +IuR/3LSuRJnRvO8/3HFI4nBCurQZe7W/rNCiADMD7ECDUAbAmzZs8oH/teMRQIIF +S17xQDVhy+fMEiIb5vrJpsSnkxdjAgMBAAGjUzBRMB0GA1UdDgQWBBSb2l0QFsBP +Uf4rpqjnx4hqhh3IyzAfBgNVHSMEGDAWgBSb2l0QFsBPUf4rpqjnx4hqhh3IyzAP +BgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBxXsKx45fVAnxUxN57 +ULJQnwPwqzzhk7LXpn0HhqmVasF1JFnp970ZqW048B7V25NEY828BXuzDj5Oe1Ap +V0yzqh87sVXkRnP1zQi3B6xlyC2w8R2FLzk4NgkZZOSd6es6XV9GDCSaHaMWnwCz +QD/lv1rultohtyeMYk3erc8aLDkEFfjGmeFb9HNpeyas/KQQuAS1XnxsTdhJm+F9 +MVDqMRVZWudFQWt1Tu7OC+5D8nZzDblMuKDptM6ZdUAvy5DpospOLnWK0c04QGKk +RMYp5sxrNeBzyNJIpyEh3V94y1mH/QzQUIGQmNKL1tAKtyIsDcaXPMSW5ojdvxHJ +iN+q +-----END CERTIFICATE----- diff --git a/conf/mysql_ssl_default_certificate/client_certificate/client-cert.pem b/conf/mysql_ssl_default_certificate/client_certificate/client-cert.pem new file mode 100644 index 0000000000..f2996bc605 --- /dev/null +++ b/conf/mysql_ssl_default_certificate/client_certificate/client-cert.pem 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDgzCCAmsCAQEwDQYJKoZIhvcNAQELBQAwgYYxCzAJBgNVBAYTAkNOMRAwDgYD +VQQIDAdCZWlqaW5nMRAwDgYDVQQHDAdCZWlqaW5nMQ4wDAYDVQQKDAVEb3JpczEO +MAwGA1UECwwFRG9yaXMxDjAMBgNVBAMMBURvcmlzMSMwIQYJKoZIhvcNAQkBFhRk +ZXZAZG9yaXMuYXBhY2hlLm9yZzAeFw0yMzA0MTAxMDQ1MjBaFw0zMzAyMTYxMDQ1 +MjBaMIGHMQswCQYDVQQGEwJDTjEQMA4GA1UECAwHQmVpamluZzEQMA4GA1UEBwwH +QmVpamluZzEOMAwGA1UECgwFRG9yaXMxDjAMBgNVBAsMBURvcmlzMQ8wDQYDVQQD +DAZDbGllbnQxIzAhBgkqhkiG9w0BCQEWFGRldkBkb3Jpcy5hcGFjaGUub3JnMIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArWZoLynFbkTTXry3rRoOT0yI ++VWE8Qs/cdKshT8ecNrWgkoMbBtGEoPahtC+BuMfyHsdNSx6Iyyxgee2f41Mqhfv +c9ssZFbq93NPE7rbb8v+LoZkibp5ErM4vtDmKcBp4ZEsWMRxauXYipyvdyGCbswD +M/Hd0PPFubpEoqg/8qjIz/TbQIXbJ2FYkKFv8Z3RYvy0GP5ZVpTm4zcYB6RAzr6z ++qbA3Li/0UjUVSdhzsoDWn5lOfX6Dp7yAuiocSMpMk65A/pwwRPSJ9u/gPP2LVsJ +L5uBogk29Hj5QBwRGePz0hJnDR3C4Lb786zHWk0QmHvVxQJq+DIbY8vlMhv6DwID +AQABMA0GCSqGSIb3DQEBCwUAA4IBAQCgi2pRKqWiZv6Xlpn4Viv/N+G9J+0/IUnd +YWvhmF4yzBb4R4FjyxiKG9d79o6JhhJ1ts5fmNk/idS0sBoj8FOkj53KAbw6pHBQ +bO3f+UYWLvx8I8F5iycAseA5GTid2cOU8s/gY34rhvey2PGzR+hxfDDGbpRxXFKw +X4zOKCYK8qAR9dDc8MOJyAs30NXn6vxiQSNijJe7+0J91NbAOHw/NeaIS673exqs +K7nPiAe7tPwZOY5LsZxzrosTIsUryheM8S+S0Sqess+zkKMV1xbCbyk2eMbhdfyL +5xLGv7HxnIEoJyRKQ4q0wk9GteLdvlSAKJ1cTe/n8NOf36cXZj/s +-----END CERTIFICATE----- diff --git a/conf/mysql_ssl_default_certificate/client_certificate/client-key.pem b/conf/mysql_ssl_default_certificate/client_certificate/client-key.pem new file mode 100644 index 0000000000..350f34da24 --- /dev/null +++ b/conf/mysql_ssl_default_certificate/client_certificate/client-key.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEArWZoLynFbkTTXry3rRoOT0yI+VWE8Qs/cdKshT8ecNrWgkoM +bBtGEoPahtC+BuMfyHsdNSx6Iyyxgee2f41Mqhfvc9ssZFbq93NPE7rbb8v+LoZk +ibp5ErM4vtDmKcBp4ZEsWMRxauXYipyvdyGCbswDM/Hd0PPFubpEoqg/8qjIz/Tb +QIXbJ2FYkKFv8Z3RYvy0GP5ZVpTm4zcYB6RAzr6z+qbA3Li/0UjUVSdhzsoDWn5l +OfX6Dp7yAuiocSMpMk65A/pwwRPSJ9u/gPP2LVsJL5uBogk29Hj5QBwRGePz0hJn +DR3C4Lb786zHWk0QmHvVxQJq+DIbY8vlMhv6DwIDAQABAoIBAQCgQ3IvhQ/w5rPl +b87jsp1fNYGz0RLaJmcxMGI7lSbxb5GrQf1RPbP6ENu8ltnLS8hoZ0GLj9wi/n/h +bOQD5/jfjNfH4N6arqrkojKILb/7CDOZlKT/ltWoLvVXh4PzOt+hl6fBM28QOfd1 +xXN3TAVdmjmrnPRC18v76Oje3VqdT1TyZT9oWFCj906AtiTW+77h6XccWFRC3A99 +lNUM3nCmwgik+MOZ6vNkkNbCb4KlLJXebX+hY6XPqszjEYbp5mdvPczSniAV//V+ +BJINHs4XV3JfdY5BfzRzARt1fkQRDwae0FkVjPVROQQ5TkU3XDPtnXxVaXoQm3QB +HNYT7LbhAoGBANp7Ys4zSphFXodip4AkGfRlyCVgzPWyvCWMZy9UQcw1Mh2ab/6x +CYiW9RSSbmNd1cC6zh4lwLrfTQHNvmWLxnUPt+Uu6DLZFJnDqhFPj6CHYoB3t8AX +iwozAIqE/qSlXYAAN26hyoNPxO8+mtQk4Noupmp8vpaVbuB9BfElS0FFAoGBAMst +MDYTGU+T5BKNl1IE3HlXT2YsJm6QfREXoopYC9vr0R/0/kZX6lQnuujGxTZG9tEo +geoAf82vKCmYDVPfGf0o8L9f+KcB2GP3JRXmqn7n1ALMLTQDG4GPsa5aK+ey+lue +xXM6zDqWNcz/YEvfAz/SdLHIavwn1y0Nr6iMACFDAoGBAK6p34areKIdKwIe+3u0 +4M8Co6xGI/T0q/d0tHUg7e08RdFmyswZal65GDsXCYsE1ELc1LVDRz3eEOk1O1Zh +FQo2w7RD+LvV0eNPimGGcnNKaJP9oXe/GpfPyEn1IsIrtYEEK0yVqZmqpu0A5rRc +uymSC9ar3Y3y7w4mxR5Qy0XlAoGAMYp3Mvg9N7Yr6ooz13/v8nZjmdoyFMuOc1h7 +/ZeybJF3kH9AcQ6GyLZXUOMGu1FaZW2nH9O3VgPbmyjENyszPxN4gHF6Q96jUNy2 +Yjy4XfFRNM1sSD5pupG7FXRPOFPfz+9K3en8Wly+CZpLdLSQKkO6yI7B53IfeZDY +wBRDA9kCgYAnzeIm+c8ahQ6HNWdRtuMdPeP/2sHyJV9tv/ZTsi2QAgfd4rqmGEhM +20eJp4RQzB68wIDMZcoSP8xpACZQYwH5RZvQ8zo53SXrgWgb6XYno8lRc0cxh5oL +ILtgCAxt/20PcpFx5Igh04TIOsYY2Ksp56cbJL6u7uyBnKwwa4XpCg== +-----END RSA PRIVATE KEY----- 
diff --git a/conf/mysql_ssl_default_certificate/server_certificate.p12 b/conf/mysql_ssl_default_certificate/server_certificate.p12 new file mode 100644 index 0000000000000000000000000000000000000000..a0956a6396441b155caa661ad076d4fc45408126 GIT binary patch literal 2501 zcmXqL;ylR2$ZXKW+0MqP)#lOmotKfFaX}Mj1xpiWi9r)*fk6|CIzozVK@*FFK@*Dz z6C;B`6ALdwhS5NVjSFf54j={|P6y-n}7r~Iz!2a&fuzc_HM4mZ)NzW>g^WYOD2T}HPa z)U~bu@G&fXci4o5Vqpv#vn3ZF(QU7u^BKlS-3wmXx0rM@(Ce5_Mfk6bU; zbdfc#@#mAdTND}dJu4^ARAyiC=%`ttdET2>=RM|3*|Kgz&jX#^w#O#rdI!by{^I7D zn{+Uc=~%(adrr+9Isael6=)QEVu}cRU3=8VEr(6;*0Oe%-BVFhP~53|OL=4Bm%sA4 zpYs*f&QDA6ovi8lFzM*T%CJKX%vv_A8Fkj7vwr6;&ArXtT=8R#)b-v&f_wcq=g4Hb zaIH&T%%OU^@k6oF)SlyvS`+pKy3Bud|N7M5%#&7eCRH`Iew%e^`yT<`7VS&?A(}tG zuY7QO{nAaA{|=W#%hvktKQy<-`a^ffq<>#NL`0o&Zl8HN&vWhB?HtS>YC{dv7e6`F zdr&9g^{wUKl-Aajwaj=koAoqr+`403bH0k}UR<`;_tMV8O-o#5W(e^z?o0gnQCxO* z#ZRM%CVlme)I^!YUXufp+?M#A6<0oSyyohbLyYo5n@$}K-S&L5BbPaoUvA~(->N~& z?f(>7Xqiqa#fXo zIDcDRy(Kv1{IB#4FK0)nUH+JI;nbtZ4~ED3KbFe}9D8{n`gE7U)HIXxmVO(hck6up z?05XR$BeR_d6M~$3|DTuv+ZqAy5@}ZV;ssZ)|po`ti37XXOh|A5!^p=|cFNUCkAn^R{|)#_T%l zepI?+<*_tnmK~dp)ue3V__n)c@%ulwo0MMG30qfR@UZ!pdf=bx^S>SkR<^hsG_g7& z6$lHOSdCbkSoI8=ShWnASk>6LVZ{R%Bh!K=mUjkCEU!>X4Q5cOp_I6L&((vUmw-wQ zmL`@HVlO_XzF*B9-6{C~{)V~XuPd16a^HNq{I^5+1(AOa6`%Dk-oDX#^U&8MN$$C; z@0FDkncevyvbg!$mb3O(@`YAeM}5nhXEa~hc!hh`letqhpU&^K zGn%$(>$(mf_b|I(G3rhg#b-)<&wt&n@M_yrQG*Yj|Jje8jDrpOo!b+5 zwAV>*uGkdA*(zbLB5*!QcEf~~FABFm@lyJ^^{!iJV1b#~#9VUJzTR zbf%`O-eG2^QsJ^6)7g?lFQwQ=OyYZWC|-ZJW@y@Nvn1aLHJ8n;ekCmRG7mP0b7o|B zT`sDMo_cn5f1{p24<#bC8)?U2O`o8}kkJ#6AiM{+n&26pkTnb)FvIz=2 zs#~z~rYUnY!xWoaJSTKMAG>%wD=BwxtAAkp6sBLB*EAi>(AL@-TDbMcXW|N2 z|H>}>oSDFAbu=y6a%-q`o5345$7GFFDHC_5yX-#4H*2{^hVHHU9mf(qo?b0@_VVQQ z3D;B5bNUhlUd)wZvt+{W_A_8tb zs4la7$g@$|XhK$R)sxF{YqJ55s`aO-y_^`{rY10}frP~E}yANG(sxdmhJC^g* zwh5-G6P*tph;KV_{g?E_Bw_J03+?RewDUi%$@Sf7!>#dTW?6vb9(R{byEjRjTR+)v z^jYoee#Je>k!_(4%~eu0UzRt@H2H7bw3Me=Us zak{gJA@z&$%ZVlX0!E9*qhnq%w5#D 
zn(O30bt9L9ztU!HIkMn^a=?rUpYr2G91dMc*zdpmg5lgvKQ7%o_%JbCZL7E9r{uw0$)q!z4NNDlJ#TU^*VsvrkNr|q zaVlSaoAi#)lX6dVzx$FK|42_Lc|+a~CfCA-j7tiim)ie79N3-N8KQe9LYp&Y&7lR# zyYGD4rJ4KJuupPdisnbT37e*_JM ca-key.pem +openssl req -new -x509 -nodes -days 3600 \ + -key ca-key.pem -out ca.pem + +# Generate the server certificate and sign it with the above CA +# server-cert.pem = public key, server-key.pem = private key +openssl req -newkey rsa:2048 -days 3600 \ + -nodes -keyout server-key.pem -out server-req.pem +openssl rsa -in server-key.pem -out server-key.pem +openssl x509 -req -in server-req.pem -days 3600 \ + -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem + +# Generate the client certificate and sign it with the above CA +# client-cert.pem = public key, client-key.pem = private key +openssl req -newkey rsa:2048 -days 3600 \ + -nodes -keyout client-key.pem -out client-req.pem +openssl rsa -in client-key.pem -out client-key.pem +openssl x509 -req -in client-req.pem -days 3600 \ + -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem ``` -2. Review the created certificate. +2. Verify the created certificates: ```bash -openssl x509 -text -noout -in certificate.pem +openssl verify -CAfile ca.pem server-cert.pem client-cert.pem ``` 3. Combine your key and certificate in a PKCS#12 (P12) bundle. ```bash -openssl pkcs12 -inkey key.pem -in certificate.pem -export -out certificate.p12 -``` +# Package the CA key and certificate +openssl pkcs12 -inkey ca-key.pem -in ca.pem -export -out ca_certificate.p12 -4. Validate your P2 file. -```bash -openssl pkcs12 -in certificate.p12 -noout -info +# Package the server-side key and certificate +openssl pkcs12 -inkey server-key.pem -in server.pem -export -out server_certificate.p12 ``` -After completing these operations, you can get the certificate.p12 file. - >[reference documents](https://www.ibm.com/docs/en/api-connect/2018.x?topic=overview-generating-self-signed-certificate-using-openssl) 
diff --git a/docs/en/docs/get-starting/get-starting.md b/docs/en/docs/get-starting/get-starting.md index 69be69525d..03020547fb 100644 --- a/docs/en/docs/get-starting/get-starting.md +++ b/docs/en/docs/get-starting/get-starting.md @@ -164,7 +164,7 @@ ReplayedJournalId: 49292 Doris supports SSL-based encrypted connections. It currently supports TLS1.2 and TLS1.3 protocols. Doris' SSL mode can be enabled through the following configuration: Modify the FE configuration file `conf/fe.conf` and add `enable_ssl = true`. -Next, connect to Doris through `mysql` client, mysql supports three SSL modes: +Next, connect to Doris through `mysql` client, mysql supports five SSL modes: 1. `mysql -uroot -P9030 -h127.0.0.1` is the same as `mysql --ssl-mode=PREFERRED -uroot -P9030 -h127.0.0.1`, both try to establish an SSL encrypted connection at the beginning, if it fails , a normal connection is attempted. 
@@ -172,12 +172,14 @@ Next, connect to Doris through `mysql` client, mysql supports three SSL modes: 3. `mysql --ssl-mode=REQUIRED -uroot -P9030 -h127.0.0.1`, force the use of SSL encrypted connections. +4.`mysql --ssl-mode=VERIFY_CA --ssl-ca=ca.pem -uroot -P9030 -h127.0.0.1`, force the use of SSL encrypted connection and verify the validity of the server's identity by specifying the CA certificate。 + +5.`mysql --ssl-mode=VERIFY_CA --ssl-ca=ca.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem -uroot -P9030 -h127.0.0.1`, force the use of SSL encrypted connection, two-way ssl。 + >Note: >`--ssl-mode` parameter is introduced by mysql5.7.11 version, please refer to [here](https://dev.mysql.com/doc/connector-j/8.0/en/connector-j-connp-props-security.html) for mysql client version lower than this version。 -Doris needs a key certificate file to verify the SSL encrypted connection. The default key certificate file is located at `Doris/fe/mysql_ssl_default_certificate/certificate.p12`, and the default password is `doris`. You can modify the FE configuration file `conf/fe. conf`, add `mysql_ssl_default_certificate = /path/to/your/certificate` to modify the key certificate file, and you can also add the password corresponding to your custom key book file through `mysql_ssl_default_certificate_password = your_password`. - -For the generation of the key certificate file, please refer to [Key Certificate Configuration](../admin-manual/certificate.md)。 +Doris needs a key certificate file to verify the SSL encrypted connection. The default key certificate file is located at `Doris/fe/mysql_ssl_default_certificate/`. For the generation of the key certificate file, please refer to [Key Certificate Configuration](../admin-manual/certificate.md)。 #### Stop FE diff --git a/docs/zh-CN/docs/admin-manual/certificate.md b/docs/zh-CN/docs/admin-manual/certificate.md index c00d324156..5f9186c9d3 100644 --- a/docs/zh-CN/docs/admin-manual/certificate.md 
+++ b/docs/zh-CN/docs/admin-manual/certificate.md 
@@ -26,36 +26,53 @@ under the License. # SSL密钥证书配置 -Doris开启SSL功能需要配置密钥证书,默认的密钥证书文件位于`Doris/fe/mysql_ssl_default_certificate/certificate.p12`,默认密码为`doris`,您可以通过修改FE配置文件`conf/fe.conf`,添加`mysql_ssl_default_certificate = /path/to/your/certificate`修改密钥证书文件,同时也可以通过`mysql_ssl_default_certificate_password = your_password`添加对应您自定义密钥证书文件的密码。 +Doris开启SSL功能需要配置CA密钥证书和Server端密钥证书,如需开启双向认证,还需生成Client端密钥证书: +* 默认的CA密钥证书文件位于`Doris/fe/mysql_ssl_default_certificate/ca_certificate.p12`,默认密码为`doris`,您可以通过修改FE配置文件`conf/fe.conf`,添加`mysql_ssl_default_ca_certificate = /path/to/your/certificate`修改CA密钥证书文件,同时也可以通过`mysql_ssl_default_ca_certificate_password = your_password`添加对应您自定义密钥证书文件的密码。 +* 默认的Server端密钥证书文件位于`Doris/fe/mysql_ssl_default_certificate/server_certificate.p12`,默认密码为`doris`,您可以通过修改FE配置文件`conf/fe.conf`,添加`mysql_ssl_default_server_certificate = /path/to/your/certificate`修改Server端密钥证书文件,同时也可以通过`mysql_ssl_default_server_certificate_password = your_password`添加对应您自定义密钥证书文件的密码。 +* 默认生成了一份Client端的密钥证书,分别存放在`Doris/fe/mysql_ssl_default_certificate/client-key.pem`和`Doris/fe/mysql_ssl_default_certificate/client_certificate/`。 ## 自定义密钥证书文件 -除了Doris默认的证书文件,您也可以通过`openssl`生成自定义的证书文件。步骤如下: +除了Doris默认的证书文件,您也可以通过`openssl`生成自定义的证书文件。步骤参考[mysql生成ssl证书](https://dev.mysql.com/doc/refman/8.0/en/creating-ssl-files-using-openssl.html) +具体如下: +1. 
生成CA、Server端和Client端的密钥和证书 +``` +# 生成CA certificate +openssl genrsa 2048 > ca-key.pem +openssl req -new -x509 -nodes -days 3600 \ + -key ca-key.pem -out ca.pem -1.运行以下OpenSSL命令以生成您的私钥和公共证书,回答问题并在出现提示时输入答案。 +# 生成server certificate, 并用上述CA签名 +# server-cert.pem = public key, server-key.pem = private key +openssl req -newkey rsa:2048 -days 3600 \ + -nodes -keyout server-key.pem -out server-req.pem +openssl rsa -in server-key.pem -out server-key.pem +openssl x509 -req -in server-req.pem -days 3600 \ + -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem -```bash -openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem +# 生成client certificate, 并用上述CA签名 +# client-cert.pem = public key, client-key.pem = private key +openssl req -newkey rsa:2048 -days 3600 \ + -nodes -keyout client-key.pem -out client-req.pem +openssl rsa -in client-key.pem -out client-key.pem +openssl x509 -req -in client-req.pem -days 3600 \ + -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem ``` -2.查看创建的证书。 +2.验证创建的证书。 ```bash -openssl x509 -text -noout -in certificate.pem +openssl verify -CAfile ca.pem server-cert.pem client-cert.pem ``` -3.将您的密钥和证书合并到 PKCS#12 (P12) 包中。 +3.将您的CA密钥和证书和Sever端密钥和证书分别合并到 PKCS#12 (P12) 包中。 ```bash - openssl pkcs12 -inkey key.pem -in certificate.pem -export -out certificate.p12 +# 打包CA密钥和证书 +openssl pkcs12 -inkey ca-key.pem -in ca.pem -export -out ca_certificate.p12 + +# 打包Server端密钥和证书 +openssl pkcs12 -inkey server-key.pem -in server.pem -export -out server_certificate.p12 ``` -4.验证您的P12文件。 - -```bash -openssl pkcs12 -in certificate.p12 -noout -info -``` - -完成这些操作后即可得到certificate.p12文件。 - >[参考文档](https://www.ibm.com/docs/en/api-connect/2018.x?topic=overview-generating-self-signed-certificate-using-openssl) diff --git a/docs/zh-CN/docs/get-starting/get-starting.md b/docs/zh-CN/docs/get-starting/get-starting.md index 5ce1bbe006..ad4de7f5c5 100644 --- a/docs/zh-CN/docs/get-starting/get-starting.md 
+++ b/docs/zh-CN/docs/get-starting/get-starting.md @@ -168,7 +168,7 @@ ReplayedJournalId: 49292 Doris支持基于SSL的加密连接,当前支持TLS1.2,TLS1.3协议,可以通过以下配置开启Doris的SSL模式: 修改FE配置文件`conf/fe.conf`,添加`enable_ssl = true`即可。 -接下来通过`mysql`客户端连接Doris,mysql支持三种SSL模式: +接下来通过`mysql`客户端连接Doris,mysql支持五种SSL模式: 1.`mysql -uroot -P9030 -h127.0.0.1`与`mysql --ssl-mode=PREFERRED -uroot -P9030 -h127.0.0.1`一样,都是一开始试图建立SSL加密连接,如果失败,则尝试使用普通连接。 @@ -176,12 +176,15 @@ Doris支持基于SSL的加密连接,当前支持TLS1.2,TLS1.3协议,可以 3.`mysql --ssl-mode=REQUIRED -uroot -P9030 -h127.0.0.1`,强制使用SSL加密连接。 +4.`mysql --ssl-mode=VERIFY_CA --ssl-ca=ca.pem -uroot -P9030 -h127.0.0.1`,强制使用SSL加密连接,并且通过指定CA证书验证服务端身份是否有效。 + +5.`mysql --ssl-mode=VERIFY_CA --ssl-ca=ca.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem -uroot -P9030 -h127.0.0.1`,强制使用SSL加密连接,双向验证。 + + >注意: >`--ssl-mode`参数是mysql5.7.11版本引入的,低于此版本的mysql客户端请参考[这里](https://dev.mysql.com/doc/connector-j/8.0/en/connector-j-connp-props-security.html)。 -Doris开启SSL加密连接需要密钥证书文件验证,默认的密钥证书文件位于`Doris/fe/mysql_ssl_default_certificate/certificate.p12`,默认密码为`doris`,您可以通过修改FE配置文件`conf/fe.conf`,添加`mysql_ssl_default_certificate = /path/to/your/certificate`修改密钥证书文件,同时也可以通过`mysql_ssl_default_certificate_password = your_password`添加对应您自定义密钥书文件的密码。 - -密钥证书文件的生成请参考[密钥证书配置](../admin-manual/certificate.md)。 +Doris开启SSL加密连接需要密钥证书文件验证,默认的密钥证书文件位于`Doris/fe/mysql_ssl_default_certificate/`下。密钥证书文件的生成请参考[密钥证书配置](../admin-manual/certificate.md)。 #### 停止 FE 节点 diff --git a/fe/fe-common/src/main/java/org/apache/doris/common/Config.java b/fe/fe-common/src/main/java/org/apache/doris/common/Config.java index d7eb93d78f..7ecab22d8f 100644 --- a/fe/fe-common/src/main/java/org/apache/doris/common/Config.java +++ b/fe/fe-common/src/main/java/org/apache/doris/common/Config.java 
@@ -2043,17 +2043,36 @@ public class Config extends ConfigBase { public static boolean enable_ssl = true; /** - * Default certificate file location for mysql ssl connection. + * If set to ture, ssl connection needs to authenticate client's certificate. */ @ConfField(mutable = false, masterOnly = false) - public static String mysql_ssl_default_certificate = System.getenv("DORIS_HOME") - + "/mysql_ssl_default_certificate/certificate.p12"; + public static boolean ssl_force_client_auth = false; /** - * Password for default certificate file. + * Default CA certificate file location for mysql ssl connection. */ @ConfField(mutable = false, masterOnly = false) - public static String mysql_ssl_default_certificate_password = "doris"; + public static String mysql_ssl_default_ca_certificate = System.getenv("DORIS_HOME") + + "/mysql_ssl_default_certificate/ca_certificate.p12"; + + /** + * Default server certificate file location for mysql ssl connection. + */ + @ConfField(mutable = false, masterOnly = false) + public static String mysql_ssl_default_server_certificate = System.getenv("DORIS_HOME") + + "/mysql_ssl_default_certificate/server_certificate.p12"; + + /** + * Password for default CA certificate file. + */ + @ConfField(mutable = false, masterOnly = false) + public static String mysql_ssl_default_ca_certificate_password = "doris"; + + /** + * Password for default CA certificate file. + */ + @ConfField(mutable = false, masterOnly = false) + public static String mysql_ssl_default_server_certificate_password = "doris"; /** * Used to set session variables randomly to check more issues in github workflow diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/MysqlSslContext.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/MysqlSslContext.java index 3aa7dd45a7..cda57d6b4f 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/mysql/MysqlSslContext.java +++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/MysqlSslContext.java 
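Review bot: The Javadoc on the new `mysql_ssl_default_server_certificate_password` field repeats the CA text (`Password for default CA certificate file.`) and should read `* Password for default server certificate file.`; the comment on `ssl_force_client_auth` also has a typo (`ture` → `true`). The hunk removes the old `mysql_ssl_default_certificate` and `mysql_ssl_default_certificate_password` keys instead of deprecating them, so an existing `fe.conf` that still sets them would presumably fall back to the bundled defaults without any signal to the operator — confirm how ConfigBase treats unknown keys. Since the bundled `ca_certificate.p12` is committed in this same patch, the `ssl_force_client_auth` Javadoc should state that the option only provides assurance once `mysql_ssl_default_ca_certificate` points at an operator-controlled CA, e.g. `* Only meaningful when mysql_ssl_default_ca_certificate is replaced; the bundled CA is public.`.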
@@ -47,9 +47,10 @@ public class MysqlSslContext { private SSLContext sslContext; private String protocol; private ByteBuffer serverAppData; - private static final String keyStoreFile = Config.mysql_ssl_default_certificate; - private static final String trustStoreFile = Config.mysql_ssl_default_certificate; - private static final String certificatePassword = Config.mysql_ssl_default_certificate_password; + private static final String keyStoreFile = Config.mysql_ssl_default_server_certificate; + private static final String trustStoreFile = Config.mysql_ssl_default_ca_certificate; + private static final String caCertificatePassword = Config.mysql_ssl_default_ca_certificate_password; + private static final String serverCertificatePassword = Config.mysql_ssl_default_server_certificate_password; private ByteBuffer serverNetData; private ByteBuffer clientAppData; private ByteBuffer clientNetData; @@ -68,13 +69,14 @@ public class MysqlSslContext { KeyStore ks = KeyStore.getInstance("PKCS12"); KeyStore ts = KeyStore.getInstance("PKCS12"); - char[] password = certificatePassword.toCharArray(); + char[] serverPassword = serverCertificatePassword.toCharArray(); + char[] caPassword = caCertificatePassword.toCharArray(); - ks.load(Files.newInputStream(Paths.get(keyStoreFile)), password); - ts.load(Files.newInputStream(Paths.get(trustStoreFile)), password); + ks.load(Files.newInputStream(Paths.get(keyStoreFile)), serverPassword); + ts.load(Files.newInputStream(Paths.get(trustStoreFile)), caPassword); KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); - kmf.init(ks, password); + kmf.init(ks, serverPassword); TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); tmf.init(ts); 
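Review bot: The streams opened by `Files.newInputStream(...)` on the rewritten `ks.load`/`ts.load` lines in the second hunk are never closed, so every SSL context initialisation leaks two file handles; the rewrite kept the old pattern rather than fixing it. Wrap both loads in try-with-resources as below (`java.io.InputStream` may need importing). The `char[]` password copies are also never cleared after `kmf.init`; `Arrays.fill(serverPassword, '\0')` and the same for `caPassword` once the stores are loaded would bound the in-memory copies, although the `static final String` originals still live for the JVM lifetime. The enclosing method begins before the hunk.
```java
try (InputStream ksIn = Files.newInputStream(Paths.get(keyStoreFile));
        InputStream tsIn = Files.newInputStream(Paths.get(trustStoreFile))) {
    ks.load(ksIn, serverPassword);
    ts.load(tsIn, caPassword);
}
// … unchanged: KeyManagerFactory / TrustManagerFactory initialisation …
```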
@@ -91,6 +93,10 @@ public class MysqlSslContext {
 // set to server mode
 sslEngine.setUseClientMode(false);
 sslEngine.setEnabledCipherSuites(sslEngine.getSupportedCipherSuites());
+ sslEngine.setWantClientAuth(true);
+ if (Config.ssl_force_client_auth) {
+ sslEngine.setNeedClientAuth(true);
+ }
 }
 
 public SSLEngine getSslEngine() {
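Review bot: `setNeedClientAuth(true)` enforces client certificates against whatever `trustStoreFile` holds, and by default that is the `ca_certificate.p12` committed in this same patch; the docs in this patch build it from `ca-key.pem` with the password `doris`, so with the shipped defaults `ssl_force_client_auth` cannot distinguish a legitimate client from anyone who can issue a certificate under the public CA. Consider logging a warning during initialisation when `Config.ssl_force_client_auth` is true and `trustStoreFile` still equals the default path, so operators see that the bundled CA must be replaced before relying on mutual authentication; the README added in this commit says the same, but nothing at runtime does. As a style point, `setNeedClientAuth(true)` overrides the preceding `setWantClientAuth(true)`, so the intent reads more clearly as `if (Config.ssl_force_client_auth) { sslEngine.setNeedClientAuth(true); } else { sslEngine.setWantClientAuth(true); }`.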
diff --git a/regression-test/certificate.p12 b/regression-test/certificate.p12 deleted file mode 100644 index d54fde284b85bca1f553fffada35960ef515460e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2533 zcmXqL;(W-&$ZXKWxtxtttIebBJ1-+U^*KBl_YgV*RN^0F#d|+n2+vFX6z6pHk zC(PxKcif#JTY23jcW!h(lh)h|5sg0{r&k}T+4t!4EG12Q}*sXN`hdJB_<`wGwdc00}IzxBXq0>*3ckO3c!kL}jyzB99 z7VkYakM4ZFwUcxE+4`7cZcaNk-s$r>^+)o4c}2%9CxttDwu$QJ|BAZbtUrDKdg`w{ z)t}l{UJrlu&S0O~GRw5FF{m=@zp=>5nB%P_yLO~5UwrL2PqS(5l*!$>R(fael_@Nk zdbl+Bqi?I~O7{h)!apx}KhNB9|L*R!y5_IyOF7KXGdf1btA0uB*|3DI=+ma2GsX2u zf6BKytqbgt-n6ZA@29AP-(?p)U$a>|?Sqi5?|rV9r*~=?uKm}tXDj3P`RZj0;#YJ}S6-TE#I)S= zhNkoDS3xquv(ENkZ*C5Kw)D|>-vxXAu>vgG8@%yZn zOtM_*!S-D6LACIrtKZTl1-zU+Z3~;Nd~WacL+AE1>{95NHFbgYm-SLvv!r|P=t+N= zB9OXTTeITEW%-$$MpipN-gT@l_<5!_lHuOdOYRRQp9tLJ(KjR1c=PXj@A~Gi^?9>L zQuujZo%5Qk?+zK;_`?>ND?SY2+o@yGP3 z`1`%DJCqo=z1DEb^6MS~`_`>+EojQqWf1S?1UAx6}>%&KzKd<<;_1Cq( z&r9dr{lOkA|95F@;JfrS0mWPQ70mk0ZD@GDvGa0;*M!7JU8ytpCBoQiG$YHdGh8oI zw7&3|Yt_at^Y<^iVCH)L_#ern9(}omQw>a6vu8r zl@>*B@cQoanKyF2;mf%U|FU~N+}r-?VDGboGYpzo9gzx*1x>6*EKRI>22HG522HGL zY}~NogNu=AK@-b6gC>?&D5VNBs8s39?RjuZZ+aN0RAFgiIk9kYbdA2j+`d=e^Iit9 zPV(LHVCvTIA^M-{IX`%=Ov_Jxuus|l?#DN~FQ*8dao?ZHezUSfb>Mk`)h_J8<&dBbWg^@eOt&SS5tUL=ZEZ)P*TE~y&cS{|&o zA<1uF(BbASCmN>P|9#f)vhL=sZ$Xb`1UD>Q@!9r3bjPAE{11J%Z|y$wQTuD%$`yaw z51;*?z&uU=&Dq8C>&1eKxj${)GUv@%+X8PF^{{fYnp;_3GJ^UJMgFaO|NWeM+JAHT z44W)@PN5*S7guIX3slLC6yI6-{@aDXlM?!#DemuYElrb-zPDXyQ*nVA|3}+RL9roU zJ{j00G;S5(K62mZMqx6u=+bNY^A3EL;@r+MNr!#jPd~0=1cr7bgAA27Lj zCjYOm1<5Bl6%+fOE|y=q)6gv2r7GsfY6o9l3l@*~yw2?czt>FZsXTsqige^r+keJi zrkjgNsRZ81;f!l*oib5VAzXFUxigv?@2nk+AI2=!otPx<_nybNTCIaI@xF$MF>?GOHM*>L<=j&q=irHVDv z%?EGP7v)}PH@wjjRoQRXDj%g%taqc5b=q?cm)+-h_AfBuPN|WcbWI~qwEOxU0htxI zUVY0i&}N>|+&?9KO<#Ix@YW@=(^8XG2+llGn<9B$ujxRgi?MOUub=$_`adl$$mBX* z|171rhoi^EaEG8=b&*_Wz;k|K-lKb-u}9v~UcGPXnva5iFU0ocL{BSOZ)tOQ`=TXI zj-n5yB-tCNafqK==IJQd{_Nvp#*Bq$6R$OGpVPg_Q8Q<&Bio*a^DkO*mELP~aaQc^ 
zX*=py-E&@2arTtAi&*OxpX{IHv{`=b$-`C4Po^{^vVJ%;weHrdnM(WiT=_Nq%i|T? zp;h)zUrl~?{Y+Fs=$$=<&h~rm%$EKB{%YcLv5=qZg3{xAWrY2LY=Vu?``Twjv7}zi zd3%*_yJ_Y>D+^zCBWBM4ueT;kPfzk;xp@05b6=M9(Z>>fERPr21jw9EUC*EQ;PKDg zKmU?09^UNLD{CTN^>o6SxWHSEs#l#W&x-Bry?Q3FCR|EJIQ=R6>}AZClFgIfy-Tm` zyK?63^NS^$pDfqDV%-*V;rY~sS5uPG#MBS}mFfM#D&(%Xfp4aU=H594yY25knwxpv zK*28k9A|-;^aP&EK2uL#;?wb*?Kt1Q|FZV9jLXZm+ANEECF3bl;rb>vEi^DRP&D9VW7XzkW|CrMU=h(>CO6?&L)wDr<;5}bA6`~`y|8r`3&&}p NISSD)9y^0dNdRaYw-o>Y diff --git a/regression-test/conf/regression-conf.groovy b/regression-test/conf/regression-conf.groovy index fa2a4e3cc2..ed1f393a33 100644 --- a/regression-test/conf/regression-conf.groovy +++ b/regression-test/conf/regression-conf.groovy @@ -38,6 +38,7 @@ suitePath = "${DORIS_HOME}/regression-test/suites" dataPath = "${DORIS_HOME}/regression-test/data" pluginPath = "${DORIS_HOME}/regression-test/plugins" realDataPath = "${DORIS_HOME}/regression-test/realdata" +sslCertificatePath = "${DORIS_HOME}/regression-test/ssl_default_certificate" // will test /.groovy // empty group will test all group diff --git a/regression-test/framework/src/main/groovy/org/apache/doris/regression/Config.groovy b/regression-test/framework/src/main/groovy/org/apache/doris/regression/Config.groovy index 027de85c7d..c0062e9eac 100644 --- a/regression-test/framework/src/main/groovy/org/apache/doris/regression/Config.groovy +++ b/regression-test/framework/src/main/groovy/org/apache/doris/regression/Config.groovy @@ -53,6 +53,7 @@ class Config { public String realDataPath public String cacheDataPath public String pluginPath + public String sslCertificatePath public String testGroups public String excludeGroups 
@@ -90,7 +91,7 @@ class Config { String feHttpAddress, String feHttpUser, String feHttpPassword, String metaServiceHttpAddress, String suitePath, String dataPath, String realDataPath, String cacheDataPath, String testGroups, String excludeGroups, String testSuites, String excludeSuites, - String testDirectories, String excludeDirectories, String pluginPath) { + String testDirectories, String excludeDirectories, String pluginPath, String sslCertificatePath) { this.defaultDb = defaultDb this.jdbcUrl = jdbcUrl this.jdbcUser = jdbcUser @@ -110,6 +111,7 @@ class Config { this.testDirectories = testDirectories this.excludeDirectories = excludeDirectories this.pluginPath = pluginPath + this.sslCertificatePath = sslCertificatePath } static Config fromCommandLine(CommandLine cmd) { @@ -137,6 +139,7 @@ class Config { config.realDataPath = FileUtils.getCanonicalPath(cmd.getOptionValue(realDataOpt, config.realDataPath)) config.cacheDataPath = cmd.getOptionValue(cacheDataOpt, config.cacheDataPath) config.pluginPath = FileUtils.getCanonicalPath(cmd.getOptionValue(pluginOpt, config.pluginPath)) + config.sslCertificatePath = FileUtils.getCanonicalPath(cmd.getOptionValue(sslCertificateOpt, config.sslCertificatePath)) config.suiteWildcard = cmd.getOptionValue(suiteOpt, config.testSuites) .split(",") .collect({s -> s.trim()}) @@ -244,7 +247,8 @@ class Config { configToString(obj.excludeSuites), configToString(obj.testDirectories), configToString(obj.excludeDirectories), - configToString(obj.pluginPath) + configToString(obj.pluginPath), + configToString(obj.sslCertificatePath) ) def declareFileNames = config.getClass() 
@@ -327,6 +331,11 @@ class Config { log.info("Set dataPath to '${config.pluginPath}' because not specify.".toString()) } + if (config.sslCertificatePath == null) { + config.sslCertificatePath = "regression-test/ssl_default_certificate" + log.info("Set sslCertificatePath to '${config.sslCertificatePath}' because not specify.".toString()) + } + if (config.testGroups == null) { config.testGroups = "default" log.info("Set testGroups to '${config.testGroups}' because not specify.".toString()) @@ -491,10 +500,7 @@ class Config { String useSslConfig = "verifyServerCertificate=false&useSSL=" + useSsl + "&requireSSL=false" String tlsVersion = "TLSv1.2" String tlsVersionConfig = "&enabledTLSProtocols=" + tlsVersion - String keyStoreFile = "file:regression-test/certificate.p12" - String keyStoreFileConfig = "&trustCertificateKeyStoreUrl=" + keyStoreFile + "&clientCertificateKeyStoreUrl=" + keyStoreFile - String password = "&trustCertificateKeyStorePassword=doris&clientCertificateKeyStorePassword=doris" - String sslUrl = useSslConfig + tlsVersionConfig + keyStoreFileConfig + password + String sslUrl = useSslConfig + tlsVersionConfig // e.g: jdbc:mysql://locahost:8080/dbname? if (url.charAt(url.length() - 1) == '?') { return url + sslUrl diff --git a/regression-test/framework/src/main/groovy/org/apache/doris/regression/ConfigOptions.groovy b/regression-test/framework/src/main/groovy/org/apache/doris/regression/ConfigOptions.groovy index 574ab0a131..5355f8a14c 100644 --- a/regression-test/framework/src/main/groovy/org/apache/doris/regression/ConfigOptions.groovy +++ b/regression-test/framework/src/main/groovy/org/apache/doris/regression/ConfigOptions.groovy @@ -41,6 +41,7 @@ class ConfigOptions { static Option realDataOpt static Option cacheDataOpt static Option pluginOpt + static Option sslCertificateOpt static Option suiteOpt static Option excludeSuiteOpt static Option groupsOpt 
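Review bot: In the `@@ -491,10 +500,7 @@` hunk the JDBC URL now carries only `verifyServerCertificate=false&useSSL=...&requireSSL=false`, so once the keystore parameters are dropped a `useSsl=true` run accepts any server certificate and, if the server does not offer TLS, silently proceeds in plaintext — the framework's JDBC path no longer exercises the server-identity check that the new `ca.pem` is supposed to anchor. The deleted `certificate.p12` at least pinned a truststore; consider `requireSSL=true` whenever `useSsl` is true, and a truststore derived from `ca.pem` under `sslCertificatePath` so `verifyServerCertificate=true` can be enabled (as far as I know Connector/J wants a JKS/PKCS12 keystore URL, not a bare PEM, so a converted file would be needed). Failing that, a comment on `useSslConfig` such as `// NOTE: server certificate is NOT verified here; identity checks are only covered by the mysql-client suite` would stop a reader from assuming this path is verified. The enclosing method starts outside the hunk.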
@@ -148,6 +149,16 @@ class ConfigOptions { .longOpt("plugin") .desc("the plugin path") .build() + + sslCertificateOpt = Option.builder("ssl") + .argName("sslCertificatePath") + .required(false) + .hasArg(true) + .type(String.class) + .longOpt("sslCertificatePath") + .desc("the sslCertificate path") + .build() + suiteOpt = Option.builder("s") .argName("suiteName") .required(false) @@ -316,6 +327,7 @@ class ConfigOptions { .addOption(pathOpt) .addOption(dataOpt) .addOption(pluginOpt) + .addOption(sslCertificateOpt) .addOption(confOpt) .addOption(suiteOpt) .addOption(excludeSuiteOpt) diff --git a/regression-test/ssl_default_certificate/ca.pem b/regression-test/ssl_default_certificate/ca.pem new file mode 100644 index 0000000000..dae8361629 --- /dev/null +++ b/regression-test/ssl_default_certificate/ca.pem 
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIID7zCCAtegAwIBAgIUFFyovmu0XNcivWB0qsOVztoITk8wDQYJKoZIhvcNAQEL
+BQAwgYYxCzAJBgNVBAYTAkNOMRAwDgYDVQQIDAdCZWlqaW5nMRAwDgYDVQQHDAdC
+ZWlqaW5nMQ4wDAYDVQQKDAVEb3JpczEOMAwGA1UECwwFRG9yaXMxDjAMBgNVBAMM
+BURvcmlzMSMwIQYJKoZIhvcNAQkBFhRkZXZAZG9yaXMuYXBhY2hlLm9yZzAeFw0y
+MzA0MTAxMDQyMjRaFw0zMzAyMTYxMDQyMjRaMIGGMQswCQYDVQQGEwJDTjEQMA4G
+A1UECAwHQmVpamluZzEQMA4GA1UEBwwHQmVpamluZzEOMAwGA1UECgwFRG9yaXMx
+DjAMBgNVBAsMBURvcmlzMQ4wDAYDVQQDDAVEb3JpczEjMCEGCSqGSIb3DQEJARYU
+ZGV2QGRvcmlzLmFwYWNoZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQCmL5CmsOWZGGOY4QJ+KoLFvqC4sjSrMtxQjZA3QtYz0E3hc/1vukmTU2MU
+EskY4B9gklp4LvoTTbjCdHb1ZzxSqYbkfZL2N55s1j5g5Gphy8fAU4LxlcAX+D2g
+k2lsfGn/BnM4jefv1rNAXITF5gpFJtz43hZX39v/ciQEbovtn8jxaaSZJE1pY4NO
+LxH0+8OU3pLeVPDoV5Ij0Irm4FKrUVYbbwhitruzU3qhUzCX3fyPtTMoxEaHsxSo
+IuR/3LSuRJnRvO8/3HFI4nBCurQZe7W/rNCiADMD7ECDUAbAmzZs8oH/teMRQIIF
+S17xQDVhy+fMEiIb5vrJpsSnkxdjAgMBAAGjUzBRMB0GA1UdDgQWBBSb2l0QFsBP
+Uf4rpqjnx4hqhh3IyzAfBgNVHSMEGDAWgBSb2l0QFsBPUf4rpqjnx4hqhh3IyzAP
+BgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBxXsKx45fVAnxUxN57
+ULJQnwPwqzzhk7LXpn0HhqmVasF1JFnp970ZqW048B7V25NEY828BXuzDj5Oe1Ap
+V0yzqh87sVXkRnP1zQi3B6xlyC2w8R2FLzk4NgkZZOSd6es6XV9GDCSaHaMWnwCz
+QD/lv1rultohtyeMYk3erc8aLDkEFfjGmeFb9HNpeyas/KQQuAS1XnxsTdhJm+F9
+MVDqMRVZWudFQWt1Tu7OC+5D8nZzDblMuKDptM6ZdUAvy5DpospOLnWK0c04QGKk
+RMYp5sxrNeBzyNJIpyEh3V94y1mH/QzQUIGQmNKL1tAKtyIsDcaXPMSW5ojdvxHJ
+iN+q
+-----END CERTIFICATE-----
diff --git a/regression-test/ssl_default_certificate/client-cert.pem b/regression-test/ssl_default_certificate/client-cert.pem
new file mode 100644
index 0000000000..f2996bc605
--- /dev/null
+++ b/regression-test/ssl_default_certificate/client-cert.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDgzCCAmsCAQEwDQYJKoZIhvcNAQELBQAwgYYxCzAJBgNVBAYTAkNOMRAwDgYD
+VQQIDAdCZWlqaW5nMRAwDgYDVQQHDAdCZWlqaW5nMQ4wDAYDVQQKDAVEb3JpczEO
+MAwGA1UECwwFRG9yaXMxDjAMBgNVBAMMBURvcmlzMSMwIQYJKoZIhvcNAQkBFhRk
+ZXZAZG9yaXMuYXBhY2hlLm9yZzAeFw0yMzA0MTAxMDQ1MjBaFw0zMzAyMTYxMDQ1
+MjBaMIGHMQswCQYDVQQGEwJDTjEQMA4GA1UECAwHQmVpamluZzEQMA4GA1UEBwwH
+QmVpamluZzEOMAwGA1UECgwFRG9yaXMxDjAMBgNVBAsMBURvcmlzMQ8wDQYDVQQD
+DAZDbGllbnQxIzAhBgkqhkiG9w0BCQEWFGRldkBkb3Jpcy5hcGFjaGUub3JnMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArWZoLynFbkTTXry3rRoOT0yI
++VWE8Qs/cdKshT8ecNrWgkoMbBtGEoPahtC+BuMfyHsdNSx6Iyyxgee2f41Mqhfv
+c9ssZFbq93NPE7rbb8v+LoZkibp5ErM4vtDmKcBp4ZEsWMRxauXYipyvdyGCbswD
+M/Hd0PPFubpEoqg/8qjIz/TbQIXbJ2FYkKFv8Z3RYvy0GP5ZVpTm4zcYB6RAzr6z
++qbA3Li/0UjUVSdhzsoDWn5lOfX6Dp7yAuiocSMpMk65A/pwwRPSJ9u/gPP2LVsJ
+L5uBogk29Hj5QBwRGePz0hJnDR3C4Lb786zHWk0QmHvVxQJq+DIbY8vlMhv6DwID
+AQABMA0GCSqGSIb3DQEBCwUAA4IBAQCgi2pRKqWiZv6Xlpn4Viv/N+G9J+0/IUnd
+YWvhmF4yzBb4R4FjyxiKG9d79o6JhhJ1ts5fmNk/idS0sBoj8FOkj53KAbw6pHBQ
+bO3f+UYWLvx8I8F5iycAseA5GTid2cOU8s/gY34rhvey2PGzR+hxfDDGbpRxXFKw
+X4zOKCYK8qAR9dDc8MOJyAs30NXn6vxiQSNijJe7+0J91NbAOHw/NeaIS673exqs
+K7nPiAe7tPwZOY5LsZxzrosTIsUryheM8S+S0Sqess+zkKMV1xbCbyk2eMbhdfyL
+5xLGv7HxnIEoJyRKQ4q0wk9GteLdvlSAKJ1cTe/n8NOf36cXZj/s
+-----END CERTIFICATE-----
diff --git a/regression-test/ssl_default_certificate/client-key.pem b/regression-test/ssl_default_certificate/client-key.pem
new file mode 100644
index 0000000000..350f34da24
--- /dev/null
+++ b/regression-test/ssl_default_certificate/client-key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEArWZoLynFbkTTXry3rRoOT0yI+VWE8Qs/cdKshT8ecNrWgkoM
+bBtGEoPahtC+BuMfyHsdNSx6Iyyxgee2f41Mqhfvc9ssZFbq93NPE7rbb8v+LoZk
+ibp5ErM4vtDmKcBp4ZEsWMRxauXYipyvdyGCbswDM/Hd0PPFubpEoqg/8qjIz/Tb
+QIXbJ2FYkKFv8Z3RYvy0GP5ZVpTm4zcYB6RAzr6z+qbA3Li/0UjUVSdhzsoDWn5l
+OfX6Dp7yAuiocSMpMk65A/pwwRPSJ9u/gPP2LVsJL5uBogk29Hj5QBwRGePz0hJn
+DR3C4Lb786zHWk0QmHvVxQJq+DIbY8vlMhv6DwIDAQABAoIBAQCgQ3IvhQ/w5rPl
+b87jsp1fNYGz0RLaJmcxMGI7lSbxb5GrQf1RPbP6ENu8ltnLS8hoZ0GLj9wi/n/h
+bOQD5/jfjNfH4N6arqrkojKILb/7CDOZlKT/ltWoLvVXh4PzOt+hl6fBM28QOfd1
+xXN3TAVdmjmrnPRC18v76Oje3VqdT1TyZT9oWFCj906AtiTW+77h6XccWFRC3A99
+lNUM3nCmwgik+MOZ6vNkkNbCb4KlLJXebX+hY6XPqszjEYbp5mdvPczSniAV//V+
+BJINHs4XV3JfdY5BfzRzARt1fkQRDwae0FkVjPVROQQ5TkU3XDPtnXxVaXoQm3QB
+HNYT7LbhAoGBANp7Ys4zSphFXodip4AkGfRlyCVgzPWyvCWMZy9UQcw1Mh2ab/6x
+CYiW9RSSbmNd1cC6zh4lwLrfTQHNvmWLxnUPt+Uu6DLZFJnDqhFPj6CHYoB3t8AX
+iwozAIqE/qSlXYAAN26hyoNPxO8+mtQk4Noupmp8vpaVbuB9BfElS0FFAoGBAMst
+MDYTGU+T5BKNl1IE3HlXT2YsJm6QfREXoopYC9vr0R/0/kZX6lQnuujGxTZG9tEo
+geoAf82vKCmYDVPfGf0o8L9f+KcB2GP3JRXmqn7n1ALMLTQDG4GPsa5aK+ey+lue
+xXM6zDqWNcz/YEvfAz/SdLHIavwn1y0Nr6iMACFDAoGBAK6p34areKIdKwIe+3u0
+4M8Co6xGI/T0q/d0tHUg7e08RdFmyswZal65GDsXCYsE1ELc1LVDRz3eEOk1O1Zh
+FQo2w7RD+LvV0eNPimGGcnNKaJP9oXe/GpfPyEn1IsIrtYEEK0yVqZmqpu0A5rRc
+uymSC9ar3Y3y7w4mxR5Qy0XlAoGAMYp3Mvg9N7Yr6ooz13/v8nZjmdoyFMuOc1h7
+/ZeybJF3kH9AcQ6GyLZXUOMGu1FaZW2nH9O3VgPbmyjENyszPxN4gHF6Q96jUNy2
+Yjy4XfFRNM1sSD5pupG7FXRPOFPfz+9K3en8Wly+CZpLdLSQKkO6yI7B53IfeZDY
+wBRDA9kCgYAnzeIm+c8ahQ6HNWdRtuMdPeP/2sHyJV9tv/ZTsi2QAgfd4rqmGEhM
+20eJp4RQzB68wIDMZcoSP8xpACZQYwH5RZvQ8zo53SXrgWgb6XYno8lRc0cxh5oL
+ILtgCAxt/20PcpFx5Igh04TIOsYY2Ksp56cbJL6u7uyBnKwwa4XpCg==
+-----END RSA PRIVATE KEY-----
diff --git a/regression-test/suites/mysql_ssl_p0/test_mysql_connection.groovy b/regression-test/suites/mysql_ssl_p0/test_mysql_connection.groovy
index f95ef88058..68fbe46dfe 100644
--- a/regression-test/suites/mysql_ssl_p0/test_mysql_connection.groovy
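Review bot: `client-key.pem` is an unencrypted PKCS#1 private key committed to a public repository, so this key and its `client-cert.pem` are public material: any FE that trusts `ca.pem` for client authentication will accept whoever downloads this file, and "two-way authentication" with these defaults proves nothing about the peer. That is tolerable for a regression fixture only if nothing outside the test tree ever trusts this CA; since `test_mysql_connection.groovy` validates the FE's own server certificate against the same `ca.pem`, the default server credentials appear to chain to it too (inferred, the server side is not in this hunk), which would make a deployment left on the defaults impersonable as well. The certificate validity printed in the DER (Apr 2023 to Feb 2033) means nothing will force a rotation for a decade. PEM has no comment syntax, so the warning belongs in the accompanying README: state plainly that every file under `ssl_default_certificate` is public, test-only material that must be regenerated before any non-test use, and add the path to the project's secret-scanner allowlist so the committed key is a documented exception rather than silent noise.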
+++ b/regression-test/suites/mysql_ssl_p0/test_mysql_connection.groovy @@ -14,6 +14,7 @@ // KIND, either express or implied. See the License for the // specific language governing permissions and limitations // under the License. +import org.apache.doris.regression.Config suite("test_mysql_connection") { suite -> // NOTE: this suite need you install mysql client 5.7 + to support --ssl-mode parameter @@ -39,10 +40,20 @@ suite("test_mysql_connection") { suite -> String cmdDefault = "mysql -uroot -h" + mysqlHost + " -P" + mysqlPort + " -e \"show variables\""; String cmdDisabledSsl = "mysql --ssl-mode=DISABLE -uroot -h" + mysqlHost + " -P" + mysqlPort + " -e \"show variables\""; String cmdSsl12 = "mysql --ssl-mode=REQUIRED -uroot -h" + mysqlHost + " -P" + mysqlPort + " --tls-version=TLSv1.2 -e \"show variables\""; + // client verifies server certificate + String cmdv1 = "mysql --ssl-mode=VERIFY_CA --ssl-ca=" + context.config.sslCertificatePath + "/ca.pem -uroot -h" + mysqlHost + " -P" + mysqlPort + " --tls-version=TLSv1.2 -e \"show variables\""; + + // two-way ssl auth (client and server both verify their respective certificates) + String cmdv2 = "mysql --ssl-mode=VERIFY_CA --ssl-ca=" + context.config.sslCertificatePath + "/ca.pem \ + --ssl-cert=" + context.config.sslCertificatePath + "/client-cert.pem \ + --ssl-key=" + context.config.sslCertificatePath + "/client-key.pem -uroot -h" + mysqlHost + " -P" + mysqlPort + " --tls-version=TLSv1.2 -e \"show variables\""; + // The current mysql-client version of the test environment is 5.7.32, which does not support TLSv1.3, so comment this part. // String cmdSsl13 = "mysql --ssl-mode=REQUIRED -uroot -h" + mysqlHost + " -P" + mysqlPort + " --tls-version=TLSv1.3 -e \"show variables\""; executeMySQLCommand(cmdDefault); executeMySQLCommand(cmdDisabledSsl); executeMySQLCommand(cmdSsl12); // executeMySQLCommand(cmdSsl13); + executeMySQLCommand(cmdv1); + executeMySQLCommand(cmdv2); }
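Review bot: `cmdv2` is labelled two-way authentication but the only assertion is that the connection succeeds, and the mysql client will present `--ssl-cert`/`--ssl-key` whether or not the server ever requests them; unless the FE under test is configured to require client certificates, this command passes exactly like `cmdv1` and does not demonstrate mutual TLS. A negative case makes the claim checkable: run the same connection without `--ssl-cert`/`--ssl-key` (or with a certificate not signed by `ca.pem`) and assert that `executeMySQLCommand` fails, guarded by whatever FE setting turns client-cert enforcement on. The `import org.apache.doris.regression.Config` added in the first hunk looks unused, since the new code reads `context.config.sslCertificatePath` and never names `Config`. If the `cmdv2` literal really spans lines with a trailing backslash as printed, the continuation lines' leading indentation becomes part of the command string; harmless for the shell split, but a single-line `String cmdv2 = ... + " --ssl-cert=" + ...` would be clearer.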