[REST] Add option to configure TLS settings in REST client #13190
| import org.apache.hc.client5.http.ssl.HttpsSupport; | ||
| import org.apache.hc.core5.ssl.SSLContexts; | ||
|
|
||
| public interface TLSConfigurer { |
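Review bot: The two imports at the top of this hunk, `org.apache.hc.client5.http.ssl.HttpsSupport` and `org.apache.hc.core5.ssl.SSLContexts`, sit in the same file as `public interface TLSConfigurer`, so the plugin interface's source depends on Apache HttpClient 5 classes. If they are only needed to supply default values, consider resolving those defaults in the REST client and keeping the interface on JDK types such as `javax.net.ssl.SSLContext`, so the interface stays independent of the HTTP library version.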
Can we have functions for the constructor DefaultClientTlsStrategy which accepts TLS protocol and cipher suites as well? We are on 5.5; this will be really helpful in enforcing TLS 1.3 and only certain cipher suites which a maintainer may want to enforce.
Sure, added. I left HostnameVerificationPolicy and SSLBufferMode at default for now to avoid any Apache HTTP dependencies in the interface.
singhpk234 left a comment
LGTM, thanks @bryanck !
| } | ||
|
|
||
| @Test | ||
| public void testLoadTLSConfigurer_NoArgConstructorNotFound() { |
nit: I know we use this naming scheme with _ in the name in TestCatalogUtil but I feel like just omitting it reads better
Yes, agreed, the underscore convention isn't used in this test class anyway so I removed it.
Thanks for the reviews @nastra and @singhpk234 !
This PR adds an option to the REST client to configure TLS settings via a pluggable configurer class. Java supports setting some TLS parameters via System properties, but doing so will affect all connections, and causes issues with clients such as the S3 client.
Also, while some basic parameters could be set via catalog properties, using a plugin approach allows the most flexibility when configuring mutual authentication, which can involve custom logic for certificate and host name verification. This aligns with the pluggable model currently used for AuthManagers.
If useful, we could follow this PR up with an implementation that is driven off of catalog properties, for cases that don't need special logic. This would allow setting the keystore and the truststore specifically for the REST client, for example.
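The distinction drawn in the PR description above, JVM-wide system properties versus settings scoped to one client, shown as an added example (not code from this PR or from Iceberg) using only JDK classes. The class name, allow-lists, host name and empty truststore are constructed for illustration, and a JDK with TLS 1.3 support (11 or later) is assumed.

```java
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManagerFactory;

public class PerClientTlsDemo {
  // Constructed allow-lists for one client; not values from the PR.
  static final String[] PROTOCOLS = {"TLSv1.3"};
  static final String[] CIPHER_SUITES = {"TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256"};

  /** Builds a context that trusts only the certificates in the given truststore. */
  static SSLContext contextFor(KeyStore trustStore) throws Exception {
    TrustManagerFactory tmf =
        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(trustStore);
    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(null, tmf.getTrustManagers(), null); // no client key: server auth only
    return ctx;
  }

  /** Creates a client engine restricted to the allow-lists, with hostname checking on. */
  static SSLEngine restrictedEngine(SSLContext ctx, String host, int port) {
    SSLEngine engine = ctx.createSSLEngine(host, port);
    engine.setUseClientMode(true);
    SSLParameters params = engine.getSSLParameters();
    params.setProtocols(PROTOCOLS);
    params.setCipherSuites(CIPHER_SUITES);
    params.setEndpointIdentificationAlgorithm("HTTPS");
    engine.setSSLParameters(params);
    return engine;
  }

  public static void main(String[] args) throws Exception {
    // Constructed input: an empty in-memory truststore stands in for a real one.
    KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
    trustStore.load(null, null);

    SSLEngine rest = restrictedEngine(contextFor(trustStore), "catalog.example.com", 443);
    System.out.println("REST client protocols: " + String.join(",", rest.getEnabledProtocols()));
    System.out.println("REST client ciphers:   " + String.join(",", rest.getEnabledCipherSuites()));

    // Every other connection in the JVM still uses the untouched default context.
    SSLEngine other = SSLContext.getDefault().createSSLEngine();
    System.out.println("JVM default protocols: " + String.join(",", other.getEnabledProtocols()));
  }
}
```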