ADBDEV-6683 TLS options implemented for PXF FDW #146
Conversation
|
bender build |
1 similar comment
|
bender build |
|
I don't like the fact that more or less similar files from external tables and fdw have become more different. |
Yes, it looks not good if you are talking about libchurl. But someone put them there and started to diverge them. IMHO proper solution would be to have a single copy of libchurl and use it from both external tables and fwd. But it is out of scope of this task. |
This comment was marked as resolved.
This comment was marked as resolved.
| if (strcmp("https", pxfsstate->options->pxf_protocol) == 0) { | ||
| ssl_options = churl_make_ssl_options(pxfsstate->options); | ||
| } | ||
|
|
||
| pxfsstate->churl_handle = churl_init_download(pxfsstate->uri.data, pxfsstate->churl_headers, ssl_options); | ||
| if (ssl_options != NULL) { | ||
| free_churl_ssl_options(ssl_options); | ||
| } |
There was a problem hiding this comment.
why not simply
| if (strcmp("https", pxfsstate->options->pxf_protocol) == 0) { | |
| ssl_options = churl_make_ssl_options(pxfsstate->options); | |
| } | |
| pxfsstate->churl_handle = churl_init_download(pxfsstate->uri.data, pxfsstate->churl_headers, ssl_options); | |
| if (ssl_options != NULL) { | |
| free_churl_ssl_options(ssl_options); | |
| } | |
| pxfsstate->churl_handle = churl_init_download(pxfsstate->uri.data, pxfsstate->churl_headers); | |
| if (strcmp("https", pxfsstate->options->pxf_protocol) == 0) { | |
| churl_set_ssl_options(pxfsstate->churl_handle, pxfsstate->options); | |
| } |
and in external table do similar thing
There was a problem hiding this comment.
ssl_options has a type churl_ssl_options which has defined in libchurl, while pxfsstate->options is of type PxfOptions defined in the Pxf. Idea of making churl_ssl_options was to not introduce into libchurl extra dependency of higher level PXF.
There was a problem hiding this comment.
The churl_set_ssl_options function could be called differently and placed outside of libchurl.
There was a problem hiding this comment.
SSL logically looks very like an connection properties and I decided to set them as a part of libchurl.
There was a problem hiding this comment.
Why not do something similar to pxfsstate->churl_headers with a common type for SSL options?
There was a problem hiding this comment.
pxfsstate->churl_headers is a void pointer and does not discover specific type structure. Unlike it, churl_ssl_options is typed. Placing it to the pxfsstate breaks the fact that pxfsstate does not now discover churl-dependent things.
Also, instances of churl_ssl_options are used locally and independently, I don't see any need to put it into pxfsstate.
fdw/pxf_bridge.c
Outdated
| pxfcstate->pxf_host = pstrdup(pxfsstate->options->pxf_host); | ||
| if (ssl_options != 0) { |
There was a problem hiding this comment.
Why we compare not with NULL? And why do we need to allocate the second time? Can't we use the first allocation?
There was a problem hiding this comment.
I had to allocate it second time to have it in the transaction's memory context. It's not related to the first time allocation.
There was a problem hiding this comment.
Why not to make the first allocation already in the transaction's memory context?
There was a problem hiding this comment.
- These instances are independent logically. Second allocation underscores this fact.
- This is more change-proof, it's easier to keep them independent in case of further modifications.
- We won't save much of space and time if reuse memory in other context.
| @@ -242,6 +255,16 @@ pxf_fdw_validator(PG_FUNCTION_ARGS) | |||
| errmsg("the %s option cannot be defined at the foreign-data wrapper level", | |||
| FDW_OPTION_DISABLE_PPD))); | |||
| } | |||
| else if (strcmp(def->defname, FDW_OPTION_SSL_VERIFY_PEER) == 0) | |||
There was a problem hiding this comment.
Can't we move FDW_OPTION_SSL_VERIFY_PEER also to valid_options[] and eliminate this check?
There was a problem hiding this comment.
valid_options and ValidateOption() has a check about option placement, while this check for FDW_OPTION_SSL_VERIFY_PEER also has a type validation which I find rather important.
Of course, it's still possible to add more check types to ValidateOption() but it's rather serious refactoring which is not related to current PR. I'd leave it as is.
TLS options implemented for PXF external tables
The requirement for using TLS is implemented for PXF external tables.
Communication takes place between the segment node and the PXF server and is
pointless without the PXF server. Testing should be done in conjunction with PXF
server changes and is out of scope for this commit.
PXF external tables are controlled by environment variables. The following
options are affected by this commit:
PXF_PROTOCOL: Type string, default http. Defines the protocol for
communication with the PXF server. Possible values are http and https.
PXF_SSL_CACERT: Type string, default
/home/gpadmin/arenadata_configs/cacert.pem. Specifies the absolute path to the
CA certificate that signed the server certificate. Refers to CURLOPT_CAINFO.
PXF_SSL_CERT: Type string, default client.pem. Specifies the path to the
client certificate. Refers to CURLOPT_SSLCERT.
PXF_SSL_CERT_TYPE: Type string, default pem. Defines the type of the client
certificate. Refers to CURLOPT_SSLCERTTYPE.
PXF_SSL_KEY: Type string, default empty. Defines the path to the client's SSL
private key. Refers to CURLOPT_SSLKEY.
PXF_SSL_KEYPASSWD: Type string, default empty. Defines the password for the
client SSL private key. Refers to CURLOPT_KEYPASSWD.
PXF_SSL_VERIFY_PEER: Type long, default 1. Defines whether the client should
verify the server certificate. Refers to CURLOPT_SSL_VERIFYPEER.
---------
Co-authored-by: Denis Kovalev <[email protected]>
|
Please provide how can we test all changed functions inside pxf_bridge.c? Is it enough simple select for testing PxfBridgeImportStart, PxfBridgeCancel, PxfBridgeExportStart? Please specify how these functions are called after query execution. |
dkovalev1
changed the base branch from
feature/ADBDEV-6267
to
feature/ADBDEV-6581
To test changes easier and more stable I introduced test fdw/sql/pxf_fdw_ssl.sql. To run it we need to have support for SSL in PXF, that's why this PR has been rebased to feature/6581. To have a possibility to run both SSL related and non-SSL tests, a new container appeared. This scenario covers both PxfBridgeImportStart and PxfBridgeExportStart. PxfBridgeCancel can not be tested easily, only by interrupting long running query manually. |
TLS options implemented for PXF FDW
The requirement for using TLS is implemented for PXF FDW. The
communication takes place between the segment node and the PXF server and is
pointless without the PXF server. The testing shall be done in conjunction with
PXF server changes and is out of scope for this commit.
To test TLS support there is a new test container Dockerfile_ssl, which adds
PXF_SSL variables and additional SSL-related setup.