Add support for mTLS authentication in Arrow Flight client #25179
Conversation
elbinpallimalilibm
requested review from
steveburnett,
elharo and
a team
as code owners
prestodb-ci
requested review from
a team,
bibith4 and
pratyakshsharma
and removed request for
a team
elbinpallimalilibm
force-pushed
the
arrow_mtls
branch
from
38df200 to
f2aff7e
Compare
|
https://github.com/prestodb/presto/actions/runs/15201290385/job/42755765576?pr=25179 @steveburnett I'm not able to figure out why the presto-docs check is failing. Can you help here? Edit : Waiting for fix to be merged here. |
elbinpallimalilibm
force-pushed
the
arrow_mtls
branch
from
f2aff7e to
16c6399
Compare
|
Fix has been merged, and the test is now passing - see #25188 for an example. Rebase your PR to re-run the CI tests and |
elbinpallimalilibm
force-pushed
the
arrow_mtls
branch
2 times, most recently
from
7bdfc96 to
bb2cf1d
Compare
There was a problem hiding this comment.
Thank you for the fix @elbinpallimalilibm. I have added few comments, please check.
| return flightClientSSLCertificate; | ||
| } | ||
|
|
||
| @Config("arrow-flight.client-ssl-certificate") |
There was a problem hiding this comment.
I think it will be good to add a comment here saying this is needed for mTLS auth.
There was a problem hiding this comment.
Added comments.
| Optional<InputStream> clientCertificate = Optional.empty(); | ||
| Optional<InputStream> clientKey = Optional.empty(); | ||
| if (config.getFlightClientSSLCertificate() != null && config.getFlightClientSSLKey() != null) { | ||
| clientCertificate = Optional.of(newInputStream(Paths.get(config.getFlightClientSSLCertificate()))); |
There was a problem hiding this comment.
trying to understand it a bit better, what happens if the certificate and key are invalid? Lets use a try-catch block here? And maybe add a test case covering this scenario?
There was a problem hiding this comment.
If the cert is invalid, executing a query will give the user an error that the cert is invalid. Added a test case that covers this scenario.
| @@ -52,7 +52,9 @@ Property Name Description | |||
| ========================================== ============================================================== | |||
| ``arrow-flight.server`` Endpoint of the Flight server | |||
| ``arrow-flight.server.port`` Flight server port | |||
| ``arrow-flight.server-ssl-certificate`` Pass ssl certificate | |||
| ``arrow-flight.server-ssl-certificate`` Path to SSL certificate of Flight server | |||
| ``arrow-flight.client-ssl-certificate`` Path to SSL certificate that Flight client should use | |||
There was a problem hiding this comment.
nit: lets modify these to include "in case of mTLS authentication" to make it more clear?
There was a problem hiding this comment.
Updated the docs.
| } | ||
|
|
||
| @BeforeClass | ||
| public void setup() |
There was a problem hiding this comment.
The 2 test classes have a lot of duplicate code. Please see if we can use inheritance to avoid this redundant code?
There was a problem hiding this comment.
Refactored the test classes.
elbinpallimalilibm
force-pushed
the
arrow_mtls
branch
from
bb2cf1d to
60eaa3b
Compare
elbinpallimalilibm
force-pushed
the
arrow_mtls
branch
2 times, most recently
from
117c43a to
4a84c3b
Compare
elbinpallimalilibm
force-pushed
the
arrow_mtls
branch
from
4a84c3b to
83a005f
Compare
Description
Add support for mTLS authentication in Arrow Flight client
Motivation and Context
If the Flight server has mTLS authentication enabled, then the Flight client should be able to use client certificate and key.
Impact
Test Plan
Added positive and negative test cases against an mTLS enabled Flight server.
Contributor checklist
Release Notes
Please follow release notes guidelines and fill in the release notes below.