Make TLS a cluster configuration option, not configurable per executor

phillipleblanc · phillipleblanc · commit 82ebc10d0df6 · 2025-12-14T22:45:18.000+09:00
diff --git a/ballista/core/proto/ballista.proto b/ballista/core/proto/ballista.proto
@@ -305,8 +305,7 @@ message ExecutorMetadata {
   string host = 2;
   uint32 port = 3;
   uint32 grpc_port = 4;
-  bool   use_tls = 5;
-  ExecutorSpecification specification = 6;
+  ExecutorSpecification specification = 5;
 }
 
 
@@ -317,8 +316,7 @@ message ExecutorRegistration {
   optional string host = 2;
   uint32 port = 3;
   uint32 grpc_port = 4;
-  bool   use_tls = 5;
-  ExecutorSpecification specification = 6;
+  ExecutorSpecification specification = 5;
 }
 
 message ExecutorHeartbeat {
diff --git a/ballista/core/src/execution_plans/distributed_query.rs b/ballista/core/src/execution_plans/distributed_query.rs
@@ -242,6 +242,8 @@ impl<T: 'static + AsLogicalPlan> ExecutionPlan for DistributedQueryExec<T> {
             .session_config()
             .ballista_override_create_grpc_client_endpoint();
 
+        let use_tls = context.session_config().ballista_use_tls();
+
         let stream = futures::stream::once(
             execute_query(
                 self.scheduler_url.clone(),
@@ -250,6 +252,7 @@ impl<T: 'static + AsLogicalPlan> ExecutionPlan for DistributedQueryExec<T> {
                 self.config.clone(),
                 interceptor,
                 customize_endpoint,
+                use_tls,
             )
             .map_err(|e| ArrowError::ExternalError(Box::new(e))),
         )
@@ -288,6 +291,7 @@ async fn execute_query(
     config: BallistaConfig,
     grpc_interceptor: Arc<BallistaGrpcMetadataInterceptor>,
     customize_endpoint: Option<Arc<BallistaConfigGrpcEndpoint>>,
+    use_tls: bool,
 ) -> Result<impl Stream<Item = Result<RecordBatch>> + Send> {
     info!("Connecting to Ballista scheduler at {scheduler_url}");
     // TODO reuse the scheduler to avoid connecting to the Ballista scheduler again and again
@@ -391,6 +395,7 @@ async fn execute_query(
                         max_message_size,
                         true,
                         customize_endpoint.clone(),
+                        use_tls,
                     )
                     .map_err(|e| ArrowError::ExternalError(Box::new(e)));
 
@@ -408,6 +413,7 @@ async fn fetch_partition(
     max_message_size: usize,
     flight_transport: bool,
     customize_endpoint: Option<Arc<BallistaConfigGrpcEndpoint>>,
+    use_tls: bool,
 ) -> Result<SendableRecordBatchStream> {
     let metadata = location.executor_meta.ok_or_else(|| {
         DataFusionError::Internal("Received empty executor metadata".to_owned())
@@ -421,7 +427,7 @@ async fn fetch_partition(
         host,
         port,
         max_message_size,
-        metadata.use_tls,
+        use_tls,
         customize_endpoint,
     )
     .await
diff --git a/ballista/core/src/execution_plans/shuffle_reader.rs b/ballista/core/src/execution_plans/shuffle_reader.rs
@@ -163,6 +163,7 @@ impl ExecutionPlan for ShuffleReaderExec {
         let force_remote_read = config.ballista_shuffle_reader_force_remote_read();
         let prefer_flight = config.ballista_shuffle_reader_remote_prefer_flight();
         let customize_endpoint = config.ballista_override_create_grpc_client_endpoint();
+        let use_tls = config.ballista_use_tls();
 
         if force_remote_read {
             debug!(
@@ -197,6 +198,7 @@ impl ExecutionPlan for ShuffleReaderExec {
             force_remote_read,
             prefer_flight,
             customize_endpoint,
+            use_tls,
         );
 
         let result = RecordBatchStreamAdapter::new(
@@ -392,6 +394,7 @@ fn send_fetch_partitions(
     force_remote_read: bool,
     flight_transport: bool,
     customize_endpoint: Option<Arc<BallistaConfigGrpcEndpoint>>,
+    use_tls: bool,
 ) -> AbortableReceiverStream {
     let (response_sender, response_receiver) = mpsc::channel(max_request_num);
     let semaphore = Arc::new(Semaphore::new(max_request_num));
@@ -417,6 +420,7 @@ fn send_fetch_partitions(
                     max_message_size,
                     flight_transport,
                     customize_endpoint_c.clone(),
+                    use_tls,
                 )
                 .await;
             if let Err(e) = response_sender_c.send(r).await {
@@ -438,6 +442,7 @@ fn send_fetch_partitions(
                     max_message_size,
                     flight_transport,
                     customize_endpoint_c,
+                    use_tls,
                 )
                 .await;
             // Block if the channel buffer is full.
@@ -466,6 +471,7 @@ trait PartitionReader: Send + Sync + Clone {
         max_message_size: usize,
         flight_transport: bool,
         customize_endpoint: Option<Arc<BallistaConfigGrpcEndpoint>>,
+        use_tls: bool,
     ) -> result::Result<SendableRecordBatchStream, BallistaError>;
 }
 
@@ -486,6 +492,7 @@ impl PartitionReader for PartitionReaderEnum {
         max_message_size: usize,
         flight_transport: bool,
         customize_endpoint: Option<Arc<BallistaConfigGrpcEndpoint>>,
+        use_tls: bool,
     ) -> result::Result<SendableRecordBatchStream, BallistaError> {
         match self {
             PartitionReaderEnum::FlightRemote => {
@@ -494,6 +501,7 @@ impl PartitionReader for PartitionReaderEnum {
                     max_message_size,
                     flight_transport,
                     customize_endpoint,
+                    use_tls,
                 )
                 .await
             }
@@ -510,6 +518,7 @@ async fn fetch_partition_remote(
     max_message_size: usize,
     flight_transport: bool,
     customize_endpoint: Option<Arc<BallistaConfigGrpcEndpoint>>,
+    use_tls: bool,
 ) -> result::Result<SendableRecordBatchStream, BallistaError> {
     let metadata = &location.executor_meta;
     let partition_id = &location.partition_id;
@@ -521,7 +530,7 @@ async fn fetch_partition_remote(
         host,
         port,
         max_message_size,
-        metadata.use_tls,
+        use_tls,
         customize_endpoint,
     )
     .await
@@ -696,7 +705,6 @@ mod tests {
                     port: 7070,
                     grpc_port: 8080,
                     specification: ExecutorSpecification { task_slots: 1 },
-                    use_tls: false,
                 },
                 partition_stats: PartitionStats {
                     num_rows: Some(1),
@@ -746,7 +754,6 @@ mod tests {
                     port: 7070,
                     grpc_port: 8080,
                     specification: ExecutorSpecification { task_slots: 1 },
-                    use_tls: false,
                 },
                 partition_stats: PartitionStats {
                     num_rows: Some(1),
@@ -797,7 +804,6 @@ mod tests {
                     port: 7070,
                     grpc_port: 8080,
                     specification: ExecutorSpecification { task_slots: 1 },
-                    use_tls: false,
                 },
                 partition_stats: PartitionStats {
                     num_rows: Some(1),
@@ -848,7 +854,6 @@ mod tests {
                     port: 7070,
                     grpc_port: 8080,
                     specification: ExecutorSpecification { task_slots: 1 },
-                    use_tls: false,
                 },
                 partition_stats: Default::default(),
                 path: "test_path".to_string(),
@@ -985,6 +990,7 @@ mod tests {
             false,
             true,
             None,
+            false,
         );
 
         let stream = RecordBatchStreamAdapter::new(
@@ -1011,7 +1017,6 @@ mod tests {
                     port: 50051,
                     grpc_port: 50052,
                     specification: ExecutorSpecification { task_slots: 12 },
-                    use_tls: false,
                 },
                 partition_stats: Default::default(),
                 path: path.clone(),
diff --git a/ballista/core/src/extension.rs b/ballista/core/src/extension.rs
@@ -166,6 +166,12 @@ pub trait SessionConfigExt {
     fn ballista_override_create_grpc_client_endpoint(
         &self,
     ) -> Option<Arc<BallistaConfigGrpcEndpoint>>;
+
+    /// Set whether to use TLS for executor connections (cluster-wide setting)
+    fn with_ballista_use_tls(self, use_tls: bool) -> Self;
+
+    /// Get whether to use TLS for executor connections
+    fn ballista_use_tls(&self) -> bool;
 }
 
 /// [SessionConfigHelperExt] is set of [SessionConfig] extension methods
@@ -440,6 +446,16 @@ impl SessionConfigExt for SessionConfig {
     ) -> Option<Arc<BallistaConfigGrpcEndpoint>> {
         self.get_extension::<BallistaConfigGrpcEndpoint>()
     }
+
+    fn with_ballista_use_tls(self, use_tls: bool) -> Self {
+        self.with_extension(Arc::new(BallistaUseTls(use_tls)))
+    }
+
+    fn ballista_use_tls(&self) -> bool {
+        self.get_extension::<BallistaUseTls>()
+            .map(|ext| ext.0)
+            .unwrap_or(false)
+    }
 }
 
 impl SessionConfigHelperExt for SessionConfig {
@@ -643,6 +659,10 @@ impl BallistaConfigGrpcEndpoint {
     }
 }
 
+/// Wrapper for cluster-wide TLS configuration
+#[derive(Clone, Copy)]
+pub struct BallistaUseTls(pub bool);
+
 #[cfg(test)]
 mod test {
     use datafusion::{
diff --git a/ballista/core/src/serde/generated/ballista.rs b/ballista/core/src/serde/generated/ballista.rs
@@ -470,9 +470,7 @@ pub struct ExecutorMetadata {
     pub port: u32,
     #[prost(uint32, tag = "4")]
     pub grpc_port: u32,
-    #[prost(bool, tag = "5")]
-    pub use_tls: bool,
-    #[prost(message, optional, tag = "6")]
+    #[prost(message, optional, tag = "5")]
     pub specification: ::core::option::Option<ExecutorSpecification>,
 }
 /// Used for scheduler-executor
@@ -487,9 +485,7 @@ pub struct ExecutorRegistration {
     pub port: u32,
     #[prost(uint32, tag = "4")]
     pub grpc_port: u32,
-    #[prost(bool, tag = "5")]
-    pub use_tls: bool,
-    #[prost(message, optional, tag = "6")]
+    #[prost(message, optional, tag = "5")]
     pub specification: ::core::option::Option<ExecutorSpecification>,
 }
 #[derive(Clone, PartialEq, ::prost::Message)]
diff --git a/ballista/core/src/serde/scheduler/from_proto.rs b/ballista/core/src/serde/scheduler/from_proto.rs
@@ -236,7 +236,6 @@ impl Into<ExecutorMetadata> for protobuf::ExecutorMetadata {
             port: self.port as u16,
             grpc_port: self.grpc_port as u16,
             specification: self.specification.unwrap().into(),
-            use_tls: self.use_tls,
         }
     }
 }
diff --git a/ballista/core/src/serde/scheduler/mod.rs b/ballista/core/src/serde/scheduler/mod.rs
@@ -80,7 +80,6 @@ pub struct ExecutorMetadata {
     pub port: u16,
     pub grpc_port: u16,
     pub specification: ExecutorSpecification,
-    pub use_tls: bool,
 }
 
 /// Specification of an executor, indicting executor resources, like total task slots
diff --git a/ballista/core/src/serde/scheduler/to_proto.rs b/ballista/core/src/serde/scheduler/to_proto.rs
@@ -207,7 +207,6 @@ impl Into<protobuf::ExecutorMetadata> for ExecutorMetadata {
             port: self.port as u32,
             grpc_port: self.grpc_port as u32,
             specification: Some(self.specification.into()),
-            use_tls: self.use_tls,
         }
     }
 }
diff --git a/ballista/executor/src/executor.rs b/ballista/executor/src/executor.rs
@@ -357,7 +357,6 @@ mod test {
             grpc_port: 0,
             specification: None,
             host: None,
-            use_tls: false,
         };
         let config_producer = Arc::new(default_config_producer);
         let ctx = SessionContext::new();
diff --git a/ballista/executor/src/executor_process.rs b/ballista/executor/src/executor_process.rs
@@ -204,8 +204,6 @@ pub async fn start_executor_process(
                 resource: Some(Resource::TaskSlots(concurrent_tasks as u32)),
             }],
         }),
-        // TODO: tls is only supported when manually starting a scheduler and its flight service
-        use_tls: false,
     };
 
     // put them to session config
@@ -471,8 +469,6 @@ pub async fn start_executor_process(
                             resource: Some(Resource::TaskSlots(concurrent_tasks as u32)),
                         }],
                     }),
-                    // TODO: tls is only supported when manually starting an executor poll loop and its flight service
-                    use_tls: false,
                 }),
             })
             .await
diff --git a/ballista/executor/src/standalone.rs b/ballista/executor/src/standalone.rs
@@ -98,7 +98,6 @@ pub async fn new_standalone_executor_from_builder(
             }
             .into(),
         ),
-        use_tls: false,
     };
 
     let config = config_producer();
diff --git a/ballista/scheduler/src/cluster/memory.rs b/ballista/scheduler/src/cluster/memory.rs
@@ -677,7 +677,6 @@ mod test {
             port: 50055,
             grpc_port: 50050,
             specification: ExecutorSpecification { task_slots: 2 },
-            use_tls: false,
         };
 
         cluster_state
diff --git a/ballista/scheduler/src/cluster/mod.rs b/ballista/scheduler/src/cluster/mod.rs
@@ -965,7 +965,6 @@ mod test {
             port: 50051,
             grpc_port: 50052,
             specification: ExecutorSpecification { task_slots: 32 },
-            use_tls: false,
         };
 
         // complete first stage
diff --git a/ballista/scheduler/src/scheduler_server/grpc.rs b/ballista/scheduler/src/scheduler_server/grpc.rs
@@ -83,7 +83,6 @@ impl<T: 'static + AsLogicalPlan, U: 'static + AsExecutionPlan> SchedulerGrpc
                     port: metadata.port as u16,
                     grpc_port: metadata.grpc_port as u16,
                     specification: metadata.specification.unwrap().into(),
-                    use_tls: metadata.use_tls,
                 };
                 if let Err(e) = self
                     .state
@@ -179,7 +178,6 @@ impl<T: 'static + AsLogicalPlan, U: 'static + AsExecutionPlan> SchedulerGrpc
                 port: metadata.port as u16,
                 grpc_port: metadata.grpc_port as u16,
                 specification: metadata.specification.unwrap().into(),
-                use_tls: false,
             };
 
             self.do_register_executor(metadata).await.map_err(|e| {
@@ -225,7 +223,6 @@ impl<T: 'static + AsLogicalPlan, U: 'static + AsExecutionPlan> SchedulerGrpc
                     port: metadata.port as u16,
                     grpc_port: metadata.grpc_port as u16,
                     specification: metadata.specification.unwrap().into(),
-                    use_tls: false,
                 };
 
                 self.do_register_executor(metadata).await.map_err(|e| {
@@ -625,7 +622,6 @@ mod test {
             port: 0,
             grpc_port: 0,
             specification: Some(ExecutorSpecification { task_slots: 2 }.into()),
-            use_tls: false,
         };
         let request: Request<PollWorkParams> = Request::new(PollWorkParams {
             metadata: Some(exec_meta.clone()),
@@ -714,7 +710,6 @@ mod test {
             port: 0,
             grpc_port: 0,
             specification: Some(ExecutorSpecification { task_slots: 2 }.into()),
-            use_tls: false,
         };
 
         let request: Request<RegisterExecutorParams> =
@@ -800,7 +795,6 @@ mod test {
             port: 0,
             grpc_port: 0,
             specification: Some(ExecutorSpecification { task_slots: 2 }.into()),
-            use_tls: false,
         };
 
         let request: Request<HeartBeatParams> = Request::new(HeartBeatParams {
@@ -854,7 +848,6 @@ mod test {
             port: 0,
             grpc_port: 0,
             specification: Some(ExecutorSpecification { task_slots: 2 }.into()),
-            use_tls: false,
         };
 
         let request: Request<RegisterExecutorParams> =
diff --git a/ballista/scheduler/src/scheduler_server/mod.rs b/ballista/scheduler/src/scheduler_server/mod.rs
diff --git a/ballista/scheduler/src/test_utils.rs b/ballista/scheduler/src/test_utils.rs

Original file line number	Diff line number	Diff line change
`@@ -236,7 +236,6 @@ impl Into<ExecutorMetadata> for protobuf::ExecutorMetadata {`
`236`	`236`	`port: self.port as u16,`
`237`	`237`	`grpc_port: self.grpc_port as u16,`
`238`	`238`	`specification: self.specification.unwrap().into(),`
`239`		`- use_tls: self.use_tls,`
`240`	`239`	`}`
`241`	`240`	`}`
`242`	`241`	`}`
Original file line number	Diff line number	Diff line change
`@@ -80,7 +80,6 @@ pub struct ExecutorMetadata {`
`80`	`80`	`pub port: u16,`
`81`	`81`	`pub grpc_port: u16,`
`82`	`82`	`pub specification: ExecutorSpecification,`
`83`		`- pub use_tls: bool,`
`84`	`83`	`}`
`85`	`84`
`86`	`85`	`/// Specification of an executor, indicting executor resources, like total task slots`
Original file line number	Diff line number	Diff line change
`@@ -207,7 +207,6 @@ impl Into<protobuf::ExecutorMetadata> for ExecutorMetadata {`
`207`	`207`	`port: self.port as u32,`
`208`	`208`	`grpc_port: self.grpc_port as u32,`
`209`	`209`	`specification: Some(self.specification.into()),`
`210`		`- use_tls: self.use_tls,`
`211`	`210`	`}`
`212`	`211`	`}`
`213`	`212`	`}`