author | yuryalekseev <yuryalekseev@yandex-team.com> | 2023-08-04 09:36:16 +0300 |
---|---|---|
committer | yuryalekseev <yuryalekseev@yandex-team.com> | 2023-08-04 09:36:16 +0300 |
commit | a31fbc593bb366758c2bed894e1de2020cf94153 (patch) | |
tree | 509ec9612b3715c609486b848404036e24bacf32 | |
parent | 9eaf36f6cfd6eb76a084e8591756e5e6b569fbae (diff) | |
download | ydb-a31fbc593bb366758c2bed894e1de2020cf94153.tar.gz |
YT-17268: Add support for load_from_certs_dir to bus config.
-rw-r--r-- | yt/yt/core/bus/tcp/config.cpp | 5 | ||||
-rw-r--r-- | yt/yt/core/bus/tcp/config.h | 4 | ||||
-rw-r--r-- | yt/yt/core/bus/tcp/connection.cpp | 23 | ||||
-rw-r--r-- | yt/yt/core/bus/tcp/dispatcher_impl.cpp | 6 | ||||
-rw-r--r-- | yt/yt/core/bus/tcp/dispatcher_impl.h | 2 |
5 files changed, 36 insertions, 4 deletions
diff --git a/yt/yt/core/bus/tcp/config.cpp b/yt/yt/core/bus/tcp/config.cpp
index ed0074651f..380ff36cba 100644
--- a/yt/yt/core/bus/tcp/config.cpp
+++ b/yt/yt/core/bus/tcp/config.cpp
@@ -32,6 +32,9 @@ void TTcpDispatcherConfig::Register(TRegistrar registrar)
 registrar.Parameter("multiplexing_bands", &TThis::MultiplexingBands)
 .Default();
+
+ registrar.Parameter("bus_certs_dir", &TThis::BusCertsDir)
+ .Default();
 }
 TTcpDispatcherConfigPtr TTcpDispatcherConfig::ApplyDynamic(
@@ -123,6 +126,8 @@ void TBusConfig::Register(TRegistrar registrar)
 .Default();
 registrar.Parameter("use_key_pair_from_ssl_context", &TThis::UseKeyPairFromSslContext)
 .Default(false);
+ registrar.Parameter("load_from_certs_dir", &TThis::LoadFromCertsDir)
+ .Default(false);
 }
 ////////////////////////////////////////////////////////////////////////////////
diff --git a/yt/yt/core/bus/tcp/config.h b/yt/yt/core/bus/tcp/config.h
index b086553743..25786783d5 100644
--- a/yt/yt/core/bus/tcp/config.h
+++ b/yt/yt/core/bus/tcp/config.h
@@ -42,6 +42,9 @@ public:
 TTcpDispatcherConfigPtr ApplyDynamic(const TTcpDispatcherDynamicConfigPtr& dynamicConfig) const;
+ //! Used to store TLS/SSL certificate files.
+ std::optional<TString> BusCertsDir;
+
 REGISTER_YSON_STRUCT(TTcpDispatcherConfig);
 static void Register(TRegistrar registrar);
@@ -94,6 +97,7 @@ public:
 std::optional<TString> CertificateChainFile;
 std::optional<TString> PrivateKeyFile;
 std::optional<TString> CipherList;
+ bool LoadFromCertsDir;
 // For testing purposes.
 bool UseKeyPairFromSslContext;
diff --git a/yt/yt/core/bus/tcp/connection.cpp b/yt/yt/core/bus/tcp/connection.cpp
index 8dca9a3f28..c11560617b 100644
--- a/yt/yt/core/bus/tcp/connection.cpp
+++ b/yt/yt/core/bus/tcp/connection.cpp
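Review bot: The comment `//! Used to store TLS/SSL certificate files.` on the new `BusCertsDir` reads as if the bus writes certificates into that directory, whereas the only uses in this commit (connection.cpp) join it with the configured file names and read from the result. Suggest `//! Directory that a bus with load_from_certs_dir enabled resolves its certificate_chain_file, private_key_file and ca_file against; nothing is written here.` so an operator does not grant write permissions the process never needs.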
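Review bot: `bool LoadFromCertsDir;` is the only TLS option in this group with no documentation, and inserting it directly above `// For testing purposes.` makes that comment look as if it also covers the new field. Give it a `//!` line of its own, e.g. `//! When true, CertificateChainFile, PrivateKeyFile and CAFile are taken as names relative to the dispatcher's bus_certs_dir, which must then be set.`, and keep a blank line between it and the testing-only member.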
@@ -1935,6 +1935,11 @@ void TTcpConnection::TryEstablishSslSession()
 YT_LOG_DEBUG("Starting TLS/SSL connection (VerificationMode: %v)", VerificationMode_);
+ if (Config_->LoadFromCertsDir && !TTcpDispatcher::TImpl::Get()->GetBusCertsDir()) {
+ Abort(TError(NBus::EErrorCode::SslError, "The bus_certs_dir is not set in static tcp dispatcher config"));
+ return;
+ }
+
 Ssl_.reset(SSL_new(TSslContext::Get()->GetSslCtx()));
 if (!Ssl_) {
 Abort(TError(NBus::EErrorCode::SslError, "Failed to create a new SSL structure: %v", GetLastSslErrorString()));
@@ -1953,6 +1958,9 @@ void TTcpConnection::TryEstablishSslSession()
 }
 }
+#define GET_CERT_FILE_PATH(file) \
+ (Config_->LoadFromCertsDir ? JoinPaths(*TTcpDispatcher::TImpl::Get()->GetBusCertsDir(), (file)) : (file))
+
 if (ConnectionType_ == EConnectionType::Server) {
 SSL_set_accept_state(Ssl_.get());
@@ -1962,7 +1970,8 @@ void TTcpConnection::TryEstablishSslSession()
 return;
 }
- if (SSL_use_certificate_chain_file(Ssl_.get(), Config_->CertificateChainFile->data()) != 1) {
+ const auto& certChainFile = GET_CERT_FILE_PATH(*Config_->CertificateChainFile);
+ if (SSL_use_certificate_chain_file(Ssl_.get(), certChainFile.data()) != 1) {
 Abort(TError(NBus::EErrorCode::SslError, "Failed to load certificate chain: %v", GetLastSslErrorString()));
 return;
 }
@@ -1972,7 +1981,8 @@ void TTcpConnection::TryEstablishSslSession()
 return;
 }
- if (SSL_use_RSAPrivateKey_file(Ssl_.get(), Config_->PrivateKeyFile->data(), SSL_FILETYPE_PEM) != 1) {
+ const auto& privateKeyFile = GET_CERT_FILE_PATH(*Config_->PrivateKeyFile);
+ if (SSL_use_RSAPrivateKey_file(Ssl_.get(), privateKeyFile.data(), SSL_FILETYPE_PEM) != 1) {
 Abort(TError(NBus::EErrorCode::SslError, "Failed to load private key: %v", GetLastSslErrorString()));
 return;
 }
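Review bot: The `#define GET_CERT_FILE_PATH` introduced in this hunk is function-local state that is carried across four hunks and torn down by an `#undef` at the end of TryEstablishSslSession; a lambda does the same job without macro hygiene concerns, and it lets the directory be fetched once instead of every expansion re-acquiring the dispatcher's reader lock, copying the optional, and dereferencing it unchecked in reliance on the presence check in the previous hunk. Separately, I cannot see `JoinPaths`, but if it passes through an absolute second component or `..` segments, `load_from_certs_dir` does not actually confine lookups to `bus_certs_dir`; the names come from operator config so this is a footgun rather than an attack surface, yet validating that each configured name is relative with no `..` component (or documenting that it is not confined) would make the option's contract explicit. The enclosing function starts and ends outside this hunk.
```cpp
// Resolve configured file names against bus_certs_dir once; the presence
// check above guarantees the optional is engaged when LoadFromCertsDir is set.
const TString busCertsDir = Config_->LoadFromCertsDir
    ? *TTcpDispatcher::TImpl::Get()->GetBusCertsDir()
    : TString();
auto resolveCertFile = [&] (const TString& file) -> TString {
    return Config_->LoadFromCertsDir ? JoinPaths(busCertsDir, file) : file;
};
// … unchanged: server/client branches; call sites become resolveCertFile(*Config_->CertificateChainFile) etc. …
```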
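Review bot: The Abort message for a failed certificate chain load still carries only OpenSSL's error text, while the path it tried is now a computed value (`certChainFile`) rather than the verbatim config string; with a wrong `bus_certs_dir` the operator sees "no such file" with no indication of which directory was joined in. Include the resolved path: `Abort(TError(NBus::EErrorCode::SslError, "Failed to load certificate chain from %v: %v", certChainFile, GetLastSslErrorString()));`, and likewise for the private key load in the next hunk and the CA file load further down. If this TError can be propagated to the remote peer rather than only the local log, keep the path out of the error and log it at debug level instead. TryEstablishSslSession continues outside this hunk.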
@@ -1994,16 +2004,19 @@ void TTcpConnection::TryEstablishSslSession()
 return;
 }
 [[fallthrough]];
- case EVerificationMode::Ca:
+ case EVerificationMode::Ca: {
 if (!Config_->CAFile) {
 Abort(TError(NBus::EErrorCode::SslError, "The CA file is not set in bus config"));
 return;
 }
- TSslContext::Get()->LoadCAFileIfNotLoaded(*Config_->CAFile);
+
+ const auto& caFile = GET_CERT_FILE_PATH(*Config_->CAFile);
+ TSslContext::Get()->LoadCAFileIfNotLoaded(caFile);
 // Enable verification of the peer's certificate with the CA.
 SSL_set_verify(Ssl_.get(), SSL_VERIFY_PEER, /* callback */ nullptr);
 break;
+ }
 case EVerificationMode::None:
 break;
 default:
@@ -2019,6 +2032,8 @@ void TTcpConnection::TryEstablishSslSession()
 NetworkCounters_.Exchange(TTcpDispatcher::TImpl::Get()->GetCounters(NetworkName_, IsEncrypted()));
 UpdateConnectionCount(1);
 }
+
+#undef GET_CERT_FILE_PATH
 }
 bool TTcpConnection::OnSslAckPacketReceived()
diff --git a/yt/yt/core/bus/tcp/dispatcher_impl.cpp b/yt/yt/core/bus/tcp/dispatcher_impl.cpp
index 5accc4d1d0..eafc309b93 100644
--- a/yt/yt/core/bus/tcp/dispatcher_impl.cpp
+++ b/yt/yt/core/bus/tcp/dispatcher_impl.cpp
@@ -321,6 +321,12 @@ void TTcpDispatcher::TImpl::OnPeriodicCheck()
 }
 }
+std::optional<TString> TTcpDispatcher::TImpl::GetBusCertsDir() const
+{
+ auto guard = ReaderGuard(PollerLock_);
+ return Config_->BusCertsDir;
+}
+
 ////////////////////////////////////////////////////////////////////////////////
 } // namespace NYT::NBus
diff --git a/yt/yt/core/bus/tcp/dispatcher_impl.h b/yt/yt/core/bus/tcp/dispatcher_impl.h
index bc6e059a15..e82ea17ef8 100644
--- a/yt/yt/core/bus/tcp/dispatcher_impl.h
+++ b/yt/yt/core/bus/tcp/dispatcher_impl.h
@@ -53,6 +53,8 @@ public:
 NYTree::IYPathServicePtr GetOrchidService();
+ std::optional<TString> GetBusCertsDir() const;
+
 private:
 friend class TTcpDispatcher; |
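Review bot: `LoadCAFileIfNotLoaded` is invoked on the process-wide `TSslContext` singleton with a path that now varies per bus config (joined with `bus_certs_dir` when `load_from_certs_dir` is set, the raw `ca_file` otherwise), so if the method does what its name suggests, two connections whose configs resolve to different CA files would both verify peers against whichever file was loaded first. That first-wins behavior predates this commit, but the commit adds a new way for the effective path to differ between buses in one process, and nothing here logs the resolved `caFile`. A comment at the call site, `// NOTE: the SSL context is shared; the first CA file loaded is used for every connection in this process.`, plus a debug log of `caFile`, would save a confusing investigation; better still, have TSslContext warn when a later call passes a different path than the one already loaded, if it keeps that state. The switch and the enclosing function continue outside this hunk.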
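Review bot: `GetBusCertsDir()` takes `PollerLock_` as a reader and returns a copy of the optional string on every call, yet the error text added in connection.cpp describes this value as coming from the "static tcp dispatcher config"; if `Config_` is never reassigned after startup the lock is dead weight, and if it can be replaced (by a dynamic-config path I cannot see here) then connection.cpp, which calls this up to four times per handshake, should read it once and use a consistent value. Either way the intent belongs in a comment on the definition, e.g. `// Config_ may be swapped under PollerLock_; callers should cache the result for the duration of one handshake.` or its converse.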
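Review bot: The new `GetBusCertsDir()` declaration has no doc comment, unlike the `BusCertsDir` field it exposes in config.h, so a reader of the dispatcher interface has to find connection.cpp to learn what the value is for. Suggest `//! Returns bus_certs_dir from the dispatcher config, or std::nullopt when unset; TLS file names of buses with load_from_certs_dir enabled are resolved against it.` above the declaration.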