diff --git a/.licenserc.yaml b/.licenserc.yaml index 5852dab25aa51ae..b0892047c601f2b 100644 --- a/.licenserc.yaml +++ b/.licenserc.yaml @@ -80,6 +80,11 @@ header: - "docker/thirdparties/docker-compose/hive/scripts/create_tpch1_parquet.hql" - "docker/thirdparties/docker-compose/hive/scripts/preinstalled_data/" - "docker/thirdparties/docker-compose/iceberg/spark-defaults.conf.tpl" + - "conf/mysql_ssl_default_certificate/*" + - "conf/mysql_ssl_default_certificate/client_certificate/ca.pem" + - "conf/mysql_ssl_default_certificate/client_certificate/client-cert.pem" + - "conf/mysql_ssl_default_certificate/client_certificate/client-key.pem" + - "regression-test/ssl_default_certificate/*" - "extension/beats/go.mod" - "extension/beats/go.sum" diff --git a/conf/mysql_ssl_default_certificate/README.md b/conf/mysql_ssl_default_certificate/README.md new file mode 100644 index 000000000000000..9b2805751a50511 --- /dev/null +++ b/conf/mysql_ssl_default_certificate/README.md @@ -0,0 +1 @@ +All certificates in this directory are generated by default and cannot be used in a production environment. The certificates in the ```./client_certificate``` are used to verify the identity of the client. For more details, refer to ```docs/en/docs/admin-manual/certificate.md``` diff --git a/conf/mysql_ssl_default_certificate/ca_certificate.p12 b/conf/mysql_ssl_default_certificate/ca_certificate.p12 new file mode 100644 index 000000000000000..3098460e8b3c7b5 Binary files /dev/null and b/conf/mysql_ssl_default_certificate/ca_certificate.p12 differ diff --git a/conf/mysql_ssl_default_certificate/certificate.p12 b/conf/mysql_ssl_default_certificate/certificate.p12 deleted file mode 100644 index d54fde284b85bca..000000000000000 Binary files a/conf/mysql_ssl_default_certificate/certificate.p12 and /dev/null differ 
diff --git a/conf/mysql_ssl_default_certificate/client_certificate/ca.pem b/conf/mysql_ssl_default_certificate/client_certificate/ca.pem new file mode 100644 index 000000000000000..dae83616299486c --- /dev/null +++ b/conf/mysql_ssl_default_certificate/client_certificate/ca.pem @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIID7zCCAtegAwIBAgIUFFyovmu0XNcivWB0qsOVztoITk8wDQYJKoZIhvcNAQEL +BQAwgYYxCzAJBgNVBAYTAkNOMRAwDgYDVQQIDAdCZWlqaW5nMRAwDgYDVQQHDAdC +ZWlqaW5nMQ4wDAYDVQQKDAVEb3JpczEOMAwGA1UECwwFRG9yaXMxDjAMBgNVBAMM +BURvcmlzMSMwIQYJKoZIhvcNAQkBFhRkZXZAZG9yaXMuYXBhY2hlLm9yZzAeFw0y +MzA0MTAxMDQyMjRaFw0zMzAyMTYxMDQyMjRaMIGGMQswCQYDVQQGEwJDTjEQMA4G +A1UECAwHQmVpamluZzEQMA4GA1UEBwwHQmVpamluZzEOMAwGA1UECgwFRG9yaXMx +DjAMBgNVBAsMBURvcmlzMQ4wDAYDVQQDDAVEb3JpczEjMCEGCSqGSIb3DQEJARYU +ZGV2QGRvcmlzLmFwYWNoZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQCmL5CmsOWZGGOY4QJ+KoLFvqC4sjSrMtxQjZA3QtYz0E3hc/1vukmTU2MU +EskY4B9gklp4LvoTTbjCdHb1ZzxSqYbkfZL2N55s1j5g5Gphy8fAU4LxlcAX+D2g +k2lsfGn/BnM4jefv1rNAXITF5gpFJtz43hZX39v/ciQEbovtn8jxaaSZJE1pY4NO +LxH0+8OU3pLeVPDoV5Ij0Irm4FKrUVYbbwhitruzU3qhUzCX3fyPtTMoxEaHsxSo +IuR/3LSuRJnRvO8/3HFI4nBCurQZe7W/rNCiADMD7ECDUAbAmzZs8oH/teMRQIIF +S17xQDVhy+fMEiIb5vrJpsSnkxdjAgMBAAGjUzBRMB0GA1UdDgQWBBSb2l0QFsBP +Uf4rpqjnx4hqhh3IyzAfBgNVHSMEGDAWgBSb2l0QFsBPUf4rpqjnx4hqhh3IyzAP +BgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBxXsKx45fVAnxUxN57 +ULJQnwPwqzzhk7LXpn0HhqmVasF1JFnp970ZqW048B7V25NEY828BXuzDj5Oe1Ap +V0yzqh87sVXkRnP1zQi3B6xlyC2w8R2FLzk4NgkZZOSd6es6XV9GDCSaHaMWnwCz +QD/lv1rultohtyeMYk3erc8aLDkEFfjGmeFb9HNpeyas/KQQuAS1XnxsTdhJm+F9 +MVDqMRVZWudFQWt1Tu7OC+5D8nZzDblMuKDptM6ZdUAvy5DpospOLnWK0c04QGKk +RMYp5sxrNeBzyNJIpyEh3V94y1mH/QzQUIGQmNKL1tAKtyIsDcaXPMSW5ojdvxHJ +iN+q +-----END CERTIFICATE----- diff --git a/conf/mysql_ssl_default_certificate/client_certificate/client-cert.pem b/conf/mysql_ssl_default_certificate/client_certificate/client-cert.pem new file mode 100644 index 000000000000000..f2996bc60563f34 --- /dev/null 
+++ b/conf/mysql_ssl_default_certificate/client_certificate/client-cert.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDgzCCAmsCAQEwDQYJKoZIhvcNAQELBQAwgYYxCzAJBgNVBAYTAkNOMRAwDgYD +VQQIDAdCZWlqaW5nMRAwDgYDVQQHDAdCZWlqaW5nMQ4wDAYDVQQKDAVEb3JpczEO +MAwGA1UECwwFRG9yaXMxDjAMBgNVBAMMBURvcmlzMSMwIQYJKoZIhvcNAQkBFhRk +ZXZAZG9yaXMuYXBhY2hlLm9yZzAeFw0yMzA0MTAxMDQ1MjBaFw0zMzAyMTYxMDQ1 +MjBaMIGHMQswCQYDVQQGEwJDTjEQMA4GA1UECAwHQmVpamluZzEQMA4GA1UEBwwH +QmVpamluZzEOMAwGA1UECgwFRG9yaXMxDjAMBgNVBAsMBURvcmlzMQ8wDQYDVQQD +DAZDbGllbnQxIzAhBgkqhkiG9w0BCQEWFGRldkBkb3Jpcy5hcGFjaGUub3JnMIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArWZoLynFbkTTXry3rRoOT0yI ++VWE8Qs/cdKshT8ecNrWgkoMbBtGEoPahtC+BuMfyHsdNSx6Iyyxgee2f41Mqhfv +c9ssZFbq93NPE7rbb8v+LoZkibp5ErM4vtDmKcBp4ZEsWMRxauXYipyvdyGCbswD +M/Hd0PPFubpEoqg/8qjIz/TbQIXbJ2FYkKFv8Z3RYvy0GP5ZVpTm4zcYB6RAzr6z ++qbA3Li/0UjUVSdhzsoDWn5lOfX6Dp7yAuiocSMpMk65A/pwwRPSJ9u/gPP2LVsJ +L5uBogk29Hj5QBwRGePz0hJnDR3C4Lb786zHWk0QmHvVxQJq+DIbY8vlMhv6DwID +AQABMA0GCSqGSIb3DQEBCwUAA4IBAQCgi2pRKqWiZv6Xlpn4Viv/N+G9J+0/IUnd +YWvhmF4yzBb4R4FjyxiKG9d79o6JhhJ1ts5fmNk/idS0sBoj8FOkj53KAbw6pHBQ +bO3f+UYWLvx8I8F5iycAseA5GTid2cOU8s/gY34rhvey2PGzR+hxfDDGbpRxXFKw +X4zOKCYK8qAR9dDc8MOJyAs30NXn6vxiQSNijJe7+0J91NbAOHw/NeaIS673exqs +K7nPiAe7tPwZOY5LsZxzrosTIsUryheM8S+S0Sqess+zkKMV1xbCbyk2eMbhdfyL +5xLGv7HxnIEoJyRKQ4q0wk9GteLdvlSAKJ1cTe/n8NOf36cXZj/s +-----END CERTIFICATE----- diff --git a/conf/mysql_ssl_default_certificate/client_certificate/client-key.pem b/conf/mysql_ssl_default_certificate/client_certificate/client-key.pem new file mode 100644 index 000000000000000..350f34da24334b4 --- /dev/null +++ b/conf/mysql_ssl_default_certificate/client_certificate/client-key.pem 
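Review bot: The committed client certificate carries serial number 1 (the `CAQE` immediately after the tbsCertificate header decodes to `INTEGER 1`, and the certificate is v1 with no extensions), while the admin-manual steps in this same change sign the server certificate with the identical `-set_serial 01`; two leaf certificates from one CA sharing a serial violates RFC 5280 and makes revocation or pinning by serial ambiguous. The server certificate is inside a binary P12 here, so whether it actually collides is inferred from the documented commands rather than visible. Regenerating with distinct serials (or letting OpenSSL pick via `-CAcreateserial`) and as v3 leaf certificates would avoid this, and the generation commands should be adjusted to match so that operators following them do not reproduce the collision.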
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEArWZoLynFbkTTXry3rRoOT0yI+VWE8Qs/cdKshT8ecNrWgkoM +bBtGEoPahtC+BuMfyHsdNSx6Iyyxgee2f41Mqhfvc9ssZFbq93NPE7rbb8v+LoZk +ibp5ErM4vtDmKcBp4ZEsWMRxauXYipyvdyGCbswDM/Hd0PPFubpEoqg/8qjIz/Tb +QIXbJ2FYkKFv8Z3RYvy0GP5ZVpTm4zcYB6RAzr6z+qbA3Li/0UjUVSdhzsoDWn5l +OfX6Dp7yAuiocSMpMk65A/pwwRPSJ9u/gPP2LVsJL5uBogk29Hj5QBwRGePz0hJn +DR3C4Lb786zHWk0QmHvVxQJq+DIbY8vlMhv6DwIDAQABAoIBAQCgQ3IvhQ/w5rPl +b87jsp1fNYGz0RLaJmcxMGI7lSbxb5GrQf1RPbP6ENu8ltnLS8hoZ0GLj9wi/n/h +bOQD5/jfjNfH4N6arqrkojKILb/7CDOZlKT/ltWoLvVXh4PzOt+hl6fBM28QOfd1 +xXN3TAVdmjmrnPRC18v76Oje3VqdT1TyZT9oWFCj906AtiTW+77h6XccWFRC3A99 +lNUM3nCmwgik+MOZ6vNkkNbCb4KlLJXebX+hY6XPqszjEYbp5mdvPczSniAV//V+ +BJINHs4XV3JfdY5BfzRzARt1fkQRDwae0FkVjPVROQQ5TkU3XDPtnXxVaXoQm3QB +HNYT7LbhAoGBANp7Ys4zSphFXodip4AkGfRlyCVgzPWyvCWMZy9UQcw1Mh2ab/6x +CYiW9RSSbmNd1cC6zh4lwLrfTQHNvmWLxnUPt+Uu6DLZFJnDqhFPj6CHYoB3t8AX +iwozAIqE/qSlXYAAN26hyoNPxO8+mtQk4Noupmp8vpaVbuB9BfElS0FFAoGBAMst +MDYTGU+T5BKNl1IE3HlXT2YsJm6QfREXoopYC9vr0R/0/kZX6lQnuujGxTZG9tEo +geoAf82vKCmYDVPfGf0o8L9f+KcB2GP3JRXmqn7n1ALMLTQDG4GPsa5aK+ey+lue +xXM6zDqWNcz/YEvfAz/SdLHIavwn1y0Nr6iMACFDAoGBAK6p34areKIdKwIe+3u0 +4M8Co6xGI/T0q/d0tHUg7e08RdFmyswZal65GDsXCYsE1ELc1LVDRz3eEOk1O1Zh +FQo2w7RD+LvV0eNPimGGcnNKaJP9oXe/GpfPyEn1IsIrtYEEK0yVqZmqpu0A5rRc +uymSC9ar3Y3y7w4mxR5Qy0XlAoGAMYp3Mvg9N7Yr6ooz13/v8nZjmdoyFMuOc1h7 +/ZeybJF3kH9AcQ6GyLZXUOMGu1FaZW2nH9O3VgPbmyjENyszPxN4gHF6Q96jUNy2 +Yjy4XfFRNM1sSD5pupG7FXRPOFPfz+9K3en8Wly+CZpLdLSQKkO6yI7B53IfeZDY +wBRDA9kCgYAnzeIm+c8ahQ6HNWdRtuMdPeP/2sHyJV9tv/ZTsi2QAgfd4rqmGEhM +20eJp4RQzB68wIDMZcoSP8xpACZQYwH5RZvQ8zo53SXrgWgb6XYno8lRc0cxh5oL +ILtgCAxt/20PcpFx5Igh04TIOsYY2Ksp56cbJL6u7uyBnKwwa4XpCg== +-----END RSA PRIVATE KEY----- 
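Review bot: This unencrypted RSA private key now ships under `conf/`, i.e. inside the FE distribution, although nothing in this change reads it on the server side — `MysqlSslContext` loads only `mysql_ssl_default_server_certificate` and `mysql_ssl_default_ca_certificate`. The same blob (index `350f34da24334b4`) is also added as `regression-test/ssl_default_certificate/client-key.pem`, which is the only consumer visible in the diff. Keeping it only under `regression-test/` avoids installing a well-known private key on every FE host; if it must stay in `conf/` for the quick-start flow, the `README.md` added alongside it should state outright that any FE trusting the bundled CA will accept this key's certificate, so `ssl_force_client_auth` gives no access control until the CA is replaced.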
diff --git a/conf/mysql_ssl_default_certificate/server_certificate.p12 b/conf/mysql_ssl_default_certificate/server_certificate.p12 new file mode 100644 index 000000000000000..a0956a6396441b1 Binary files /dev/null and b/conf/mysql_ssl_default_certificate/server_certificate.p12 differ diff --git a/docs/en/docs/admin-manual/certificate.md b/docs/en/docs/admin-manual/certificate.md index 22c29cb0fdbf8c1..05e6027ff9c4381 100644 --- a/docs/en/docs/admin-manual/certificate.md +++ b/docs/en/docs/admin-manual/certificate.md 
@@ -26,32 +26,52 @@ under the License. # Key Certificate Configuration -Doris needs a key certificate file to verify the SSL encrypted connection. The default key certificate file is located at `Doris/fe/mysql_ssl_default_certificate/certificate.p12`, and the default password is `doris`. You can modify the FE configuration file `conf/fe. conf`, add `mysql_ssl_default_certificate = /path/to/your/certificate` to modify the key certificate file, and you can also add the password corresponding to your custom key book file through `mysql_ssl_default_certificate_password = your_password`. +Enabling SSL functionality in Doris requires configuring both a CA key certificate and a server-side key certificate. To enable mutual authentication, a client-side key certificate must also be generated: + +* The default CA key certificate file is located at `Doris/fe/mysql_ssl_default_certificate/ca_certificate.p12`, with a default password of `doris`. You can modify the FE configuration file `conf/fe.conf` to add `mysql_ssl_default_ca_certificate = /path/to/your/certificate` to change the CA key certificate file. You can also add `mysql_ssl_default_ca_certificate_password = your_password` to specify the password for your custom key certificate file. +* The default server-side key certificate file is located at `Doris/fe/mysql_ssl_default_certificate/server_certificate.p12`, with a default password of `doris`. You can modify the FE configuration file `conf/fe.conf` to add `mysql_ssl_default_server_certificate = /path/to/your/certificate` to change the server-side key certificate file. You can also add `mysql_ssl_default_server_certificate_password = your_password` to specify the password for your custom key certificate file. +* By default, a client-side key certificate is also generated and stored in `Doris/fe/mysql_ssl_default_certificate/client-key.pem` and `Doris/fe/mysql_ssl_default_certificate/client_certificate/`. 
## Custom key certificate file -In addition to the Doris default certificate file, you can also generate a custom certificate file through `openssl`. Proceed as follows: +In addition to the Doris default certificate file, you can also generate a custom certificate file through `openssl`. Here are the steps (refer to [Creating SSL Certificates and Keys Using OpenSSL](https://dev.mysql.com/doc/refman/8.0/en/creating-ssl-files-using-openssl.html)): -1. Run the following OpenSSL command to generate your private key and public certificate. Answer the questions and enter the Common Name when prompted. +1. Generate the CA, server-side, and client-side keys and certificates: ```bash -openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem +# Generate the CA certificate +openssl genrsa 2048 > ca-key.pem +openssl req -new -x509 -nodes -days 3600 \ + -key ca-key.pem -out ca.pem + +# Generate the server certificate and sign it with the above CA +# server-cert.pem = public key, server-key.pem = private key +openssl req -newkey rsa:2048 -days 3600 \ + -nodes -keyout server-key.pem -out server-req.pem +openssl rsa -in server-key.pem -out server-key.pem +openssl x509 -req -in server-req.pem -days 3600 \ + -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem + +# Generate the client certificate and sign it with the above CA +# client-cert.pem = public key, client-key.pem = private key +openssl req -newkey rsa:2048 -days 3600 \ + -nodes -keyout client-key.pem -out client-req.pem +openssl rsa -in client-key.pem -out client-key.pem +openssl x509 -req -in client-req.pem -days 3600 \ + -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem ``` -2. Review the created certificate. +2. Verify the created certificates: ```bash -openssl x509 -text -noout -in certificate.pem +openssl verify -CAfile ca.pem server-cert.pem client-cert.pem ``` 3. Combine your key and certificate in a PKCS#12 (P12) bundle. 
```bash -openssl pkcs12 -inkey key.pem -in certificate.pem -export -out certificate.p12 -``` +# Package the CA key and certificate +openssl pkcs12 -inkey ca-key.pem -in ca.pem -export -out ca_certificate.p12 -4. Validate your P2 file. -```bash -openssl pkcs12 -in certificate.p12 -noout -info +# Package the server-side key and certificate +openssl pkcs12 -inkey server-key.pem -in server.pem -export -out server_certificate.p12 ``` -After completing these operations, you can get the certificate.p12 file. - >[reference documents](https://www.ibm.com/docs/en/api-connect/2018.x?topic=overview-generating-self-signed-certificate-using-openssl) diff --git a/docs/en/docs/get-starting/get-starting.md b/docs/en/docs/get-starting/get-starting.md index 69be69525dbd877..03020547fba0aea 100644 --- a/docs/en/docs/get-starting/get-starting.md +++ b/docs/en/docs/get-starting/get-starting.md @@ -164,7 +164,7 @@ ReplayedJournalId: 49292 Doris supports SSL-based encrypted connections. It currently supports TLS1.2 and TLS1.3 protocols. Doris' SSL mode can be enabled through the following configuration: Modify the FE configuration file `conf/fe.conf` and add `enable_ssl = true`. -Next, connect to Doris through `mysql` client, mysql supports three SSL modes: +Next, connect to Doris through `mysql` client, mysql supports five SSL modes: 1. `mysql -uroot -P9030 -h127.0.0.1` is the same as `mysql --ssl-mode=PREFERRED -uroot -P9030 -h127.0.0.1`, both try to establish an SSL encrypted connection at the beginning, if it fails , a normal connection is attempted. 
@@ -172,12 +172,14 @@ Next, connect to Doris through `mysql` client, mysql supports three SSL modes: 3. `mysql --ssl-mode=REQUIRED -uroot -P9030 -h127.0.0.1`, force the use of SSL encrypted connections. +4.`mysql --ssl-mode=VERIFY_CA --ssl-ca=ca.pem -uroot -P9030 -h127.0.0.1`, force the use of SSL encrypted connection and verify the validity of the server's identity by specifying the CA certificate。 + +5.`mysql --ssl-mode=VERIFY_CA --ssl-ca=ca.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem -uroot -P9030 -h127.0.0.1`, force the use of SSL encrypted connection, two-way ssl。 + >Note: >`--ssl-mode` parameter is introduced by mysql5.7.11 version, please refer to [here](https://dev.mysql.com/doc/connector-j/8.0/en/connector-j-connp-props-security.html) for mysql client version lower than this version。 -Doris needs a key certificate file to verify the SSL encrypted connection. The default key certificate file is located at `Doris/fe/mysql_ssl_default_certificate/certificate.p12`, and the default password is `doris`. You can modify the FE configuration file `conf/fe. conf`, add `mysql_ssl_default_certificate = /path/to/your/certificate` to modify the key certificate file, and you can also add the password corresponding to your custom key book file through `mysql_ssl_default_certificate_password = your_password`. - -For the generation of the key certificate file, please refer to [Key Certificate Configuration](../admin-manual/certificate.md)。 +Doris needs a key certificate file to verify the SSL encrypted connection. The default key certificate file is located at `Doris/fe/mysql_ssl_default_certificate/`. For the generation of the key certificate file, please refer to [Key Certificate Configuration](../admin-manual/certificate.md)。 #### Stop FE diff --git a/docs/zh-CN/docs/admin-manual/certificate.md b/docs/zh-CN/docs/admin-manual/certificate.md index c00d3241565e88f..5f9186c9d3dc7f2 100644 --- a/docs/zh-CN/docs/admin-manual/certificate.md 
+++ b/docs/zh-CN/docs/admin-manual/certificate.md 
@@ -26,36 +26,53 @@ under the License. # SSL密钥证书配置 -Doris开启SSL功能需要配置密钥证书,默认的密钥证书文件位于`Doris/fe/mysql_ssl_default_certificate/certificate.p12`,默认密码为`doris`,您可以通过修改FE配置文件`conf/fe.conf`,添加`mysql_ssl_default_certificate = /path/to/your/certificate`修改密钥证书文件,同时也可以通过`mysql_ssl_default_certificate_password = your_password`添加对应您自定义密钥证书文件的密码。 +Doris开启SSL功能需要配置CA密钥证书和Server端密钥证书,如需开启双向认证,还需生成Client端密钥证书: +* 默认的CA密钥证书文件位于`Doris/fe/mysql_ssl_default_certificate/ca_certificate.p12`,默认密码为`doris`,您可以通过修改FE配置文件`conf/fe.conf`,添加`mysql_ssl_default_ca_certificate = /path/to/your/certificate`修改CA密钥证书文件,同时也可以通过`mysql_ssl_default_ca_certificate_password = your_password`添加对应您自定义密钥证书文件的密码。 +* 默认的Server端密钥证书文件位于`Doris/fe/mysql_ssl_default_certificate/server_certificate.p12`,默认密码为`doris`,您可以通过修改FE配置文件`conf/fe.conf`,添加`mysql_ssl_default_server_certificate = /path/to/your/certificate`修改Server端密钥证书文件,同时也可以通过`mysql_ssl_default_server_certificate_password = your_password`添加对应您自定义密钥证书文件的密码。 +* 默认生成了一份Client端的密钥证书,分别存放在`Doris/fe/mysql_ssl_default_certificate/client-key.pem`和`Doris/fe/mysql_ssl_default_certificate/client_certificate/`。 ## 自定义密钥证书文件 -除了Doris默认的证书文件,您也可以通过`openssl`生成自定义的证书文件。步骤如下: - -1.运行以下OpenSSL命令以生成您的私钥和公共证书,回答问题并在出现提示时输入答案。 - -```bash -openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem +除了Doris默认的证书文件,您也可以通过`openssl`生成自定义的证书文件。步骤参考[mysql生成ssl证书](https://dev.mysql.com/doc/refman/8.0/en/creating-ssl-files-using-openssl.html) +具体如下: +1. 
生成CA、Server端和Client端的密钥和证书 ``` - -2.查看创建的证书。 - -```bash -openssl x509 -text -noout -in certificate.pem +# 生成CA certificate +openssl genrsa 2048 > ca-key.pem +openssl req -new -x509 -nodes -days 3600 \ + -key ca-key.pem -out ca.pem + +# 生成server certificate, 并用上述CA签名 +# server-cert.pem = public key, server-key.pem = private key +openssl req -newkey rsa:2048 -days 3600 \ + -nodes -keyout server-key.pem -out server-req.pem +openssl rsa -in server-key.pem -out server-key.pem +openssl x509 -req -in server-req.pem -days 3600 \ + -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem + +# 生成client certificate, 并用上述CA签名 +# client-cert.pem = public key, client-key.pem = private key +openssl req -newkey rsa:2048 -days 3600 \ + -nodes -keyout client-key.pem -out client-req.pem +openssl rsa -in client-key.pem -out client-key.pem +openssl x509 -req -in client-req.pem -days 3600 \ + -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem ``` -3.将您的密钥和证书合并到 PKCS#12 (P12) 包中。 +2.验证创建的证书。 ```bash - openssl pkcs12 -inkey key.pem -in certificate.pem -export -out certificate.p12 +openssl verify -CAfile ca.pem server-cert.pem client-cert.pem ``` -4.验证您的P12文件。 +3.将您的CA密钥和证书和Sever端密钥和证书分别合并到 PKCS#12 (P12) 包中。 ```bash -openssl pkcs12 -in certificate.p12 -noout -info -``` +# 打包CA密钥和证书 +openssl pkcs12 -inkey ca-key.pem -in ca.pem -export -out ca_certificate.p12 -完成这些操作后即可得到certificate.p12文件。 +# 打包Server端密钥和证书 +openssl pkcs12 -inkey server-key.pem -in server.pem -export -out server_certificate.p12 +``` >[参考文档](https://www.ibm.com/docs/en/api-connect/2018.x?topic=overview-generating-self-signed-certificate-using-openssl) diff --git a/docs/zh-CN/docs/get-starting/get-starting.md b/docs/zh-CN/docs/get-starting/get-starting.md index 5ce1bbe0065c050..ad4de7f5c5c532e 100644 --- a/docs/zh-CN/docs/get-starting/get-starting.md +++ b/docs/zh-CN/docs/get-starting/get-starting.md 
@@ -168,7 +168,7 @@ ReplayedJournalId: 49292 Doris支持基于SSL的加密连接,当前支持TLS1.2,TLS1.3协议,可以通过以下配置开启Doris的SSL模式: 修改FE配置文件`conf/fe.conf`,添加`enable_ssl = true`即可。 -接下来通过`mysql`客户端连接Doris,mysql支持三种SSL模式: +接下来通过`mysql`客户端连接Doris,mysql支持五种SSL模式: 1.`mysql -uroot -P9030 -h127.0.0.1`与`mysql --ssl-mode=PREFERRED -uroot -P9030 -h127.0.0.1`一样,都是一开始试图建立SSL加密连接,如果失败,则尝试使用普通连接。 @@ -176,12 +176,15 @@ Doris支持基于SSL的加密连接,当前支持TLS1.2,TLS1.3协议,可以 3.`mysql --ssl-mode=REQUIRED -uroot -P9030 -h127.0.0.1`,强制使用SSL加密连接。 +4.`mysql --ssl-mode=VERIFY_CA --ssl-ca=ca.pem -uroot -P9030 -h127.0.0.1`,强制使用SSL加密连接,并且通过指定CA证书验证服务端身份是否有效。 + +5.`mysql --ssl-mode=VERIFY_CA --ssl-ca=ca.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem -uroot -P9030 -h127.0.0.1`,强制使用SSL加密连接,双向验证。 + + >注意: >`--ssl-mode`参数是mysql5.7.11版本引入的,低于此版本的mysql客户端请参考[这里](https://dev.mysql.com/doc/connector-j/8.0/en/connector-j-connp-props-security.html)。 -Doris开启SSL加密连接需要密钥证书文件验证,默认的密钥证书文件位于`Doris/fe/mysql_ssl_default_certificate/certificate.p12`,默认密码为`doris`,您可以通过修改FE配置文件`conf/fe.conf`,添加`mysql_ssl_default_certificate = /path/to/your/certificate`修改密钥证书文件,同时也可以通过`mysql_ssl_default_certificate_password = your_password`添加对应您自定义密钥书文件的密码。 - -密钥证书文件的生成请参考[密钥证书配置](../admin-manual/certificate.md)。 +Doris开启SSL加密连接需要密钥证书文件验证,默认的密钥证书文件位于`Doris/fe/mysql_ssl_default_certificate/`下。密钥证书文件的生成请参考[密钥证书配置](../admin-manual/certificate.md)。 #### 停止 FE 节点 diff --git a/fe/fe-common/src/main/java/org/apache/doris/common/Config.java b/fe/fe-common/src/main/java/org/apache/doris/common/Config.java index d7eb93d78f4d8fb..7ecab22d8f0d3ef 100644 --- a/fe/fe-common/src/main/java/org/apache/doris/common/Config.java +++ b/fe/fe-common/src/main/java/org/apache/doris/common/Config.java 
@@ -2043,17 +2043,36 @@ public class Config extends ConfigBase { public static boolean enable_ssl = true; /** - * Default certificate file location for mysql ssl connection. + * If set to ture, ssl connection needs to authenticate client's certificate. */ @ConfField(mutable = false, masterOnly = false) - public static String mysql_ssl_default_certificate = System.getenv("DORIS_HOME") - + "/mysql_ssl_default_certificate/certificate.p12"; + public static boolean ssl_force_client_auth = false; /** - * Password for default certificate file. + * Default CA certificate file location for mysql ssl connection. */ @ConfField(mutable = false, masterOnly = false) - public static String mysql_ssl_default_certificate_password = "doris"; + public static String mysql_ssl_default_ca_certificate = System.getenv("DORIS_HOME") + + "/mysql_ssl_default_certificate/ca_certificate.p12"; + + /** + * Default server certificate file location for mysql ssl connection. + */ + @ConfField(mutable = false, masterOnly = false) + public static String mysql_ssl_default_server_certificate = System.getenv("DORIS_HOME") + + "/mysql_ssl_default_certificate/server_certificate.p12"; + + /** + * Password for default CA certificate file. + */ + @ConfField(mutable = false, masterOnly = false) + public static String mysql_ssl_default_ca_certificate_password = "doris"; + + /** + * Password for default CA certificate file. + */ + @ConfField(mutable = false, masterOnly = false) + public static String mysql_ssl_default_server_certificate_password = "doris"; /** * Used to set session variables randomly to check more issues in github workflow diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/MysqlSslContext.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/MysqlSslContext.java index 3aa7dd45a7f147c..cda57d6b4f0b323 100644 --- a/fe/fe-core/src/main/java/org/apache/doris/mysql/MysqlSslContext.java +++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/MysqlSslContext.java 
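Review bot: The Javadoc on `mysql_ssl_default_server_certificate_password` is a copy of the CA one ("Password for default CA certificate file.") and the `ssl_force_client_auth` comment misspells "true" as "ture"; since these `@ConfField` comments are what operators read, they should say `Password for default server certificate file.` and `If set to true, the SSL handshake requires a client certificate signed by mysql_ssl_default_ca_certificate.` It would also help to note on `mysql_ssl_default_ca_certificate` that the bundled default CA and its client certificate are public, so `ssl_force_client_auth` only restricts access once this path points at an operator-owned CA. The enclosing `Config` class starts and ends outside the hunk.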
@@ -47,9 +47,10 @@ public class MysqlSslContext { private SSLContext sslContext; private String protocol; private ByteBuffer serverAppData; - private static final String keyStoreFile = Config.mysql_ssl_default_certificate; - private static final String trustStoreFile = Config.mysql_ssl_default_certificate; - private static final String certificatePassword = Config.mysql_ssl_default_certificate_password; + private static final String keyStoreFile = Config.mysql_ssl_default_server_certificate; + private static final String trustStoreFile = Config.mysql_ssl_default_ca_certificate; + private static final String caCertificatePassword = Config.mysql_ssl_default_ca_certificate_password; + private static final String serverCertificatePassword = Config.mysql_ssl_default_server_certificate_password; private ByteBuffer serverNetData; private ByteBuffer clientAppData; private ByteBuffer clientNetData; @@ -68,13 +69,14 @@ private void initSslContext() { KeyStore ks = KeyStore.getInstance("PKCS12"); KeyStore ts = KeyStore.getInstance("PKCS12"); - char[] password = certificatePassword.toCharArray(); + char[] serverPassword = serverCertificatePassword.toCharArray(); + char[] caPassword = caCertificatePassword.toCharArray(); - ks.load(Files.newInputStream(Paths.get(keyStoreFile)), password); - ts.load(Files.newInputStream(Paths.get(trustStoreFile)), password); + ks.load(Files.newInputStream(Paths.get(keyStoreFile)), serverPassword); + ts.load(Files.newInputStream(Paths.get(trustStoreFile)), caPassword); KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); - kmf.init(ks, password); + kmf.init(ks, serverPassword); TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); tmf.init(ts); 
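Review bot: The trust store is loaded from `ca_certificate.p12`, which according to the admin manual in this same change is built with `openssl pkcs12 -inkey ca-key.pem -in ca.pem`, so the CA's private key is deployed to every FE even though a trust store only needs the CA certificate; a compromised FE could then mint client certificates that every other FE accepts. Consider documenting and loading a certificate-only bundle (`-nokeys`, or a PKCS12 built from `ca.pem` alone) and keeping `ca-key.pem` offline. Separately, both `Files.newInputStream(...)` handles are never closed — `KeyStore.load` does not close its argument — so each should be wrapped in try-with-resources as below. `initSslContext` starts before the hunk.
```java
// … unchanged: KeyStore.getInstance calls and password arrays …
try (InputStream ksIn = Files.newInputStream(Paths.get(keyStoreFile))) {
    ks.load(ksIn, serverPassword);
}
try (InputStream tsIn = Files.newInputStream(Paths.get(trustStoreFile))) {
    ts.load(tsIn, caPassword);
}
// … unchanged: KeyManagerFactory / TrustManagerFactory init …
```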
@@ -91,6 +93,10 @@ private void initSslEngine() { // set to server mode sslEngine.setUseClientMode(false); sslEngine.setEnabledCipherSuites(sslEngine.getSupportedCipherSuites()); + sslEngine.setWantClientAuth(true); + if (Config.ssl_force_client_auth) { + sslEngine.setNeedClientAuth(true); + } } public SSLEngine getSslEngine() { diff --git a/regression-test/certificate.p12 b/regression-test/certificate.p12 deleted file mode 100644 index d54fde284b85bca..000000000000000 Binary files a/regression-test/certificate.p12 and /dev/null differ diff --git a/regression-test/conf/regression-conf.groovy b/regression-test/conf/regression-conf.groovy index fa2a4e3cc20aa6b..ed1f393a33eadc1 100644 --- a/regression-test/conf/regression-conf.groovy +++ b/regression-test/conf/regression-conf.groovy @@ -38,6 +38,7 @@ suitePath = "${DORIS_HOME}/regression-test/suites" dataPath = "${DORIS_HOME}/regression-test/data" pluginPath = "${DORIS_HOME}/regression-test/plugins" realDataPath = "${DORIS_HOME}/regression-test/realdata" +sslCertificatePath = "${DORIS_HOME}/regression-test/ssl_default_certificate" // will test /.groovy // empty group will test all group diff --git a/regression-test/framework/src/main/groovy/org/apache/doris/regression/Config.groovy b/regression-test/framework/src/main/groovy/org/apache/doris/regression/Config.groovy index 027de85c7d5672a..c0062e9eac98360 100644 --- a/regression-test/framework/src/main/groovy/org/apache/doris/regression/Config.groovy +++ b/regression-test/framework/src/main/groovy/org/apache/doris/regression/Config.groovy @@ -53,6 +53,7 @@ class Config { public String realDataPath public String cacheDataPath public String pluginPath + public String sslCertificatePath public String testGroups public String excludeGroups 
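Review bot: `setNeedClientAuth(true)` is only as strong as the trust store, and with the defaults in this change that trust store is the repository's public CA — `client-cert.pem` added under `conf/mysql_ssl_default_certificate/client_certificate/` is issued by the `ca.pem` beside it (matching issuer/subject DN), presumably the same CA as the binary `ca_certificate.p12` — so `ssl_force_client_auth = true` rejects nobody who has cloned the repository. A cheap guard is to warn (or refuse to start) when forced client auth is combined with the shipped CA, e.g. `if (Config.ssl_force_client_auth && trustStoreFile.endsWith("/mysql_ssl_default_certificate/ca_certificate.p12")) { LOG.warn("ssl_force_client_auth is enabled but the bundled default CA is in use; the public default client certificate will be accepted"); }`, using whatever logger the class has. Note also that nothing in this diff inspects the peer certificate after the handshake, so a valid client certificate only gates the connection and is not bound to the MySQL user that then authenticates. Finally, the context line `setEnabledCipherSuites(sslEngine.getSupportedCipherSuites())` turns on every suite the JDK knows, which depending on the provider includes anonymous and NULL-cipher suites that JSSE disables by default; restricting to `getDefaultCipherSuites()` keeps the CA verification this change adds meaningful.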
@@ -90,7 +91,7 @@ class Config { String feHttpAddress, String feHttpUser, String feHttpPassword, String metaServiceHttpAddress, String suitePath, String dataPath, String realDataPath, String cacheDataPath, String testGroups, String excludeGroups, String testSuites, String excludeSuites, - String testDirectories, String excludeDirectories, String pluginPath) { + String testDirectories, String excludeDirectories, String pluginPath, String sslCertificatePath) { this.defaultDb = defaultDb this.jdbcUrl = jdbcUrl this.jdbcUser = jdbcUser @@ -110,6 +111,7 @@ class Config { this.testDirectories = testDirectories this.excludeDirectories = excludeDirectories this.pluginPath = pluginPath + this.sslCertificatePath = sslCertificatePath } static Config fromCommandLine(CommandLine cmd) { @@ -137,6 +139,7 @@ class Config { config.realDataPath = FileUtils.getCanonicalPath(cmd.getOptionValue(realDataOpt, config.realDataPath)) config.cacheDataPath = cmd.getOptionValue(cacheDataOpt, config.cacheDataPath) config.pluginPath = FileUtils.getCanonicalPath(cmd.getOptionValue(pluginOpt, config.pluginPath)) + config.sslCertificatePath = FileUtils.getCanonicalPath(cmd.getOptionValue(sslCertificateOpt, config.sslCertificatePath)) config.suiteWildcard = cmd.getOptionValue(suiteOpt, config.testSuites) .split(",") .collect({s -> s.trim()}) @@ -244,7 +247,8 @@ class Config { configToString(obj.excludeSuites), configToString(obj.testDirectories), configToString(obj.excludeDirectories), - configToString(obj.pluginPath) + configToString(obj.pluginPath), + configToString(obj.sslCertificatePath) ) def declareFileNames = config.getClass() 
@@ -327,6 +331,11 @@ class Config { log.info("Set dataPath to '${config.pluginPath}' because not specify.".toString()) } + if (config.sslCertificatePath == null) { + config.sslCertificatePath = "regression-test/ssl_default_certificate" + log.info("Set sslCertificatePath to '${config.sslCertificatePath}' because not specify.".toString()) + } + if (config.testGroups == null) { config.testGroups = "default" log.info("Set testGroups to '${config.testGroups}' because not specify.".toString()) @@ -491,10 +500,7 @@ class Config { String useSslConfig = "verifyServerCertificate=false&useSSL=" + useSsl + "&requireSSL=false" String tlsVersion = "TLSv1.2" String tlsVersionConfig = "&enabledTLSProtocols=" + tlsVersion - String keyStoreFile = "file:regression-test/certificate.p12" - String keyStoreFileConfig = "&trustCertificateKeyStoreUrl=" + keyStoreFile + "&clientCertificateKeyStoreUrl=" + keyStoreFile - String password = "&trustCertificateKeyStorePassword=doris&clientCertificateKeyStorePassword=doris" - String sslUrl = useSslConfig + tlsVersionConfig + keyStoreFileConfig + password + String sslUrl = useSslConfig + tlsVersionConfig // e.g: jdbc:mysql://locahost:8080/dbname? if (url.charAt(url.length() - 1) == '?') { return url + sslUrl diff --git a/regression-test/framework/src/main/groovy/org/apache/doris/regression/ConfigOptions.groovy b/regression-test/framework/src/main/groovy/org/apache/doris/regression/ConfigOptions.groovy index 574ab0a131cd9c3..5355f8a14cd73b7 100644 --- a/regression-test/framework/src/main/groovy/org/apache/doris/regression/ConfigOptions.groovy +++ b/regression-test/framework/src/main/groovy/org/apache/doris/regression/ConfigOptions.groovy @@ -41,6 +41,7 @@ class ConfigOptions { static Option realDataOpt static Option cacheDataOpt static Option pluginOpt + static Option sslCertificateOpt static Option suiteOpt static Option excludeSuiteOpt static Option groupsOpt 
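Review bot: Dropping `trustCertificateKeyStoreUrl`/`clientCertificateKeyStoreUrl` leaves every JDBC-based suite connecting with `verifyServerCertificate=false` and no trust anchor, so after this change the only test that validates a server certificate is the `mysql` CLI suite and nothing exercises the JDBC path against the new CA. If that is intended, a comment such as `// JDBC suites only exercise encryption; certificate validation is covered by mysql_ssl_p0` would stop the next reader from re-adding a keystore; otherwise point `trustCertificateKeyStoreUrl` at a PKCS12 or JKS built from `ssl_default_certificate/ca.pem`, since Connector/J does not accept a bare PEM there. The enclosing method starts before the hunk.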
@@ -148,6 +149,16 @@ class ConfigOptions { .longOpt("plugin") .desc("the plugin path") .build() + + sslCertificateOpt = Option.builder("ssl") + .argName("sslCertificatePath") + .required(false) + .hasArg(true) + .type(String.class) + .longOpt("sslCertificatePath") + .desc("the sslCertificate path") + .build() + suiteOpt = Option.builder("s") .argName("suiteName") .required(false) @@ -316,6 +327,7 @@ class ConfigOptions { .addOption(pathOpt) .addOption(dataOpt) .addOption(pluginOpt) + .addOption(sslCertificateOpt) .addOption(confOpt) .addOption(suiteOpt) .addOption(excludeSuiteOpt) diff --git a/regression-test/ssl_default_certificate/ca.pem b/regression-test/ssl_default_certificate/ca.pem new file mode 100644 index 000000000000000..dae83616299486c --- /dev/null +++ b/regression-test/ssl_default_certificate/ca.pem 
@@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIID7zCCAtegAwIBAgIUFFyovmu0XNcivWB0qsOVztoITk8wDQYJKoZIhvcNAQEL +BQAwgYYxCzAJBgNVBAYTAkNOMRAwDgYDVQQIDAdCZWlqaW5nMRAwDgYDVQQHDAdC +ZWlqaW5nMQ4wDAYDVQQKDAVEb3JpczEOMAwGA1UECwwFRG9yaXMxDjAMBgNVBAMM +BURvcmlzMSMwIQYJKoZIhvcNAQkBFhRkZXZAZG9yaXMuYXBhY2hlLm9yZzAeFw0y +MzA0MTAxMDQyMjRaFw0zMzAyMTYxMDQyMjRaMIGGMQswCQYDVQQGEwJDTjEQMA4G +A1UECAwHQmVpamluZzEQMA4GA1UEBwwHQmVpamluZzEOMAwGA1UECgwFRG9yaXMx +DjAMBgNVBAsMBURvcmlzMQ4wDAYDVQQDDAVEb3JpczEjMCEGCSqGSIb3DQEJARYU +ZGV2QGRvcmlzLmFwYWNoZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQCmL5CmsOWZGGOY4QJ+KoLFvqC4sjSrMtxQjZA3QtYz0E3hc/1vukmTU2MU +EskY4B9gklp4LvoTTbjCdHb1ZzxSqYbkfZL2N55s1j5g5Gphy8fAU4LxlcAX+D2g +k2lsfGn/BnM4jefv1rNAXITF5gpFJtz43hZX39v/ciQEbovtn8jxaaSZJE1pY4NO +LxH0+8OU3pLeVPDoV5Ij0Irm4FKrUVYbbwhitruzU3qhUzCX3fyPtTMoxEaHsxSo +IuR/3LSuRJnRvO8/3HFI4nBCurQZe7W/rNCiADMD7ECDUAbAmzZs8oH/teMRQIIF +S17xQDVhy+fMEiIb5vrJpsSnkxdjAgMBAAGjUzBRMB0GA1UdDgQWBBSb2l0QFsBP +Uf4rpqjnx4hqhh3IyzAfBgNVHSMEGDAWgBSb2l0QFsBPUf4rpqjnx4hqhh3IyzAP +BgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBxXsKx45fVAnxUxN57 +ULJQnwPwqzzhk7LXpn0HhqmVasF1JFnp970ZqW048B7V25NEY828BXuzDj5Oe1Ap +V0yzqh87sVXkRnP1zQi3B6xlyC2w8R2FLzk4NgkZZOSd6es6XV9GDCSaHaMWnwCz +QD/lv1rultohtyeMYk3erc8aLDkEFfjGmeFb9HNpeyas/KQQuAS1XnxsTdhJm+F9 +MVDqMRVZWudFQWt1Tu7OC+5D8nZzDblMuKDptM6ZdUAvy5DpospOLnWK0c04QGKk +RMYp5sxrNeBzyNJIpyEh3V94y1mH/QzQUIGQmNKL1tAKtyIsDcaXPMSW5ojdvxHJ +iN+q +-----END CERTIFICATE----- diff --git a/regression-test/ssl_default_certificate/client-cert.pem b/regression-test/ssl_default_certificate/client-cert.pem new file mode 100644 index 000000000000000..f2996bc60563f34 --- /dev/null +++ b/regression-test/ssl_default_certificate/client-cert.pem 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDgzCCAmsCAQEwDQYJKoZIhvcNAQELBQAwgYYxCzAJBgNVBAYTAkNOMRAwDgYD +VQQIDAdCZWlqaW5nMRAwDgYDVQQHDAdCZWlqaW5nMQ4wDAYDVQQKDAVEb3JpczEO +MAwGA1UECwwFRG9yaXMxDjAMBgNVBAMMBURvcmlzMSMwIQYJKoZIhvcNAQkBFhRk +ZXZAZG9yaXMuYXBhY2hlLm9yZzAeFw0yMzA0MTAxMDQ1MjBaFw0zMzAyMTYxMDQ1 +MjBaMIGHMQswCQYDVQQGEwJDTjEQMA4GA1UECAwHQmVpamluZzEQMA4GA1UEBwwH +QmVpamluZzEOMAwGA1UECgwFRG9yaXMxDjAMBgNVBAsMBURvcmlzMQ8wDQYDVQQD +DAZDbGllbnQxIzAhBgkqhkiG9w0BCQEWFGRldkBkb3Jpcy5hcGFjaGUub3JnMIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArWZoLynFbkTTXry3rRoOT0yI ++VWE8Qs/cdKshT8ecNrWgkoMbBtGEoPahtC+BuMfyHsdNSx6Iyyxgee2f41Mqhfv +c9ssZFbq93NPE7rbb8v+LoZkibp5ErM4vtDmKcBp4ZEsWMRxauXYipyvdyGCbswD +M/Hd0PPFubpEoqg/8qjIz/TbQIXbJ2FYkKFv8Z3RYvy0GP5ZVpTm4zcYB6RAzr6z ++qbA3Li/0UjUVSdhzsoDWn5lOfX6Dp7yAuiocSMpMk65A/pwwRPSJ9u/gPP2LVsJ +L5uBogk29Hj5QBwRGePz0hJnDR3C4Lb786zHWk0QmHvVxQJq+DIbY8vlMhv6DwID +AQABMA0GCSqGSIb3DQEBCwUAA4IBAQCgi2pRKqWiZv6Xlpn4Viv/N+G9J+0/IUnd +YWvhmF4yzBb4R4FjyxiKG9d79o6JhhJ1ts5fmNk/idS0sBoj8FOkj53KAbw6pHBQ +bO3f+UYWLvx8I8F5iycAseA5GTid2cOU8s/gY34rhvey2PGzR+hxfDDGbpRxXFKw +X4zOKCYK8qAR9dDc8MOJyAs30NXn6vxiQSNijJe7+0J91NbAOHw/NeaIS673exqs +K7nPiAe7tPwZOY5LsZxzrosTIsUryheM8S+S0Sqess+zkKMV1xbCbyk2eMbhdfyL +5xLGv7HxnIEoJyRKQ4q0wk9GteLdvlSAKJ1cTe/n8NOf36cXZj/s +-----END CERTIFICATE----- diff --git a/regression-test/ssl_default_certificate/client-key.pem b/regression-test/ssl_default_certificate/client-key.pem new file mode 100644 index 000000000000000..350f34da24334b4 --- /dev/null +++ b/regression-test/ssl_default_certificate/client-key.pem 
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEArWZoLynFbkTTXry3rRoOT0yI+VWE8Qs/cdKshT8ecNrWgkoM
+bBtGEoPahtC+BuMfyHsdNSx6Iyyxgee2f41Mqhfvc9ssZFbq93NPE7rbb8v+LoZk
+ibp5ErM4vtDmKcBp4ZEsWMRxauXYipyvdyGCbswDM/Hd0PPFubpEoqg/8qjIz/Tb
+QIXbJ2FYkKFv8Z3RYvy0GP5ZVpTm4zcYB6RAzr6z+qbA3Li/0UjUVSdhzsoDWn5l
+OfX6Dp7yAuiocSMpMk65A/pwwRPSJ9u/gPP2LVsJL5uBogk29Hj5QBwRGePz0hJn
+DR3C4Lb786zHWk0QmHvVxQJq+DIbY8vlMhv6DwIDAQABAoIBAQCgQ3IvhQ/w5rPl
+b87jsp1fNYGz0RLaJmcxMGI7lSbxb5GrQf1RPbP6ENu8ltnLS8hoZ0GLj9wi/n/h
+bOQD5/jfjNfH4N6arqrkojKILb/7CDOZlKT/ltWoLvVXh4PzOt+hl6fBM28QOfd1
+xXN3TAVdmjmrnPRC18v76Oje3VqdT1TyZT9oWFCj906AtiTW+77h6XccWFRC3A99
+lNUM3nCmwgik+MOZ6vNkkNbCb4KlLJXebX+hY6XPqszjEYbp5mdvPczSniAV//V+
+BJINHs4XV3JfdY5BfzRzARt1fkQRDwae0FkVjPVROQQ5TkU3XDPtnXxVaXoQm3QB
+HNYT7LbhAoGBANp7Ys4zSphFXodip4AkGfRlyCVgzPWyvCWMZy9UQcw1Mh2ab/6x
+CYiW9RSSbmNd1cC6zh4lwLrfTQHNvmWLxnUPt+Uu6DLZFJnDqhFPj6CHYoB3t8AX
+iwozAIqE/qSlXYAAN26hyoNPxO8+mtQk4Noupmp8vpaVbuB9BfElS0FFAoGBAMst
+MDYTGU+T5BKNl1IE3HlXT2YsJm6QfREXoopYC9vr0R/0/kZX6lQnuujGxTZG9tEo
+geoAf82vKCmYDVPfGf0o8L9f+KcB2GP3JRXmqn7n1ALMLTQDG4GPsa5aK+ey+lue
+xXM6zDqWNcz/YEvfAz/SdLHIavwn1y0Nr6iMACFDAoGBAK6p34areKIdKwIe+3u0
+4M8Co6xGI/T0q/d0tHUg7e08RdFmyswZal65GDsXCYsE1ELc1LVDRz3eEOk1O1Zh
+FQo2w7RD+LvV0eNPimGGcnNKaJP9oXe/GpfPyEn1IsIrtYEEK0yVqZmqpu0A5rRc
+uymSC9ar3Y3y7w4mxR5Qy0XlAoGAMYp3Mvg9N7Yr6ooz13/v8nZjmdoyFMuOc1h7
+/ZeybJF3kH9AcQ6GyLZXUOMGu1FaZW2nH9O3VgPbmyjENyszPxN4gHF6Q96jUNy2
+Yjy4XfFRNM1sSD5pupG7FXRPOFPfz+9K3en8Wly+CZpLdLSQKkO6yI7B53IfeZDY
+wBRDA9kCgYAnzeIm+c8ahQ6HNWdRtuMdPeP/2sHyJV9tv/ZTsi2QAgfd4rqmGEhM
+20eJp4RQzB68wIDMZcoSP8xpACZQYwH5RZvQ8zo53SXrgWgb6XYno8lRc0cxh5oL
+ILtgCAxt/20PcpFx5Igh04TIOsYY2Ksp56cbJL6u7uyBnKwwa4XpCg==
+-----END RSA PRIVATE KEY-----
diff --git a/regression-test/suites/mysql_ssl_p0/test_mysql_connection.groovy b/regression-test/suites/mysql_ssl_p0/test_mysql_connection.groovy
index f95ef88058421a3..68fbe46dfe3a7ba 100644
--- a/regression-test/suites/mysql_ssl_p0/test_mysql_connection.groovy
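Review bot: An unencrypted PKCS#1 RSA private key (`-----BEGIN RSA PRIVATE KEY-----`) is committed here, and its public-key bytes (`rWZoLynFbkTTXry3rRoOT0yI`) match the client certificate in the previous hunk, so anyone with a copy of the repository can present a CN=Client certificate chaining to the bundled default CA. That is acceptable for a regression fixture only as long as nothing that ships by default trusts this CA for client authentication, and the regression-test/ssl_default_certificate/ directory itself carries no statement of that intent. A one-line README alongside the key, e.g. `Test-only key pair generated for the regression suite; never enable client-certificate verification against the bundled CA outside the test environment.`, would make the intent explicit for anyone who copies the directory. Expect secret scanners to flag this file; an allowlist entry for it is preferable to disabling the scanner rule.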
+++ b/regression-test/suites/mysql_ssl_p0/test_mysql_connection.groovy @@ -14,6 +14,7 @@ // KIND, either express or implied. See the License for the // specific language governing permissions and limitations // under the License. +import org.apache.doris.regression.Config suite("test_mysql_connection") { suite -> // NOTE: this suite need you install mysql client 5.7 + to support --ssl-mode parameter @@ -39,10 +40,20 @@ suite("test_mysql_connection") { suite -> String cmdDefault = "mysql -uroot -h" + mysqlHost + " -P" + mysqlPort + " -e \"show variables\""; String cmdDisabledSsl = "mysql --ssl-mode=DISABLE -uroot -h" + mysqlHost + " -P" + mysqlPort + " -e \"show variables\""; String cmdSsl12 = "mysql --ssl-mode=REQUIRED -uroot -h" + mysqlHost + " -P" + mysqlPort + " --tls-version=TLSv1.2 -e \"show variables\""; + // client verifies server certificate + String cmdv1 = "mysql --ssl-mode=VERIFY_CA --ssl-ca=" + context.config.sslCertificatePath + "/ca.pem -uroot -h" + mysqlHost + " -P" + mysqlPort + " --tls-version=TLSv1.2 -e \"show variables\""; + + // two-way ssl auth (client and server both verify their respective certificates) + String cmdv2 = "mysql --ssl-mode=VERIFY_CA --ssl-ca=" + context.config.sslCertificatePath + "/ca.pem \ + --ssl-cert=" + context.config.sslCertificatePath + "/client-cert.pem \ + --ssl-key=" + context.config.sslCertificatePath + "/client-key.pem -uroot -h" + mysqlHost + " -P" + mysqlPort + " --tls-version=TLSv1.2 -e \"show variables\""; + // The current mysql-client version of the test environment is 5.7.32, which does not support TLSv1.3, so comment this part. // String cmdSsl13 = "mysql --ssl-mode=REQUIRED -uroot -h" + mysqlHost + " -P" + mysqlPort + " --tls-version=TLSv1.3 -e \"show variables\""; executeMySQLCommand(cmdDefault); executeMySQLCommand(cmdDisabledSsl); executeMySQLCommand(cmdSsl12); // executeMySQLCommand(cmdSsl13); + executeMySQLCommand(cmdv1); + executeMySQLCommand(cmdv2); }
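Review bot: Running `cmdv2` only shows that a connection presenting the bundled client certificate succeeds; it would pass equally if the server never validated the client certificate, so the `// two-way ssl auth` comment is not backed by the test. A negative case asserted to fail — the same command with `--ssl-cert`/`--ssl-key` omitted, or pointing at a certificate not issued by `ca.pem` — is what demonstrates that client verification is actually enforced. `--ssl-mode=VERIFY_CA` validates the chain but not the server hostname, so `VERIFY_IDENTITY` is not exercised; a comment such as `// VERIFY_IDENTITY is not tested: the default certificate's subject does not match the test host` would record that as deliberate. `import org.apache.doris.regression.Config` appears unused in the visible hunks, since the suite reads `context.config.sslCertificatePath` directly; the suite body between the two hunks is outside this view.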
