How do I enable TLS on an Apache Arrow FlightClient in Java?


Question


The documentation for the Java Apache Arrow (v11.0.0) FlightClient.Builder has several methods related to constructing a TLS-enabled client:

  • clientCertificate(InputStream clientCertificate, InputStream clientKey)
  • useTls()
  • overrideHostname(String hostname)
  • trustedCertificates(InputStream stream)
  • verifyServer(boolean verifyServer)

The descriptions aren't detailed enough for me to understand which ones are needed to enable and use TLS in connections with a FlightServer. There could easily be some gap in my understanding of TLS that would help me more easily consume this documentation.

Do I need to use all of these? Are some of them redundant? How are they related?

Answer 1

Score: 1


I took a look at the code that implements this API for some insights.

useTls simply tells the underlying client builder to start putting together an SSL Context for the TLS-enabled client. The same effect is achieved by having the grpc+tls scheme attached to the location attribute.

The rest of the options are used for adding to the SSL Context. The context builder is provided by io.netty.handler.ssl.SslContextBuilder.

  • clientCertificate(cert, key) adds the provided cert/key to the SSL Context's key manager.
  • trustedCertificates(cert) adds the provided cert to the trust manager (for third party connection verification).
  • verifyServer(bool) cannot be false if either of the above two are provided, since they are required to verify the server. If this is false, the trust manager will simply be set up using InsecureTrustManagerFactory.INSTANCE.
  • overrideHostname(hostname) calls the underlying overrideAuthority() on the channel builder. This isn't really related to what I'm trying to do.

Do I need to use all of these (ignoring overrideHostname)? It depends on how the TLS is configured on the server the client will connect to.

Are any of them redundant? useTls() is redundant if the location attribute already has the TLS scheme attached.
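As an added example (not code from the original question, from the answer above, or from the Arrow project itself), the following Java wires the five builder methods together the way the answer describes: a verified client that pins its trust anchors and optionally presents a client certificate, next to the test-only variant that forces TLS on a plain location and disables server verification. The host name, port, certificate file names and the helper names buildVerifiedClient, buildUnverifiedClient and pem are placeholders chosen for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

import org.apache.arrow.flight.Criteria;
import org.apache.arrow.flight.FlightClient;
import org.apache.arrow.flight.FlightInfo;
import org.apache.arrow.flight.Location;
import org.apache.arrow.memory.BufferAllocator;
import org.apache.arrow.memory.RootAllocator;

/** Added example (not from the original page): FlightClient.Builder TLS options in practice. */
public final class TlsFlightClientExample {

  /**
   * Builds a client that verifies the server certificate against caBundlePem (the CA that
   * signed the server certificate, or the self-signed server certificate itself).
   * If clientCertPem and clientKeyPem are both given, the client also presents them (mutual TLS).
   * expectedHostname is optional: set it when dialing by IP address or through a tunnel while
   * the server certificate's SAN is a DNS name.
   */
  static FlightClient buildVerifiedClient(BufferAllocator allocator, String host, int port,
      Path caBundlePem, Path clientCertPem, Path clientKeyPem, String expectedHostname)
      throws IOException {
    // The grpc+tls scheme already selects TLS, so useTls() is not needed here.
    Location location = Location.forGrpcTls(host, port);
    FlightClient.Builder builder = FlightClient.builder(allocator, location)
        // Default is true; spelled out because false would swap the trust manager for
        // InsecureTrustManagerFactory and is not allowed together with the cert options below.
        .verifyServer(true)
        // PEM-encoded trust anchors -> trust manager. The builder reads the stream inside
        // build(), so it must still be open then; an in-memory copy sidesteps the lifetime issue.
        .trustedCertificates(pem(caBundlePem));
    if (clientCertPem != null && clientKeyPem != null) {
      // PEM certificate chain plus unencrypted PKCS#8 PEM key -> key manager (client auth).
      // Netty's SslContextBuilder expects PKCS#8; convert a traditional key with
      //   openssl pkcs8 -topk8 -nocrypt -in client.key -out client.key.pem
      builder.clientCertificate(pem(clientCertPem), pem(clientKeyPem));
    }
    if (expectedHostname != null) {
      // Maps to overrideAuthority(): the name used for SNI and hostname verification.
      builder.overrideHostname(expectedHostname);
    }
    return builder.build();
  }

  /**
   * Encrypts the channel but trusts any server certificate, so an active man-in-the-middle
   * is not detected. Local tests only. Combining verifyServer(false) with
   * trustedCertificates()/clientCertificate() is rejected by build().
   */
  static FlightClient buildUnverifiedClient(BufferAllocator allocator, String host, int port) {
    return FlightClient.builder(allocator, Location.forGrpcInsecure(host, port))
        .useTls()            // plain grpc+tcp location, so TLS has to be forced explicitly
        .verifyServer(false) // trust manager becomes InsecureTrustManagerFactory.INSTANCE
        .build();
  }

  /** Reads a PEM file into memory so the returned stream stays valid until build(). */
  private static InputStream pem(Path path) throws IOException {
    return new ByteArrayInputStream(Files.readAllBytes(path));
  }

  public static void main(String[] args) throws Exception {
    // Hypothetical endpoint and file names; substitute your own.
    try (BufferAllocator allocator = new RootAllocator();
         FlightClient client = buildVerifiedClient(allocator, "flight.example.internal", 8815,
             Paths.get("ca.pem"), Paths.get("client.pem"), Paths.get("client.key.pem"), null)) {
      for (FlightInfo info : client.listFlights(Criteria.ALL)) {
        System.out.println(info.getDescriptor());
      }
    }
  }
}
```

The practical split is: trustedCertificates() decides which servers you accept, clientCertificate() decides how you authenticate to them, and verifyServer(false) throws away the first of those entirely, leaving only protection against passive eavesdropping. Leave verifyServer at its default and distribute the CA bundle instead of disabling verification when a self-signed or internal-CA certificate fails to validate.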

huangapple
  • Posted on March 31, 2023 04:00:04
  • Please keep this link when reposting: https://go.coder-hub.com/75892490.html