[#41] feat(server): Add https support for Jetty server

[qqqttt123]

What changes were proposed in this pull request?

I add a https connector referring to the implement of Apache Livy(incubating).

Why are the changes needed?

Fix: #41

Does this PR introduce any user-facing change?

Yes, I add the documents.

How was this patch tested?

Manual test.

I run the command

# generate the key store
cd $JAVA_HOME
bin/keytool -genkeypair  -alias localhost \
        -keyalg RSA -keysize 4096 -keypass localhost \
        -sigalg SHA256withRSA \
        -keystore localhost.jks -storetype JKS -storepass localhost \
        -dname "cn=localhost,ou=localhost,o=localhost,l=beijing,st=beijing,c=cn" \
        -validity 36500
# generate the certificate
bin/keytool -export -alias localhost -keystore localhost.jks -file  localhost.crt -storepass localhost

# import the certificate
bin/keytool -import -alias localhost -keystore jre/lib/security/cacerts -file localhost.crt -storepass changeit -noprompt

# server's configuration
gravitino.server.webserver.host localhost
gravitino.server.webserver.httpsEnable true
gravitino.server.webserver.keyStorePath ${JAVA_HOME}/localhost.jks (Configuration doesn't support to resolve environment variable, so you should replace ${JAVA_HOME} with the actual value)
gravitino.server.webserver.keyStorePassword localhost
gravitino.server.webserver.managerPassword localhost

# user GravitinoClient to call the version api
String uri = "https://localhost:8443";
GravitinoClient client = GravitinoClient.builder(uri).build();
GravitinoVersion gravitinoVersion = client.getVersion();
# The result is successful.

[github-actions]

Code Coverage Report

Overall Project	65.78% -0.42%	🟢
Files changed	59.82%	🔴

Module	Coverage
server-common	66.57% -10.82%	🔴

Files

Module	File	Coverage
server-common	JettyServerConfig.java	92.69% -6.36%	🟢
	JettyServer.java	46.23% -21.82%	🔴

[yuqi1129]

Shouldn't we use https as default?

[qqqttt123]

HTTPS will make deployment more complex. So we don't choose to enable the feature by default. Many other systems made a similar choice.

[jerryshao]

I would suggest changing to "gravitino.server.webserver.enableHttps"

[qqqttt123]

Fixed.

[mchades]

Usually, once HTTPS is set up, most services will configure redirection to redirect all HTTP traffic to HTTPS to ensure the security of communication. Should we support this ability?

[mchades]

user can not start services on both https and http at the same time?

[qqqttt123]

Livy chooses http or https. I follow the suggestion. Thanks.

[mchades]

OK, but should we tell the user in the document that if gravitino.server.webserver.httpsPort=true then all configurations about HTTP(such as HTTP port) will be invalidated?

[mchades]

I also have a concern about the convenience and compatibility of migration:

If the user wants to enable HTTPS after running the service on HTTP for a period of time, for your current implementation, they must complete all HTTP client refactoring before switching. It's a big matter for online service

[qqqttt123]

What's your suggestion?

[mchades]

I suggest supporting both HTTP and HTTPS.

[mchades]

ditto

[qqqttt123]

Fixed.

[qqqttt123]

Usually, once HTTPS is set up, most services will configure redirection to redirect all HTTP traffic to HTTPS to ensure the security of communication. Should we support this ability?

Could you give me some examples?

[mchades]

Usually, once HTTPS is set up, most services will configure redirection to redirect all HTTP traffic to HTTPS to ensure the security of communication. Should we support this ability?

Could you give me some examples?

I'm referring to the web service, such as http://github.com, http://google.com, http://apple.com

[diqiu50]

How to handle exceptions on https initialize. Would it be easy for the user to understand if the original exception is thrown?

[qqqttt123]

What exception should we handle?

[diqiu50]

Missing integration tests.

[qqqttt123]

Missing integration tests.

Integration tests may be difficult. Some steps need human interaction.

[qqqttt123]

Missing integration tests.

I find I can add the option -no-prompt to skip human interaction. I will have a try to add a integration test.

[FANNG1]

Gravitino server and Iceberg REST server have it's configuration doc, I wonder whether it's proper to put security configuration here.

[qqqttt123]

It's ok for us not to add these configuration options in those documents. Spark also follows this document style.

[jerryshao]

I think you should add more doc example about how to configure https.

[qqqttt123]

Add a warning log if we enable OAuth and HTTP.

[qqqttt123]

Add a warning log if we enable OAuth and HTTP.

Fixed.

[qqqttt123]

For documents, we just add some simple configuration options. I will polish the document in the next pr.

[qqqttt123]

I have addressed the comments. @jerryshao Could you review this pr if you have time?

[jerryshao]

Have you tested with Gravitino Client and curl. As I remembered there will be some settings in the client side if client side auth is enable.

Also some other configurations like keystore type, trustStore, trustStorePassword, trustStoreType, algorithm probably are also required, can you please check the Spark's code SSLOptions.

[jerryshao]

I would suggest changing to "gravitino.server.webserver.enableHttps"

[jerryshao]

Also here

[qqqttt123]

I will fix.

[qqqttt123]

Fixed.

[jerryshao]

Basically not just oauth2, all the token based auth should be with https, otherwise it has a risk of token leakage.

[qqqttt123]

OK, I got it.

[qqqttt123]

Fixed.

[qqqttt123]

Have you tested with Gravitino Client and curl. As I remembered there will be some settings in the client side if client side auth is enable.

Also some other configurations like keystore type, trustStore, trustStorePassword, trustStoreType, algorithm probably are also required, can you please check the Spark's code SSLOptions.

I have tested by GravitinoClient.

[jerryshao]

Have you tested with Gravitino Client and curl. As I remembered there will be some settings in the client side if client side auth is enable.
Also some other configurations like keystore type, trustStore, trustStorePassword, trustStoreType, algorithm probably are also required, can you please check the Spark's code SSLOptions.

I have tested by GravitinoClient.

My point is the second sentence.

[jerryshao]

How do you configure this? and algorithm, it would be better to add more docs about it.

[qqqttt123]

OK, I will add more description referring the doc of Spark.

[jerryshao]

I remembered that you have a sever side check for auth and HTTP, why do you remove that check?

[qqqttt123]

I remembered that you have a sever side check for auth and HTTP, why do you remove that check?

Because we choose simpleAuth by default, the server always use the authentication mechanism, simple or OAuth. The server always faces the risk of token data leak.

[jerryshao]

Why do you use html links rather than markdown style?

[qqqttt123]

Spark chooses this style. I will change it to markdown style. Fixed.

[jerryshao]

Also are you going to add more security doc here in this PR, or you will split into a doc PR?

[qqqttt123]

I will split into a doc PR.

[jerryshao]

I think all these must-setting configurations should have no default empty string as value, right? Using default value here is a bit misleading.

[qqqttt123]

Yes, but they are must-setting configurations, it's weird if we use createWithOptional. It will report a error if we choose to use createWithDefault(null). So I choose to use empty value here.

[jerryshao]

I see, maybe we need to add a method in ConfigEntry called create to support configurations with no default value. @qqqttt123 can you please create an issue to track this?

[qqqttt123]

Created #950