Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

HPCC-33260 Allow a BM DFS service+dafilesrv to be secured #19422

Open
wants to merge 2 commits into
base: candidate-9.10.x
Choose a base branch
from
Open

HPCC-33260 Allow a BM DFS service+dafilesrv to be secured #19422

wants to merge 2 commits into from

Conversation

jakesmith
Copy link
Member

@jakesmith jakesmith commented Jan 16, 2025
edited
Loading

  1. Ensure BM DFS meta is remapped to point to the BM dafilesrv and correct secure port.
  2. Allow dafilesrv to be configured with a CA/certs/trusted peers, so that it can be configured to only accepts connections from trusted clients.

Type of change:

  • This change is a bug fix (non-breaking change which fixes an issue).
  • This change is a new feature (non-breaking change which adds functionality).
  • This change improves the code (refactor or other change that does not change the functionality)
  • This change fixes warnings (the fix does not alter the functionality or the generated code)
  • This change is a breaking change (fix or feature that will cause existing behavior to change).
  • This change alters the query API (existing queries will have to be recompiled)

Checklist:

  • My code follows the code style of this project.
    • My code does not create any new warnings from compiler, build system, or lint.
  • The commit message is properly formatted and free of typos.
    • The commit message title makes sense in a changelog, by itself.
    • The commit is signed.
  • My change requires a change to the documentation.
    • I have updated the documentation accordingly, or...
    • I have created a JIRA ticket to update the documentation.
    • Any new interfaces or exported functions are appropriately commented.
  • I have read the CONTRIBUTORS document.
  • The change has been fully tested:
    • I have added tests to cover my changes.
    • All new and existing tests passed.
    • I have checked that this change does not introduce memory leaks.
    • I have used Valgrind or similar tools to check for potential issues.
  • I have given due consideration to all of the following potential concerns:
    • Scalability
    • Performance
    • Security
    • Thread-safety
    • Cloud-compatibility
    • Premature optimization
    • Existing deployed queries will not be broken
    • This change fixes the problem, not just the symptom
    • The target branch of this pull request is appropriate for such a change.
  • There are no similar instances of the same problem that should be addressed
    • I have addressed them here
    • I have raised JIRA issues to address them separately
  • This is a user interface / front-end modification
    • I have tested my changes in multiple modern browsers
    • The component(s) render as expected

Smoketest:

  • Send notifications about my Pull Request position in Smoketest queue.
  • Test my draft Pull Request.

Testing:

@jakesmith jakesmith force-pushed the HPCC-33260-secure-dm-dfs branch 2 times, most recently from 6eeda69 to 181a4aa Compare January 16, 2025 16:48
@jakesmith jakesmith changed the title HPCCC-33260 Allow a BM DFS service+dafilesrv to be secured HPCC-33260 Allow a BM DFS service+dafilesrv to be secured Jan 16, 2025
@jakesmith
HPCC-33260 Allow a BM DFS service+dafilesrv to be secured
c3a3002 
1) Ensure BM DFS meta is remapped to point to the BM dafilesrv
and correct secure port.
2) Allow dafilesrv to be configured with a CA/certs/trusted peers,
so that it can be configured to only accepts connections from
trusted clients.

Signed-off-by: Jake Smith <[email protected]>
@jakesmith jakesmith force-pushed the HPCC-33260-secure-dm-dfs branch from 181a4aa to c3a3002 Compare January 17, 2025 14:46
ghalliday
ghalliday reviewed Jan 20, 2025
View reviewed changes
Copy link
Member

@ghalliday ghalliday left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good. I think one leak though

fs/dafsserver/dafsserver.cpp
IPropertyTree *cert = getComponentConfigSP()->getPropTree("cert");
if (cert)
{
Owned<ISyncedPropertyTree> certSyncedWrapper = createSyncedPropertyTree(cert);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

minor: cert will be leaked - line 151 should be an owned instance or call queryPropTree

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

whoops, should be owned, to avoid theoretical config change and invalidation of it before being used.
Will change.

fs/dafilesrv/dafilesrv.cpp Outdated
@@ -590,6 +590,15 @@ int main(int argc, const char* argv[])
if (componentExpert)
synchronizePTree(expert, componentExpert, false, true);

// merge in bare-metal dafilesrv component cert settings into newConfig
IPropertyTree *componentCert = nullptr;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

trivial: could combine with the next line (I wouldn't have commented if not only comment).

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should be combined. Will change.

@jakesmith
HPCC-33260 missing "cert" validation check/skip and review changes
a50602f 
Add check for "cert" configuration to avoid legacy
environment.conf check.

Review changes

Signed-off-by: Jake Smith <[email protected]>
@jakesmith jakesmith requested a review from ghalliday January 20, 2025 12:55
@jakesmith
Copy link
Member Author

jakesmith commented Jan 20, 2025
edited
Loading

@ghalliday - please review 2nd commit. It includes the review changes, but also a change that I had in my docker testing branch that I missed/not been merged.

ghalliday
ghalliday approved these changes Jan 20, 2025
View reviewed changes
Copy link
Member

@ghalliday ghalliday left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please merge once mark has reviewed and code is squashed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ghalliday ghalliday ghalliday approved these changes

@mckellyln mckellyln Awaiting requested review from mckellyln

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jakesmith @ghalliday