Hot reloading of SSL certificates in gremlin-server
Hey. I'm trying to understand how SSL/TLS certificates are handled in TinkerPop.
Based on this code (https://github.com/apache/tinkerpop/blob/9627b78bcf38a0faf6a94dcd8ae3b80390d837f7/gremlin-server/src/main/java/org/apache/tinkerpop/gremlin/server/AbstractChannelizer.java#L324-L354), keystore files (certificates) are loaded once, on Channel initialization.
This would mean that a Channel keeps using the same certificate for its lifespan and, assuming they are long-lived, I imagine this could be an issue if users want to refresh their certificates often.
Would there be a way to reload those certificates (e.g. periodically, on file change)?
If not, would you have a suggested approach that would make sense to contribute?
As an example, grpc-java, which is also based on Netty, offers this solution: https://github.com/grpc/grpc-java/pull/8175/
Thanks!
I don't think there's any way to currently do the reloads, so something would have to be built. @Kennh any thoughts on this one?
I've been thinking about this for a little bit since I read it, but I don't have any current recommendations on how to move forward with this. I'll have to think about it some more as I can see this evolving into a more general way of reloading server settings where lots of different server settings could get updated on the fly.
Solution
It might be worth taking a look at this solution someone created which uses scheduled file based change detection https://github.com/Hakky54/java-tutorials/blob/main/instant-server-ssl-reloading-with-netty/netty-server/README.md
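The scheduled file-based change detection described in that answer can be sketched without the third-party library. The class below is an added example written for this thread; it is not TinkerPop's code, not the Hakky54 tutorial, and not the linked pull request. It assumes a PKCS12 keystore (path and password are placeholders), a poll interval passed by the caller, and the class name ReloadingSslContextProvider, all of which are this example's own choices. It polls the keystore's modification time, rebuilds the Netty SslContext only when the file changed and only after the new keystore loaded cleanly, and hands the current context to each new channel in the ChannelInitializer (the step that, in gremlin-server, happens once in AbstractChannelizer today).

```java
// Added example (not TinkerPop's, Hakky54's or PR 3078 code): a Netty SslContext holder that
// re-reads a PKCS12 keystore on a fixed schedule whenever its modification time changes.
// Names (ReloadingSslContextProvider), keystore type and the poll interval are assumptions.
import io.netty.channel.Channel;
import io.netty.channel.ChannelInitializer;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;

import javax.net.ssl.KeyManagerFactory;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileTime;
import java.security.KeyStore;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicReference;

public final class ReloadingSslContextProvider implements AutoCloseable {
    private final Path keyStorePath;
    private final char[] password;
    private final AtomicReference<SslContext> current = new AtomicReference<>();
    private final ScheduledExecutorService scheduler =
            Executors.newSingleThreadScheduledExecutor(r -> {
                Thread t = new Thread(r, "ssl-keystore-reload");
                t.setDaemon(true);
                return t;
            });
    private volatile FileTime lastLoaded;

    public ReloadingSslContextProvider(Path keyStorePath, char[] password,
                                       long period, TimeUnit unit) throws Exception {
        this.keyStorePath = keyStorePath;
        this.password = password.clone();
        // Fail fast: the server must not start without a valid keystore.
        reload();
        scheduler.scheduleWithFixedDelay(this::checkForChange, period, period, unit);
    }

    /** The SslContext to use for the NEXT channel; never null after construction. */
    public SslContext current() {
        return current.get();
    }

    /** ChannelInitializer that looks the context up per channel instead of once at startup. */
    public ChannelInitializer<Channel> initializer() {
        return new ChannelInitializer<Channel>() {
            @Override
            protected void initChannel(Channel ch) {
                SslHandler handler = current().newHandler(ch.alloc());
                ch.pipeline().addFirst("ssl", handler);
            }
        };
    }

    private void checkForChange() {
        try {
            FileTime now = Files.getLastModifiedTime(keyStorePath);
            if (now.equals(lastLoaded)) {
                return; // unchanged since the last successful load
            }
            reload();
        } catch (Exception e) {
            // Keep serving with the last good context: a half-written file or a bad
            // keystore must not take the listener down. Use the project's logger here.
            System.err.println("keystore reload skipped, keeping previous context: " + e);
        }
    }

    private synchronized void reload() throws Exception {
        // Read the timestamp before the file so a write racing with this load is retried next tick.
        FileTime stamp = Files.getLastModifiedTime(keyStorePath);
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(keyStorePath)) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        // Build the whole context first; readers only ever observe a complete, valid one.
        SslContext fresh = SslContextBuilder.forServer(kmf).build();
        current.set(fresh);
        lastLoaded = stamp;
    }

    @Override
    public void close() {
        scheduler.shutdownNow();
    }
}
```

Two points worth keeping in mind when adapting this. Only connections accepted after a reload present the new certificate; channels that already completed their handshake keep the old one until they close, so a rotation is complete only once long-lived clients reconnect. And because each rebuilt SslContext carries its own TLS session cache, clients that try to resume a session established against the previous context will fall back to a full handshake right after a reload, which is expected and harmless.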
Thanks! That lib relies on https://github.com/Hakky54/sslcontext-kickstart which has an Apache License. It'd make the implementation simpler, but I'm not sure how reliable that dependency is / what guarantees we have it'll be maintained.
If we don't want to use the library itself, the author's solution could be used as inspiration for a TinkerPop-specific solution.
Hey! I've put together a solution using the library @Andrea shared. You can check out the code here: https://github.com/apache/tinkerpop/pull/3078
If there's interest, happy to take it further and contribute it.
thanks for taking the time to submit that
That's great! If you are happy with the code and it works well for you then you can mark it ready for review as it's currently in a draft state.