apache / arrow-rs

Official Rust implementation of Apache Arrow
https://arrow.apache.org/
Apache License 2.0

fix: enable TLS roots for flight CLI client #6640

Closed crepererum closed 3 weeks ago

crepererum commented 3 weeks ago

Which issue does this PR close?

-

Rationale for this change

Otherwise you get:

Error: setup client

Caused by:
    0: connect to endpoint
    1: transport error
    2: invalid peer certificate: UnknownIssuer
    3: invalid peer certificate: UnknownIssuer

Also see https://github.com/hyperium/tonic/issues/1904 .

What changes are included in this PR?

Just call the method that registers the roots that we include via feature flags anyways.

Are there any user-facing changes?

TLS works again.

tustvold commented 3 weeks ago

Ideally we'd have a test of this, but I don't feel strongly and it is probably difficult to set up

crepererum commented 3 weeks ago

> Ideally we'd have a test of this, but I don't feel strongly and it is probably difficult to set up

I thought about that, but that would require that we have a server that has a certificate that is accepted by the Mozilla CA bundle, so without additional infrastructure, I don't think that's feasible.

Or we do something "stupid" like point the client to https://apache.org and check the error message that should say something like "not found" (because the gRPC endpoint isn't implemented) but that kinda proves that the TLS connection worked. WDYT?

tustvold commented 3 weeks ago

That sounds like it could very well end up being flaky, I think let's leave it for now and we can always revisit