trinodb / trino

Official repository of Trino, the distributed SQL query engine for big data, formerly known as PrestoSQL (https://trino.io)
Apache License 2.0

Support MongoDB TLS configuration #6364

Closed pixie79 closed 2 years ago

pixie79 commented 3 years ago

Hi,

I have two different mongo setups. One which is in a local kubernetes stack the other using cloud hosted Atlas.

Using presto I can connect fine to the Atlas version but not the local one. My local mongo is configured to only allow TLS connections and has its services available only via TLS. However, the TLS is signed by an internal CA.

I have imported the full mongo ca chain to my keystore and then updated the following settings:

jmx.config

    -Djavax.net.ssl.trustStore=/etc/keystore/cacerts
    -Djavax.net.ssl.trustStoreType=pkcs12
    -Djavax.net.ssl.trustStorePassword=changeit

config.properties

    http-server.https.keystore.path=/etc/keystore/keystore.p12
    http-server.https.keystore.key=xxx
    http-server.https.truststore.path=/etc/keystore/cacerts
    http-server.https.truststore.key=xxx
    internal-communication.https.required=false
    internal-communication.https.keystore.path=/etc/keystore/keystore.p12
    internal-communication.https.keystore.key=xxx
    internal-communication.https.truststore.path=/etc/keystore/cacerts
    internal-communication.https.truststore.key=xxx
    workerInfo.http-client.trust-store-path=/etc/keystore/cacerts
    workerInfo.http-client.trust-store-password=xxx
    dynamic.http-client.trust-store-path=/etc/keystore/cacerts
    dynamic.http-client.trust-store-password=xxx
    discovery.http-client.trust-store-path=/etc/keystore/cacerts
    discovery.http-client.trust-store-password=xxx

mongodb.properties

    connector.name=mongodb
    mongodb.seeds=mongodb-0.mongodb.databases.svc.cluster.local,mongodb-1.mongodb.databases.svc.cluster.local,mongodb-2.mongodb.databases.svc.cluster.local
    mongodb.credentials=user:password@admin
    mongodb.ssl.enabled=true
    mongodb.required-replica-set=rs0

I believe presto can find the servers ok, but I do not think it is presenting a TLS cert to mongo as I see a lot of the following errors in my mongo logs:

    {"t":{"$date":"2020-12-16T16:26:55.304+00:00"},"s":"I", "c":"NETWORK", "id":22988, "ctx":"conn15864","msg":"Error receiving request from client. Ending connection from remote","attr":{"error":{"code":141,"codeName":"SSLHandshakeFailed","errmsg":"no SSL certificate provided by peer; connection rejected"},"remote":"10.42.1.59:48560","connectionId":15864}}

In Presto logs I see no errors but if I try a call they just time out.

Any ideas on what I have missed welcome :)
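The MongoDB log entry quoted above is the most useful evidence in this report: error code 141 with `no SSL certificate provided by peer` is the server side of a mutual-TLS handshake that ended because the client never sent a certificate, which is a different failure from a client that sends a certificate the server's CA does not trust. Telling those two apart across many connections is easier with a small parser than by reading raw log lines. The following is an added example, not code from the issue or from the Trino project; the log lines it parses are constructed here (the first is the one quoted in the issue, the rest are made up to show mixed traffic), and the reason classifier keys on substrings of the `errmsg` field, which is an assumption about the message wording rather than a documented contract.

```python
import json
from collections import Counter

# Constructed sample of MongoDB structured (JSON) log lines. Only the first
# line is the entry quoted in the issue; the others are invented to show a
# normal accept, a second no-certificate failure, and a failure of a different
# kind from another client, plus a non-JSON line that a parser must tolerate.
SAMPLE_LOG = """\
{"t":{"$date":"2020-12-16T16:26:55.304+00:00"},"s":"I", "c":"NETWORK", "id":22988, "ctx":"conn15864","msg":"Error receiving request from client. Ending connection from remote","attr":{"error":{"code":141,"codeName":"SSLHandshakeFailed","errmsg":"no SSL certificate provided by peer; connection rejected"},"remote":"10.42.1.59:48560","connectionId":15864}}
{"t":{"$date":"2020-12-16T16:26:56.101+00:00"},"s":"I", "c":"NETWORK", "id":22943, "ctx":"listener","msg":"Connection accepted","attr":{"remote":"10.42.1.59:48562","connectionId":15865,"connectionCount":12}}
{"t":{"$date":"2020-12-16T16:26:56.120+00:00"},"s":"I", "c":"NETWORK", "id":22988, "ctx":"conn15865","msg":"Error receiving request from client. Ending connection from remote","attr":{"error":{"code":141,"codeName":"SSLHandshakeFailed","errmsg":"no SSL certificate provided by peer; connection rejected"},"remote":"10.42.1.59:48562","connectionId":15865}}
{"t":{"$date":"2020-12-16T16:26:57.005+00:00"},"s":"I", "c":"NETWORK", "id":22988, "ctx":"conn15870","msg":"Error receiving request from client. Ending connection from remote","attr":{"error":{"code":141,"codeName":"SSLHandshakeFailed","errmsg":"SSL peer certificate validation failed: unable to get local issuer certificate"},"remote":"10.42.2.17:51010","connectionId":15870}}
this line is not JSON and must be skipped
"""

NO_CERT = "client sent no certificate (server requires mutual TLS)"
UNTRUSTED = "client certificate not trusted by the server CA"
OTHER = "other TLS handshake failure"


def parse_mongo_log(text):
    """Yield one dict per JSON log line, silently skipping non-JSON lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def classify(errmsg):
    """Map a handshake errmsg to a coarse reason (substring match is an assumption)."""
    m = errmsg.lower()
    if "no ssl certificate provided by peer" in m:
        return NO_CERT
    if "certificate validation failed" in m or "unable to get local issuer" in m:
        return UNTRUSTED
    return OTHER


def tls_handshake_failures(text):
    """Return (timestamp, remote, reason) for every SSLHandshakeFailed (code 141) record."""
    found = []
    for rec in parse_mongo_log(text):
        attr = rec.get("attr") or {}
        err = attr.get("error") or {}
        if err.get("codeName") == "SSLHandshakeFailed" or err.get("code") == 141:
            ts = (rec.get("t") or {}).get("$date", "?")
            found.append((ts, attr.get("remote", "?"), classify(err.get("errmsg", ""))))
    return found


def failures_by_client(text):
    """Aggregate handshake failures per client IP (port stripped) and per reason."""
    by_ip, by_reason = Counter(), Counter()
    for _ts, remote, reason in tls_handshake_failures(text):
        by_ip[remote.rsplit(":", 1)[0]] += 1
        by_reason[reason] += 1
    return by_ip, by_reason


if __name__ == "__main__":
    by_ip, by_reason = failures_by_client(SAMPLE_LOG)
    for ip, n in by_ip.most_common():
        print(f"{ip}: {n} failed TLS handshakes")
    for reason, n in by_reason.most_common():
        print(f"{n} x {reason}")
```

Run against a real `mongod` log, a client IP that only ever produces the "no certificate" reason is one whose connector has a truststore but no client keystore configured, which matches what the reporter describes; the "not trusted" reason instead points at a CA chain problem on the server side. Either way the fix belongs in configuration, not in loosening the server's TLS requirements.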

pixie79 commented 3 years ago

I have managed to prove that the error appears to be that Presto is not sending a valid TLS cert to mongo, as if I switch Mongo to allow non-TLS connections then everything is ok.

Is there a config line missing for the connector to enable me to specify what TLS cert should be used for the connection?

ebyhr commented 3 years ago

@pixie79 Probably, we need to modify code and prepare new configurations for that case. Let me take a look.

ebyhr commented 3 years ago

> In Presto logs I see no errors but if I try a call they just time out.

@pixie79 Could you share Presto server log just in case?

ebyhr commented 2 years ago

Closing as #9819