@gortiz gortiz commented Oct 22, 2024

Pinot 1.2.0 doesn't support TLS connections between multi-stage nodes. PR #13645 tried to fix that, but there were a couple of issues in the implementation. Given it is difficult to test TLS without an actual environment, that PR was merged without testing it. That PR is partial in the sense that query servers are enabled with TLS but it is not enabled in query clients (basically the brokers).

In general we tend to add new flags for new features whenever possible, to minimize the impact on deployment and, in case there is an issue, to be able to disable the new feature. But #13645 enabled the feature as long as TLS was configured for single-stage queries. As a result, when a cluster where TLS is enabled is started with the code in master, multi-stage queries fail because servers try to connect without TLS while servers ask for it.

This PR doesn't fix the original problem but:

  1. Adds a new config to enable TLS on multi-stage. That config is disabled by default.
  2. Uses that config instead of the single stage one to decide whether multi-stage QueryServer should use TLS or not.
  3. It also fails when this property is turned on, as we know it is not actually implemented.

The reason to not fix the issue right now is the lack of time to test it properly. Instead we need to fix the regression in our test deployments.


@yashmayya yashmayya left a comment

@gortiz any particular reason why we're introducing the config here even though we won't support it being turned on? Why not simply make it off by default and introduce the config when the issue with the dispatch client is fixed?

gortiz commented Oct 22, 2024

> any particular reason why we're introducing the config here even though we won't support it being turned on? Why not simply make it off by default and introduce the config when the issue with the dispatch client is fixed?

We could just roll back #13645, but I think most of the changes from @anandheritage can be kept. It is just a matter of enabling TLS on the client side. What we are also going to need for sure is a property to enable/disable TLS between broker and server in multi-stage.

But maybe you are right, just disabling it would be better. Mainly because configs are pretty complex right now and my property would also require adding a similar (but slightly different) property for brokers in the future.

Therefore I'm going to approve the rollback from @soumitra-st (#14259) and then we can implement TLS with more time to think about how to configure it easily.

codecov-commenter commented Oct 22, 2024

Codecov Report

Attention: Patch coverage is 14.28571% with 6 lines in your changes missing coverage. Please review.

Project coverage is 63.72%. Comparing base (59551e4) to head (6e71feb).
Report is 1217 commits behind head on master.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| ...rg/apache/pinot/server/starter/ServerInstance.java | 0.00% | 3 Missing ⚠️ |
| .../apache/pinot/server/worker/WorkerQueryServer.java | 0.00% | 2 Missing ⚠️ |
| .../java/org/apache/pinot/server/conf/ServerConf.java | 0.00% | 1 Missing ⚠️ |
Additional details and impacted files
@@             Coverage Diff              @@
##             master   #14275      +/-   ##
============================================
+ Coverage     61.75%   63.72%   +1.97%     
- Complexity      207     1536    +1329     
============================================
  Files          2436     2628     +192     
  Lines        133233   145004   +11771     
  Branches      20636    22188    +1552     
============================================
+ Hits          82274    92400   +10126     
- Misses        44911    45778     +867     
- Partials       6048     6826     +778     
| Flag | Coverage Δ |
|---|---|
| custom-integration1 | 100.00% <ø> (+99.99%) ⬆️ |
| integration | 100.00% <ø> (+99.99%) ⬆️ |
| integration1 | 100.00% <ø> (+99.99%) ⬆️ |
| integration2 | 0.00% <ø> (ø) |
| java-11 | 63.69% <14.28%> (+1.98%) ⬆️ |
| java-21 | 63.61% <14.28%> (+1.98%) ⬆️ |
| skip-bytebuffers-false | 63.71% <14.28%> (+1.96%) ⬆️ |
| skip-bytebuffers-true | 63.58% <14.28%> (+35.86%) ⬆️ |
| temurin | 63.72% <14.28%> (+1.97%) ⬆️ |
| unittests | 63.71% <14.28%> (+1.97%) ⬆️ |
| unittests1 | 55.41% <100.00%> (+8.52%) ⬆️ |
| unittests2 | 34.31% <0.00%> (+6.58%) ⬆️ |
