Support more insecure configuration for Trino #538

Mrzyxing opened this issue Oct 30, 2024 · 2 comments
@Mrzyxing

We have some self-signed HTTPS servers and are using them in insecure mode, but we cannot proxy them for two reasons:

  • health check
    ClusterStatsJdbcMonitor.java does not support insecure properties (we use JDBC because we got a 404 for the REST check).
    However, this could be easily added, and we can quickly implement it and let the backend work.
  • proxy request
    ProxyRequestHandler.java is also missing insecure properties.
    Unfortunately, we cannot add an insecure handler because it appears that Airlift requires a certificate configuration.

In our environment, there is a lot of insecure usage. Is there any way to simply skip SSL verification, or is there a plan to add this configuration?

@oneonestar
Member

@Mrzyxing
Author

Mrzyxing commented Nov 1, 2024

Does this work for you? https://trinodb.github.io/trino-gateway/security/?h=insecure#extra-self-signed-certificate-in-trino

Not actually.
Execute ~/trino-cli-418-executable.jar --server https://proxy-address:443 --catalog hive --user admin --password --insecure with select * from system.runtime.nodes, and it will return an error of ProxyResponseHandler, because ProxyRequestHandler posts this SQL to an HTTPS server via /v1/statement/ but uses the default JettyClient, which does not support insecure mode (or just does not recognize it?).
Currently, I am just force-enabling insecure support in JettyClient with the following workaround:

# io.trino.gateway.baseapp.BaseApp.java

    private static void registerProxyResources(Binder binder)
    {
        jaxrsBinder(binder).bind(RouteToBackendResource.class);
        jaxrsBinder(binder).bind(RouterPreMatchContainerRequestFilter.class);
        jaxrsBinder(binder).bind(ProxyRequestHandler.class);
        // trust all: SslContextFactory.Client(true) accepts any server certificate
        binder.bind(SslContextFactory.Client.class).toInstance(new SslContextFactory.Client(true));
        httpClientBinder(binder).bindHttpClient("proxy", ForProxy.class);
        httpClientBinder(binder).bindHttpClient("monitor", ForMonitor.class);
    }

It worked, but it looks ugly.
