Merge pull request cdapio#15513 from cdapio/CDAP-20928-disable-ssl-ce…

…rt-validation [CDAP-20928] Disable SSL verification for internal clients in system services
cloudsufi · Dec 27, 2023 · 722ce47 · 722ce47
2 parents 1ae1852 + a590565
commit 722ce47
Show file tree

Hide file tree

Showing 4 changed files with 5 additions and 14 deletions.
diff --git a/cdap-app-fabric/src/main/java/io/cdap/cdap/app/services/AbstractServiceDiscoverer.java b/cdap-app-fabric/src/main/java/io/cdap/cdap/app/services/AbstractServiceDiscoverer.java
@@ -24,7 +24,6 @@
 import io.cdap.cdap.common.service.ServiceDiscoverable;
 import io.cdap.cdap.proto.ProgramType;
 import io.cdap.cdap.proto.id.ProgramId;
-import io.cdap.common.http.HttpRequestConfig;
 import java.io.IOException;
 import java.net.HttpURLConnection;
 import java.net.URL;
@@ -85,6 +84,8 @@ public HttpURLConnection openConnection(String namespaceId, String applicationId
   }
 
   /**
+   * Gets a factory for creating clients for CDAP services.
+   *
    * @return the {@link RemoteClientFactory}
    */
   protected abstract RemoteClientFactory getRemoteClientFactory();
@@ -103,7 +104,7 @@ private RemoteClient createRemoteClient(String namespaceId, String applicationId
         ProgramType.SERVICE, serviceId);
     String basePath = String.format("%s/namespaces/%s/apps/%s/services/%s/methods/",
         Constants.Gateway.API_VERSION_3_TOKEN, namespaceId, applicationId, serviceId);
-    return getRemoteClientFactory().createRemoteClient(discoveryName, HttpRequestConfig.DEFAULT,
-        basePath);
+    return getRemoteClientFactory().createRemoteClient(discoveryName,
+        RemoteClientFactory.NO_VERIFY_HTTP_REQUEST_CONFIG, basePath);
   }
 }
diff --git a/...fabric/src/main/java/io/cdap/cdap/internal/app/runtime/monitor/InternalRouterService.java b/...fabric/src/main/java/io/cdap/cdap/internal/app/runtime/monitor/InternalRouterService.java
@@ -66,7 +66,7 @@ public void modify(ChannelPipeline pipeline) {
         .setHost(cConf.get(Constants.InternalRouter.BIND_ADDRESS))
         .setPort(cConf.getInt(Constants.InternalRouter.BIND_PORT));
 
-    if (cConf.getBoolean(Constants.InternalRouter.SSL_ENABLED)) {
+    if (cConf.getBoolean(Constants.Security.SSL.INTERNAL_ENABLED)) {
       new HttpsEnabler().configureKeyStore(cConf, sConf).enable(builder);
     }
 

diff --git a/cdap-common/src/main/java/io/cdap/cdap/common/conf/Constants.java b/cdap-common/src/main/java/io/cdap/cdap/common/conf/Constants.java
@@ -2495,7 +2495,6 @@ public static final class InternalRouter {
 
     public static final String BIND_ADDRESS = "internal.router.service.bind.address";
     public static final String BIND_PORT = "internal.router.service.bind.port";
-    public static final String SSL_ENABLED = "internal.router.service.ssl.enabled";
     public static final String CLIENT_ENABLED = "internal.router.client.enabled";
     public static final String SERVER_ENABLED = "internal.router.server.enabled";
   }

diff --git a/cdap-common/src/main/resources/cdap-default.xml b/cdap-common/src/main/resources/cdap-default.xml
@@ -6063,15 +6063,6 @@
     </description>
   </property>
 
-  <property>
-    <name>internal.router.service.ssl.enabled</name>
-    <value>${ssl.internal.enabled}</value>
-    <description>
-      Enable usage of SSL for the internal router service. By default, it is
-      disabled.
-    </description>
-  </property>
-
   <property>
     <name>internal.router.client.enabled</name>
     <value>false</value>