Enable client to get certificate from system keystore #22341
Conversation
Notes for manual testingFor manual testing, a CA is required along with a server certificate and a user certificate. Server
Client (Windows)
If the CA is not already trusted, the above steps must be repeated but running as Administrator
When running the Trino client with the system keystore, a password prompt will appear in the UI if the key has been imported in 'high-security' mode (not the default). Client (Mac)
I found the process to be quite fiddly.
This code will show whether the certificate has an accessible key: KeyStore keyStore = KeyStore.getInstance("KeychainStore");
keyStore.load(null, null);
Enumeration<String> enumerator = keyStore.aliases();
while (enumerator.hasMoreElements()) {
String alias = enumerator.nextElement();
// This needs to return true!
System.out.println(alias + " " + keyStore.isKeyEntry(alias));
}When running the Trino client with the system keystore, a password prompt will appear in the UI for the system keystore. This requires administrator credentials and can be denied. A second prompt will then appear requesting permission to the user's login keystore. |
huw0
force-pushed
the
use-system-keystore
branch
2 times, most recently
from
a598085
to
da752d5
Compare
huw0
force-pushed
the
use-system-keystore
branch
6 times, most recently
from
ceb091b
to
3e18250
Compare
|
This is my first PR against the main trino repo. I'm seeing some CI failures however I'm seeing the same on some other recent PRs? |
huw0
force-pushed
the
use-system-keystore
branch
from
3e18250
to
a5dc72d
Compare
|
This pull request has gone a while without any activity. Tagging the Trino developer relations team: @bitsondatadev @colebow @mosabua |
| { | ||
| String osName = Optional.ofNullable(StandardSystemProperty.OS_NAME.value()).orElse(""); | ||
| Optional<String> systemKeyStoreType = keyStoreType; | ||
| if (!systemKeyStoreType.isPresent()) { |
There was a problem hiding this comment.
Do we need to add something for Linux since that is actually our main supported operating system .. neither Windows or MacOS are ..
There was a problem hiding this comment.
Initially I just added support for Windows. However I wanted to ensure feature parity in the client with the system trust store option so added MacOS too.
I'd be interested in Linux support as well, but as far as I know there isn't a standardised way to do this that is supported out of the box with JDK Providers?
I guess this is probably due to the proliferation of different Linux keystore implementations, some of which are provided by the different desktop environments and some by various auth tooling.
|
Can you rebase? |
huw0
force-pushed
the
use-system-keystore
branch
from
a5dc72d
to
76c97f7
Compare
client/trino-client/src/main/java/io/trino/client/uri/TrinoUri.java
Outdated
Show resolved
Hide resolved
huw0
force-pushed
the
use-system-keystore
branch
from
76c97f7
to
6cd8940
Compare
|
@nineinchnick ptal :) |
client/trino-client/src/main/java/io/trino/client/OkHttpUtil.java
Outdated
Show resolved
Hide resolved
client/trino-client/src/main/java/io/trino/client/OkHttpUtil.java
Outdated
Show resolved
Hide resolved
huw0
force-pushed
the
use-system-keystore
branch
4 times, most recently
from
58ad33d
to
e6b5bd8
Compare
client/trino-client/src/main/java/io/trino/client/OkHttpUtil.java
Outdated
Show resolved
Hide resolved
|
You want to push the fixes for the nits and merge @wendigo ? |
|
@mosabua let's do it! |
wendigo
force-pushed
the
use-system-keystore
branch
from
e6b5bd8
to
e400048
Compare
Description
In #10482 support was added for the client to use the system truststore. This adds a further property for using the system keystore. This is helpful in corporate environments where PKI infrastructure is automatically provisioned by Active Directory.
Release notes
( ) This is not user-visible or is docs only, and no release notes are required.
( ) Release notes are required. Please propose a release note for me.
(x) Release notes are required, with the following suggested text: