diff --git a/data_substrate b/data_substrate
index 09d3b4d4..ca396ca3 160000
--- a/data_substrate
+++ b/data_substrate
@@ -1 +1 @@
-Subproject commit 09d3b4d412c952843029311e9eae4b91ef4dc7c7
+Subproject commit ca396ca35fd5fb04088886de01958a08d97e58a9
diff --git a/include/redis_service.h b/include/redis_service.h
index ce6aaf54..db10b0a0 100644
--- a/include/redis_service.h
+++ b/include/redis_service.h
@@ -218,6 +218,11 @@ class RedisServiceImpl : public brpc::RedisService
 bool AddCommandHandler(const std::string &name, RedisCommandHandler *handler);
+ // TLS configuration accessors
+ bool IsTlsEnabled() const { return enable_tls_; }
+ const std::string& GetTlsCertFile() const { return tls_cert_file_; }
+ const std::string& GetTlsKeyFile() const { return tls_key_file_; }
+
 // This function should not be touched by user and used by brpc deverloper
 // only.
 RedisCommandHandler *FindCommandHandler(
@@ -560,6 +565,11 @@ class RedisServiceImpl : public brpc::RedisService
 // read and write-write conflict are both retried.
 bool retry_on_occ_error_{false};
+ // TLS configuration
+ bool enable_tls_{false};
+ std::string tls_cert_file_;
+ std::string tls_key_file_;
+
 #ifdef VECTOR_INDEX_ENABLED
 // Vector index related
 std::unique_ptr vector_index_worker_pool_{nullptr};
diff --git a/src/redis_server.cpp b/src/redis_server.cpp
index 284a75ef..10b0dfe0 100644
--- a/src/redis_server.cpp
+++ b/src/redis_server.cpp
@@ -21,6 +21,7 @@
 */
 #include
 #include
+#include
 #include
 #include
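Review bot: The three accessors added after AddCommandHandler in include/redis_service.h are undocumented, and GetTlsCertFile()/GetTlsKeyFile() return paths that are only assigned when TLS is enabled (Init() in src/redis_service.cpp fills tls_cert_file_/tls_key_file_ only inside `if (enable_tls_)`), so a caller that reads them without checking IsTlsEnabled() gets an empty string. A one-line comment on the accessor group would make that contract explicit, e.g. `// Paths are empty unless IsTlsEnabled(); Init() validates both when TLS is on.` The same note applies to the member declarations in this file's second hunk. The enclosing class RedisServiceImpl starts and ends outside both hunks.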
@@ -504,6 +505,25 @@ int main(int argc, char *argv[])
 // Notice: redis_service_impl will be deleted in server's destructor.
 server_options.redis_service = redis_service_impl.release();
 server_options.has_builtin_services = false;
+
+ // Configure TLS if enabled
+ if (redis_service_ptr->IsTlsEnabled())
+ {
+ brpc::ServerSSLOptions *ssl_options = server_options.mutable_ssl_options();
+
+ // Set server certificate and key (required when TLS is enabled)
+ // Validation in Init() ensures both files are provided
+ ssl_options->default_cert.certificate = redis_service_ptr->GetTlsCertFile();
+ ssl_options->default_cert.private_key = redis_service_ptr->GetTlsKeyFile();
+
+ LOG(INFO) << "TLS enabled for brpc server. Certificate: " << redis_service_ptr->GetTlsCertFile() << ", Key: " << redis_service_ptr->GetTlsKeyFile();
+ }
+
 if (server.Start(redis_ip_port.c_str(), &server_options) != 0)
 {
 LOG(ERROR) << "Failed to start EloqKV server.";
diff --git a/src/redis_service.cpp b/src/redis_service.cpp
index 58640ba4..e146210c 100644
--- a/src/redis_service.cpp
+++ b/src/redis_service.cpp
@@ -38,6 +38,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -134,6 +135,10 @@ DEFINE_string(
 DEFINE_bool(retry_on_occ_error, true, "Retry transaction on OCC caused error.");
+DEFINE_bool(enable_tls, false, "Enable TLS for brpc RPC connections");
+DEFINE_string(tls_cert_file, "", "Path to TLS certificate file (PEM format)");
+DEFINE_string(tls_key_file, "", "Path to TLS private key file (PEM format)");
+
 namespace EloqKV
 {
 const auto NUM_VCPU = std::thread::hardware_concurrency();
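Review bot: Filling `server_options.mutable_ssl_options()` with the certificate and key makes the brpc listener able to speak TLS, but as far as I know brpc keeps accepting plaintext connections on the same port unless SSL is forced; if `enable_tls` is meant to mandate encryption, the branch should also set `server_options.force_ssl = true;` (verify the field name against the brpc version in use), otherwise the comment should state that mixed plaintext/TLS on one port is intentional. Cipher suites, protocol versions and client-certificate verification are likewise left at brpc defaults, which is worth saying in the `// Set server certificate and key` comment so the next reader does not assume they were hardened here. The comment `// Validation in Init() ensures both files are provided` depends on Init() having run before this point, which is outside the hunk; the enclosing main() starts and ends outside the hunk as well.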
@@ -441,6 +446,77 @@ bool RedisServiceImpl::Init(brpc::Server &brpc_server)
 // tx_service_
 #endif
+ // Read TLS configuration
+ enable_tls_ = !CheckCommandLineFlagIsDefault("enable_tls") ? FLAGS_enable_tls : config_reader.GetBoolean("local", "enable_tls", false);
+
+ if (enable_tls_)
+ {
+ tls_cert_file_ = !CheckCommandLineFlagIsDefault("tls_cert_file") ? FLAGS_tls_cert_file : config_reader.GetString("local", "tls_cert_file", "");
+
+ tls_key_file_ = !CheckCommandLineFlagIsDefault("tls_key_file") ? FLAGS_tls_key_file : config_reader.GetString("local", "tls_key_file", "");
+
+ // Validate that both certificate and key files are specified (required
+ // when TLS is enabled)
+ if (tls_cert_file_.empty() || tls_key_file_.empty())
+ {
+ LOG(ERROR) << "TLS is enabled but certificate or key file path is " "not specified. " << "Please set both tls_cert_file and tls_key_file.";
+ return false;
+ }
+
+ // Validate that certificate file exists and is readable
+ std::error_code error_code;
+ if (!std::filesystem::exists(tls_cert_file_, error_code))
+ {
+ LOG(ERROR) << "TLS certificate file does not exist or is not accessible: " << tls_cert_file_;
+ if (error_code.value() != 0)
+ {
+ LOG(ERROR) << "Error code: " << error_code.value() << ", error message: " << error_code.message();
+ }
+ return false;
+ }
+
+ // Validate that key file exists and is readable
+ if (!std::filesystem::exists(tls_key_file_, error_code))
+ {
+ LOG(ERROR) << "TLS key file does not exist or is not accessible: " << tls_key_file_;
+ if (error_code.value() != 0)
+ {
+ LOG(ERROR) << "Error code: " << error_code.value() << ", error message: " << error_code.message();
+ }
+ return false;
+ }
+
+ // Check if files are regular files (not directories)
+ if (!std::filesystem::is_regular_file(tls_cert_file_, error_code))
+ {
+ LOG(ERROR) << "TLS certificate file is not a regular file: " << tls_cert_file_;
+ return false;
+ }
+
+ if (!std::filesystem::is_regular_file(tls_key_file_, 
error_code))
+ {
+ LOG(ERROR) << "TLS key file is not a regular file: " << tls_key_file_;
+ return false;
+ }
+ }
+
 return true;
 }
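Review bot: The comments `// Validate that certificate file exists and is readable` and its key-file twin overstate what the checks establish: `std::filesystem::exists()` and `is_regular_file()` never open the file, so readability is only discovered later when brpc loads the PEM, and an error reported through the reused `error_code` by the two `is_regular_file` calls is logged as "not a regular file" rather than shown. For a private key the more common misconfiguration is not a missing file but one readable by other accounts, so I would add a permission check on tls_key_file_ after the regular-file checks and warn when it is group/other readable, as below; the comments should then say "exists and is a regular file" rather than "readable". Init()'s body starts outside the hunk.

```cpp
// … unchanged: existence and regular-file checks on both paths …
// A private key readable by group/others is a common misconfiguration;
// warn rather than fail, since brpc will still load the file.
const auto key_perms =
    std::filesystem::status(tls_key_file_, error_code).permissions();
if (!error_code &&
    (key_perms & (std::filesystem::perms::group_read |
                  std::filesystem::perms::others_read)) !=
        std::filesystem::perms::none)
{
    LOG(WARNING) << "TLS key file is readable by group/others: "
                 << tls_key_file_;
}
// … unchanged: closing braces and return true …
```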