Enable TLS for Netty4GrpcServerTransport by finnegancarroll · Pull Request #17796 · opensearch-project/OpenSearch

finnegancarroll · 2025-04-04T04:22:40Z

Description

Introduces SecureNetty4GrpcServerTransport, a TLS enabled alternative to Netty4GrpcServerTransport.
Security settings for this transport are configurable under OpenSearchSecureSettingsFactory experimental API.
Otherwise default JDK SSLContext is used with client auth REQUIRED.

Please find ongoing work supporting auxiliary transports in security plugin here:
#17854

Integration tests:

./gradlew :plugins:transport-grpc:internalClusterTest

Related Issues

Partially resolves #16905

Check List

Functionality includes testing.
API changes companion pull request created, if applicable.
Public documentation issue/PR created, if applicable.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

finnegancarroll · 2025-04-04T04:28:32Z

@reta @cwperks @andrross
Apologies I force pushed to the pr branch after closing the PR and am not sure of the commit hash before rebasing...
Moving all commits here.
Original PR: #17406

Unresolved conversations:

Enable TLS for Netty4GrpcServerTransport #17406 (comment)
Enable TLS for Netty4GrpcServerTransport #17406 (comment)
Enable TLS for Netty4GrpcServerTransport #17406 (comment)
Addressed here: Enable TLS for Netty4GrpcServerTransport #17406 (comment)

github-actions · 2025-04-09T23:30:35Z

✅ Gradle check result for 17eea00: SUCCESS

reta · 2025-04-10T02:33:42Z

@cwperks LGTY? thanks @finnegancarroll !

cwperks

Everything has been addressed. Thank you @finnegancarroll! This is a great forward looking feature.

) - Adds SecureAuxTransportSettingsProvider to provide aux transports access to a javax SSLContext and cipher/client auth params for configuring TLS. - Implements SecureNetty4GrpcServerTransport to consume a SecureAuxTransportSettingsProvider for a TLS enabled gRPC transport. - Add aux transport type settings and port setttings for new secure transport. - Add logic to detect and register secure aux transports provided by plugins. - Integration tests for SecureNetty4GrpcServerTransport basic client cert authentication. Signed-off-by: Finn Carroll <carrofin@amazon.com> Signed-off-by: Sriram Ganesh <srignsh22@gmail.com>

) - Adds SecureAuxTransportSettingsProvider to provide aux transports access to a javax SSLContext and cipher/client auth params for configuring TLS. - Implements SecureNetty4GrpcServerTransport to consume a SecureAuxTransportSettingsProvider for a TLS enabled gRPC transport. - Add aux transport type settings and port setttings for new secure transport. - Add logic to detect and register secure aux transports provided by plugins. - Integration tests for SecureNetty4GrpcServerTransport basic client cert authentication. Signed-off-by: Finn Carroll <carrofin@amazon.com> Signed-off-by: Harsh Kothari <techarsh@amazon.com>

github-actions bot added enhancement Enhancement or improvement to existing feature or request Plugins Roadmap:Cost/Performance/Scale Project-wide roadmap label v3.0.0 Issues and PRs related to version 3.0.0 labels Apr 4, 2025

finnegancarroll force-pushed the grpc-secure-transport-save-apr3 branch from 915f062 to 17eea00 Compare April 9, 2025 22:31

reta approved these changes Apr 10, 2025

View reviewed changes

cwperks approved these changes Apr 10, 2025

View reviewed changes

reta merged commit 18a3b75 into opensearch-project:main Apr 10, 2025
31 of 32 checks passed

cwperks mentioned this pull request Apr 10, 2025

Fix compilation issue after Secure gRPC PR (#17796) merged into core opensearch-project/security#5263

Merged

5 tasks

peterzhuamazon mentioned this pull request Apr 10, 2025

[RELEASE] Release version 3.0.0 opensearch-project/opensearch-build#3747

Closed

66 tasks

This was referenced Apr 10, 2025

Add TLS configuration settings/endpoints for auxiliary transports opensearch-project/security#5152

Closed

[Feature Request] Security plugin integration for grpc-transport plugin #16905

Closed

opensearch-ci-bot mentioned this pull request May 6, 2025

[AUTOCUT] Gradle Check Flaky Test Report for IndexServiceTests #14407

Open

BrewTestBot mentioned this pull request May 6, 2025

opensearch 3.0.0 Homebrew/homebrew-core#222665

Merged

opensearch-ci-bot mentioned this pull request May 7, 2025

[AUTOCUT] Gradle Check Flaky Test Report for RemoteStoreStatsIT #14310

Open

opensearch-ci-bot mentioned this pull request Aug 17, 2025

[AUTOCUT] Gradle Check Flaky Test Report for QueryPhaseTests #14551

Open

This was referenced Jan 8, 2026

docs: add gRPC Transport & Services report for v3.0.0 tkykenmt/opensearch-feature-explorer#321

Merged

[v3.0.0] Security Code Quality & Testing tkykenmt/opensearch-feature-explorer#207

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Enable TLS for Netty4GrpcServerTransport#17796

Enable TLS for Netty4GrpcServerTransport#17796
reta merged 1 commit intoopensearch-project:mainfrom
finnegancarroll:grpc-secure-transport-save-apr3

finnegancarroll commented Apr 4, 2025 •

edited

Loading

Uh oh!

finnegancarroll commented Apr 4, 2025

Uh oh!

github-actions bot commented Apr 9, 2025

Uh oh!

reta commented Apr 10, 2025

Uh oh!

cwperks left a comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

finnegancarroll commented Apr 4, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Description

Related Issues

Check List

Uh oh!

finnegancarroll commented Apr 4, 2025

Uh oh!

github-actions bot commented Apr 9, 2025

Uh oh!

reta commented Apr 10, 2025

Uh oh!

cwperks left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

finnegancarroll commented Apr 4, 2025 •

edited

Loading