
Add generic SSL/TLS configuration support #17854

Open
HTHou wants to merge 15 commits into master from codex/generic-ssl-config

Conversation

HTHou (Contributor) commented Jun 5, 2026

Description

This PR generalizes IoTDB SSL/TLS handling around the existing thrift SSL switches and wires the selected SSL protocol through the client, service, REST, and consensus paths.

Changes include:

  • Add a shared RpcSslUtils helper for TLS protocol normalization, thrift SSL transport parameter creation, SSLContext/key manager/trust manager creation, keystore/truststore type detection, and certificate validation.
  • Add the shared ssl_protocol configuration with default TLS, load it from common and REST configs, and apply it to thrift SSL services, internal SSL clients, REST HTTPS, and Ratis certificate loading.
  • Extend Java client entry points to carry SSL protocol settings through Session, TableSession, SessionPool, TableSessionPool, JDBC URL/properties parsing, CLI, and data/schema import/export tools.
  • Keep cipher suites out of user-facing configuration so transports rely on the defaults selected by the configured SSL/TLS protocol and the active JSSE implementation.
  • Reuse the shared SSL utility in Ratis and thrift service setup, update the Ratis dependency metadata, and clean up related REST dependency exclusions.
  • Make the integration-test environment SSL-aware so EnvFactory-created JDBC connections, Sessions, TableSessions, SessionPools, and TableSessionPools work when thrift client SSL is enabled.
  • Add IoTDBClientSSLIT to verify that non-SSL clients cannot connect to an SSL thrift port and that SSL Session, TableSession, and JDBC clients can connect and execute basic read/write flows.

Validation

  • ./mvnw spotless:apply -pl iotdb-client/service-rpc,iotdb-core/node-commons
  • ./mvnw -pl iotdb-client/service-rpc,iotdb-client/isession,iotdb-client/session,iotdb-client/jdbc,iotdb-client/cli,iotdb-core/node-commons -DskipTests compile
  • ./mvnw -pl iotdb-client/jdbc -Dtest=UtilsTest#testParseSslConfig test
  • mvn spotless:apply -pl integration-test -P with-integration-tests
  • mvn verify -DskipUTs -Dit.test=IoTDBClientSSLIT -DfailIfNoTests=false -Dfailsafe.failIfNoSpecifiedTests=false -pl integration-test -am -P with-integration-tests
  • git diff --check

codecov Bot commented Jun 5, 2026

Codecov Report

❌ Patch coverage is 17.72727% with 181 lines in your changes missing coverage. Please review.
✅ Project coverage is 41.21%. Comparing base (3ebc264) to head (5d44daa).
⚠️ Report is 27 commits behind head on master.

Files with missing lines Patch % Lines
...rc/main/java/org/apache/iotdb/rpc/RpcSslUtils.java 7.14% 78 Missing ⚠️
...a/org/apache/iotdb/tool/data/AbstractDataTool.java 0.00% 17 Missing ⚠️
...g/apache/iotdb/tool/schema/AbstractSchemaTool.java 0.00% 13 Missing ⚠️
...java/org/apache/iotdb/tool/common/OptionsUtil.java 0.00% 9 Missing ⚠️
.../org/apache/iotdb/rpc/BaseRpcTransportFactory.java 0.00% 7 Missing ⚠️
...b/commons/service/AbstractThriftServiceThread.java 0.00% 5 Missing ⚠️
...va/org/apache/iotdb/session/SessionConnection.java 0.00% 4 Missing ⚠️
...ava/org/apache/iotdb/session/pool/SessionPool.java 42.85% 4 Missing ⚠️
...che/iotdb/db/conf/rest/IoTDBRestServiceConfig.java 0.00% 4 Missing ⚠️
...nt/cli/src/main/java/org/apache/iotdb/cli/Cli.java 0.00% 3 Missing ⚠️
... and 22 more
Additional details and impacted files
@@             Coverage Diff              @@
##             master   #17854      +/-   ##
============================================
+ Coverage     41.04%   41.21%   +0.17%     
  Complexity      318      318              
============================================
  Files          5258     5258              
  Lines        365157   366150     +993     
  Branches      47204    47355     +151     
============================================
+ Hits         149878   150912    +1034     
+ Misses       215279   215238      -41     


Caideyipi (Collaborator) commented

I think there are two correctness issues in this PR:

  1. ssl_protocol=TLS is used as both the SSLContext algorithm and Jetty enabled protocol for REST HTTPS. In RestService.configureSSL, the value is passed to sslContextFactory.setIncludeProtocols(protocol). The default template value is TLS, but JSSE enabled protocol names are normally TLSv1.3, TLSv1.2, etc., not TLS. So enabling REST HTTPS with the default config can leave Jetty with no matching enabled protocol / fail TLS handshakes. The context algorithm and enabled protocol list should be separate, or REST should not call setIncludeProtocols for the generic TLS value.

  2. The legacy SSL overloads in BaseRpcTransportFactory now explicitly call the new overload with null, null, so internal synchronous SSL clients still do not use ssl_protocol / ssl_provider_class. For example SyncDataNodeInternalServiceClient, SyncConfigNodeIServiceClient, and IoT consensus sync clients call the old overload while enable_internal_ssl is true. If a custom JSSE provider is required, the server side may register it through CommonDescriptor.configureRpcSsl(), but these clients create their SSL transport without that provider and can fail to connect. These internal clients should pass commonConfig.getSslProtocol() and commonConfig.getSslProviderClass() to the new overload.
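An added stand-alone Java demo (not IoTDB's RpcSslUtils or RestService code) illustrating the first point above: the same configured value is valid as an SSLContext algorithm name but is not a JSSE protocol version name, so the context algorithm and the enabled-protocol filter must be derived separately. The helper names contextAlgorithm and includeProtocols are this demo's own.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Locale;

/**
 * Added demo (not IoTDB code): one ssl_protocol value cannot serve both as the
 * SSLContext algorithm and as the enabled-protocol filter handed to Jetty.
 */
public final class SslProtocolSplitDemo {

  /** Value for SSLContext.getInstance(...). The generic name "TLS" is valid here. */
  static String contextAlgorithm(String configured) {
    return configured == null || configured.isBlank() ? "TLS" : configured.trim();
  }

  /**
   * Value for an enabled-protocol filter (Jetty setIncludeProtocols or
   * SSLEngine.setEnabledProtocols). "TLS" and "SSL" are not protocol versions,
   * so return null to mean "do not restrict; keep the JSSE defaults".
   */
  static String[] includeProtocols(String configured) {
    String alg = contextAlgorithm(configured).toUpperCase(Locale.ROOT);
    if (alg.equals("TLS") || alg.equals("SSL")) {
      return null;
    }
    // Restore JSSE casing, e.g. "TLSV1.2" -> "TLSv1.2".
    return new String[] {alg.startsWith("TLSV") ? "TLSv" + alg.substring(4) : alg};
  }

  static boolean isSupportedProtocol(SSLEngine engine, String name) {
    return Arrays.asList(engine.getSupportedProtocols()).contains(name);
  }

  public static void main(String[] args) throws NoSuchAlgorithmException, KeyManagementException {
    for (String configured : new String[] {"TLS", "TLSv1.2", "TLSv1.3"}) {
      SSLContext ctx = SSLContext.getInstance(contextAlgorithm(configured));
      ctx.init(null, null, null); // default key/trust managers are enough for the demo
      SSLEngine engine = ctx.createSSLEngine();
      String[] include = includeProtocols(configured);
      System.out.printf("ssl_protocol=%s -> context algorithm %s, include filter %s%n",
          configured, ctx.getProtocol(), include == null ? "(none)" : Arrays.toString(include));
      // The review's failure mode: "TLS" never appears among the supported version
      // names, so intersecting the enabled set with {"TLS"} leaves nothing enabled.
      System.out.printf("  \"%s\" is a supported protocol version: %b%n",
          configured, isSupportedProtocol(engine, configured));
      if (include != null) {
        engine.setEnabledProtocols(include); // only safe with real version names
        System.out.println("  enabled: " + Arrays.toString(engine.getEnabledProtocols()));
      }
    }
  }
}
```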

@HTHou HTHou marked this pull request as ready for review June 16, 2026 03:17

Caideyipi (Collaborator) left a comment

I reviewed the latest head (a55227f). I do not see a functional issue in the implemented ssl_protocol support, so I am approving the implemented functionality.

Non-blocking follow-ups:

  1. The PR description still mentions ssl_provider_class and optional JSSE provider registration, but the current code only implements ssl_protocol. Please either remove that claim from the PR text or add provider support.
  2. The integration-test EnvFactory SSL helpers do not propagate ssl_protocol into client connection properties/builders, so ITs built through AbstractEnv would still use the default TLS protocol even when a non-default ssl_protocol is configured. This does not appear to affect production code, but it would be worth fixing to make future protocol-specific ITs meaningful.

I also rechecked the previously discussed REST default-protocol concern and the sync internal-client propagation path. Those look addressed in the current version.

HTHou (Contributor, Author) commented Jun 16, 2026

Thanks for the review. I addressed both follow-ups:

  • Updated the PR description to remove the stale ssl_provider_class / provider-registration wording and describe the current full PR scope.
  • Added ssl_protocol propagation in the integration-test env helpers. When thrift client SSL is enabled, EnvFactory-created JDBC connections, Sessions, TableSessions, SessionPools, and TableSessionPools now receive the configured protocol as well.

Validation:

  • mvn spotless:apply -pl integration-test -P with-integration-tests
  • mvn verify -DskipUTs -Dit.test=IoTDBClientSSLIT -DfailIfNoTests=false -Dfailsafe.failIfNoSpecifiedTests=false -pl integration-test -am -P with-integration-tests
  • git diff --check

Copilot AI (Contributor) left a comment

Pull request overview

This PR generalizes SSL/TLS handling by introducing a shared RpcSslUtils utility and propagating a new ssl_protocol setting through IoTDB’s server-side Thrift/REST/consensus stacks and through Java client entry points (Session/TableSession/JDBC/CLI). It also updates the integration-test environment to support SSL-enabled Thrift clients and adds an SSL-focused IT.

Changes:

  • Add ssl_protocol configuration (default TLS) and wire it through common + REST configs, Thrift SSL server/client transports, and Ratis TLS material loading.
  • Extend Java clients (Session/TableSession/SessionPool/JDBC/CLI tools) to carry ssl_protocol through connection building and URL/property parsing.
  • Update integration-test env to auto-configure SSL clients when Thrift SSL is enabled; add IoTDBClientSSLIT.

Reviewed changes

Copilot reviewed 56 out of 56 changed files in this pull request and generated 3 comments.

File Description
pom.xml Updates Ratis version and excludes OTel API/context from ratis-common.
iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/service/AbstractThriftServiceThread.java Switches Thrift SSL keystore/truststore handling to RpcSslUtils.
iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonDescriptor.java Loads ssl_protocol and configures global RPC SSL defaults via RpcSslUtils.
iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonConfig.java Adds sslProtocol field + getters/setters to common config.
iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/sync/SyncIoTConsensusV2ServiceClient.java Passes ssl_protocol into internal SSL transport creation.
iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/sync/SyncDataNodeMPPDataExchangeServiceClient.java Passes ssl_protocol into internal SSL transport creation.
iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/sync/SyncDataNodeInternalServiceClient.java Passes ssl_protocol into internal SSL transport creation.
iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/sync/SyncConfigNodeIServiceClient.java Passes ssl_protocol into internal SSL transport creation.
iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/client/sync/SyncAINodeClient.java Passes ssl_protocol into internal SSL transport creation.
iotdb-core/node-commons/src/assembly/resources/conf/iotdb-system.properties.template Documents and adds ssl_protocol configuration key.
iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/client/ConfigNodeClient.java Threads ssl_protocol into DataNode→ConfigNode SSL Thrift connection.
iotdb-core/datanode/src/main/java/org/apache/iotdb/db/protocol/client/an/AINodeClient.java Threads ssl_protocol into DataNode→AINode SSL Thrift connection.
iotdb-core/datanode/src/main/java/org/apache/iotdb/db/conf/rest/IoTDBRestServiceDescriptor.java Loads/normalizes ssl_protocol for REST service config.
iotdb-core/datanode/src/main/java/org/apache/iotdb/db/conf/rest/IoTDBRestServiceConfig.java Adds sslProtocol field + getters/setters for REST config.
iotdb-core/consensus/src/main/java/org/apache/iotdb/consensus/ratis/utils/Utils.java Reuses RpcSslUtils for key/trust manager creation for Ratis gRPC TLS.
iotdb-core/consensus/src/main/java/org/apache/iotdb/consensus/iot/client/SyncIoTConsensusServiceClient.java Passes ssl_protocol into IoT consensus SSL transport creation.
iotdb-client/session/src/main/java/org/apache/iotdb/session/ThriftConnection.java Adds sslProtocol argument and passes it into SSL transport factory.
iotdb-client/session/src/main/java/org/apache/iotdb/session/TableSessionBuilder.java Adds sslProtocol(...) builder method for table sessions.
iotdb-client/session/src/main/java/org/apache/iotdb/session/SessionConnection.java Propagates sslProtocol to SSL transport creation and reconnect paths.
iotdb-client/session/src/main/java/org/apache/iotdb/session/Session.java Stores sslProtocol in Session and exposes builder setter.
iotdb-client/session/src/main/java/org/apache/iotdb/session/pool/TableSessionPoolBuilder.java Adds sslProtocol(...) builder method for table session pools.
iotdb-client/session/src/main/java/org/apache/iotdb/session/pool/SessionPool.java Persists and forwards sslProtocol into created sessions and node suppliers.
iotdb-client/session/src/main/java/org/apache/iotdb/session/NodesSupplier.java Threads sslProtocol into background node-availability connection checks.
iotdb-client/session/src/main/java/org/apache/iotdb/session/AbstractSessionBuilder.java Adds sslProtocol field with default.
iotdb-client/service-rpc/src/test/java/org/apache/iotdb/rpc/RpcUtilsTest.java Adds tests for TLS protocol normalization/validation.
iotdb-client/service-rpc/src/main/java/org/apache/iotdb/rpc/RpcSslUtils.java Introduces shared SSL utility for protocol normalization, store loading, managers, and Thrift SSL params.
iotdb-client/service-rpc/src/main/java/org/apache/iotdb/rpc/BaseRpcTransportFactory.java Adds SSL-transport creation overloads that accept sslProtocol and uses RpcSslUtils.
iotdb-client/jdbc/src/test/java/org/apache/iotdb/jdbc/UtilsTest.java Adds JDBC URL parsing test for ssl_protocol.
iotdb-client/jdbc/src/main/java/org/apache/iotdb/jdbc/Utils.java Parses JDBC ssl_protocol into connection params.
iotdb-client/jdbc/src/main/java/org/apache/iotdb/jdbc/IoTDBConnectionParams.java Adds sslProtocol field + getters/setters with default.
iotdb-client/jdbc/src/main/java/org/apache/iotdb/jdbc/IoTDBConnection.java Passes sslProtocol to SSL transport creation.
iotdb-client/jdbc/src/main/java/org/apache/iotdb/jdbc/Config.java Adds JDBC property key ssl_protocol and default.
iotdb-client/isession/src/main/java/org/apache/iotdb/isession/SessionConfig.java Adds DEFAULT_SSL_PROTOCOL.
iotdb-client/cli/src/main/java/org/apache/iotdb/tool/schema/ImportSchemaTree.java Reuses shared CLI SSL configuration helper.
iotdb-client/cli/src/main/java/org/apache/iotdb/tool/schema/ImportSchemaTable.java Reuses shared CLI SSL configuration helper.
iotdb-client/cli/src/main/java/org/apache/iotdb/tool/schema/ExportSchemaTree.java Reuses shared CLI SSL configuration helper.
iotdb-client/cli/src/main/java/org/apache/iotdb/tool/schema/ExportSchemaTable.java Reuses shared CLI SSL configuration helper.
iotdb-client/cli/src/main/java/org/apache/iotdb/tool/schema/AbstractSchemaTool.java Adds sslProtocol CLI arg parsing + helper methods to apply SSL settings to builders.
iotdb-client/cli/src/main/java/org/apache/iotdb/tool/data/ImportDataTree.java Reuses shared CLI SSL configuration helper.
iotdb-client/cli/src/main/java/org/apache/iotdb/tool/data/ImportDataTable.java Reuses shared CLI SSL configuration helper.
iotdb-client/cli/src/main/java/org/apache/iotdb/tool/data/ExportDataTree.java Reuses shared CLI SSL configuration helper.
iotdb-client/cli/src/main/java/org/apache/iotdb/tool/data/ExportDataTable.java Reuses shared CLI SSL configuration helper.
iotdb-client/cli/src/main/java/org/apache/iotdb/tool/data/AbstractDataTool.java Adds sslProtocol CLI arg parsing + helper methods to apply SSL settings to builders.
iotdb-client/cli/src/main/java/org/apache/iotdb/tool/common/OptionsUtil.java Adds CLI option for ssl_protocol.
iotdb-client/cli/src/main/java/org/apache/iotdb/tool/common/Constants.java Defines CLI constants for ssl_protocol.
iotdb-client/cli/src/main/java/org/apache/iotdb/cli/Cli.java Includes ssl_protocol property when constructing connection properties.
iotdb-client/cli/src/main/java/org/apache/iotdb/cli/AbstractCli.java Adds CLI option parsing/support for ssl_protocol.
integration-test/src/test/java/org/apache/iotdb/session/it/IoTDBClientSSLIT.java Adds IT verifying SSL-only Thrift port behavior and SSL Session/TableSession/JDBC connectivity.
integration-test/src/main/java/org/apache/iotdb/itbase/env/CommonConfig.java Extends IT CommonConfig with Thrift SSL enablement and sslProtocol setter.
integration-test/src/main/java/org/apache/iotdb/it/env/remote/config/RemoteCommonConfig.java Adds no-op implementations for new SSL-related setters in remote env config.
integration-test/src/main/java/org/apache/iotdb/it/env/cluster/env/AbstractEnv.java Makes env-created JDBC/Sessions/Pools SSL-aware when Thrift client SSL is enabled.
integration-test/src/main/java/org/apache/iotdb/it/env/cluster/config/MppSharedCommonConfig.java Propagates new SSL-related settings across CN/DN shared test config.
integration-test/src/main/java/org/apache/iotdb/it/env/cluster/config/MppCommonConfig.java Persists enable_thrift_ssl and ssl_protocol into test node properties.
integration-test/src/main/java/org/apache/iotdb/it/env/cluster/config/MppBaseConfig.java Exposes getProperty(key, defaultValue) for env SSL property reads.
external-service-impl/rest/src/main/java/org/apache/iotdb/rest/RestService.java Applies normalized TLS protocol configuration to Jetty HTTPS setup.
external-service-impl/rest/pom.xml Cleans up redundant exclusions related to jakarta.annotation-api.
