[fix](s3 client)add default ca cert list for s3 client to avoid probl…

…em:'curlCode:77' (#32285) (#32485) Co-authored-by: ryanzryu <[email protected]>
apache · Mar 20, 2024 · be1948a · be1948a
1 parent b869fa7
commit be1948a
Show file tree

Hide file tree

Showing 4 changed files with 44 additions and 0 deletions.
diff --git a/be/src/common/config.cpp b/be/src/common/config.cpp
@@ -1136,6 +1136,16 @@ DEFINE_mInt32(query_statistics_reserve_timeout_ms, "30000");
 
 DEFINE_mBool(check_segment_when_build_rowset_meta, "false");
 
+DEFINE_mInt32(max_s3_client_retry, "10");
+
+DEFINE_String(trino_connector_plugin_dir, "${DORIS_HOME}/connectors");
+
+// ca_cert_file is in this path by default, Normally no modification is required
+// ca cert default path is different from different OS
+DEFINE_mString(ca_cert_file_paths,
+               "/etc/pki/tls/certs/ca-bundle.crt;/etc/ssl/certs/ca-certificates.crt;"
+               "/etc/ssl/ca-bundle.pem");
+
 // clang-format off
 #ifdef BE_TEST
 // test s3

diff --git a/be/src/common/config.h b/be/src/common/config.h
@@ -1189,6 +1189,15 @@ DECLARE_mInt32(query_statistics_reserve_timeout_ms);
 
 DECLARE_mBool(check_segment_when_build_rowset_meta);
 
+// max s3 client retry times
+DECLARE_mInt32(max_s3_client_retry);
+
+// the directory for storing the trino-connector plugins.
+DECLARE_String(trino_connector_plugin_dir);
+
+// the file paths(one or more) of CA cert, splite using ";" aws s3 lib use it to init s3client
+DECLARE_mString(ca_cert_file_paths);
+
 #ifdef BE_TEST
 // test s3
 DECLARE_String(test_s3_resource);

diff --git a/be/src/util/s3_util.cpp b/be/src/util/s3_util.cpp
@@ -28,6 +28,7 @@
 
 #include <atomic>
 #include <cstdlib>
+#include <filesystem>
 #include <functional>
 #include <ostream>
 #include <utility>
@@ -99,6 +100,18 @@ S3ClientFactory::S3ClientFactory() {
         return std::make_shared<DorisAWSLogger>(logLevel);
     };
     Aws::InitAPI(_aws_options);
+    _ca_cert_file_path = get_valid_ca_cert_path();
+}
+
+string S3ClientFactory::get_valid_ca_cert_path() {
+    vector<std::string> vec_ca_file_path = doris::split(config::ca_cert_file_paths, ";");
+    vector<std::string>::iterator it = vec_ca_file_path.begin();
+    for (; it != vec_ca_file_path.end(); ++it) {
+        if (std::filesystem::exists(*it)) {
+            return *it;
+        }
+    }
+    return "";
 }
 
 S3ClientFactory::~S3ClientFactory() {
@@ -142,6 +155,16 @@ std::shared_ptr<Aws::S3::S3Client> S3ClientFactory::create(const S3Conf& s3_conf
     Aws::Client::ClientConfiguration aws_config = S3ClientFactory::getClientConfiguration();
     aws_config.endpointOverride = s3_conf.endpoint;
     aws_config.region = s3_conf.region;
+    std::string ca_cert = get_valid_ca_cert_path();
+    if ("" != _ca_cert_file_path) {
+        aws_config.caFile = _ca_cert_file_path;
+    } else {
+        // config::ca_cert_file_paths is valmutable,get newest value if file path invaild
+        _ca_cert_file_path = get_valid_ca_cert_path();
+        if ("" != _ca_cert_file_path) {
+            aws_config.caFile = _ca_cert_file_path;
+        }
+    }
     if (s3_conf.max_connections > 0) {
         aws_config.maxConnections = s3_conf.max_connections;
     } else {

diff --git a/be/src/util/s3_util.h b/be/src/util/s3_util.h
@@ -116,10 +116,12 @@ class S3ClientFactory {
 
 private:
     S3ClientFactory();
+    static std::string get_valid_ca_cert_path();
 
     Aws::SDKOptions _aws_options;
     std::mutex _lock;
     std::unordered_map<uint64_t, std::shared_ptr<Aws::S3::S3Client>> _cache;
+    std::string _ca_cert_file_path;
 };
 
 } // end namespace doris