Merge pull request #2755 from etschannen/feature-tls-environment-vars

re-added support for configuration TLS options with environment variables

documentation/sphinx/source/downloads.rst

@@ -10,38 +10,38 @@ macOS
 
 The macOS installation package is supported on macOS 10.7+. It includes the client and (optionally) the server.
 
-* `FoundationDB-6.2.16.pkg <https://www.foundationdb.org/downloads/6.2.16/macOS/installers/FoundationDB-6.2.16.pkg>`_
+* `FoundationDB-6.2.17.pkg <https://www.foundationdb.org/downloads/6.2.17/macOS/installers/FoundationDB-6.2.17.pkg>`_
 
 Ubuntu
 ------
 
 The Ubuntu packages are supported on 64-bit Ubuntu 12.04+, but beware of the Linux kernel bug in Ubuntu 12.x.
 
-* `foundationdb-clients-6.2.16-1_amd64.deb <https://www.foundationdb.org/downloads/6.2.16/ubuntu/installers/foundationdb-clients_6.2.16-1_amd64.deb>`_
-* `foundationdb-server-6.2.16-1_amd64.deb <https://www.foundationdb.org/downloads/6.2.16/ubuntu/installers/foundationdb-server_6.2.16-1_amd64.deb>`_ (depends on the clients package)
+* `foundationdb-clients-6.2.17-1_amd64.deb <https://www.foundationdb.org/downloads/6.2.17/ubuntu/installers/foundationdb-clients_6.2.17-1_amd64.deb>`_
+* `foundationdb-server-6.2.17-1_amd64.deb <https://www.foundationdb.org/downloads/6.2.17/ubuntu/installers/foundationdb-server_6.2.17-1_amd64.deb>`_ (depends on the clients package)
 
 RHEL/CentOS EL6
 ---------------
 
 The RHEL/CentOS EL6 packages are supported on 64-bit RHEL/CentOS 6.x.
 
-* `foundationdb-clients-6.2.16-1.el6.x86_64.rpm <https://www.foundationdb.org/downloads/6.2.16/rhel6/installers/foundationdb-clients-6.2.16-1.el6.x86_64.rpm>`_
-* `foundationdb-server-6.2.16-1.el6.x86_64.rpm <https://www.foundationdb.org/downloads/6.2.16/rhel6/installers/foundationdb-server-6.2.16-1.el6.x86_64.rpm>`_ (depends on the clients package)
+* `foundationdb-clients-6.2.17-1.el6.x86_64.rpm <https://www.foundationdb.org/downloads/6.2.17/rhel6/installers/foundationdb-clients-6.2.17-1.el6.x86_64.rpm>`_
+* `foundationdb-server-6.2.17-1.el6.x86_64.rpm <https://www.foundationdb.org/downloads/6.2.17/rhel6/installers/foundationdb-server-6.2.17-1.el6.x86_64.rpm>`_ (depends on the clients package)
 
 RHEL/CentOS EL7
 ---------------
 
 The RHEL/CentOS EL7 packages are supported on 64-bit RHEL/CentOS 7.x.
 
-* `foundationdb-clients-6.2.16-1.el7.x86_64.rpm <https://www.foundationdb.org/downloads/6.2.16/rhel7/installers/foundationdb-clients-6.2.16-1.el7.x86_64.rpm>`_
-* `foundationdb-server-6.2.16-1.el7.x86_64.rpm <https://www.foundationdb.org/downloads/6.2.16/rhel7/installers/foundationdb-server-6.2.16-1.el7.x86_64.rpm>`_ (depends on the clients package)
+* `foundationdb-clients-6.2.17-1.el7.x86_64.rpm <https://www.foundationdb.org/downloads/6.2.17/rhel7/installers/foundationdb-clients-6.2.17-1.el7.x86_64.rpm>`_
+* `foundationdb-server-6.2.17-1.el7.x86_64.rpm <https://www.foundationdb.org/downloads/6.2.17/rhel7/installers/foundationdb-server-6.2.17-1.el7.x86_64.rpm>`_ (depends on the clients package)
 
 Windows
 -------
 
 The Windows installer is supported on 64-bit Windows XP and later. It includes the client and (optionally) the server.
 
-* `foundationdb-6.2.16-x64.msi <https://www.foundationdb.org/downloads/6.2.16/windows/installers/foundationdb-6.2.16-x64.msi>`_
+* `foundationdb-6.2.17-x64.msi <https://www.foundationdb.org/downloads/6.2.17/windows/installers/foundationdb-6.2.17-x64.msi>`_
 
 API Language Bindings
 =====================
@@ -58,18 +58,18 @@ On macOS and Windows, the FoundationDB Python API bindings are installed as part
 
 If you need to use the FoundationDB Python API from other Python installations or paths, download the Python package:
 
-* `foundationdb-6.2.16.tar.gz <https://www.foundationdb.org/downloads/6.2.16/bindings/python/foundationdb-6.2.16.tar.gz>`_
+* `foundationdb-6.2.17.tar.gz <https://www.foundationdb.org/downloads/6.2.17/bindings/python/foundationdb-6.2.17.tar.gz>`_
 
 Ruby 1.9.3/2.0.0+
 -----------------
 
-* `fdb-6.2.16.gem <https://www.foundationdb.org/downloads/6.2.16/bindings/ruby/fdb-6.2.16.gem>`_
+* `fdb-6.2.17.gem <https://www.foundationdb.org/downloads/6.2.17/bindings/ruby/fdb-6.2.17.gem>`_
 
 Java 8+
 -------
 
-* `fdb-java-6.2.16.jar <https://www.foundationdb.org/downloads/6.2.16/bindings/java/fdb-java-6.2.16.jar>`_
-* `fdb-java-6.2.16-javadoc.jar <https://www.foundationdb.org/downloads/6.2.16/bindings/java/fdb-java-6.2.16-javadoc.jar>`_
+* `fdb-java-6.2.17.jar <https://www.foundationdb.org/downloads/6.2.17/bindings/java/fdb-java-6.2.17.jar>`_
+* `fdb-java-6.2.17-javadoc.jar <https://www.foundationdb.org/downloads/6.2.17/bindings/java/fdb-java-6.2.17-javadoc.jar>`_
 
 Go 1.11+
 --------

documentation/sphinx/source/release-notes.rst

@@ -2,6 +2,14 @@
 Release Notes
 #############
 
+6.2.17
+======
+
+Fixes
+-----
+
+* Restored the ability to set TLS configuration using environment variables. `(PR #2755) <https://github.com/apple/foundationdb/pull/2755>`_.
+
 6.2.16
 ======
 

fdbclient/NativeAPI.actor.cpp

@@ -811,6 +811,8 @@ Database Database::createDatabase( Reference<ClusterConnectionFile> connFile, in
 		}
 	}
 
+	g_network->initTLS();
+
 	Reference<AsyncVar<ClientDBInfo>> clientInfo(new AsyncVar<ClientDBInfo>());
 	Reference<AsyncVar<Reference<ClusterConnectionFile>>> connectionFile(new AsyncVar<Reference<ClusterConnectionFile>>());
 	connectionFile->set(connFile);
@@ -890,20 +892,24 @@ void setNetworkOption(FDBNetworkOptions::Option option, Optional<StringRef> valu
 			break;
 		case FDBNetworkOptions::TLS_CERT_PATH:
 			validateOptionValue(value, true);
+			tlsParams.tlsCertBytes = "";
 			tlsParams.tlsCertPath = value.get().toString();
 			break;
 		case FDBNetworkOptions::TLS_CERT_BYTES: {
 			validateOptionValue(value, true);
+			tlsParams.tlsCertPath = "";
 			tlsParams.tlsCertBytes = value.get().toString();
 			break;
 		}
 		case FDBNetworkOptions::TLS_CA_PATH: {
 			validateOptionValue(value, true);
+			tlsParams.tlsCABytes = "";
 			tlsParams.tlsCAPath = value.get().toString();
 			break;
 		}
 		case FDBNetworkOptions::TLS_CA_BYTES: {
 			validateOptionValue(value, true);
+			tlsParams.tlsCAPath = "";
 			tlsParams.tlsCABytes = value.get().toString();
 			break;
 		}
@@ -912,23 +918,21 @@ void setNetworkOption(FDBNetworkOptions::Option option, Optional<StringRef> valu
 			tlsParams.tlsPassword = value.get().toString();
 			break;
 		case FDBNetworkOptions::TLS_KEY_PATH:
-			validateOptionValue(value, true);		
+			validateOptionValue(value, true);
+			tlsParams.tlsKeyBytes = "";
 			tlsParams.tlsKeyPath = value.get().toString();
 			break;
 		case FDBNetworkOptions::TLS_KEY_BYTES: {
 			validateOptionValue(value, true);
+			tlsParams.tlsKeyPath = "";
 			tlsParams.tlsKeyBytes = value.get().toString();
 			break;
 		}
 		case FDBNetworkOptions::TLS_VERIFY_PEERS:
 			validateOptionValue(value, true);
 			initTLSPolicy();
 #ifndef TLS_DISABLED
-			if (!tlsPolicy->set_verify_peers({ value.get().toString() })) {
-				TraceEvent(SevWarnAlways, "TLSValidationSetError")
-					.detail("Input", value.get().toString() );
-				throw invalid_option_value();
-			}
+			tlsPolicy->set_verify_peers({ value.get().toString() });
 #endif
 			break;
 		case FDBNetworkOptions::CLIENT_BUGGIFY_ENABLE:

fdbrpc/Platform.cpp

@@ -112,24 +112,6 @@ int eraseDirectoryRecursive(std::string const& dir) {
 	return __eraseDirectoryRecurseiveCount;
 }
 
-std::string getDefaultConfigPath() {
-#ifdef _WIN32
-	TCHAR szPath[MAX_PATH];
-	if( SHGetFolderPath(NULL, CSIDL_COMMON_APPDATA, NULL, 0, szPath)  != S_OK ) {
-		TraceEvent(SevError, "WindowsAppDataError").GetLastError();
-		throw platform_error();
-	}
-	std::string _filepath(szPath);
-	return _filepath + "\\foundationdb";
-#elif defined(__linux__)
-	return "/etc/foundationdb";
-#elif defined(__APPLE__)
-	return "/usr/local/etc/foundationdb";
-#else
-	#error Port me!
-#endif
-}
-
 bool isSse42Supported()
 {
 #if defined(_WIN32)
@@ -145,7 +127,4 @@ bool isSse42Supported()
 #endif
 }
 
-std::string getDefaultClusterFilePath() {
-	return joinPath(platform::getDefaultConfigPath(), "fdb.cluster");
-}
 } // namespace platform

fdbrpc/Platform.h

@@ -30,12 +30,6 @@ namespace platform {
 // Avoid in production code: not atomic, not fast, not reliable in all environments
 int eraseDirectoryRecursive(std::string const& directory);
 
-// Returns the absolute platform-dependant path for the default fdb.cluster file
-std::string getDefaultClusterFilePath();
-
-// Returns the absolute platform-dependant path for server-based files
-std::string getDefaultConfigPath();
-
 bool isSse42Supported();
 
 } // namespace platform

fdbserver/fdbserver.actor.cpp

@@ -1553,7 +1553,13 @@ int main(int argc, char* argv[]) {
 		} else {
 #ifndef TLS_DISABLED
 			if ( tlsVerifyPeers.size() ) {
-			  tlsPolicy->set_verify_peers( tlsVerifyPeers );
+				try {
+					tlsPolicy->set_verify_peers( tlsVerifyPeers );
+				} catch( Error &e ) {
+					fprintf(stderr, "ERROR: The format of the --tls_verify_peers option is incorrect.\n");
+					printHelpTeaser(argv[0]);
+					flushAndExit(FDB_EXIT_ERROR);
+				}
 			}
 #endif
 			g_network = newNet2(useThreadPool, true, tlsPolicy, tlsParams);
@@ -1569,7 +1575,7 @@ int main(int argc, char* argv[]) {
 			}
 
 			openTraceFile(publicAddresses.address, rollsize, maxLogsSize, logFolder, "trace", logGroup);
-
+			g_network->initTLS();
 
 			if (expectsPublicAddress) {
 				for (int ii = 0; ii < (publicAddresses.secondaryAddress.present() ? 2 : 1); ++ii) {