
[Improvement] JDBC Connection Configuration with Flexible SSL and Property Injection

Open felicity3786 opened this issue 1 year ago • 4 comments

Description

Summary: Today, the Trino Gateway only supports very basic JDBC connection initialization, assuming standard username/password settings. It lacks support for important real-world features like client-side certificates (mTLS), custom truststore setups, or fine-grained SSL configurations when connecting to databases (e.g., MySQL). I would like to help contribute a more flexible, extensible JDBC connection management system.

Additional context and related issues

Right now, the current gateway code hardcodes a simple username/password-based JDBC setup. It is difficult to configure SSL/TLS for databases that require client certificates (e.g., SslMode=VERIFY_CA for MySQL). Gateway users with stricter security requirements (like us at LinkedIn) must patch or fork the code. And it is not cleanly extensible for other new database types in the future.

At LinkedIn, we already implemented the following internally and would like to contribute it upstream:

  • Introduce a JdbcPropertiesProvider interface for generating connection properties.
  • Add DefaultJdbcPropertiesProvider (default simple username/password).
  • Add MySqlJdbcPropertiesProvider to handle MySQL-specific SSL properties:
    • Handles clientCertificateKeyStoreUrl, clientCertificateKeyStorePassword, etc.
    • Supports different SslMode settings (DISABLED, VERIFY_CA, etc.).
  • Introduce a JdbcPropertiesProviderFactory to pick the right provider automatically based on configuration.
  • Refactor JdbcConnectionManager to use these properties instead of hardcoded username/password.
  • Add Airlift-compliant @Singleton / Guice bindings for better dependency injection.

Benefits: The changes will help

  • Secure and flexible database connections (support MySQL client cert auth, etc.).
  • Easily extensible for Oracle, or other databases in the future.
  • More separation of concerns: connection properties logic decoupled from connection management.
  • Retains full backward compatibility (H2, MySQL username/password still work out of the box).

Release notes

( ) This is not user-visible or is docs only, and no release notes are required.
( ) Release notes are required. Please propose a release note for me.
( ) Release notes are required, with the following suggested text:

* Fix some things. ({issue}`issuenumber`)

felicity3786 avatar Apr 28 '25 22:04 felicity3786
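
A sketch of the provider design listed in the issue above, added here as an illustration and not taken from the pull request or from Trino Gateway. The class names come from the issue; the method signature, the `DbConfig` record, the `providerFor` selection rule, the sample URL and paths, and the fail-closed check are assumptions. The property names are MySQL Connector/J connection properties.

```java
import java.util.Properties;
import java.util.Set;

public class JdbcSslPropertiesExample {
    // Assumed signature; the issue names the interface but does not show it.
    interface JdbcPropertiesProvider { Properties getProperties(DbConfig c); }

    // Constructed config holder, not the gateway's own configuration class.
    record DbConfig(String jdbcUrl, String user, String password, String sslMode,
                    String trustStoreUrl, String trustStorePassword,
                    String keyStoreUrl, String keyStorePassword) {}

    // Properties rejects null values, so unset options are skipped.
    static void put(Properties p, String key, String value) {
        if (value != null) p.setProperty(key, value);
    }

    static class DefaultJdbcPropertiesProvider implements JdbcPropertiesProvider {
        @Override public Properties getProperties(DbConfig c) {
            Properties p = new Properties();
            put(p, "user", c.user());
            put(p, "password", c.password());
            return p;
        }
    }

    static class MySqlJdbcPropertiesProvider extends DefaultJdbcPropertiesProvider {
        // sslMode values with which Connector/J never falls back to plaintext.
        private static final Set<String> ENFORCED = Set.of("REQUIRED", "VERIFY_CA", "VERIFY_IDENTITY");

        @Override public Properties getProperties(DbConfig c) {
            String mode = c.sslMode();
            // Policy of this example: a client keystore combined with a mode that can
            // skip TLS is treated as a misconfiguration and rejected at startup.
            if (c.keyStoreUrl() != null && (mode == null || !ENFORCED.contains(mode)))
                throw new IllegalArgumentException("client keystore set but sslMode=" + mode);
            Properties p = super.getProperties(c);
            put(p, "sslMode", mode); // null leaves the driver default in place
            put(p, "trustCertificateKeyStoreUrl", c.trustStoreUrl());
            put(p, "trustCertificateKeyStorePassword", c.trustStorePassword());
            put(p, "clientCertificateKeyStoreUrl", c.keyStoreUrl());
            put(p, "clientCertificateKeyStorePassword", c.keyStorePassword());
            return p;
        }
    }

    // Assumed selection rule: choose the provider from the JDBC URL prefix.
    static JdbcPropertiesProvider providerFor(DbConfig c) {
        return c.jdbcUrl().startsWith("jdbc:mysql:")
                ? new MySqlJdbcPropertiesProvider() : new DefaultJdbcPropertiesProvider();
    }

    public static void main(String[] args) {
        // Constructed sample values.
        DbConfig c = new DbConfig("jdbc:mysql://db.example.internal:3306/gateway", "gw", "changeit",
                "VERIFY_CA", "file:/etc/gw/truststore.jks", "changeit", "file:/etc/gw/client.jks", "changeit");
        Properties p = providerFor(c).getProperties(c);
        p.stringPropertyNames().stream().sorted().forEach(k -> System.out.println(
                k + "=" + (k.toLowerCase().contains("password") ? "***" : p.getProperty(k))));
    }
}
```

The resulting `Properties` object would be passed to `DriverManager.getConnection(url, properties)` in place of the username/password overload.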

Current diff LGTM, cc @willmostly

xkrogen avatar May 01 '25 15:05 xkrogen

Needs a rebase and adjustment to recently merged PR about JDBC connection properties

mosabua avatar Jun 18 '25 05:06 mosabua

Please let us know when you rebased and updated this PR @Felicity-3786

mosabua avatar Jul 18 '25 06:07 mosabua

> Please let us know when you rebased and updated this PR @Felicity-3786

Thanks @mosabua for reminding! Rebased, mind taking another look?

felicity3786 avatar Jul 22 '25 00:07 felicity3786