
Support Thrift client mutual TLS#18026

Open
HTHou wants to merge 2 commits into
masterfrom
codex/thrift-client-mtls

Conversation


@HTHou HTHou commented Jun 25, 2026

Contributor

Summary

  • Add thrift_ssl_client_auth to require client certificates for Thrift SSL connections without reusing REST client_auth.
  • Add optional client keystore support for Java Session, SessionPool, table session builders, JDBC, CLI, and import/export tools.
  • Extend integration-test SSL helpers and add IoTDBClientMutualSSLIT coverage for mTLS client paths.

Notes

The server-side keystore/truststore paths remain the shared existing SSL settings. The new option only controls whether the Thrift SSL server requires client certificate authentication.

Validation

  • mvn spotless:apply -pl iotdb-client/service-rpc,iotdb-client/session,iotdb-client/jdbc,iotdb-client/cli,iotdb-core/node-commons,iotdb-core/datanode
  • mvn spotless:apply -pl integration-test -P with-integration-tests
  • mvn compile -pl iotdb-client/service-rpc,iotdb-client/session,iotdb-client/jdbc,iotdb-client/cli,iotdb-core/node-commons
  • mvn test -pl iotdb-client/jdbc -Dtest=UtilsTest
  • git diff --check

mvn compile -pl iotdb-core/node-commons,iotdb-core/datanode is currently blocked by existing generated parser compile errors in ASTVisitor.java for MAX_SCHEMA_REGION_GROUP_NUM() and MAX_DATA_REGION_GROUP_NUM().

IoTDBClientMutualSSLIT compiles and runs when current client modules are in the reactor; positive mTLS client cases pass, but the negative server-side enforcement case requires a locally built server containing this PR's DataNode changes. The local DataNode build is blocked by the parser issue above.
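The negative case the description could not exercise locally, a server that requires a client certificate turning away a client that has none, can be checked in isolation without a DataNode build. The block below is an added example, not code from this PR, from IoTDB or from Thrift: it uses Go's crypto/tls in place of Thrift's Java TSSLTransportFactory to run a server and several clients in-process against certificates generated on the fly (a constructed PKI, nothing from the project's test resources). The names newIdentity, connect, Run and the scenario labels are this example's own. The server's ClientAuth field plays the role of thrift_ssl_client_auth, Certificates plays the keystore, and ClientCAs/RootCAs play the truststore. A VerifyClientCertIfGiven scenario is included because "want" client auth, which still admits anonymous clients, is a common misconfiguration that looks like mTLS from the client side.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// identity is a freshly generated certificate plus its private key: one keystore entry, in JSSE terms.
type identity struct {
	tlsCert tls.Certificate
	leaf    *x509.Certificate
}

// newIdentity issues a certificate for cn. With issuer == nil it is a self-signed CA,
// otherwise a server or client leaf signed by issuer. All material is constructed in-process.
func newIdentity(cn string, issuer *identity, isServer bool) (*identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	parent, signer := tmpl, crypto.Signer(key) // self-signed unless an issuer is given
	switch {
	case issuer == nil:
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	case isServer:
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.IPAddresses = []net.IP{net.ParseIP("127.0.0.1")} // what the client will verify against
		parent, signer = issuer.leaf, issuer.tlsCert.PrivateKey.(crypto.Signer)
	default:
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
		parent, signer = issuer.leaf, issuer.tlsCert.PrivateKey.(crypto.Signer)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &identity{tlsCert: tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf: leaf}, nil
}

// connect runs one TLS exchange in-process and returns the error the client observes (nil = connected).
// A rejected client certificate surfaces during the handshake under TLS 1.2 but only on the first
// read under TLS 1.3, where the server's verdict arrives after the client has already finished,
// so the exchange includes one application-data read rather than stopping at Dial.
func connect(server, client *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", server)
	if err != nil {
		return err
	}
	done := make(chan struct{})
	go func() {
		defer close(done)
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		// Handshake explicitly so a rejected client is closed here, not on a later write.
		if err := c.(*tls.Conn).Handshake(); err != nil {
			return
		}
		_, _ = c.Write([]byte("ok"))
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), client)
	if err == nil {
		_, err = io.ReadFull(conn, make([]byte, 2))
		conn.Close()
	}
	ln.Close() // unblocks Accept if the client never reached the server
	<-done
	return err
}

// Result is the client-side outcome of one (server policy, client keystore) pairing.
type Result struct {
	Name string
	Err  error
}

// Run builds a small PKI and exercises the server's client-auth policy against clients with
// no keystore, a keystore the server trusts, and a keystore from a CA the server does not trust.
func Run() ([]Result, error) {
	ca, err := newIdentity("Trusted CA", nil, false)
	if err != nil {
		return nil, err
	}
	server, err := newIdentity("datanode", ca, true)
	if err != nil {
		return nil, err
	}
	client, err := newIdentity("client", ca, false)
	if err != nil {
		return nil, err
	}
	rogueCA, err := newIdentity("Untrusted CA", nil, false)
	if err != nil {
		return nil, err
	}
	rogue, err := newIdentity("impostor", rogueCA, false)
	if err != nil {
		return nil, err
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(ca.leaf)

	scenarios := []struct {
		name   string
		policy tls.ClientAuthType
		client *identity // nil = client configured without a keystore
	}{
		{"no_client_auth/no_keystore", tls.NoClientCert, nil},
		{"optional_client_auth/no_keystore", tls.VerifyClientCertIfGiven, nil}, // the weak setting
		{"client_auth/no_keystore", tls.RequireAndVerifyClientCert, nil},
		{"client_auth/trusted_keystore", tls.RequireAndVerifyClientCert, client},
		{"client_auth/untrusted_keystore", tls.RequireAndVerifyClientCert, rogue},
	}
	var results []Result
	for _, s := range scenarios {
		srv := &tls.Config{
			Certificates: []tls.Certificate{server.tlsCert}, // server keystore
			ClientCAs:    trusted,                           // server truststore: accepted client CAs
			ClientAuth:   s.policy,                          // the thrift_ssl_client_auth knob
			MinVersion:   tls.VersionTLS12,
		}
		cli := &tls.Config{RootCAs: trusted, MinVersion: tls.VersionTLS12} // client truststore
		if s.client != nil {
			cli.Certificates = []tls.Certificate{s.client.tlsCert} // client keystore
		}
		results = append(results, Result{Name: s.name, Err: connect(srv, cli)})
	}
	return results, nil
}

func main() {
	results, err := Run()
	if err != nil {
		panic(err)
	}
	for _, r := range results {
		fmt.Printf("%-36s %v\n", r.Name, r.Err)
	}
}
```

The untrusted_keystore scenario is the one that depends on the server's truststore, which the description says stays the shared existing SSL setting: a client certificate issued by a CA that truststore does not contain is refused exactly like no certificate at all, so enabling client auth on a server whose truststore was only ever populated for REST or one-way TLS will lock out every client until the client CA is added.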

@codecov

codecov Bot commented Jun 25, 2026


Codecov Report

❌ Patch coverage is 35.35912% with 117 lines in your changes missing coverage. Please review.
✅ Project coverage is 41.44%. Comparing base (a98bd56) to head (d161740).
⚠️ Report is 19 commits behind head on master.

Files with missing lines Patch % Lines
...rg/apache/iotdb/db/service/ExternalRPCService.java 0.00% 35 Missing ⚠️
...java/org/apache/iotdb/tool/common/OptionsUtil.java 0.00% 18 Missing ⚠️
...nt/cli/src/main/java/org/apache/iotdb/cli/Cli.java 0.00% 16 Missing ⚠️
...a/org/apache/iotdb/tool/data/AbstractDataTool.java 0.00% 14 Missing ⚠️
...g/apache/iotdb/tool/schema/AbstractSchemaTool.java 0.00% 12 Missing ⚠️
...ava/org/apache/iotdb/session/pool/SessionPool.java 40.00% 6 Missing ⚠️
.../org/apache/iotdb/session/TableSessionBuilder.java 0.00% 4 Missing ⚠️
...he/iotdb/session/pool/TableSessionPoolBuilder.java 0.00% 4 Missing ⚠️
...in/java/org/apache/iotdb/jdbc/IoTDBConnection.java 0.00% 3 Missing ⚠️
.../org/apache/iotdb/rpc/BaseRpcTransportFactory.java 0.00% 3 Missing ⚠️
... and 2 more
Additional details and impacted files
@@             Coverage Diff              @@
##             master   #18026      +/-   ##
============================================
+ Coverage     41.31%   41.44%   +0.13%     
  Complexity      318      318              
============================================
  Files          5273     5282       +9     
  Lines        368330   369399    +1069     
  Branches      47681    47806     +125     
============================================
+ Hits         152159   153095     +936     
- Misses       216171   216304     +133     


@HTHou HTHou marked this pull request as ready for review June 25, 2026 09:43
@HTHou HTHou requested a review from Copilot June 25, 2026 09:43

Copilot AI left a comment

Contributor

Pull request overview

This PR adds end-to-end mutual TLS (mTLS) support for IoTDB’s external Thrift RPC: a new server-side flag to require client certificates, plus optional client keystore configuration across the Java Session APIs, JDBC, CLI/tools, and integration-test coverage for the mTLS client paths.

Changes:

  • Add thrift_ssl_client_auth configuration and wire it into the DataNode external Thrift RPC service so the server can require client certificates when SSL is enabled.
  • Extend client connection stacks (Session/SessionPool/Table sessions, JDBC, CLI/tools) to optionally provide a client key store + password for mTLS.
  • Extend integration-test environment SSL helpers and add IoTDBClientMutualSSLIT validating mTLS connectivity across Session/Pool/Table/JDBC clients.

Reviewed changes

Copilot reviewed 30 out of 30 changed files in this pull request and generated 1 comment.

File Description
iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonDescriptor.java Loads new thrift_ssl_client_auth property into common config.
iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/conf/CommonConfig.java Adds thriftSSLClientAuth flag with getter/setter.
iotdb-core/node-commons/src/assembly/resources/conf/iotdb-system.properties.template Documents and exposes thrift_ssl_client_auth in the template.
iotdb-core/datanode/src/main/java/org/apache/iotdb/db/service/ExternalRPCService.java Switches Thrift thread construction based on SSL + client-auth requirement.
iotdb-client/session/src/main/java/org/apache/iotdb/session/ThriftConnection.java Passes optional client keystore config into RPC transport creation.
iotdb-client/session/src/main/java/org/apache/iotdb/session/TableSessionBuilder.java Adds builder setters for client keystore path/password (mTLS).
iotdb-client/session/src/main/java/org/apache/iotdb/session/SessionConnection.java Threads client keystore parameters through connection initialization/reconnect paths.
iotdb-client/session/src/main/java/org/apache/iotdb/session/Session.java Persists client keystore fields and exposes builder setters.
iotdb-client/session/src/main/java/org/apache/iotdb/session/pool/TableSessionPoolBuilder.java Adds builder setters for client keystore path/password (mTLS).
iotdb-client/session/src/main/java/org/apache/iotdb/session/pool/SessionPool.java Carries client keystore config into pooled session construction and node discovery.
iotdb-client/session/src/main/java/org/apache/iotdb/session/NodesSupplier.java Supplies client keystore config when creating node connections.
iotdb-client/session/src/main/java/org/apache/iotdb/session/AbstractSessionBuilder.java Adds fields to hold client keystore settings for session builders.
iotdb-client/service-rpc/src/main/java/org/apache/iotdb/rpc/BaseRpcTransportFactory.java Extends SSL transport creation to optionally set a client key store for mTLS.
iotdb-client/jdbc/src/test/java/org/apache/iotdb/jdbc/UtilsTest.java Adds JDBC URL parsing assertions for keystore properties.
iotdb-client/jdbc/src/main/java/org/apache/iotdb/jdbc/Utils.java Parses key_store / key_store_pwd into connection params.
iotdb-client/jdbc/src/main/java/org/apache/iotdb/jdbc/IoTDBConnectionParams.java Adds JDBC connection params for client keystore path/password.
iotdb-client/jdbc/src/main/java/org/apache/iotdb/jdbc/IoTDBConnection.java Uses updated SSL transport factory API including client keystore fields.
iotdb-client/jdbc/src/main/java/org/apache/iotdb/jdbc/Config.java Introduces JDBC property keys for client keystore settings.
iotdb-client/cli/src/main/java/org/apache/iotdb/tool/schema/AbstractSchemaTool.java Enables CLI schema tools to pass optional client keystore for mTLS.
iotdb-client/cli/src/main/java/org/apache/iotdb/tool/data/AbstractDataTool.java Enables CLI data tools to pass optional client keystore for mTLS.
iotdb-client/cli/src/main/java/org/apache/iotdb/tool/common/OptionsUtil.java Adds CLI option definitions for client keystore args.
iotdb-client/cli/src/main/java/org/apache/iotdb/tool/common/Constants.java Adds constants for new CLI keystore flags.
iotdb-client/cli/src/main/java/org/apache/iotdb/cli/Cli.java Allows specifying truststore/keystore via args (otherwise prompts) and passes them to JDBC properties.
iotdb-client/cli/src/main/java/org/apache/iotdb/cli/AbstractCli.java Adds CLI option parsing/plumbing for client keystore fields.
integration-test/src/test/java/org/apache/iotdb/session/it/IoTDBClientMutualSSLIT.java New IT validating mTLS connectivity across Session/Pool/Table/JDBC clients.
integration-test/src/main/java/org/apache/iotdb/itbase/env/CommonConfig.java Extends IT common config interface with setThriftSSLClientAuth.
integration-test/src/main/java/org/apache/iotdb/it/env/remote/config/RemoteCommonConfig.java Implements new IT common config method as a no-op for remote env.
integration-test/src/main/java/org/apache/iotdb/it/env/cluster/env/AbstractEnv.java Propagates mTLS client keystore properties into client connection helpers when server requires client auth.
integration-test/src/main/java/org/apache/iotdb/it/env/cluster/config/MppSharedCommonConfig.java Propagates new thrift_ssl_client_auth setting to CN/DN in IT cluster configs.
integration-test/src/main/java/org/apache/iotdb/it/env/cluster/config/MppCommonConfig.java Writes thrift_ssl_client_auth into generated properties for IT cluster nodes.


Comment on lines 115 to 120
TSSLTransportFactory.TSSLTransportParameters params =
RpcSslUtils.createTSSLTransportParameters(sslProtocol);
if (Files.exists(Paths.get(trustStore)) && Files.exists(Paths.get(keyStore))) {
RpcSslUtils.setTrustStore(params, trustStore, trustStorePwd);
RpcSslUtils.setTrustStore(params, trustStore, trustStorePwd);
if (hasText(keyStore)) {
RpcSslUtils.setKeyStore(params, keyStore, keyStorePwd);
} else {
throw new TTransportException(new IOException(RpcMessages.COULD_NOT_LOAD_KEYSTORE));
}
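Review bot: `RpcSslUtils.setTrustStore(params, trustStore, trustStorePwd);` appears twice in a row; drop one. More important is the guard above it: `Files.exists(Paths.get(trustStore)) && Files.exists(Paths.get(keyStore))` already requires a keystore file to exist, so inside this branch `hasText(keyStore)` is always true and the `else` that throws COULD_NOT_LOAD_KEYSTORE is unreachable, while a client configured for one-way TLS with `keyStore == null` hits a NullPointerException from `Paths.get(keyStore)` before `hasText` is ever evaluated. Suggest evaluating the truststore on its own and only then `if (hasText(keyStore))` checking `Files.exists(Paths.get(keyStore))` and calling setKeyStore, so a client without a keystore still gets its truststore and the keystore error is raised only when a keystore was configured but cannot be loaded.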
@sonarqubecloud

sonarqubecloud Bot commented Jun 26, 2026


Quality Gate failed

Failed conditions
6.4% Duplication on New Code (required ≤ 5%)

See analysis details on SonarQube Cloud

Comment thread iotdb-client/cli/src/main/java/org/apache/iotdb/cli/AbstractCli.java Dismissed
Comment thread iotdb-client/cli/src/main/java/org/apache/iotdb/tool/common/Constants.java Dismissed

3 participants