Add support for mTLS authentication in Arrow Flight client

[elbinpallimalilibm]

Description

Add support for mTLS authentication in Arrow Flight client

Motivation and Context

If the Flight server has mTLS authentication enabled, then the Flight client should be able to use client certificate and key.

Impact

Test Plan

Added positive and negative test cases against an mTLS enabled Flight server.

Contributor checklist

• Please make sure your submission complies with our contributing guide, in particular code style and commit standards.
• PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
• Documented new properties (with its default value), SQL syntax, functions, or other functionality.
• If release notes are required, they follow the release notes guidelines.
• Adequate tests were added if applicable.
• CI passed.

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== RELEASE NOTES ==

Arrow Flight Connector Template Changes
* Added support for mTLS authentication in Arrow Flight client.

[elbinpallimalilibm]

https://github.com/prestodb/presto/actions/runs/15201290385/job/42755765576?pr=25179 @steveburnett I'm not able to figure out why the presto-docs check is failing. Can you help here?

Edit : Waiting for fix to be merged here.

[steveburnett]

Fix has been merged, and the test is now passing - see #25188 for an example. Rebase your PR to re-run the CI tests and docs / test (:presto-docs) (pull_request) should pass for this PR as well.

[pratyakshsharma]

Thank you for the fix @elbinpallimalilibm. I have added few comments, please check.

[pratyakshsharma]

I think it will be good to add a comment here saying this is needed for mTLS auth.

[elbinpallimalilibm]

Added comments.

[BryanCutler]

instead of a javadoc, could you put this in a @ConfigDescription?

[pratyakshsharma]

trying to understand it a bit better, what happens if the certificate and key are invalid? Lets use a try-catch block here? And maybe add a test case covering this scenario?

[elbinpallimalilibm]

If the cert is invalid, executing a query will give the user an error that the cert is invalid. Added a test case that covers this scenario.

[pratyakshsharma]

Lets add a try-catch here as well and modify the error message in the test case accordingly. Thank you for adding test case for this though.

[elbinpallimalilibm]

The invalid cert exception is thrown only at line 84 FlightClient flightClient = flightClientBuilder.build(); and we might get exception due to other reasons as well from the build method. So adding a try...catch here will not help in modifying the error message.

[pratyakshsharma]

Ok, I actually foresee improperly configured client cert/key as a very probable source of error, and hence wanted to cover the scenario with a proper user facing message. Anyways I leave the final decision to you.

[elbinpallimalilibm]

Refactored the code to catch errors due to invalid cert or key file. Rethrowing a Presto Exception with a custom message for those scenarios.

[pratyakshsharma]

nit: lets modify these to include "in case of mTLS authentication" to make it more clear?

[elbinpallimalilibm]

Updated the docs.

[pratyakshsharma]

The 2 test classes have a lot of duplicate code. Please see if we can use inheritance to avoid this redundant code?

[elbinpallimalilibm]

Refactored the test classes.

[steveburnett]

LGTM! (docs)

Pull branch, local doc build, looks good. Thanks!

[pratyakshsharma]

Thank you for addressing earlier comments. I have few more minor comments, once addressed, I will approve.

[pratyakshsharma]

why are we modifying the access-modifier?

[elbinpallimalilibm]

We need to create query runner with pre-defined catalog properties from the new test classes. That's why the method was changed to public from private.

[pratyakshsharma]

Does protected or other modifier work instead?

[elbinpallimalilibm]

Changed to protected

[pratyakshsharma]

Lets add a try-catch here as well and modify the error message in the test case accordingly. Thank you for adding test case for this though.

[pratyakshsharma]

Does this method need to be public? How about making it package private? Similarly for other methods apart from createQueryRunner, lets make them as restricted as possible.

[pratyakshsharma]

The access modifiers here will change based on my above comment.

[pratyakshsharma]

Couple more comments, rest looks good

[pratyakshsharma]

Does protected or other modifier work instead?

[pratyakshsharma]

Lets change this to package private as well?

[elbinpallimalilibm]

Changed

[pratyakshsharma]

Thank you for patiently addressing all comments. Few refactorings needed, rest looks good

[pratyakshsharma]

Suggested change

	if (cause.filter(c -> c instanceof InvalidKeyException).isPresent()) {
	if (e instanceOf InvalidKeyException) {

[pratyakshsharma]

can be simplified like this.

[elbinpallimalilibm]

e will be instance of IllegalArgumentException. Inner exception e.getCause if not null, will be an instance of InvalidKeyException

[pratyakshsharma]

ditto

[pratyakshsharma]

the error messages here are all identical, can be modified in different blocks.

[pratyakshsharma]

Suggested change

	logger.error("Error closing input stream", e);
	logger.error("Error closing input stream for clientCertificate", e);

[elbinpallimalilibm]

Updated

[pratyakshsharma]

ditto

[pratyakshsharma]

Thank you for the proactive responses. LGTM!

[pratyakshsharma]

@prestodb/committers this should be good for final pass

[ZacBlanco]

One comment. Also, I think instead of having 3 test classes, let's combine the TestArrowFlightMTLSFails and TestArrowFlightMTLSInvalidCert into a single file. Just add catalogs to the query runner with those configurations, and then execute the test queries against those catalogs instead. This way we don't need to test 3 separate classes.

[ZacBlanco]

This optional also doesn't really provide value. There is no real use of the option value. Let's just use e.getCause() directly and do the cause instanceof <XYZ> check in the conditional instead.

[elbinpallimalilibm]

Refactored to use e.getCause() instanceof ..

[elbinpallimalilibm]

One comment. Also, I think instead of having 3 test classes, let's combine the TestArrowFlightMTLSFails and TestArrowFlightMTLSInvalidCert into a single file. Just add catalogs to the query runner with those configurations, and then execute the test queries against those catalogs instead. This way we don't need to test 3 separate classes.

Merged the three test classes into one.

[BryanCutler]

Looks good, just a few minor nits

[BryanCutler]

instead of a javadoc, could you put this in a @ConfigDescription?

[BryanCutler]

nit: period

[BryanCutler]

same here about @ConfigDescription

[BryanCutler]

LGTM