feat(plugin-mongodb): TLS configuration support in MongoClientConfig

[imsayari404]

This PR introduces TLS support in the MongoDB connector

Description

Motivation and Context

Impact

Test Plan

presto> SELECT * FROM mongodb.tm_lakehouse_engine_db_2.aizen;
 emp_name | emp_location | emp_id | dep_id | u_id 
----------+--------------+--------+--------+------
 wade     | sanfransico  |      7 | AF62   |    2 
 Sam      | dallas       |     46 | Zf6    |    8 
 Root     | kochi        |     12 | AF6    |    4 
 tom      | mumbai       |      4 | Ax5    |    1 
 robert   | hyderabad    |      3 | Zf6    |    9 
 ivan     | bangalore    |     43 | BF4    |   10 
 Yan      | dubai        |      8 | BF4    |    3 
 Tom      | kochi        |     58 | AF6    |    6 
 Jorge    | Sydney       |     34 | Zf6    |    5 
 Bot      | bangalore    |     97 | BF4    |    7 
(10 rows)

Query 20250806_093152_00001_ujc79, FINISHED, 1 node
Splits: 17 total, 17 done (100.00%)
[Latency: client-side: 0:01, server-side: 0:01] [10 rows, 390B] [8 rows/s, 329B/s]

Contributor checklist

• Please make sure your submission complies with our contributing guide, in particular code style and commit standards.
• PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
• Documented new properties (with its default value), SQL syntax, functions, or other functionality.
• If release notes are required, they follow the release notes guidelines.
• Adequate tests were added if applicable.
• CI passed.

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== RELEASE NOTES ==

MongoDB Connector Changes
* Add TLS/SSL support with automatic JKS and PEM certificate format detection. Configure using ``mongodb.tls.enabled``, ``mongodb.tls.keystore-path``, 
  ``mongodb.tls.keystore-password``, ``mongodb.tls.truststore-path``, and ``mongodb.tls.truststore-password`` properties.
* Upgrade MongoDB Java Driver to 3.12.14.

[prestodb-ci]

@ethanyzhang imported this issue as lakehouse/presto #25374

[agrawalreetika]

Please add required documentation entries with the new configs in Mongo connector documentation.

[agrawalreetika]

Would it be better to enhance Security Protocol to TLS?

[agrawalreetika]

Same here use static import

[agrawalreetika]

Suggested change

	public boolean getTlsEnabled()
	public boolean isTlsEnabled()

[agrawalreetika]

Little confused, What backward compatibility is being enforced with this method now if you are already pointing @LegacyConfig("mongodb.ssl.enabled")? Do we still need this?

[imsayari404]

You're absolutely right. Since we're using @LegacyConfig("mongodb.ssl.enabled") on the setTlsEnabled() method, the old SSL configuration will automatically be routed to the new TLS configuration. I will remove the deprecated methods.

[agrawalreetika]

Same as above?

[agrawalreetika]

Make it private?

[agrawalreetika]

Can be private?

[agrawalreetika]

Suggested change

	Optional<SSLContext> sslContext = sslContextProvider.buildSslContext();
	if (sslContext.isPresent()) {
	options.sslContext(sslContext.get());
	options.sslEnabled(true);
	log.debug("SSL enabled for MongoDB client with TLS protocol");
	}
	sslContextProvider.buildSslContext()
	.ifPresent(sslContext -> {
	options.sslContext(sslContext);
	options.sslEnabled(true);
	});

[agrawalreetika]

Why do we need this? and below pom changes?

[agrawalreetika]

Why are we marking this and below as scope provided?

[imsayari404]

The presto-spi pom changes are required because I've moved SslContextProvider to the spi package to make it reusable across connectors. The presto-mongodb dependency was added to resolve compilation issues when using SslContextProvider but I have removed them now with the new changes.

[imsayari404]

I added the presto-spi pom changes because SslContextProvider directly imports and uses Logger from airlift.log and PemReader from airlift.security.pem , without these dependencies, the code won't compile as shown in the compilation errors.

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.8.0:compile (default-compile) on project presto-spi: Compilation failure: Compilation failure: 
[ERROR] /Users/sayarimukherjee/Desktop/os-presto/presto/presto-spi/src/main/java/com/facebook/presto/spi/security/SslContextProvider.java:[16,32] package com.facebook.airlift.log does not exist
[ERROR] /Users/sayarimukherjee/Desktop/os-presto/presto/presto-spi/src/main/java/com/facebook/presto/spi/security/SslContextProvider.java:[17,41] package com.facebook.airlift.security.pem does not exist
[ERROR] /Users/sayarimukherjee/Desktop/os-presto/presto/presto-spi/src/main/java/com/facebook/presto/spi/security/SslContextProvider.java:[54,26] cannot find symbol
[ERROR]   symbol:   class Logger
[ERROR]   location: class com.facebook.presto.spi.security.SslContextProvider
[ERROR] /Users/sayarimukherjee/Desktop/os-presto/presto/presto-spi/src/main/java/com/facebook/presto/spi/security/SslContextProvider.java:[54,39] cannot find symbol
[ERROR]   symbol:   variable Logger
[ERROR]   location: class com.facebook.presto.spi.security.SslContextProvider
[ERROR] /Users/sayarimukherjee/Desktop/os-presto/presto/presto-spi/src/main/java/com/facebook/presto/spi/security/SslContextProvider.java:[132,24] cannot find symbol
[ERROR]   symbol:   variable PemReader
[ERROR]   location: class com.facebook.presto.spi.security.SslContextProvider
[ERROR] /Users/sayarimukherjee/Desktop/os-presto/presto/presto-spi/src/main/java/com/facebook/presto/spi/security/SslContextProvider.java:[177,54] cannot find symbol
[ERROR]   symbol:   variable PemReader
[ERROR]   location: class com.facebook.presto.spi.security.SslContextProvider
[ERROR] -> [Help 1]

[steveburnett]

Does https://github.com/prestodb/presto/blob/master/presto-docs/src/main/sphinx/connector/mongodb.rst need any documentation update for this?

[imsayari404]

Does https://github.com/prestodb/presto/blob/master/presto-docs/src/main/sphinx/connector/mongodb.rst need any documentation update for this?

@steveburnett , yes the documentation will need to be updated. I'm currently working on addressing the review feedback from @agrawalreetika and will include the necessary documentation updates for all the new TLS configuration properties in the next commit. This will include proper documentation for the new mongodb.tls.* configs and deprecation notices for the old SSL setting. I'll make sure to get these changes pushed soon.

[agrawalreetika]

Thanks for making the changes. Overall LGTM.

Please add the documentation & squash all your commits into one.

[agrawalreetika]

Why are we checking these here?

[imsayari404]

This was added to handle cases where users provide TLS-related configurations like mongodb.tls.keystore-path but forget to explicitly enable mongodb.tls.enabled=true. Automatically enabling TLS in such cases helps prevent common configuration mistakes. However, I'm happy to remove or adjust this logic if you think it’s unnecessary.

[agrawalreetika]

But whenever mongodb.tls.enabled=false then anyways SSL wouldn't be configured right? https://github.com/prestodb/presto/pull/25374/files#diff-5461194df57bf18a7c80e310cc21d80dc5e078b9707226b0d5f49728c02ae12eR87

[imsayari404]

You're right. I see the issue now. The current logic in isTlsEnabled() is problematic because it automatically enables TLS whenever any TLS-related properties are set, regardless of the mongodb.tls.enabled flag. This could lead to unexpected behavior.
I'll simplify this to just return this.tlsEnabled and remove the automatic detection logic.

[agrawalreetika]

@imsayari404 There are compilation failures, please fix those, add the documentation & squash all your commits into one.

[imsayari404]

@imsayari404 There are compilation failures, please fix those, add the documentation & squash all your commits into one.

@agrawalreetika The updated changes are now pushed to the branch.

[tdcmeehan]

I just want to make sure that this will expire very far into the future?

[imjalpreet]

or we could generate it programmatically? I just remembered we were trying it for HMS SSL tests: #25313. Looks like I forgot to review it further but that could be one alternative.

[imsayari404]

Updated to use programmatic certificate generation similar to the Hive SSL tests (#25313).

[imsayari404]

@tdcmeehan, could you please review this PR at your convenience?

Needs squash

[tdcmeehan]

@imjalpreet PTAL.

@imsayari404 please squash commits.

[imsayari404]

Thanks @tdcmeehan , I've squashed the commits
@imjalpreet, could you please review this PR at your convenience?

[imjalpreet]

Since we are using the same implementation, I will finish the review of #25313 and get it added to a common module so that we can re-use across plugins.

[imsayari404]

okay @imjalpreet, thank you!

[imjalpreet]

@imsayari404, I don't see the new test for TLS I was reviewing earlier. Can you please take a look?

[imjalpreet]

Thanks, @imsayari404. I did another pass. One question: Is it possible to add a test for TLS specifically for the MongoDB connector?

[agrawalreetika]

Let's create a method for creating this object and reuse

[imsayari404]

I've updated

[agrawalreetika]

use static imports

[imsayari404]

I've updated

[agrawalreetika]

Mostly lgtm, just few nits

[agrawalreetika]

lgtm

[imjalpreet]

Thanks, @imsayari404. LGTM now.