[Feature][Zeta] Support enable https protocol for rest-api v2 (#9010)

Author: zhangshenghang

docs/en/seatunnel-engine/rest-api-v1.md

@@ -1,7 +1,3 @@
----
-sidebar_position: 11
----
-
 # RESTful API V1
 
 :::caution warn

docs/en/seatunnel-engine/rest-api-v2.md

@@ -1,7 +1,3 @@
----
-sidebar_position: 12
----
-
 # RESTful API V2
 
 SeaTunnel has a monitoring API that can be used to query status and statistics of running jobs, as well as recent
@@ -37,6 +33,10 @@ seatunnel:
       context-path: /seatunnel
 ```
 
+## Enable HTTPS
+
+Please refer [security](security.md)
+
 ## API reference
 
 ### Returns an overview over the Zeta engine cluster.

docs/en/seatunnel-engine/security.md

@@ -0,0 +1,104 @@
+# Security
+
+## HTTPS Configuration
+
+You can secure your REST-API-V2 service by enabling HTTPS. Both HTTP and HTTPS can be enabled simultaneously, or only one of them can be enabled.
+
+| Parameter Name | Required | Description |
+|----------------|----------|-------------|
+| `enable-http` | No | Whether to enable HTTP service, default is `true` |
+| `port` | No | HTTP service port, default is `8080` |
+| `enable-https` | No | Whether to enable HTTPS service, default is `false` |
+| `https-port` | No | HTTPS service port, default is `8443` |
+| `key-store-path` | Required when `enable-https` is `true` | Path to the KeyStore file, used to store the server's private key and certificate |
+| `key-store-password` | Required when `enable-https` is `true` | KeyStore password |
+| `key-manager-password` | Required when `enable-https` is `true` | KeyManager password, usually the same as the KeyStore password |
+| `trust-store-path` | No | Path to the TrustStore file, used to verify client certificates |
+| `trust-store-password` | No | TrustStore password |
+
+**Note**: When `trust-store-path` and `trust-store-password` are not empty, mutual SSL authentication (client authentication) will be enabled, requiring the client to provide a valid certificate.
+
+```yaml
+seatunnel:
+  engine:
+    http:
+      enable-http: true
+      port: 8080
+      enable-https: true
+      https-port: 8443
+      key-store-path: "${YOUR_KEY_STORE_PATH}"
+      key-store-password: "${YOUR_KEY_STORE_PASSWORD}"
+      key-manager-password: "${YOUR_KEY_MANAGER_PASSWORD}"
+      # Optional: Mutual authentication
+      trust-store-path: "${YOUR_TRUST_STORE_PATH}"
+      trust-store-password: "${YOUR_TRUST_STORE_PASSWORD}"
+```
+
+### Example of Generating Keys
+
+```shell
+#!/bin/bash
+
+# Define the project root directory
+PROJECT_DIR="/Users/mac/IdeaProjects/data"
+
+# Define passwords
+SERVER_KEYSTORE_PASSWORD="server_keystore_password"
+SERVER_KEY_PASSWORD="server_keystore_password"
+CLIENT_KEYSTORE_PASSWORD="client_keystore_password"
+CLIENT_KEY_PASSWORD="client_keystore_password"
+SERVER_TRUSTSTORE_PASSWORD="server_truststore_password"
+CLIENT_TRUSTSTORE_PASSWORD="client_truststore_password"
+
+# Generate server keystore
+keytool -genkeypair \
+  -alias server \
+  -keyalg RSA \
+  -keysize 2048 \
+  -validity 365 \
+  -keystore "$PROJECT_DIR/server_keystore.jks" \
+  -storepass "$SERVER_KEYSTORE_PASSWORD" \
+  -keypass "$SERVER_KEY_PASSWORD" \
+  -dname "CN=localhost,OU=IT,O=MyCompany,L=Shanghai,ST=Shanghai,C=CN"
+
+# Export server certificate
+keytool -exportcert \
+  -alias server \
+  -keystore "$PROJECT_DIR/server_keystore.jks" \
+  -storepass "$SERVER_KEYSTORE_PASSWORD" \
+  -file "$PROJECT_DIR/server.crt"
+
+# Generate client keystore
+keytool -genkeypair \
+  -alias client \
+  -keyalg RSA \
+  -keysize 2048 \
+  -validity 365 \
+  -keystore "$PROJECT_DIR/client_keystore.jks" \
+  -storepass "$CLIENT_KEYSTORE_PASSWORD" \
+  -keypass "$CLIENT_KEY_PASSWORD" \
+  -dname "CN=client,OU=IT,O=MyCompany,L=Shanghai,ST=Shanghai,C=CN"
+
+# Export client certificate
+keytool -exportcert \
+  -alias client \
+  -keystore "$PROJECT_DIR/client_keystore.jks" \
+  -storepass "$CLIENT_KEYSTORE_PASSWORD" \
+  -file "$PROJECT_DIR/client.crt"
+
+# Create server truststore and import client certificate
+keytool -importcert \
+  -alias client \
+  -file "$PROJECT_DIR/client.crt" \
+  -keystore "$PROJECT_DIR/server_truststore.jks" \
+  -storepass "$SERVER_TRUSTSTORE_PASSWORD" \
+  -noprompt
+
+# Create client truststore and import server certificate
+keytool -importcert \
+  -alias server \
+  -file "$PROJECT_DIR/server.crt" \
+  -keystore "$PROJECT_DIR/client_truststore.jks" \
+  -storepass "$CLIENT_TRUSTSTORE_PASSWORD" \
+  -noprompt
+```

docs/sidebars.js

@@ -208,8 +208,15 @@ const sidebars = {
                 "seatunnel-engine/engine-jar-storage-mode",
                 "seatunnel-engine/tcp",
                 "seatunnel-engine/resource-isolation",
-                "seatunnel-engine/rest-api-v1",
-                "seatunnel-engine/rest-api-v2",
+                {
+                    "type": "category",
+                    "label": "RESTFul API",
+                    "items": [
+                        "seatunnel-engine/rest-api-v1",
+                        "seatunnel-engine/rest-api-v2",
+                        "seatunnel-engine/security"
+                    ]
+                },
                 "seatunnel-engine/user-command",
                 "seatunnel-engine/logging",
                 "seatunnel-engine/telemetry",

docs/zh/seatunnel-engine/rest-api-v1.md

@@ -1,7 +1,3 @@
----
-sidebar_position: 11
----
-
 # RESTful API V1
 
 :::caution warn

docs/zh/seatunnel-engine/rest-api-v2.md

@@ -1,7 +1,3 @@
----
-sidebar_position: 12
----
-
 # RESTful API V2
 
 SeaTunnel有一个用于监控的API，可用于查询运行作业的状态和统计信息，以及最近完成的作业。监控API是RESTful风格的，它接受HTTP请求并使用JSON数据格式进行响应。
@@ -35,6 +31,10 @@ seatunnel:
       context-path: /seatunnel
 ```
 
+## 开启 HTTPS
+
+请参考 [security](security.md)
+
 ## API参考
 
 ### 返回Zeta集群的概览

docs/zh/seatunnel-engine/security.md

@@ -0,0 +1,108 @@
+---
+sidebar_position: 16
+---
+
+# Security
+
+## HTTPS 配置
+
+您可以通过开启 HTTPS 来保护您的 API 服务。HTTP 和 HTTPS 可同时开启，也可以只开启其中一个。
+
+| 参数名称 | 是否必填 | 参数描述 |
+|--------|---------|--------|
+| `enable-http` | 否 | 是否开启 HTTP 服务，默认为 `true` |
+| `port` | 否 | HTTP 服务端口，默认为 `8080` |
+| `enable-https` | 否 | 是否开启 HTTPS 服务，默认为 `false` |
+| `https-port` | 否 | HTTPS 服务端口，默认为 `8443` |
+| `key-store-path` | 当 `enable-https` 为 `true` 时必填 | KeyStore 文件路径，用于存储服务器私钥和证书 |
+| `key-store-password` | 当 `enable-https` 为 `true` 时必填 | KeyStore 密码 |
+| `key-manager-password` | 当 `enable-https` 为 `true` 时必填 | KeyManager 密码，通常与 KeyStore 密码相同 |
+| `trust-store-path` | 否 | TrustStore 文件路径，用于验证客户端证书 |
+| `trust-store-password` | 否 | TrustStore 密码 |
+
+**注意**：当 `trust-store-path` 和 `trust-store-password` 配置项不为空时，将启用双向 SSL 认证（客户端认证），要求客户端提供有效证书。
+
+```yaml
+seatunnel:
+  engine:
+    http:
+      enable-http: true
+      port: 8080
+      enable-https: true
+      https-port: 8443
+      key-store-path: "${YOUR_KEY_STORE_PATH}"
+      key-store-password: "${YOUR_KEY_STORE_PASSWORD}"
+      key-manager-password: "${YOUR_KEY_MANAGER_PASSWORD}"
+      # 可选：双向认证
+      trust-store-path: "${YOUR_TRUST_STORE_PATH}"
+      trust-store-password: "${YOUR_TRUST_STORE_PASSWORD}"
+```
+
+### 生成密钥样例
+
+```shell
+#!/bin/bash
+
+# 定义项目根目录
+PROJECT_DIR="/Users/mac/IdeaProjects/data"
+
+# 定义密码
+SERVER_KEYSTORE_PASSWORD="server_keystore_password"
+SERVER_KEY_PASSWORD="server_keystore_password"
+CLIENT_KEYSTORE_PASSWORD="client_keystore_password"
+CLIENT_KEY_PASSWORD="client_keystore_password"
+SERVER_TRUSTSTORE_PASSWORD="server_truststore_password"
+CLIENT_TRUSTSTORE_PASSWORD="client_truststore_password"
+
+# 生成服务端密钥库
+keytool -genkeypair \
+  -alias server \
+  -keyalg RSA \
+  -keysize 2048 \
+  -validity 365 \
+  -keystore "$PROJECT_DIR/server_keystore.jks" \
+  -storepass "$SERVER_KEYSTORE_PASSWORD" \
+  -keypass "$SERVER_KEY_PASSWORD" \
+  -dname "CN=localhost,OU=IT,O=MyCompany,L=Shanghai,ST=Shanghai,C=CN"
+
+# 导出服务端证书
+keytool -exportcert \
+  -alias server \
+  -keystore "$PROJECT_DIR/server_keystore.jks" \
+  -storepass "$SERVER_KEYSTORE_PASSWORD" \
+  -file "$PROJECT_DIR/server.crt"
+
+# 生成客户端密钥库
+keytool -genkeypair \
+  -alias client \
+  -keyalg RSA \
+  -keysize 2048 \
+  -validity 365 \
+  -keystore "$PROJECT_DIR/client_keystore.jks" \
+  -storepass "$CLIENT_KEYSTORE_PASSWORD" \
+  -keypass "$CLIENT_KEY_PASSWORD" \
+  -dname "CN=client,OU=IT,O=MyCompany,L=Shanghai,ST=Shanghai,C=CN"
+
+# 导出客户端证书
+keytool -exportcert \
+  -alias client \
+  -keystore "$PROJECT_DIR/client_keystore.jks" \
+  -storepass "$CLIENT_KEYSTORE_PASSWORD" \
+  -file "$PROJECT_DIR/client.crt"
+
+# 创建服务端信任库并导入客户端证书
+keytool -importcert \
+  -alias client \
+  -file "$PROJECT_DIR/client.crt" \
+  -keystore "$PROJECT_DIR/server_truststore.jks" \
+  -storepass "$SERVER_TRUSTSTORE_PASSWORD" \
+  -noprompt
+
+# 创建客户端信任库并导入服务端证书
+keytool -importcert \
+  -alias server \
+  -file "$PROJECT_DIR/server.crt" \
+  -keystore "$PROJECT_DIR/client_truststore.jks" \
+  -storepass "$CLIENT_TRUSTSTORE_PASSWORD" \
+  -noprompt
+```

seatunnel-ci-tools/src/test/java/org/apache/seatunnel/api/file/AllFileSpecificationCheckTest.java

@@ -46,7 +46,8 @@ public class AllFileSpecificationCheckTest {
     @BeforeAll
     public static void beforeAll() throws IOException {
         List<String> fileTypesCanNotRead =
-                Arrays.asList("parquet", "orc", "xlsx", "xls", "png", "jar", "lzo", "zip", "ico");
+                Arrays.asList(
+                        "parquet", "orc", "xlsx", "xls", "png", "jar", "lzo", "zip", "ico", "jks");
         List<String> fileCanNotRead =
                 Arrays.asList(
                         "seatunnel-connectors-v2/connector-file/connector-file-base/src/test/resources/encoding/gbk.json",

seatunnel-engine/seatunnel-engine-common/src/main/java/org/apache/seatunnel/engine/common/config/YamlSeaTunnelDomConfigProcessor.java

@@ -518,6 +518,37 @@ private HttpConfig parseHttpConfig(Node httpNode) {
                         getIntegerValue(
                                 ServerConfigOptions.MasterServerConfigOptions.PORT_RANGE.key(),
                                 getTextContent(node)));
+            } else if (ServerConfigOptions.MasterServerConfigOptions.ENABLE_HTTPS
+                    .key()
+                    .equals(name)) {
+                httpConfig.setEnableHttps(getBooleanValue(getTextContent(node)));
+            } else if (ServerConfigOptions.MasterServerConfigOptions.HTTPS_PORT
+                    .key()
+                    .equals(name)) {
+                httpConfig.setHttpsPort(
+                        getIntegerValue(
+                                ServerConfigOptions.MasterServerConfigOptions.HTTPS_PORT.key(),
+                                getTextContent(node)));
+            } else if (ServerConfigOptions.MasterServerConfigOptions.KEY_STORE_PATH
+                    .key()
+                    .equals(name)) {
+                httpConfig.setKeyStorePath(getTextContent(node));
+            } else if (ServerConfigOptions.MasterServerConfigOptions.KEY_STORE_PASSWORD
+                    .key()
+                    .equals(name)) {
+                httpConfig.setKeyStorePassword(getTextContent(node));
+            } else if (ServerConfigOptions.MasterServerConfigOptions.KEY_MANAGER_PASSWORD
+                    .key()
+                    .equals(name)) {
+                httpConfig.setKeyManagerPassword(getTextContent(node));
+            } else if (ServerConfigOptions.MasterServerConfigOptions.TRUST_STORE_PATH
+                    .key()
+                    .equals(name)) {
+                httpConfig.setTrustStorePath(getTextContent(node));
+            } else if (ServerConfigOptions.MasterServerConfigOptions.TRUST_STORE_PASSWORD
+                    .key()
+                    .equals(name)) {
+                httpConfig.setTrustStorePassword(getTextContent(node));
             } else {
                 LOGGER.warning("Unrecognized element: " + name);
             }

seatunnel-engine/seatunnel-engine-common/src/main/java/org/apache/seatunnel/engine/common/config/server/HttpConfig.java

@@ -31,6 +31,33 @@ public class HttpConfig implements Serializable {
 
     private int port = ServerConfigOptions.MasterServerConfigOptions.PORT.defaultValue();
 
+    /** Whether to enable https. */
+    private boolean enableHttps =
+            ServerConfigOptions.MasterServerConfigOptions.ENABLE_HTTPS.defaultValue();
+
+    /** The port of https. */
+    private int httpsPort = ServerConfigOptions.MasterServerConfigOptions.HTTPS_PORT.defaultValue();
+
+    /** The path of keystore file. */
+    private String keyStorePath =
+            ServerConfigOptions.MasterServerConfigOptions.KEY_STORE_PATH.defaultValue();
+
+    /** The password of keystore file. */
+    private String keyStorePassword =
+            ServerConfigOptions.MasterServerConfigOptions.KEY_STORE_PASSWORD.defaultValue();
+
+    /** The password of key manager. */
+    private String keyManagerPassword =
+            ServerConfigOptions.MasterServerConfigOptions.KEY_MANAGER_PASSWORD.defaultValue();
+
+    /** The path of truststore file. */
+    private String trustStorePath =
+            ServerConfigOptions.MasterServerConfigOptions.TRUST_STORE_PATH.defaultValue();
+
+    /** The password of truststore file. */
+    private String trustStorePassword =
+            ServerConfigOptions.MasterServerConfigOptions.TRUST_STORE_PASSWORD.defaultValue();
+
     private String contextPath =
             ServerConfigOptions.MasterServerConfigOptions.CONTEXT_PATH.defaultValue();