From d937310d091ca3cc6833d560f42e71f6e21d2d4c Mon Sep 17 00:00:00 2001
From: Fabio Buso <dev.siroibaf@gmail.com>
Date: Mon, 16 Dec 2024 09:49:21 +0100
Subject: [PATCH] =?UTF-8?q?[FSTORE-1644]=20FlinkEngine=20configures=20Kafk?=
 =?UTF-8?q?a=20producer=20pointing=20to=20the=20l=E2=80=A6=20(#438)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* [FSTORE-1644] FlinkEngine configures Kafka producer pointing to the local certificate path

* Add missing dependencies
---
 java/flink/pom.xml                            |  22 +++
 .../hsfs/flink/engine/FlinkEngine.java        | 129 ++++++++++++++----
 .../hsfs/flink/engine/TestFlinkEngine.java    |  87 ++++++++++++
 java/flink/src/test/resources/test_kstore.jks | Bin 0 -> 3961 bytes
 java/flink/src/test/resources/test_tstore.jks | Bin 0 -> 1460 bytes
 .../metadata/HopsworksInternalClient.java     |   1 -
 6 files changed, 211 insertions(+), 28 deletions(-)
 create mode 100644 java/flink/src/test/java/com/logicalclocks/hsfs/flink/engine/TestFlinkEngine.java
 create mode 100644 java/flink/src/test/resources/test_kstore.jks
 create mode 100644 java/flink/src/test/resources/test_tstore.jks

diff --git a/java/flink/pom.xml b/java/flink/pom.xml
index 11564004f..c50848325 100644
--- a/java/flink/pom.xml
+++ b/java/flink/pom.xml
@@ -14,6 +14,9 @@
   <properties>
     <flink.version>1.17.1.0</flink.version>
     <fasterxml.version>2.13.4.2</fasterxml.version>
+    <bouncycastle.version>1.79</bouncycastle.version>
+    <guava.version>14.0.1</guava.version>
+    <httpclient.version>4.5.6</httpclient.version>
   </properties>
 
   <dependencies>
@@ -88,5 +91,24 @@
       <version>${fasterxml.version}</version>
     </dependency>
 
+    <dependency>
+      <groupId>org.apache.httpcomponents</groupId>
+      <artifactId>httpclient</artifactId>
+      <version>${httpclient.version}</version>
+    </dependency>
+
+    <dependency>
+      <groupId>com.google.guava</groupId>
+      <artifactId>guava</artifactId>
+      <version>${guava.version}</version>
+    </dependency>
+
+    <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bcpkix-jdk18on</artifactId>
+      <scope>test</scope>
+      <version>${bouncycastle.version}</version>
+    </dependency>
+
   </dependencies>
 </project>
diff --git a/java/flink/src/main/java/com/logicalclocks/hsfs/flink/engine/FlinkEngine.java b/java/flink/src/main/java/com/logicalclocks/hsfs/flink/engine/FlinkEngine.java
index aa6b07537..b8e43908e 100644
--- a/java/flink/src/main/java/com/logicalclocks/hsfs/flink/engine/FlinkEngine.java
+++ b/java/flink/src/main/java/com/logicalclocks/hsfs/flink/engine/FlinkEngine.java
@@ -17,6 +17,7 @@
 
 package com.logicalclocks.hsfs.flink.engine;
 
+import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Strings;
 import com.logicalclocks.hsfs.FeatureGroupBase;
 import com.logicalclocks.hsfs.FeatureStoreException;
@@ -25,6 +26,8 @@
 import com.logicalclocks.hsfs.flink.StreamFeatureGroup;
 
 import com.logicalclocks.hsfs.metadata.HopsworksInternalClient;
+import com.logicalclocks.hsfs.metadata.StorageConnectorApi;
+import com.twitter.chill.Base64;
 import lombok.Getter;
 
 import org.apache.avro.generic.GenericRecord;
@@ -36,8 +39,16 @@
 import org.apache.flink.streaming.api.datastream.DataStreamSink;
 import org.apache.flink.streaming.api.environment.StreamExecutionEnvironment;
 import org.apache.flink.util.FileUtils;
+import org.apache.kafka.common.config.SslConfigs;
 
+import java.io.FileInputStream;
 import java.io.IOException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateEncodingException;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Properties;
@@ -45,7 +56,7 @@
 public class FlinkEngine extends EngineBase {
   private static FlinkEngine INSTANCE = null;
 
-  public static synchronized FlinkEngine getInstance() throws FeatureStoreException {
+  public static synchronized FlinkEngine getInstance() {
     if (INSTANCE == null) {
       INSTANCE = new FlinkEngine();
     }
@@ -55,38 +66,38 @@ public static synchronized FlinkEngine getInstance() throws FeatureStoreExceptio
   @Getter
   private StreamExecutionEnvironment streamExecutionEnvironment;
 
-  private FlinkEngine() throws FeatureStoreException {
+  private FlinkEngine() {
     streamExecutionEnvironment = StreamExecutionEnvironment.getExecutionEnvironment();
     // Configure the streamExecutionEnvironment
     streamExecutionEnvironment.getConfig().enableObjectReuse();
   }
 
   public DataStreamSink<?> writeDataStream(StreamFeatureGroup streamFeatureGroup, DataStream<?> dataStream,
-      Map<String, String> writeOptions) throws FeatureStoreException, IOException {
+                                           Map<String, String> writeOptions) throws FeatureStoreException, IOException {
 
     DataStream<Object> genericDataStream = (DataStream<Object>) dataStream;
     Properties properties = new Properties();
     properties.putAll(getKafkaConfig(streamFeatureGroup, writeOptions));
 
     KafkaSink<GenericRecord> sink = KafkaSink.<GenericRecord>builder()
-        .setBootstrapServers(properties.getProperty("bootstrap.servers"))
-        .setKafkaProducerConfig(properties)
-        .setRecordSerializer(new KafkaRecordSerializer(streamFeatureGroup))
-        .setDeliverGuarantee(DeliveryGuarantee.AT_LEAST_ONCE)
-        .build();
+            .setBootstrapServers(properties.getProperty("bootstrap.servers"))
+            .setKafkaProducerConfig(properties)
+            .setRecordSerializer(new KafkaRecordSerializer(streamFeatureGroup))
+            .setDeliverGuarantee(DeliveryGuarantee.AT_LEAST_ONCE)
+            .build();
     Map<String, String> complexFeatureSchemas = new HashMap<>();
-    for (String featureName: streamFeatureGroup.getComplexFeatures()) {
+    for (String featureName : streamFeatureGroup.getComplexFeatures()) {
       complexFeatureSchemas.put(featureName, streamFeatureGroup.getFeatureAvroSchema(featureName));
     }
 
     DataStream<GenericRecord> avroRecordDataStream =
-        genericDataStream.map(new PojoToAvroRecord(
-          streamFeatureGroup.getDeserializedAvroSchema(),
-          streamFeatureGroup.getDeserializedEncodedAvroSchema(),
-        complexFeatureSchemas))
-          .returns(
-            new GenericRecordAvroTypeInfo(streamFeatureGroup.getDeserializedEncodedAvroSchema())
-          );
+            genericDataStream.map(new PojoToAvroRecord(
+                            streamFeatureGroup.getDeserializedAvroSchema(),
+                            streamFeatureGroup.getDeserializedEncodedAvroSchema(),
+                            complexFeatureSchemas))
+                    .returns(
+                            new GenericRecordAvroTypeInfo(streamFeatureGroup.getDeserializedEncodedAvroSchema())
+                    );
 
     return avroRecordDataStream.sinkTo(sink);
   }
@@ -96,34 +107,98 @@ public String addFile(String filePath) throws IOException {
     if (Strings.isNullOrEmpty(filePath)) {
       return filePath;
     }
-    // this is used for unit testing
-    if (!filePath.startsWith("file://")) {
-      filePath = "hdfs://" + filePath;
+
+    if (filePath.startsWith("hdfs://")) {
+      String targetPath = FileUtils.getCurrentWorkingDirectory().toString()
+              + filePath.substring(filePath.lastIndexOf("/"));
+      FileUtils.copy(new Path(filePath), new Path(targetPath), false);
+
+      return targetPath;
     }
-    String targetPath = FileUtils.getCurrentWorkingDirectory().toString()
-        + filePath.substring(filePath.lastIndexOf("/"));
-    FileUtils.copy(new Path(filePath), new Path(targetPath), false);
-    return targetPath;
+
+    return filePath;
   }
 
   @Override
   public Map<String, String> getKafkaConfig(FeatureGroupBase featureGroup, Map<String, String> writeOptions)
-      throws FeatureStoreException, IOException {
+          throws FeatureStoreException, IOException {
     boolean external = !(System.getProperties().containsKey(HopsworksInternalClient.REST_ENDPOINT_SYS)
-        || (writeOptions != null
-        && Boolean.parseBoolean(writeOptions.getOrDefault("internal_kafka", "false"))));
+            || (writeOptions != null
+            && Boolean.parseBoolean(writeOptions.getOrDefault("internal_kafka", "false"))));
 
     StorageConnector.KafkaConnector storageConnector =
-        storageConnectorApi.getKafkaStorageConnector(featureGroup.getFeatureStore(), external);
+            storageConnectorApi.getKafkaStorageConnector(featureGroup.getFeatureStore(), external);
     storageConnector.setSslTruststoreLocation(addFile(storageConnector.getSslTruststoreLocation()));
     storageConnector.setSslKeystoreLocation(addFile(storageConnector.getSslKeystoreLocation()));
 
     Map<String, String> config = storageConnector.kafkaOptions();
 
+    // To avoid distribution issues of the certificates across multiple pods/nodes
+    // here we are extracting the key/certificates from the JKS keyStore/trustStore and
+    // pass them in the configuration as PEM content
+    try {
+      KeyStore keyStore = KeyStore.getInstance("JKS");
+      keyStore.load(new FileInputStream(storageConnector.getSslKeystoreLocation()),
+              storageConnector.getSslKeystorePassword().toCharArray());
+      config.put(SslConfigs.SSL_KEYSTORE_KEY_CONFIG, getKey(keyStore, storageConnector.getSslKeystorePassword()));
+      config.put(SslConfigs.SSL_KEYSTORE_CERTIFICATE_CHAIN_CONFIG, getCertificateChain(keyStore));
+      config.put(SslConfigs.SSL_KEYSTORE_TYPE_CONFIG, "PEM");
+
+      KeyStore trustStore = KeyStore.getInstance("JKS");
+      trustStore.load(new FileInputStream(storageConnector.getSslTruststoreLocation()),
+              storageConnector.getSslTruststorePassword().toCharArray());
+      config.put(SslConfigs.SSL_TRUSTSTORE_CERTIFICATES_CONFIG, getRootCA(trustStore));
+      config.put(SslConfigs.SSL_TRUSTSTORE_TYPE_CONFIG, "PEM");
+    } catch (Exception ex) {
+      throw new IOException(ex);
+    }
+
+    // Remove the keystore and truststore location from the properties otherwise
+    // the SSL engine will try to use them first.
+    config.remove(SslConfigs.SSL_KEYSTORE_LOCATION_CONFIG);
+    config.remove(SslConfigs.SSL_KEYSTORE_PASSWORD_CONFIG);
+    config.remove(SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG);
+    config.remove(SslConfigs.SSL_TRUSTSTORE_PASSWORD_CONFIG);
+    config.remove(SslConfigs.SSL_KEY_PASSWORD_CONFIG);
+
     if (writeOptions != null) {
       config.putAll(writeOptions);
     }
     config.put("enable.idempotence", "false");
     return config;
   }
+
+  private String getKey(KeyStore keyStore, String password)
+          throws KeyStoreException, UnrecoverableKeyException, NoSuchAlgorithmException {
+    String keyAlias = keyStore.aliases().nextElement();
+    return "-----BEGIN PRIVATE KEY-----\n"
+            + Base64.encodeBytes(keyStore.getKey(keyAlias, password.toCharArray()).getEncoded())
+            + "\n-----END PRIVATE KEY-----";
+  }
+
+  private String getCertificateChain(KeyStore keyStore) throws KeyStoreException, CertificateEncodingException {
+    String certificateAlias = keyStore.aliases().nextElement();
+    Certificate[] certificateChain = keyStore.getCertificateChain(certificateAlias);
+
+    StringBuilder certificateChainBuilder = new StringBuilder();
+    for (Certificate certificate : certificateChain) {
+      certificateChainBuilder.append("-----BEGIN CERTIFICATE-----\n")
+              .append(Base64.encodeBytes(certificate.getEncoded()))
+              .append("\n-----END CERTIFICATE-----\n");
+    }
+
+    return certificateChainBuilder.toString();
+  }
+
+  private String getRootCA(KeyStore trustStore) throws KeyStoreException, CertificateEncodingException {
+    String rootCaAlias = trustStore.aliases().nextElement();
+    return "-----BEGIN CERTIFICATE-----\n"
+            + Base64.encodeBytes(trustStore.getCertificate(rootCaAlias).getEncoded())
+            + "\n-----END CERTIFICATE-----";
+  }
+
+  @VisibleForTesting
+  public void setStorageConnectorApi(StorageConnectorApi storageConnectorApi) {
+    this.storageConnectorApi = storageConnectorApi;
+  }
 }
diff --git a/java/flink/src/test/java/com/logicalclocks/hsfs/flink/engine/TestFlinkEngine.java b/java/flink/src/test/java/com/logicalclocks/hsfs/flink/engine/TestFlinkEngine.java
new file mode 100644
index 000000000..20540cbed
--- /dev/null
+++ b/java/flink/src/test/java/com/logicalclocks/hsfs/flink/engine/TestFlinkEngine.java
@@ -0,0 +1,87 @@
+/*
+ *  Copyright (c) 2024. Hopsworks AB
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *
+ *  See the License for the specific language governing permissions and limitations under the License.
+ *
+ */
+package com.logicalclocks.hsfs.flink.engine;
+
+import com.logicalclocks.hsfs.*;
+import com.logicalclocks.hsfs.flink.FeatureStore;
+import com.logicalclocks.hsfs.flink.StreamFeatureGroup;
+import com.logicalclocks.hsfs.metadata.HopsworksClient;
+import com.logicalclocks.hsfs.metadata.HopsworksHttpClient;
+import com.logicalclocks.hsfs.metadata.StorageConnectorApi;
+import org.apache.kafka.common.config.SslConfigs;
+import org.bouncycastle.cert.X509CertificateHolder;
+import org.junit.Assert;
+import org.junit.Test;
+import org.mockito.Mockito;
+import org.bouncycastle.openssl.PEMParser;
+
+import java.io.IOException;
+import java.io.StringReader;
+import java.security.cert.CertificateException;
+import java.util.HashMap;
+import java.util.Map;
+
+public class TestFlinkEngine {
+
+    @Test
+    public void testKafkaProperties_Certificates() throws IOException, FeatureStoreException, CertificateException {
+        // Arrange
+        HopsworksClient hopsworksClient = Mockito.mock(HopsworksClient.class);
+        hopsworksClient.setInstance(new HopsworksClient(Mockito.mock(HopsworksHttpClient.class), "host"));
+
+        StorageConnector.KafkaConnector kafkaConnector = new StorageConnector.KafkaConnector();
+        kafkaConnector.setSslKeystoreLocation(this.getClass().getResource("/test_kstore.jks").getPath());
+        kafkaConnector.setSslKeystorePassword("O74K016I5UTB7YYPC6K6RXIM9F7LVPFW23FNK8WF3JEOO7Y607VCU7E7691UQ3CA");
+        kafkaConnector.setSslTruststoreLocation(this.getClass().getResource("/test_tstore.jks").getPath());
+        kafkaConnector.setSslTruststorePassword("O74K016I5UTB7YYPC6K6RXIM9F7LVPFW23FNK8WF3JEOO7Y607VCU7E7691UQ3CA");
+        kafkaConnector.setSecurityProtocol(SecurityProtocol.SSL);
+        kafkaConnector.setSslEndpointIdentificationAlgorithm(SslEndpointIdentificationAlgorithm.EMPTY);
+        kafkaConnector.setExternalKafka(true);
+
+        StorageConnectorApi storageConnectorApi = Mockito.mock(StorageConnectorApi.class);
+        Mockito.when(storageConnectorApi.getKafkaStorageConnector(Mockito.any(), Mockito.anyBoolean()))
+                .thenReturn(kafkaConnector);
+        FlinkEngine flinkEngine = FlinkEngine.getInstance();
+        flinkEngine.setStorageConnectorApi(storageConnectorApi);
+
+        StreamFeatureGroup featureGroup = new StreamFeatureGroup();
+        featureGroup.setFeatureStore(new FeatureStore());
+
+        // Act
+        Map<String, String> kafkaOptions = flinkEngine.getKafkaConfig(featureGroup, new HashMap<>());
+
+        // Assert
+        Assert.assertEquals("PEM", kafkaOptions.get(SslConfigs.SSL_KEYSTORE_TYPE_CONFIG));
+        Assert.assertEquals("PEM", kafkaOptions.get(SslConfigs.SSL_TRUSTSTORE_TYPE_CONFIG));
+
+        String keystoreChainPem = kafkaOptions.get(SslConfigs.SSL_KEYSTORE_CERTIFICATE_CHAIN_CONFIG);
+        String trustStorePem = kafkaOptions.get(SslConfigs.SSL_TRUSTSTORE_CERTIFICATES_CONFIG);
+
+        try (PEMParser pemParser = new PEMParser(new StringReader(keystoreChainPem))) {
+            Assert.assertEquals("CN=FraudWorkshop__fabio000",
+                    ((X509CertificateHolder) pemParser.readObject()).getSubject().toString());
+
+            Assert.assertEquals("C=SE,O=Hopsworks,OU=core,CN=HopsRootCA",
+                    ((X509CertificateHolder) pemParser.readObject()).getIssuer().toString());
+        }
+
+        try (PEMParser pemParser = new PEMParser(new StringReader(trustStorePem))) {
+            Assert.assertEquals("C=SE,O=Hopsworks,OU=core,CN=HopsRootCA",
+                    ((X509CertificateHolder) pemParser.readObject()).getSubject().toString());
+        }
+    }
+}
diff --git a/java/flink/src/test/resources/test_kstore.jks b/java/flink/src/test/resources/test_kstore.jks
new file mode 100644
index 0000000000000000000000000000000000000000..3f02a42ba97b4bc522dc9c1ce0f66336931a0022
GIT binary patch
literal 3961
zcmb`|c{o&m-v{v7D0`MrVeE<WJ7dk37!re0WX+a+8(|n*n6X4i*_SNIzKq>ivhT8l
z#AHd4U6C#8P5qwh`aSpk{PSGb{m1u@_c`BlopYVf=ll8`tsbp{Kp@D;0{>ntRxV~3
z3lFr5y{iq{*~G-k%-j|Y0Km!pXsX^7D-ehb1mIu?04+JC5IGnI7KG4)!DJv94z>_Z
zHUG_mk>Me6-^7T{>pdH{P^_s-t4)1wtF$>lR24S&ElrTpm`&&U5Jms<6+^m`qs5-u
z<tmMcBwvH2ZXtsTdLl>S9jj(f_deJ&8WLiKG_tGI(Za!&Rc424skY8aCE6pZ2PT`o
zKbZU=^NcUqL28SpJxG8jWJcQilSUvmecGGQ+BD7)Hc%18Gcp)0S2(o{`XnT!$||9+
z6%UfjY~v^ETvIvw&Ot&{5i3`a=dY$T^FH99<T9#U8?tnuI>-B-c&=wSX6PvY`m;@f
zJ!^1X;*>#R$I&-xwQ`b3Q~DKRW7*b(u<g~KhqG663G{x!R2B!@#;OOmuN-KJMIXNC
zz=jq!u@9|$;fzK)g(A^$JfZ83*Rx>v-FvFDa}OdnF2huN_!cESDoYb4W8Q{{y!NOy
z>Dhaf<zxwZ;|oH19DWhuN&>gZ3jUfo`pbK_u&MsD5^r(h)bo#ry{b0~l`uNzV+9_f
z_$kFJ&7b;4>=ldTk=@XefRkEKv+mh5T&=|q^4WJ@l?~1~5d<Cy%?ta-lb@siV0zB&
zYY(<fNWj|1bTZ;$|E42(euL7iWp0m*ehvQiGy;_28}ZXqYP%`6GvoM7z_zODZY8qM
zl%VL}BCeMivBh!jY(u8s0RE-C(GO$FBCUvKV%<FF<qyM?QS=v;bxh|dNp7`N5)~<V
z(PdQ!wX1{%(LVn`>tWaOKn3i0!L4P2Xl`kIB-O^}{z+NS90QH=&v6k5;`=a@EetHG
z7{%RhQ3vx|OTxPdxVfj}CRslzO7~9QER_nhi0bMsf%`wM9qYJP+}9ZB(U+-PRVix*
zr;1w?5n<i?s)h!i-EXCi#9UI#7bBxtW?zdR5L<J5TB>@kqFrveWSKX||1c)F@XI({
z=bn@9`d>zkOoD8$+iIj0xXuiG)QYCKl<m{x+8j3>6|3$Dj`S+KgBjD9Z@j_Nq%ORR
z@}3WEqX-g}%yX;)ql+lfmzh6a{20OifcZ!0{_Qs<A2^<Z_Oa3_N|RQXM~@z)9fW8C
znN9uA3OwEujRiZmp9+rG;2_-|<L<?tN8ipzV_YhbFPLBQ2C+TvY_CgjWmf@gMw_u2
zLj1&9oU+M#2}niuP~e>b_$)Kc%O<dLO7o)7JCeC(d^;1J#7g!MyPlFdKk1fiJLHWv
z;ujT(TgEn$jYwmg1Amt+Ynt-Byd-tgu4vkUe|DAE`l-P?g%6{TC!%LrX#2YeJsjzJ
zHIwrWCD1}fW^G-UxtY<>-R(OeDI0#;i@mQpdEO)9k=z+>)2=0kSS2sLLE)kE!Da;O
zfGXzI8y0e|<#q*HaVto$$Swt5IQ~%{e%EMHwL`4E?`2o|lYrbg4u<2PSP}LWs~hw?
z+U8r!AzY!+p1e(NvBT++ceApLYV&YDZ@ZBnGCx<NY#TMjJF}BTnE2E8SYm{(5V7(_
zD;F04?~mf1_K*Ob4$CBbf7vUv`4C%#DL$ST!Zjg-$#dTGH0beEFr}DD_@VA>8F?v1
z-qHjzwdu}t5vMsZH}6DULYB&1(SVIt*I^hj$j`Z*cB3eY*)73GLa~|Hu11Ras_pxl
zk*Q|RBb_O<Zh^jIcuA9%tHoFB!D@lj_r0XG&`T2Y^>6NTQvO^rtZ^9x#n-I2SFtQs
z4Cv|4iHUs<CvX1^CYheFI3NWA!O~7ROa^ced^!{YhCm>oP=JP<LNNGt@D2?aOm)Jg
z27(HpAcyL}$QdE`l@ScUxzj*NO>rCT?E0Hp1PwrSdX0)2_6Y4_iMRw@IE_$hhSM#o
zPHvVij+Pd-W^R^91%QKvMnnvO0InlMM5Pd-1}rq9r%~eX2yi1f0ggY9v)nq>T=zdT
z2XJ8Se}3f&;7}Zx?nHJlB?JcsgAxfqwAVBglvlRh<tH&L5ib13*i$5!W&m~GXl^9c
zZ~~&!P`)W1M?puI=jYI&&db?6tAobX-^%i|yssi6=e9qBlQ7F+Dw*hP0!xOucA|E(
zw+0Ec^?J{a4+m>j=8n>;cD1cjA7Z3qZCs`v-iwbKre($AM{6^$3h<(g8hQ2AsH}X7
zxrthB{^|quV^Xc|KLq;<$>y3pu2o8MZHO!S;9o~a5bkAjfBAepH39xw<0aOy45^M#
z`zCsoKS5urP;vzJ*tzwo<lGQe!Yo8(CmEi&Cez)8#~DL8k!^Oq#VrLi#;63dh4!KA
zsYU09i)Mn4@K&Mh#e6L~5GWV~&I}*`0fhkd$-iW01cQ%Z5CC*C_f8VsX@Wr^uoA%W
zH1oi$01JPn#WmB5qt1&YR-2&<ZE!Vy#pg$p8LDqo0OkL82QUKke@aMs+5z{_Xg8$7
zNnrr?)7R0$m|;wgv@0u{izJV(+%R~-ioBB|BirMD*7T(Fpg0H^bVX+NnFT$D=uX13
zKt`w6gf3**IF7X4({D_wI8--C(jQM3n@iQ@`;t<bPA<HWctF{DWPUe3tB0;U*?9F_
zwI%9(lMQ6zXYv=CUd@n1n#5)Q4XUiy=Jf0VU#X(Jp=UgkiQJ)S-+GM9vyT~F6&X|p
z&K|l(RV&f;&v0e-q{jz-b3{;@vi|TWFKk1rqu6m<IvpAC`f$ZG@t}d-m$^FndOa-%
z8x2x$$ePV3p*P<N)y*7SZ?O!jRPp)3zDrCrjCxDgxQy`=-vayJlJ)G4!3WQ(Kj&6r
z_cN>u8KuY>C0|d~ai8H;oY!u=_V_?{oAcYtB$a{2Mhj2nx))9hvIhc#N!nUY`8&QZ
zhN5R*qtEonT_-xZ_Ad&u#ZZp%woG9_y(Dd2FZzlb<n0@1o}{74CcO;1tWVuaj;<QZ
zzcl-(o#NVfJ36ojYQ+l-4%km(>2L*S^R9<=-Xr7BYGP@B!hz9khZv1$<GISTH$zs|
z0n<{A?Bi$X)dPDS269>9PwEGXC0z|viVUGc4naUG@6Pw_S+62(F4NY24%$x(4;d2-
zor9UZ8;;j_L_4DyZ#K8|oz)9asnW3Bf7_HyLd^(Bz6*%MVq`P3o^+vJPo>1VYrIf6
z{4ReG0xkFzVZ*<MnxFcT6J%hPG%Mac<=h5~(iBW`s4EBkk5ptH0FKNRz(EcFNOjUp
z{|426r%nF`3IL=;M8(9#{ssyFB>#^8Z4Ysf|FjHpY8m9jvXcW)Y3CnO8Kqkxu3dt8
zi=T6(kh3dUZf%y|NL&*DJLf-N@Cjdan{eB6b}QfR3{1Rg{6x8`Pf{{R?ZZNTrP6sX
z`pye=EU5j@7KU{D-F{+}L`>P?(zfHMZ@sh*gPPG$Fn8&K5=ONH9-taoTGamCID{5!
z_|~1bs`tkI8d<)EA*G60p1TaPHgmT~QsRD-Dq6w}xKLMrEA|0FvhB;rybZCWN9T>T
zzBVP_zFie4XQjM3^L4X5OHB8;a+L&fMr9m%?(VhV{CslpsE3nR-Xl3zuUQqa&N6kB
zOIkHfskc@X8Hc?Rlx+^vAo%|E1#Vq+X?`$Q|50Osi~|{s{;Gk@*g0oDf|-S8qtAG-
zddDJ5_HgD%##f$QO|$b+laKDqL~5J#75{~H;F;SptJr$$YR|hIQE}~<%*3p1n%-lp
zmBM~;)jvtgWA$l1>29V@{w=)Sg6NWC^%*Lp8q;C9VD+P8{b=tDI}`bZ-Y_JbL}<k3
zlF3T&^);#L2Byr6Ot89p?C~6DwyxK87%=NLM7hy7bG~@zc7^WVzMXhewwl{<KEXK2
zVGPrmk@ZVfn!4f6&QFGm^8IDD2Fcr7y>vx(OKn+K`ed$8<>F)IM!CYR)_N=W))lO%
z=%z)VL@4TnkBeo8UziLCCd3S<d3jG%;dDN;Pw6~3#FYNA`~>KK;Q4<^4Z#0U&I&O5
zGx0-BP@B;GJT_G&n0{eJo4|dN6~J)1;rAps3y`0T00@}uf6oJO@V_0Y-vYl9O7lq2
z%}b1<^aw#cr-w@C9OfrTFj(fX?IEA@4<A2hpiGq@QWy$uIjs=1i!KRrEkK}ZY)cX<
z!w}_{Rx9_{@bt1O%`b1tYmeN<3Y!N#m9cvY@tV84c(EYv(F$Lw1Dom#*p-4kvfQXh
zejEFg<d16wT+g0o(hjb682>P2KN^x5@4i3kd2{F3ULfX7Yi&GIxjxlXK2i}wHIi20
zpX!9BrX4|8x`r`PbZ3Q?sA!}t{$iUrmMH`JWn%;`@i6i|^rCCXJ!V=-v9Dhj@7QPI
zVz_f>H6Wx%uE&`;Z*r5RLq`L`kJkp`HZ3$_*op(Mh6LTa*`T;1mq>LOC`}~g-21N0
ztmYL?jkSK9<XVLNI`gT?YkDo12O9a7(<PG)<ahkb+5K6qe1E&MHpYxnDPm6aO4Qh8
z{fWag4yJwav4#3|sZN{4*PJv0f~3Lgx?*4Yf7Rt4t}+pCdcq4AcEnvka{3W&wKyl-
zzy@oAX8GuNUv>0YFB3(shH%voL-_f*GNf;?3PrHJEiYHf(5+-on=}WUD3{&h`Wu;#
zUGIoCn0N9%ZPP6yuMkEynffn4X!2K_Q7XwLf&J_K$@MG#?bd~Pk}_WQ7U>N1n?HIl
zw_Uxp5Ye5TSP*#&k}(dc37yh9YVFRg>C(bz*s{x6Bv3yt)wi`?H&tO%>(n9(4}&DS
N*9FpsZkZ|E`4@<s>&5^8

literal 0
HcmV?d00001

diff --git a/java/flink/src/test/resources/test_tstore.jks b/java/flink/src/test/resources/test_tstore.jks
new file mode 100644
index 0000000000000000000000000000000000000000..c0e7effb621ce3a9be5a121de6222f4623c59922
GIT binary patch
literal 1460
zcmezO_TO6u1_mY|W(3nb8Tkdp@kROhCGp9LK*7n}r{AP8utw;a8dx$gu;v>yv1S`I
zF$XVTW@2PwVq`GjW#iOp^Jx3d%gD&h%3$DX$Zf#M#vIDRCd?G<YA9qN0OD}*aC!jE
zEzd8?E;i&f;0B3t^ROi67o{2s8wi59%sgBmB|$)&ogEG2#CeTO3=Iq{jf_o9O$?*N
zd5u9_b10Wu)-*9GA$x$4m4Ug5iJ!rsiHVD;3Fy0<r`IeG_K!-q{pOj{EP-!tuBpsS
zjGtZkQFLnD4^{58zrsIXulc83wJ?y&o1b&nc0n&Or`x+H|2yOm9s8O~mBo!YeyRDd
zY}tS1&$vFkJvh6<I5uSIVyUM>mz;On9i8~q_eA0Qi(%`Y|LwNb?GlZ<Q*$azsM%$6
z_LcVX8L!MI33s_JxjBXHt=BH=PYa(Uv79L4d3Eq5fB&hKEYqL8Qx!QOrg6Emw61w+
z#)X!hKVGu4xX)}e+bRFyYWvAB*+az_*2k&GA1JyPEVz*I?V9SF54>yktgH^cV77OQ
zjw}B%h4X9DTND;NJGe1lZ>!r(jvo@dGqgP{XZ!KR=xr0@_h^6H{d$U5<>ZrW7AA-D
zQ`Jj6=dA5MWx=;Wvo`WAe`P{`;GVcuyJw!6(RaS0!F^j}%$iRPQ$EGssG4Q_#_h84
z^;a*}uC_l?Gudv<lLKtoAO5MxuX16MoMvXLCiQ;T<7bDO19fv!OjTn-#b-^Zb9k&R
zKgFxry0b69jQh&drE~P1qBea<Q{JxgkWD>h_Hn*9c5Wt<R?J{Y;buE8Fz2nQ;cQM3
z8;17*Da$tgG3@VI?9lUc`zFC(zHYr&j-PjZar>c|N1q}`{a-KL#*JEPE108~&hF(~
z{C0KluG0&Z9<I&1_HDOOcEd-hc6S%oC#SVDZ-~kp+6&MBzpUf8&GSD`p7}HP^FA|Y
zVrFDuT%2Z*Vju)eqq4$`jQ?3U4A_7a6C;-aA4rTJB*p^F4Q&RpAU+?97>kG+bG-K#
z=HDx2JY85K*K9eW5qvAnKprHm%pzeR)_`3BYE}ZKL`DX+z~z3ETsj^rstCC*uRHxI
zSV>Kn|D&Z<sHd7%mP6U8bQysa;el(KB6@E)J*_rB8Txni-o9|JHvb1x-42~d6EQNe
z-KjZwA49~1;?q@GUSZo$U8!E8scUdFDb(hV<@$>^uikn8X@!D9)w$^(?5+xma<1yt
zo23~3w7TczLfr*<v-_MS?yBSl{Vpk7^Y7>H3fb3}_3s|mFkN|X?Ods(w~72!$1C)A
z=$m*=F9_J~H&v1=deQlY$$O;w)1T^H|LcCZm#b-RnAVq?b9-|qHEoJA;6B3Hdj0Y|
z^Pho2o5G9kJ&=+YZZTowI-g!Xai`J7?j46S%k{jwk4;T@l3Vy}OT${vTVMF*3D&p#
zt$DIA=K5BZxe_9E?pvDVj@SS2%F2KKIrBi4)z52Zg5SD{nN9fiP$E6k>7dD$ztUUP
z<!*?6Zn?R&gKyJv{jVB@>kAi3tbaEvr}>=e-Fy1ef=@c%udB`1;QbPowajVn<I}bi
z7H_UAtf`*%k6-J7UfSo#2j30e#>^198t-ZF$FW@2<WA*e-ia)YlalX!n!HVZ-)~me
z+eY*6MVXqtU2VR`VR7}#87|kteV)FT&`@^%SNYtqldYph#Bf%DvEwYp{JlAhcdT@@
zUU*-(WOiD3yP4T1%f4ib*Q<gxe)E1D-Fp6jnYqWwBp$wk2NPGd)_&SjvMgw&NlgXk
bHl=0X)OJYy+{NZsy}k96nPZ7we|R_m9t&L3

literal 0
HcmV?d00001

diff --git a/java/hsfs/src/main/java/com/logicalclocks/hsfs/metadata/HopsworksInternalClient.java b/java/hsfs/src/main/java/com/logicalclocks/hsfs/metadata/HopsworksInternalClient.java
index 0c370eb1b..047942a70 100644
--- a/java/hsfs/src/main/java/com/logicalclocks/hsfs/metadata/HopsworksInternalClient.java
+++ b/java/hsfs/src/main/java/com/logicalclocks/hsfs/metadata/HopsworksInternalClient.java
@@ -18,7 +18,6 @@
 package com.logicalclocks.hsfs.metadata;
 
 import com.logicalclocks.hsfs.FeatureStoreException;
-import jdk.nashorn.internal.runtime.regexp.joni.exception.InternalException;
 import lombok.Getter;
 import lombok.Setter;
 import org.apache.http.HttpHeaders;