diff --git a/.github/workflows/object_store.yml b/.github/workflows/object_store.yml
index 1b991e33c097..42b4694c2489 100644
--- a/.github/workflows/object_store.yml
+++ b/.github/workflows/object_store.yml
@@ -55,13 +55,13 @@ jobs:
 - name: Run clippy with default features
 run: cargo clippy -- -D warnings
 - name: Run clippy with aws feature
- run: cargo clippy --features aws -- -D warnings
+ run: cargo clippy --features aws,tls-webpki-roots -- -D warnings
 - name: Run clippy with gcp feature
- run: cargo clippy --features gcp -- -D warnings
+ run: cargo clippy --features gcp,tls-webpki-roots -- -D warnings
 - name: Run clippy with azure feature
- run: cargo clippy --features azure -- -D warnings
+ run: cargo clippy --features azure,tls-webpki-roots -- -D warnings
 - name: Run clippy with http feature
- run: cargo clippy --features http -- -D warnings
+ run: cargo clippy --features http,tls-webpki-roots -- -D warnings
 - name: Run clippy with all features
 run: cargo clippy --all-features -- -D warnings
 - name: Run clippy with all features and all targets
@@ -150,7 +150,7 @@ jobs:
 rustup default stable
 - name: Run object_store tests
- run: cargo test --features=aws,azure,gcp,http
+ run: cargo test --features=aws,azure,gcp,http,tls-webpki-roots
 
 # test the object_store crate builds against wasm32 in stable rust
 wasm32-build:
diff --git a/object_store/Cargo.toml b/object_store/Cargo.toml
index 7fcb6ce9e3f1..53d5955aa0ee 100644
--- a/object_store/Cargo.toml
+++ b/object_store/Cargo.toml
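Review bot: Every clippy and test step now enables only `tls-webpki-roots`, so the new `tls-native-roots` feature is never built on its own; `--all-features` compiles it only together with webpki roots, which would hide a build or lint problem specific to the native-roots configuration (for example a platform-specific issue in the native certificate loader the feature presumably pulls in). Adding one step such as `run: cargo clippy --features aws,tls-native-roots -- -D warnings`, and ideally a second `cargo test` invocation in the second hunk with `tls-native-roots` in place of `tls-webpki-roots`, would cover both configurations. The `jobs:` mapping these steps belong to starts before and ends after the hunk.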
@@ -50,7 +50,7 @@ quick-xml = { version = "0.31.0", features = ["serialize", "overlapped-lists"],
 serde = { version = "1.0", default-features = false, features = ["derive"], optional = true }
 serde_json = { version = "1.0", default-features = false, optional = true }
 rand = { version = "0.8", default-features = false, features = ["std", "std_rng"], optional = true }
-reqwest = { version = "0.11", default-features = false, features = ["rustls-tls"], optional = true }
+reqwest = { version = "0.11", default-features = false, features = ["rustls-tls-manual-roots"], optional = true }
 ring = { version = "0.17", default-features = false, features = ["std"], optional = true }
 rustls-pemfile = { version = "1.0", default-features = false, optional = true }
 tokio = { version = "1.25.0", features = ["sync", "macros", "rt", "time", "io-util"] }
@@ -64,6 +64,8 @@ azure = ["cloud"]
 gcp = ["cloud", "rustls-pemfile"]
 aws = ["cloud"]
 http = ["cloud"]
+tls-native-roots = ["reqwest?/rustls-tls-native-roots"]
+tls-webpki-roots = ["reqwest?/rustls-tls-webpki-roots"]
 
 [dev-dependencies] # In alphabetical order
 tempfile = "3.1.0"
diff --git a/object_store/src/lib.rs b/object_store/src/lib.rs
index cdd572dd9b3a..71ba1d554a42 100644
--- a/object_store/src/lib.rs
+++ b/object_store/src/lib.rs
@@ -86,6 +86,13 @@ doc = "* [`http`]: [HTTP/WebDAV Storage](https://datatracker.ietf.org/doc/html/rfc2518). See [`HttpBuilder`](http::HttpBuilder)"
 )]
 //!
+//! Stores that use HTTPS/TLS (this is true for most cloud stores) can use the source of their [CA]
+//! certificates. This is controlled by a feature switch:
+//!
+//! - `tls-native-roots`: use certificates bundled with the operating system, see [`rustls-native-certs`]
+//! - `tls-webpki-roots`: use Mozilla's root certificates bundled with the library/application, see
 //! [`webpki-roots`]
+//!
 //! # Why not a Filesystem Interface?
 //!
 //! Whilst this crate does provide a [`BufReader`], the [`ObjectStore`] interface mirrors the APIs
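Review bot: The new `tls-native-roots` and `tls-webpki-roots` entries in the second hunk carry no comment, yet enabling any of `aws`, `gcp`, `azure` or `http` now fails to build unless one of them is also enabled (lib.rs in this same change adds a `compile_error!` for that), which is a breaking change for every existing user of those features. A comment above the two lines, e.g. `# At least one of these must be enabled together with a cloud store feature; see the crate docs for the trade-offs`, would make that visible where users look first. The switch to `rustls-tls-manual-roots` in the first hunk is what removes reqwest's default root store, so it is worth stating in the commit description that without one of the new features no CA roots are trusted at all.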
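Review bot: The added sentence "can use the source of their [CA] certificates" reads as a capability rather than a choice, and the list does not say that one of the two features is mandatory or what the operational difference between them is. Suggest `//! Stores that use HTTPS/TLS (this is true for most cloud stores) need a source of trusted [CA] root certificates; one of the following features must be enabled, otherwise the crate fails to compile:`, and for the two bullets a note that `tls-native-roots` follows the host's trust store (so CAs installed on the machine are honoured and the host's updates apply) while `tls-webpki-roots` trusts only the Mozilla bundle compiled into the binary, which ignores host-installed CAs and is refreshed only by updating the dependency. The surrounding `//!` module docs continue outside the hunk.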
@@ -434,7 +441,10 @@
 //!
 //! [Optimistic Concurrency Control]: https://en.wikipedia.org/wiki/Optimistic_concurrency_control
 //! [Apache Iceberg]: https://iceberg.apache.org/
+//! [CA]: https://en.wikipedia.org/wiki/Certificate_authority
 //! [Delta Lake]: https://delta.io/
+//! [`rustls-native-certs`]: https://crates.io/crates/rustls-native-certs/
+//! [`webpki-roots`]: https://crates.io/crates/webpki-roots
 //!
 
 #[cfg(all(
@@ -443,6 +453,13 @@
 ))]
 compile_error!("Features 'gcp', 'aws', 'azure', 'http' are not supported on wasm.");
 
+#[cfg(all(
+ feature = "cloud",
+ not(feature = "tls-native-roots"),
+ not(feature = "tls-webpki-roots"),
+))]
+compile_error!("Feature 'cloud' needs at a CA root feature, use either 'tls-native-roots' or 'tls-webpki-roots'.");
+
 #[cfg(feature = "aws")]
 pub mod aws;
 #[cfg(feature = "azure")]
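Review bot: The new `compile_error!` message has a typo, "needs at a CA root feature", and its "use either" wording suggests the two features are mutually exclusive although both can be enabled together, as `--all-features` does. Suggest `compile_error!("Feature 'cloud' needs a CA root feature: enable 'tls-native-roots' and/or 'tls-webpki-roots'.");`. A short comment above the `#[cfg(all(` would also help a reader who meets this error, e.g. `// reqwest is built with manual roots, so without one of these features no CA would be trusted and TLS connections would presumably fail only at runtime; fail at build time instead`. Minor: the `rustls-native-certs` link in the previous hunk has a trailing slash while the `webpki-roots` one does not.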