diff --git a/hugegraph-pd/hg-pd-core/src/main/java/org/apache/hugegraph/pd/raft/auth/IpAuthHandler.java b/hugegraph-pd/hg-pd-core/src/main/java/org/apache/hugegraph/pd/raft/auth/IpAuthHandler.java
index 2ac384541d..38ab3e9cf3 100644
--- a/hugegraph-pd/hg-pd-core/src/main/java/org/apache/hugegraph/pd/raft/auth/IpAuthHandler.java
+++ b/hugegraph-pd/hg-pd-core/src/main/java/org/apache/hugegraph/pd/raft/auth/IpAuthHandler.java
@@ -18,7 +18,10 @@
 package org.apache.hugegraph.pd.raft.auth;
 import java.net.InetSocketAddress;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
 import java.util.Collections;
+import java.util.HashSet;
 import java.util.Set;
 import io.netty.channel.ChannelDuplexHandler;
@@ -30,11 +33,14 @@
 @ChannelHandler.Sharable
 public class IpAuthHandler extends ChannelDuplexHandler {
+ // Retained for potential refresh of resolvedIps on membership changes
 private final Set allowedIps;
+ private volatile Set resolvedIps;
 private static volatile IpAuthHandler instance;
 private IpAuthHandler(Set allowedIps) {
 this.allowedIps = Collections.unmodifiableSet(allowedIps);
+ this.resolvedIps = resolveAll(allowedIps);
 }
 public static IpAuthHandler getInstance(Set allowedIps) {
@@ -65,7 +71,24 @@ private static String getClientIp(ChannelHandlerContext ctx) {
 }
 private boolean isIpAllowed(String ip) {
- return allowedIps.isEmpty() || allowedIps.contains(ip);
+ Set resolved = this.resolvedIps;
+ return resolved.isEmpty() || resolved.contains(ip);
+ }
+
+ private static Set resolveAll(Set entries) {
+ Set result = new HashSet<>(entries);
+
+ for (String entry : entries) {
+ try {
+ for (InetAddress addr : InetAddress.getAllByName(entry)) {
+ result.add(addr.getHostAddress());
+ }
+ } catch (UnknownHostException e) {
+ log.warn("Could not resolve allowlist entry '{}': {}", entry, e.getMessage());
+ }
+ }
+
+ return Collections.unmodifiableSet(result);
 }
 @Override
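Review bot: `resolvedIps` is assigned only in the constructor in the visible lines, so allowlisted hostnames are resolved exactly once; the `volatile` modifier and the "Retained for potential refresh" comment describe a refresh path that this hunk does not add. Until one exists, a peer whose DNS record changes is rejected and the address it previously held stays admitted for the lifetime of the singleton. The old check also read a live view of the caller's set (`Collections.unmodifiableSet(allowedIps)`), so if any caller mutated that set after construction, the snapshot taken by `resolveAll` would no longer honour it; that depends on callers outside the hunk. I would either add `public void refresh() { this.resolvedIps = resolveAll(this.allowedIps); }` and call it on membership changes, or reword the comment to `// Resolved once at construction; DNS or membership changes are not picked up until the handler is rebuilt`. The class body and `getInstance` continue outside the hunk.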
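Review bot: Resolving hostnames in `resolveAll` makes the Raft allowlist only as trustworthy as the resolver's answers at start-up, and nothing records which addresses were actually admitted. An entry that fails to resolve is only warned about, and one that resolves to an unexpected address is added silently, so operators cannot audit the effective list. I would log each mapping in the inner loop, e.g. `log.info("Allowlist entry '{}' admits {}", entry, addr.getHostAddress());`, and state in a Javadoc on `resolveAll` that hostname entries belong only where name resolution is under the cluster operator's control. The match in `isIpAllowed` is a string comparison, so it also relies on `getClientIp` (body outside the hunk) producing the same textual form as `getHostAddress()`, which for IPv6 is the uncompressed form and may carry a `%scope` suffix. `resolved.isEmpty()` keeps the existing behaviour of admitting every peer when no entries are configured, which deserves a comment of its own.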