Files
ray-project--ray/python/ray/_common/tls_utils.py
T
2026-07-13 13:17:40 +08:00

102 lines
3.4 KiB
Python

"""TLS utilities shared across Ray libraries (e.g. Serve)."""
import datetime
import os
import socket
from typing import Tuple
from ray._common.network_utils import (
get_localhost_ip,
node_ip_address_from_perspective,
)
def generate_self_signed_tls_certs() -> Tuple[str, str]:
"""Create self-signed key/cert pair for testing.
Returns:
Tuple of (cert_pem_contents, key_pem_contents).
Raises:
ImportError: If the ``cryptography`` library is not installed.
"""
try:
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID
except ImportError as e:
raise ImportError(
"Using self-signed TLS certs requires `cryptography`. "
"Install it with: pip install cryptography"
) from e
key = rsa.generate_private_key(
public_exponent=65537, key_size=2048, backend=default_backend()
)
key_contents = key.private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.PKCS8,
encryption_algorithm=serialization.NoEncryption(),
).decode()
subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "ray-internal")])
altnames = x509.SubjectAlternativeName(
[
x509.DNSName(socket.gethostbyname(socket.gethostname())),
x509.DNSName(get_localhost_ip()),
x509.DNSName(node_ip_address_from_perspective()),
x509.DNSName("localhost"),
]
)
now = datetime.datetime.utcnow()
cert = (
x509.CertificateBuilder()
.subject_name(subject)
.issuer_name(subject)
.add_extension(altnames, critical=False)
.public_key(key.public_key())
.serial_number(x509.random_serial_number())
.not_valid_before(now)
.not_valid_after(now + datetime.timedelta(days=365))
.sign(key, hashes.SHA256(), default_backend())
)
cert_contents = cert.public_bytes(serialization.Encoding.PEM).decode()
return cert_contents, key_contents
def add_port_to_grpc_server(server, address):
import grpc
if os.environ.get("RAY_USE_TLS", "0").lower() in ("1", "true"):
server_cert_chain, private_key, ca_cert = load_certs_from_env()
credentials = grpc.ssl_server_credentials(
[(private_key, server_cert_chain)],
root_certificates=ca_cert,
require_client_auth=ca_cert is not None,
)
return server.add_secure_port(address, credentials)
else:
return server.add_insecure_port(address)
def load_certs_from_env():
tls_env_vars = ["RAY_TLS_SERVER_CERT", "RAY_TLS_SERVER_KEY", "RAY_TLS_CA_CERT"]
if any(v not in os.environ for v in tls_env_vars):
raise RuntimeError(
"If the environment variable RAY_USE_TLS is set to true "
"then RAY_TLS_SERVER_CERT, RAY_TLS_SERVER_KEY and "
"RAY_TLS_CA_CERT must also be set."
)
with open(os.environ["RAY_TLS_SERVER_CERT"], "rb") as f:
server_cert_chain = f.read()
with open(os.environ["RAY_TLS_SERVER_KEY"], "rb") as f:
private_key = f.read()
with open(os.environ["RAY_TLS_CA_CERT"], "rb") as f:
ca_cert = f.read()
return server_cert_chain, private_key, ca_cert