apache · bitflicker64 · Mar 5, 2026 · Mar 11, 2026
diff --git a/hugegraph-pd/hg-pd-core/src/main/java/org/apache/hugegraph/pd/raft/RaftEngine.java b/hugegraph-pd/hg-pd-core/src/main/java/org/apache/hugegraph/pd/raft/RaftEngine.java
@@ -23,6 +23,7 @@
 import java.util.HashSet;
 import java.util.List;
 import java.util.Objects;
+import java.util.Set;
 import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.CountDownLatch;
 import java.util.concurrent.ExecutionException;
@@ -40,7 +41,6 @@
 import com.alipay.sofa.jraft.JRaftUtils;
 import com.alipay.sofa.jraft.Node;
 import com.alipay.sofa.jraft.RaftGroupService;
-import com.alipay.sofa.jraft.ReplicatorGroup;
 import com.alipay.sofa.jraft.Status;
 import com.alipay.sofa.jraft.conf.Configuration;
 import com.alipay.sofa.jraft.core.Replicator;
@@ -54,7 +54,6 @@
 import com.alipay.sofa.jraft.rpc.RpcServer;
 import com.alipay.sofa.jraft.rpc.impl.BoltRpcServer;
 import com.alipay.sofa.jraft.util.Endpoint;
-import com.alipay.sofa.jraft.util.ThreadId;
 import com.alipay.sofa.jraft.util.internal.ThrowUtil;
 
 import io.netty.channel.ChannelHandler;
@@ -326,6 +325,23 @@ public Status changePeerList(String peerList) {
                 latch.countDown();
             });
             latch.await();
+
+            // Refresh IpAuthHandler so newly added peers are not blocked
+            if (result.get() != null && result.get().isOk()) {
+                IpAuthHandler handler = IpAuthHandler.getInstance();
+                if (handler != null) {
+                    Set<String> newIps = newPeers.getPeers()
+                                                 .stream()
+                                                 .map(PeerId::getIp)
+                                                 .collect(Collectors.toSet());
+                    handler.refresh(newIps);
+                    log.info("IpAuthHandler refreshed after peer list change to: {}", peerList);
+                } else {
+                    log.warn("IpAuthHandler not initialized, skipping refresh for peer list: {}",
+                             peerList);
+                }
+            }
+
         } catch (Exception e) {
             log.error("failed to changePeerList to {},{}", peerList, e);
             result.set(new Status(-1, e.getMessage()));

diff --git a/hugegraph-pd/hg-pd-core/src/main/java/org/apache/hugegraph/pd/raft/auth/IpAuthHandler.java b/hugegraph-pd/hg-pd-core/src/main/java/org/apache/hugegraph/pd/raft/auth/IpAuthHandler.java
@@ -17,8 +17,11 @@
 
 package org.apache.hugegraph.pd.raft.auth;
 
+import java.net.InetAddress;
 import java.net.InetSocketAddress;
+import java.net.UnknownHostException;
 import java.util.Collections;
+import java.util.HashSet;
 import java.util.Set;
 
 import io.netty.channel.ChannelDuplexHandler;
@@ -30,11 +33,11 @@
 @ChannelHandler.Sharable
 public class IpAuthHandler extends ChannelDuplexHandler {
 
-    private final Set<String> allowedIps;
+    private volatile Set<String> resolvedIps;
     private static volatile IpAuthHandler instance;
 
     private IpAuthHandler(Set<String> allowedIps) {
-        this.allowedIps = Collections.unmodifiableSet(allowedIps);
+        this.resolvedIps = resolveAll(allowedIps);
     }
 
     public static IpAuthHandler getInstance(Set<String> allowedIps) {
@@ -48,6 +51,25 @@ public static IpAuthHandler getInstance(Set<String> allowedIps) {
         return instance;
     }
 
+    /**
+     * Returns the existing singleton instance, or null if not yet initialized.
+     * Should only be called after getInstance(Set) has been called during startup.
+     */
+    public static IpAuthHandler getInstance() {
+        return instance;
+    }
+
+    /**
+     * Refreshes the resolved IP allowlist from a new set of hostnames or IPs.
+     * Should be called when the Raft peer list changes via RaftEngine#changePeerList().
+     * Note: DNS-only changes (e.g. container restart with new IP, same hostname)
+     * are not automatically detected and still require a process restart.
+     */
+    public void refresh(Set<String> newAllowedIps) {
+        this.resolvedIps = resolveAll(newAllowedIps);
+        log.info("IpAuthHandler allowlist refreshed, resolved {} entries", resolvedIps.size());
+    }
+
     @Override
     public void channelActive(ChannelHandlerContext ctx) throws Exception {
         String clientIp = getClientIp(ctx);
@@ -65,7 +87,25 @@ private static String getClientIp(ChannelHandlerContext ctx) {
     }
 
     private boolean isIpAllowed(String ip) {
-        return allowedIps.isEmpty() || allowedIps.contains(ip);
+        Set<String> resolved = this.resolvedIps;
+        // Empty allowlist means no restriction is configured — allow all
+        return resolved.isEmpty() || resolved.contains(ip);
+    }
+
+    private static Set<String> resolveAll(Set<String> entries) {
+        Set<String> result = new HashSet<>(entries);
+
+        for (String entry : entries) {
+            try {
+                for (InetAddress addr : InetAddress.getAllByName(entry)) {
+                    result.add(addr.getHostAddress());
+                }
+            } catch (UnknownHostException e) {
+                log.warn("Could not resolve allowlist entry '{}': {}", entry, e.getMessage());
+            }
+        }
+
+        return Collections.unmodifiableSet(result);
     }
 
     @Override

diff --git a/hugegraph-pd/hg-pd-test/src/main/java/org/apache/hugegraph/pd/core/PDCoreSuiteTest.java b/hugegraph-pd/hg-pd-test/src/main/java/org/apache/hugegraph/pd/core/PDCoreSuiteTest.java
@@ -19,6 +19,7 @@
 
 import org.apache.hugegraph.pd.core.meta.MetadataKeyHelperTest;
 import org.apache.hugegraph.pd.core.store.HgKVStoreImplTest;
+import org.apache.hugegraph.pd.raft.IpAuthHandlerTest;
 import org.junit.runner.RunWith;
 import org.junit.runners.Suite;
 
@@ -36,6 +37,7 @@
         StoreMonitorDataServiceTest.class,
         StoreServiceTest.class,
         TaskScheduleServiceTest.class,
+        IpAuthHandlerTest.class,
         // StoreNodeServiceTest.class,
 })
 @Slf4j

diff --git a/hugegraph-pd/hg-pd-test/src/main/java/org/apache/hugegraph/pd/raft/IpAuthHandlerTest.java b/hugegraph-pd/hg-pd-test/src/main/java/org/apache/hugegraph/pd/raft/IpAuthHandlerTest.java
@@ -0,0 +1,90 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hugegraph.pd.raft;
+
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Set;
+
+import org.apache.hugegraph.pd.raft.auth.IpAuthHandler;
+import org.apache.hugegraph.testutil.Whitebox;
+import org.junit.After;
+import org.junit.Assert;
+import org.junit.Test;
+
+public class IpAuthHandlerTest {
+
+    @After
+    public void tearDown() {
+        Whitebox.setInternalState(IpAuthHandler.class, "instance", null);
+    }
+
+    private boolean isIpAllowed(IpAuthHandler handler, String ip) {
+        return Whitebox.invoke(IpAuthHandler.class,
+                               new Class[]{String.class},
+                               "isIpAllowed", handler, ip);
+    }
+
+    @Test
+    public void testHostnameResolvesToIp() {
+        // "localhost" should resolve to "127.0.0.1"
+        IpAuthHandler handler = IpAuthHandler.getInstance(
+                Collections.singleton("localhost"));
+        Assert.assertTrue(isIpAllowed(handler, "127.0.0.1"));
+    }
+
+    @Test
+    public void testUnresolvableHostnameDoesNotCrash() {
+        // Should log a warning and skip — no exception thrown
+        IpAuthHandler handler = IpAuthHandler.getInstance(
+                Collections.singleton("nonexistent.invalid.hostname"));
+        // unresolvable entry is skipped so 127.0.0.1 should not be allowed
+        Assert.assertFalse(isIpAllowed(handler, "127.0.0.1"));
+    }
+
+    @Test
+    public void testRefreshUpdatesResolvedIps() {
+        // Start with 127.0.0.1
+        IpAuthHandler handler = IpAuthHandler.getInstance(
+                Collections.singleton("127.0.0.1"));
+        Assert.assertTrue(isIpAllowed(handler, "127.0.0.1"));
+
+        // Refresh with a different IP
+        Set<String> newIps = new HashSet<>();
+        newIps.add("192.168.0.1");
+        handler.refresh(newIps);
+
+        Assert.assertFalse(isIpAllowed(handler, "127.0.0.1"));
+        Assert.assertTrue(isIpAllowed(handler, "192.168.0.1"));
+    }
+
+    @Test
+    public void testEmptyAllowlistAllowsAll() {
+        // Empty allowlist = no restriction = allow all
+        IpAuthHandler handler = IpAuthHandler.getInstance(
+                Collections.emptySet());
+        Assert.assertTrue(isIpAllowed(handler, "1.2.3.4"));
+        Assert.assertTrue(isIpAllowed(handler, "192.168.99.99"));
+    }
+
+    @Test
+    public void testGetInstanceReturnsNullBeforeInit() {
+        // After tearDown resets singleton, no-arg getInstance returns null
+        Assert.assertNull(IpAuthHandler.getInstance());
+    }
+}