You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@zookeeper.apache.org by "Sankalp Bhatia (Jira)" <ji...@apache.org> on 2020/02/27 18:52:00 UTC

[jira] [Commented] (ZOOKEEPER-3689) zkCli/ZooKeeperMain relies on system properties for TLS config

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-3689?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17046889#comment-17046889 ] 

Sankalp Bhatia commented on ZOOKEEPER-3689:
-------------------------------------------

Hi [~eolivelli] , [~rndgstn]

Instead of setting system properties, how about we add a simple constructor to the ZookeeperAdmin class like 



 
{code:java}
public ZooKeeperAdmin(String connectString, int sessionTimeout, Watcher watcher, ZKClientConfig clientConfig, boolean canBeReadOnly) throws IOException {
super(connectString, sessionTimeout, watcher, canBeReadOnly, clientConfig);
}
{code}
 

and then create the ZookeeperAdmin instance with something like 

 

 

 
{code:java}
zk = new ZooKeeperAdmin(host, Integer.parseInt(cl.getOption("timeout")), new MyWatcher(), new ZKClientConfig(cl.getOption("client-configuration-file")), readOnly);
{code}
 

 

I saw an instance where a client had to choose between having the readOnly flag and setting clientConfig because of not having a constructor with both fields; clientConfig and canBeReadOnly. Ref: [https://tiny.amazon.com/k989fzab/githapackafkblob342fcoresrc]

 

Also, this looks like a good first contribution opportunity for a newbie. Do you mind if i assign it to myself? 

 

Thanks,

Sankalp

> zkCli/ZooKeeperMain relies on system properties for TLS config
> --------------------------------------------------------------
>
>                 Key: ZOOKEEPER-3689
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3689
>             Project: ZooKeeper
>          Issue Type: New Feature
>          Components: security, server
>    Affects Versions: 3.6.0, 3.5.5, 3.5.6
>            Reporter: Ron Dagostino
>            Priority: Major
>
> The command line client to ZooKeeper (org.apache.zookeeper.ZooKeeperMain, invoked via bin/zkCli.{bat,sh}) has no facility for accepting TLS client configuration (e.g. keystore/truststore location and password) except via system properties.  System properties must be passed on the command line as "-D" arguments and are inherently not secure.  There should be a way to pass the client TLS configuration to org.apache.zookeeper.ZooKeeperMain in a more secure way (e.g. via a file).



--
This message was sent by Atlassian Jira
(v8.3.4#803005)