You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@zookeeper.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2017/03/06 23:19:33 UTC

[jira] [Commented] (ZOOKEEPER-236) SSL Support for Atomic Broadcast protocol

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-236?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15898359#comment-15898359 ] 

ASF GitHub Bot commented on ZOOKEEPER-236:
------------------------------------------

GitHub user afine opened a pull request:

    https://github.com/apache/zookeeper/pull/184

    ZOOKEEPER-236: SSL Support for Atomic Broadcast protocol [DO NOT MERGE]

    This is a work in progress, I wanted to get some feedback from the community while I worked on this. Please do not merge yet. Tests, documentation, and some cleanup still coming. 
    
    This is a first pass at ssl support for the zookeeper quorum. It supports encrypting both leader election and normal operation.
    
    Rolling upgrades are supported via port unification (`portUnification=true`). This should only be used while performing a rolling upgrade.
    
    Some open questions:
    - Anyone have any ideas for better names for the configuration options (`sslQuorum` and `portUnification` currently).
    - I am using the same configuration that points to the truststore/keystore used for server <-> client ssl. Do they need to be separate?
    - Is port unification the correct approach for rolling upgrades? Is the impact from the use of `BufferedSocket`s during the upgrade acceptable? See: http://stackoverflow.com/questions/25637039/detecting-ssl-connection-and-converting-socket-to-sslsocket http://stackoverflow.com/questions/6559859/is-it-possible-to-change-plain-socket-to-sslsocket
    - server <-> client ssl is implemented with netty. I did not feel that rewriting our server <-> server logic with netty was necessary given how easy ssl was to implement with standard java `SSLSocket`s. Any arguments to the contrary?
    
    Thanks,
    Abe

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/afine/zookeeper ZOOKEEPER-236

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/zookeeper/pull/184.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #184
    
----
commit db33552046dea7e8e850945da4f18d18644d8ee5
Author: Abraham Fine <af...@apache.org>
Date:   2017-03-06T23:12:59Z

    ZOOKEEPER-236: SSL Support for Atomic Broadcast protocol

----


> SSL Support for Atomic Broadcast protocol
> -----------------------------------------
>
>                 Key: ZOOKEEPER-236
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-236
>             Project: ZooKeeper
>          Issue Type: New Feature
>          Components: quorum, server
>            Reporter: Benjamin Reed
>            Assignee: Abraham Fine
>            Priority: Minor
>
> We should have the ability to use SSL to authenticate and encrypt the traffic between ZooKeeper servers. For the most part this is a very easy change. We would probably only want to support this for TCP based leader elections.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)