You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@zookeeper.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2017/03/06 23:19:33 UTC
[jira] [Commented] (ZOOKEEPER-236) SSL Support for Atomic Broadcast
protocol
[ https://issues.apache.org/jira/browse/ZOOKEEPER-236?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15898359#comment-15898359 ]
ASF GitHub Bot commented on ZOOKEEPER-236:
------------------------------------------
GitHub user afine opened a pull request:
https://github.com/apache/zookeeper/pull/184
ZOOKEEPER-236: SSL Support for Atomic Broadcast protocol [DO NOT MERGE]
This is a work in progress, I wanted to get some feedback from the community while I worked on this. Please do not merge yet. Tests, documentation, and some cleanup still coming.
This is a first pass at ssl support for the zookeeper quorum. It supports encrypting both leader election and normal operation.
Rolling upgrades are supported via port unification (`portUnification=true`). This should only be used while performing a rolling upgrade.
Some open questions:
- Anyone have any ideas for better names for the configuration options (`sslQuorum` and `portUnification` currently).
- I am using the same configuration that points to the truststore/keystore used for server <-> client ssl. Do they need to be separate?
- Is port unification the correct approach for rolling upgrades? Is the impact from the use of `BufferedSocket`s during the upgrade acceptable? See: http://stackoverflow.com/questions/25637039/detecting-ssl-connection-and-converting-socket-to-sslsocket http://stackoverflow.com/questions/6559859/is-it-possible-to-change-plain-socket-to-sslsocket
- server <-> client ssl is implemented with netty. I did not feel that rewriting our server <-> server logic with netty was necessary given how easy ssl was to implement with standard java `SSLSocket`s. Any arguments to the contrary?
Thanks,
Abe
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/afine/zookeeper ZOOKEEPER-236
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/zookeeper/pull/184.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #184
----
commit db33552046dea7e8e850945da4f18d18644d8ee5
Author: Abraham Fine <af...@apache.org>
Date: 2017-03-06T23:12:59Z
ZOOKEEPER-236: SSL Support for Atomic Broadcast protocol
----
> SSL Support for Atomic Broadcast protocol
> -----------------------------------------
>
> Key: ZOOKEEPER-236
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-236
> Project: ZooKeeper
> Issue Type: New Feature
> Components: quorum, server
> Reporter: Benjamin Reed
> Assignee: Abraham Fine
> Priority: Minor
>
> We should have the ability to use SSL to authenticate and encrypt the traffic between ZooKeeper servers. For the most part this is a very easy change. We would probably only want to support this for TCP based leader elections.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)