Posted to user@zookeeper.apache.org by Matt Wise <ma...@nextdoor.com> on 2013/03/09 00:13:35 UTC

Zookeeper and SSL...

Currently we run Zookeeper out on the big bad scary internet using Stunnel as an encryption and authentication system for our clients. Our single 5-node Zookeeper quorum is in a single datacenter where we can control network access and feel reasonably safe.

I've been thinking about scale recently, and I would love to be able to put Zookeeper Observer nodes in each of our regions. We don't use VPC or any other network-to-network tunneling technology. Stunnel is simple when you have one client, and one endpoint, but it sucks when you have multiple servers all trying to talk to each other.

Are there any plans to add SSL support to Zookeeper? Specifically to its own private cluster communication ports? If not, what about running a Zookeeper Observer in a "client" mode where I can point it to any of our 5 quorum servers, and it acts as a kind of proxy for data -- without really "joining" the cluster?

--Matt


Re: Zookeeper and SSL...

Posted by Edward Ribeiro <ed...@gmail.com>.
Hi,

My two cents: ZooKeeper's support for encryption between servers and
between client and server has not progressed so far:

https://issues.apache.org/jira/browse/ZOOKEEPER-236

https://issues.apache.org/jira/browse/ZOOKEEPER-235

https://issues.apache.org/jira/browse/ZOOKEEPER-1000

Plus, you can find an interesting discussion here:
http://zookeeper-user.578899.n2.nabble.com/Linking-two-sites-via-two-Zookeeper-instances-td7578441.html

Edward

On Sat, Mar 16, 2013 at 1:38 PM, Matt Wise <ma...@nextdoor.com> wrote:

> No thoughts on encrypting and authenticating zookeeper-to-zookeeper
> communication?
>
> On Mar 8, 2013, at 3:13 PM, Matt Wise <ma...@nextdoor.com> wrote:
>
> > Currently we run Zookeeper out on the big bad scary internet using
> > Stunnel as an encryption and authentication system for our clients. Our
> > single 5-node Zookeeper quorum is in a single datacenter where we can
> > control network access and feel reasonably safe.
> >
> > I've been thinking about scale recently, and I would love to be able to
> > put Zookeeper Observer nodes in each of our regions. We don't use VPC or
> > any other network-to-network tunneling technology. Stunnel is simple when
> > you have one client, and one endpoint, but it sucks when you have multiple
> > servers all trying to talk to each other.
> >
> > Are there any plans to add SSL support to Zookeeper? Specifically to its
> > own private cluster communication ports? If not, what about running a
> > Zookeeper Observer in a "client" mode where I can point it to any of our 5
> > quorum servers, and it acts as a kind of proxy for data -- without really
> > "joining" the cluster?
> >
> > --Matt

Re: Zookeeper and SSL...

Posted by Matt Wise <ma...@nextdoor.com>.
No thoughts on encrypting and authenticating zookeeper-to-zookeeper communication?

On Mar 8, 2013, at 3:13 PM, Matt Wise <ma...@nextdoor.com> wrote:

> Currently we run Zookeeper out on the big bad scary internet using Stunnel as an encryption and authentication system for our clients. Our single 5-node Zookeeper quorum is in a single datacenter where we can control network access and feel reasonably safe.
> 
> I've been thinking about scale recently, and I would love to be able to put Zookeeper Observer nodes in each of our regions. We don't use VPC or any other network-to-network tunneling technology. Stunnel is simple when you have one client, and one endpoint, but it sucks when you have multiple servers all trying to talk to each other.
> 
> Are there any plans to add SSL support to Zookeeper? Specifically to its own private cluster communication ports? If not, what about running a Zookeeper Observer in a "client" mode where I can point it to any of our 5 quorum servers, and it acts as a kind of proxy for data -- without really "joining" the cluster?
> 
> --Matt
>