zookeeper-dev mailing list archives

From "Abraham Fine (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-236) SSL Support for Atomic Broadcast protocol
Date Thu, 09 Mar 2017 03:46:38 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-236?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15902431#comment-15902431 ]

Abraham Fine commented on ZOOKEEPER-236:
----------------------------------------

[~geek101]-
bq. but also should work nicely/easily with most probable next thing an admin would do i.e
issue a reconfig() command
I agree that doing it through reconfig() does provide a more integrated user experience. But
I am not sure that it is what an "admin" would expect, as the rest of the Hadoop ecosystem
handles it the other way.

bq. Providing a Truststore and asking admins to manage them on their own for the entire quorum
will mean that this operation is not fault-tolerant i.e we are expecting them to first set
all members of the quorum to a consistent SSL config state and then issue reconfig() command.
I'm not sure that requiring proper SSL configuration for nodes before they join a cluster
is unreasonable to expect of an admin. I think this is a decision better left to the community.
 

bq. There are bugs like ZOOKEEPER-2164, ZOOKEEPER-1678 to consider along with ZOOKEEPER-901.
Netty or NIO will work but considering SSL will mean Netty will make it easier to implement.
I agree that there are some reasons to discuss using Netty for server<->server but I
think it is outside the scope of this JIRA.

bq. Doing this in phases is better,
I agree. What do you think about [~phunt]'s recommendation? Implement SSL in this JIRA in
the old-fashioned way (we could even backport to 3.4) here and open another JIRA for reconfig()
support.






> SSL Support for Atomic Broadcast protocol
> -----------------------------------------
>
>                 Key: ZOOKEEPER-236
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-236
>             Project: ZooKeeper
>          Issue Type: New Feature
>          Components: quorum, server
>            Reporter: Benjamin Reed
>            Assignee: Abraham Fine
>            Priority: Minor
>
> We should have the ability to use SSL to authenticate and encrypt the traffic between
ZooKeeper servers. For the most part this is a very easy change. We would probably only want
to support this for TCP based leader elections.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
