zookeeper-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Abraham Fine (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-236) SSL Support for Atomic Broadcast protocol
Date Wed, 08 Mar 2017 00:05:38 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-236?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15900423#comment-15900423

Abraham Fine commented on ZOOKEEPER-236:

Hi [~geek101]-

bq. if I understand correctly, both the operations of managing the certs (add/remove of certs)
and reconfig() API to change members of a quorum have to be fault-tolerant. 
Would you mind clarifying what you mean by "fault-tolerant" here? Can you give an example
of how a fault would break my patch?

bq. CA seems like the best way and simple way to go till such a time arrises when the CA has
to be changed.
You are correct in that there is certainly additional complexity involved here. But these
are "solved" problems that I don't feel we need to write a custom solution for.

bq. Also prevalent security considerations recommend revoking the cert of the Quorum member
that is removed. Again how do we accomplish this in a fault-tolerant way. Hence there is some
work still left to do in CA case.
Good point. I forgot to include a note on this with my patch. I was thinking supporting OCSP
(or even CRL's) would be a fine solution to that. What do you think?

bq. Also regarding the path forward do you think we should aim for a Trunk patch or patch
to 3.5?
I think we should aim for both.

bq. Let me know if I got something wrong and what do you think about bringing in Netty support
for Quorum communication.
What are your motivations for bringing in Netty?


> SSL Support for Atomic Broadcast protocol
> -----------------------------------------
>                 Key: ZOOKEEPER-236
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-236
>             Project: ZooKeeper
>          Issue Type: New Feature
>          Components: quorum, server
>            Reporter: Benjamin Reed
>            Assignee: Abraham Fine
>            Priority: Minor
> We should have the ability to use SSL to authenticate and encrypt the traffic between
ZooKeeper servers. For the most part this is a very easy change. We would probably only want
to support this for TCP based leader elections.

This message was sent by Atlassian JIRA

View raw message