zookeeper-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From geek101 <...@git.apache.org>
Subject [GitHub] zookeeper pull request #188: ZOOKEEPER-236: SSL support for ZAB and FLE [DO ...
Date Fri, 10 Mar 2017 07:04:41 GMT
GitHub user geek101 opened a pull request:


    ZOOKEEPER-236: SSL support for ZAB and FLE [DO NOT MERGE]

    # Zookeeper FLE & ZAB SSL
    Provides SSL for Leader Election and ZAB i.e ports 3888 and 2888.
    Goal of this patch is to build on top of SSL changes for [branch-3.4](https://github.com/geek101/zookeeper/blob/branch-3.4/README_SSL.md)
    ### Some details
    * [X509Util](https://github.com/geek101/zookeeper/blob/branch-3.5-ssl-review5/src/java/main/org/apache/zookeeper/common/X509Util.java)

    becomes first class citizen and [QuorumX509Util](https://github.com/geek101/zookeeper/blob/branch-3.5-ssl-review5/src/java/main/org/apache/zookeeper/server/quorum/util/QuorumX509Util.java)
and [ServerX509Util](https://github.com/geek101/zookeeper/blob/branch-3.5-ssl-review5/src/java/main/org/apache/zookeeper/server/util/ServerX509Util.java)
    extend it.
    * [ZKConfig](https://github.com/geek101/zookeeper/blob/branch-3.5-ssl-review5/src/java/main/org/apache/zookeeper/common/ZKConfig.java)

    becomes an abstract class and [QuorumSslConfig](https://github.com/geek101/zookeeper/blob/branch-3.5-ssl-review5/src/java/main/org/apache/zookeeper/server/quorum/QuorumPeerConfig.java)
implement it.
    * Support for a Quorum peer to also be authenticated as a [ZK client](https://github.com/geek101/zookeeper/blob/branch-3.5-ssl-review5/src/java/main/org/apache/zookeeper/server/util/ServerX509Util.java#L62)
    will be removed if it breaks security and or is not needed)
    ##### Building
    git checkout branch-3.5-ssl-review5
    ant jar
    Args to enable SSL:
    -Dquorum.ssl.keyStore.location="<Private key and signed cert, key store file>"
    -Dquorum.ssl.keyStore.password="<Password for the above>"
    -Dquorum.ssl.trustStore.location="<Root CA cert, key store file>"
    -Dquorum.ssl.trustStore.password="<Password for the above>"
    Example run command:
    java -Dquorum.ssl.enabled="true" -Dquorum.ssl.keyStore.location="node1.ks" 
    -Dquorum.ssl.keyStore.password="CertPassword1" -Dquorum.ssl.trustStore.location="truststore.ks"
-Dquorum.ssl.trustStore.password="StorePass" -cp zookeeper.jar:lib/* org.apache.zookeeper.server.quorum.QuorumPeerMain

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/geek101/zookeeper branch-3.5-ssl-review6

Alternatively you can review and apply these changes as the patch at:


To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #188
commit 2fe3e971839dfa9d3a5040990e50b5cb657502e3
Author: Powell Molleti <powellm79@yahoo.com>
Date:   2016-08-14T02:27:03Z

    SSL support for ZAB and FLE.
    Pass ZKConfig() around to make things work.
    Seperate SSL config for client and quorum
    Quorum servers will have different properties for
    SSL config, example:
    Enable each zookeeper node will be able to also allowed to be authenticated
    as a client using dynamic reconfig.
    Basic algorithm for various SSL connections.
      1. Use the given truststore if available
      1. Use the given truststore if available
      1. Use the given truststore if available
    Add README to help explain what this code tries to accomplish.


If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.

View raw message