zookeeper-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Abraham Fine <af...@apache.org>
Subject Requesting reviews for ZOOKEEPER-236: SSL Support for Atomic Broadcast protocol
Date Thu, 20 Apr 2017 21:22:51 GMT
Hello-

I have been continuing work on ZOOKEEPER-236 and it would be great to
get feedback from the community on the patch. The pull request can be
found here: https://github.com/apache/zookeeper/pull/184

ZOOKEEPER-236 provides the ability to use SSL/TLS to secure
communication within the ZooKeeper quorum.

Documentation will be handled in another pull request but the usage is
very similar to our existing Client <-> Quorum functionality, here is an
overview of the basic configuration. 

System properties are set on each member of the quorum, for example:
-Dzookeeper.ssl.quorum.keyStore.location=keystore.jks
-Dzookeeper.ssl.quorum.keyStore.password=password
-Dzookeeper.ssl.quorum.trustStore.location=truststore.jks

A flag is set in the cfg files:
sslQuorum=true

The best way to see all the functionality provided by this patch is to
take a look at the integration tests:
https://github.com/afine/zookeeper/blob/3c6c81b69b7105fa7c5235a0f27718a7eae195de/src/java/test/org/apache/zookeeper/test/QuorumSSLTest.java.
The integration tests contain examples showing how hostname
verification, rolling upgrades, cipher configuration, protocol
configuration, and certificate revocation are handled.

There is a current outstanding question regarding hostname verification,
please provide input here:
https://github.com/apache/zookeeper/pull/184#discussion_r111485824

Looking forward to hearing everyone's thoughts.

Thanks,
Abraham Fine



Mime
View raw message