zookeeper-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-236) SSL Support for Atomic Broadcast protocol
Date Mon, 01 May 2017 18:08:04 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-236?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15991205#comment-15991205
] 

ASF GitHub Bot commented on ZOOKEEPER-236:
------------------------------------------

Github user hanm commented on a diff in the pull request:

    https://github.com/apache/zookeeper/pull/184#discussion_r114167558
  
    --- Diff: src/java/main/org/apache/zookeeper/server/quorum/QuorumCnxManager.java ---
    @@ -438,9 +447,18 @@ synchronized private boolean connectOne(long sid, InetSocketAddress
electionAddr
             Socket sock = null;
             try {
                  LOG.debug("Opening channel to server " + sid);
    -             sock = new Socket();
    -             setSockOpts(sock);
    -             sock.connect(electionAddr, cnxTO);
    +             if (self.isSslQuorum()) {
    +                 SSLSocket sslSock = x509Util.createSSLSocket();
    +                 setSockOpts(sslSock);
    +                 sslSock.connect(electionAddr, cnxTO);
    +                 sslSock.startHandshake();
    --- End diff --
    
    This is a synchronous call and will block connectOne until the hand shake finishes. Current
cnx manager does blocking IO when handling connections so while hand shake is going on other
peers will not be able to connect to this server. This might not be a big problem with carefully
tuned initLimit / syncLimit, but I thought we might want mention this somewhere in doc or
wiki.
    
    An alternative would be making hand shake async so cnx manager does not block, but I am
currently leaning towards not do this and instead use ZOOKEEPER-900/901 to fix the root cause.


> SSL Support for Atomic Broadcast protocol
> -----------------------------------------
>
>                 Key: ZOOKEEPER-236
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-236
>             Project: ZooKeeper
>          Issue Type: New Feature
>          Components: quorum, security, server
>            Reporter: Benjamin Reed
>            Assignee: Abraham Fine
>              Labels: ssl
>
> We should have the ability to use SSL to authenticate and encrypt the traffic between
ZooKeeper servers. For the most part this is a very easy change. We would probably only want
to support this for TCP based leader elections.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Mime
View raw message