zookeeper-dev mailing list archives

From anmolnar <...@git.apache.org>
Subject [GitHub] zookeeper pull request #184: ZOOKEEPER-236: SSL Support for Atomic Broadcast...
Date Fri, 15 Jun 2018 13:00:21 GMT
Github user anmolnar commented on a diff in the pull request:

    https://github.com/apache/zookeeper/pull/184#discussion_r195724314
  
    --- Diff: src/java/main/org/apache/zookeeper/server/quorum/Leader.java ---
    @@ -227,19 +229,36 @@ public boolean isQuorumSynced(QuorumVerifier qv) {
         
         private final ServerSocket ss;
     
    -    Leader(QuorumPeer self,LeaderZooKeeperServer zk) throws IOException {
    +    Leader(QuorumPeer self,LeaderZooKeeperServer zk) throws IOException, X509Exception
{
             this.self = self;
             this.proposalStats = new ProposalStats();
             try {
    -            if (self.getQuorumListenOnAllIPs()) {
    -                ss = new ServerSocket(self.getQuorumAddress().getPort());
    +            if (self.shouldUsePortUnification()) {
    +                if (self.getQuorumListenOnAllIPs()) {
    +                    ss = new UnifiedServerSocket(new QuorumX509Util(), self.getQuorumAddress().getPort());
    +                } else {
    +                    ss = new UnifiedServerSocket(new QuorumX509Util());
    +                }
    +            } else if (self.isSslQuorum()) {
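Review bot: `new QuorumX509Util()` is constructed inline in both branches of the `shouldUsePortUnification()` case (the `UnifiedServerSocket` call with the port and the one without); hoist it into a single local before the `if`, e.g. `QuorumX509Util x509Util = new QuorumX509Util();`, and pass `x509Util` to both constructors so the two branches cannot drift and the util is initialised once. The constructor now also declares `X509Exception`, so the `catch` belonging to the `try` opened just above this hunk should be checked to confirm it does not swallow that exception in a clause written for `IOException` only.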
    --- End diff --
    
    I just tried to change it in the way you suggested and it got broken. The idea is the following:
    
    - when you turn on `sslQuorum`, it means that the peer initiates SSL connections when trying to connect to other quorum members and at the same time accepts SSL connections *only*,
    - when you turn on `portUnification`, it means that the peer *accepts* both SSL and non-SSL connections, but still tries to initiate non-SSL connections,
    - if both of them are false, the peer initiates and accepts non-SSL connections only.
    
    Upgrade path is the following:
    1. Quorum runs with non-SSL connections,
    2. Rolling upgrade nodes by adding `portUnification=true`: peers still communicate without SSL, but are able to accept SSL connections as well,
    3. Rolling upgrade nodes by adding `sslQuorum=true`: peers accept both connections, but initiate with SSL,
    4. Rolling upgrade nodes by removing `portUnification`: peers accept and initiate SSL connections only.
    
    `QuorumSSLTest.testRollingUpgrade` covers the scenario.


---
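The flag semantics and the four-stage upgrade path in the comment above can be checked as a small model. The following is an added example, not ZooKeeper's code and not part of the pull request: `PeerConfig`, `can_connect`, `quorum_connected` and `rolling_upgrade` are constructed here, and the only rule encoded is the one the comment states (a peer's dial mode is decided by `sslQuorum`, and what it accepts is widened to both modes by `portUnification`). Flipping three peers one at a time through the documented path keeps every ordered pair connectable at every intermediate point, while the two shortcuts a practitioner is tempted by (turning on `sslQuorum` without `portUnification`, or dropping `portUnification` before peers dial TLS) leave the quorum partitioned mid-rollout.

```python
"""
Constructed model (added example, not ZooKeeper code) of the two quorum flags
described in the PR comment:

  sslQuorum        -> the peer *initiates* TLS; with portUnification off it
                      also *accepts* TLS only
  portUnification  -> the peer *accepts* both TLS and plain connections
                      (how it dials out is still governed by sslQuorum)

can_connect() encodes the single rule that makes a rolling upgrade safe or
not: the initiator's chosen mode must be one the acceptor is willing to take.
rolling_upgrade() flips peers one at a time through a sequence of
configurations and reports every point at which the quorum lost full
connectivity. Assumed names: PeerConfig, can_connect, quorum_connected,
rolling_upgrade and the *_PATH constants are all invented for this model.
"""
from dataclasses import dataclass
from itertools import permutations
from typing import FrozenSet, List, Sequence, Tuple


@dataclass(frozen=True)
class PeerConfig:
    ssl_quorum: bool = False        # sslQuorum=true/false
    port_unification: bool = False  # portUnification=true/false

    def initiates_ssl(self) -> bool:
        # Only sslQuorum decides how the peer dials out; portUnification alone
        # keeps dialing plain, exactly as the comment describes.
        return self.ssl_quorum

    def accepts(self) -> FrozenSet[str]:
        if self.port_unification:
            return frozenset({"ssl", "plain"})
        return frozenset({"ssl"} if self.ssl_quorum else {"plain"})


def can_connect(initiator: PeerConfig, acceptor: PeerConfig) -> bool:
    """True if a connection opened by `initiator` is accepted by `acceptor`."""
    mode = "ssl" if initiator.initiates_ssl() else "plain"
    return mode in acceptor.accepts()


def quorum_connected(peers: Sequence[PeerConfig]) -> bool:
    """Every ordered pair must be able to connect: any peer may dial any other."""
    return all(can_connect(a, b) for a, b in permutations(peers, 2))


def rolling_upgrade(n_peers: int, steps: Sequence[PeerConfig]) -> List[Tuple[int, int]]:
    """
    Start with n_peers plain peers, then for each step reconfigure peers one
    at a time (a rolling restart). Returns (step, peer) pairs after which the
    quorum was *not* fully connected; an empty list means the path is safe.
    """
    peers = [PeerConfig()] * n_peers
    broken: List[Tuple[int, int]] = []
    for step, target in enumerate(steps):
        for i in range(n_peers):
            peers[i] = target
            if not quorum_connected(peers):
                broken.append((step, i))
    return broken


# The documented path (stage 1 is the initial all-plain state).
SAFE_PATH = [
    PeerConfig(ssl_quorum=False, port_unification=True),   # 2. accept both, dial plain
    PeerConfig(ssl_quorum=True, port_unification=True),    # 3. accept both, dial TLS
    PeerConfig(ssl_quorum=True, port_unification=False),   # 4. TLS only
]

# Two shortcuts, both of which partition the quorum mid-rollout.
SKIP_UNIFICATION = [PeerConfig(ssl_quorum=True, port_unification=False)]
SKIP_STAGE_3 = [
    PeerConfig(ssl_quorum=False, port_unification=True),
    PeerConfig(ssl_quorum=True, port_unification=False),
]


if __name__ == "__main__":
    for name, path in [("documented path", SAFE_PATH),
                       ("sslQuorum without portUnification", SKIP_UNIFICATION),
                       ("portUnification removed before dialing TLS", SKIP_STAGE_3)]:
        broken = rolling_upgrade(3, path)
        print(f"{name}: {'ok' if not broken else 'quorum split after ' + str(broken)}")
```

The model is deliberately symmetric (every peer may dial every other), which is the worst case for a rolling change: a single peer whose dial mode is not in its neighbours' accept set, or whose accept set excludes its neighbours' dial mode, shows up as a break even if the real election traffic at that moment would happen to flow the other way.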
