zookeeper-issues mailing list archives

From "Hudson (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-3388) Allow client port to support plaintext and encrypted connections simultaneously
Date Tue, 04 Jun 2019 23:41:00 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-3388?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16856196#comment-16856196 ]

Hudson commented on ZOOKEEPER-3388:

FAILURE: Integrated in Jenkins build ZooKeeper-trunk #555 (See [https://builds.apache.org/job/ZooKeeper-trunk/555/])
ZOOKEEPER-3388: Allow client port to support plaintext and encrypted … (hanm: rev d98a692ff4482f1d97774f25a158ca5473c455e0)
* (edit) zookeeper-server/src/main/java/org/apache/zookeeper/server/NettyServerCnxnFactory.java
* (edit) pom.xml
* (edit) zookeeper-server/src/main/java/org/apache/zookeeper/common/SSLContextAndOptions.java
* (edit) zookeeper-server/src/test/java/org/apache/zookeeper/test/ClientSSLTest.java
* (edit) build.xml
* (edit) zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md
* (edit) zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java
* (edit) zookeeper-server/src/main/java/org/apache/zookeeper/server/quorum/QuorumPeerConfig.java

> Allow client port to support plaintext and encrypted connections simultaneously
> -------------------------------------------------------------------------------
>                 Key: ZOOKEEPER-3388
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3388
>             Project: ZooKeeper
>          Issue Type: Improvement
>          Components: server
>    Affects Versions: 3.6.0
>            Reporter: Brian Nixon
>            Priority: Minor
>              Labels: pull-request-available
>             Fix For: 3.6.0
>          Time Spent: 2h 20m
>  Remaining Estimate: 0h
> ZOOKEEPER-2125 extended the ZooKeeper server-side to handle encrypted client connections
> by allowing the server to open a second client port (the secure client port) to manage this
> new style of traffic. A server is able to handle plaintext and encrypted clients simultaneously
> by managing each on their respective ports.
>
> When it comes time to get all clients connecting to your system to start using encryption,
> this approach requires that they make two changes simultaneously: altering their client properties
> to start using the secure settings and altering the routing information that they provide in
> order to know where to connect with the ensemble. If either is misconfigured then the client
> is cut off from the ensemble. With a large deployment of clients that are owned by
> different teams and different tools, this presents a danger in activating the feature. Ideally, the
> two changes could be staggered so that first the encryption feature is activated and then
> the routing information is changed in a subsequent phase.
>
> Allow the server connection factory managing the regular client port to handle both plaintext
> and encrypted connections. This will be independent of the operation of the server connection
> factory managing the secure client port but similar settings ought to apply to both (e.g.
> cipher suites) to maintain intercompatibility.

This message was sent by Atlassian JIRA
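
An added example, not part of the original message or of the ZooKeeper code base: when one port accepts both plaintext and encrypted clients, the first bytes of each connection tell the two apart, which also lets an operator list the clients still connecting in plaintext before the routing change is made. The function names, client labels and sample bytes are constructed for illustration, and the plaintext samples assume a length-prefixed connect request and a four-letter command.

```python
import struct
from collections import defaultdict

TLS_HANDSHAKE = 0x16             # TLS record content type carrying a ClientHello
TLS_RECORD_HEADER_LEN = 5        # type(1) + version(2) + length(2)
MAX_TLS_RECORD = 2**14 + 2048    # largest record length TLS 1.2 permits


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a client sent on a port that accepts both modes.

    Returns 'tls', 'plaintext', 'need_more' or 'unknown'.
    """
    if not data:
        return "need_more"
    if data[0] != TLS_HANDSHAKE:
        # A length-prefixed request starts with 0x00 and a four-letter
        # command with an ASCII letter, so neither can look like TLS.
        return "plaintext"
    if len(data) < TLS_RECORD_HEADER_LEN:
        return "need_more"       # starts like TLS, header not complete yet
    _, major, minor, length = struct.unpack("!BBBH", data[:TLS_RECORD_HEADER_LEN])
    if major == 3 and minor <= 4 and 0 < length <= MAX_TLS_RECORD:
        return "tls"
    return "unknown"             # 0x16 first but not a valid record header


def plaintext_clients(observations):
    """Return {client: plaintext connection count} for clients that still use plaintext."""
    counts = defaultdict(int)
    for client, first_bytes in observations:
        if classify_first_bytes(first_bytes) == "plaintext":
            counts[client] += 1
    return dict(counts)


# Constructed observations: (client label, first bytes seen on the shared port).
SAMPLE = [
    ("app-a", bytes.fromhex("16030100c8") + b"\x01"),    # TLS ClientHello record
    ("app-b", b"\x00\x00\x00\x2c\x00\x00\x00\x00"),      # length prefix + version 0
    ("app-b", b"\x00\x00\x00\x2c\x00\x00\x00\x00"),
    ("monitor", b"ruok"),                                # four-letter command
]

if __name__ == "__main__":
    for client, count in sorted(plaintext_clients(SAMPLE).items()):
        print(f"{client}: {count} plaintext connection(s)")
```
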