zookeeper-user mailing list archives

From "Jürgen Wagner (DVT)" <juergen.wag...@devoteam.com>
Subject Re: Does ZooKeeper support node-to-node encrypt communication?
Date Thu, 25 Sep 2014 13:15:00 GMT
Hi,
  Zookeeper today is purely TCP, so it may be tunnelled transparently
through, e.g., stunnel connections. However, the configuration of this
is a bit cumbersome if not generated automatically. My approach to this
is as follows:

- Each Zookeeper x has a unique set of ports, e.g., 2000+x (client),
2100+x (quorum), 2200+x (election).
- Each Zookeeper is configured to listen only on localhost
(clientPortAddress=127.0.0.1)
- Each Zookeeper instance has server= lines with only localhost entries.
- Each Zookeeper host has a receiving end of an stunnel on localhost
substituting for the respective Zookeeper. This stunnel is connected to
an stunnel on the remote machine running the actual Zookeeper (on the
non-localhost IP address), terminating again on localhost (the
respective port of the actual Zookeeper).
- On each client machine not running Zookeeper, each localhost port for
a Zookeeper is forwarded using the same mechanism.

This zoo of stunnels can be generated automatically with a simple
script. I know it is not exactly beautiful, but it works.

The task of making Zookeeper itself secure is rather easy. Each client
will get a client certificate. Each ensemble will get an ensemble
certificate. The ensemble certificate may be used as a server
certificate (receiving end) and client certificate (sending end) inside
the ensemble. The individual clients will need to trust the ensemble
certificate and provide their certificates for the ensemble keystore.
Actually, in cases where my clients are also part of the overall
application, they would reuse the ensemble certificate, so in fact,
there is only one single certificate to deal with. This can be nicely
packaged, including the key generation with Java keytool.

I am already running other services with this type of instrumentation
(e.g., secure logging, access to a SolrCloud, crawler services), so
apart from the slight overhead of using SSL, this works quite
transparently and efficiently. Not too many changes are necessary to
the respective services.

At this point, I'm kind of busy with projects, but if nobody should
tackle the issue in one of the next official releases, I might
consider putting that in myself :-)

Best regards,
--Jürgen

On 25.09.2014 14:52, Flavio Junqueira wrote:
> I believe the use of UDP for leader election has been deprecated, so it should be all
> over TCP. We have talked about supporting ssl (see ZOOKEEPER-1000), but it isn't an implemented
> feature yet.
>
> -Flavio  
>
>
> On 24 Sep 2014, at 06:09, Lu, Boying <Boying.Lu@emc.com> wrote:
>
>> Hi, All,
>>
>> I want to know if the ZooKeeper supports node-to-node encrypted communication?
>> I read some codes of ZooKeeper 3.4.6 and found that ZooKeeper uses both UDP (e.g.
>> in QuorumPeer.java) and TCP protocols.
>> Is it possible to support encryption above UDP and TCP at the same time?
>>
>> Thanks
>>
>> Boying


-- 

Mit freundlichen Grüßen/Kind regards/Cordialement vôtre/Atentamente/С
уважением
*i.A. Jürgen Wagner*
Head of Competence Center "Intelligence"
& Senior Cloud Consultant

Devoteam GmbH, Industriestr. 3, 70565 Stuttgart, Germany
Phone: +49 6151 868-8725, Fax: +49 711 13353-53, Mobile: +49 171 864 1543
E-Mail: juergen.wagner@devoteam.com
<mailto:juergen.wagner@devoteam.com>, URL: www.devoteam.de
<http://www.devoteam.de/>

------------------------------------------------------------------------
Managing Board: Jürgen Hatzipantelis (CEO)
Address of Record: 64331 Weiterstadt, Germany; Commercial Register:
Amtsgericht Darmstadt HRB 6450; Tax Number: DE 172 993 071
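The "zoo of stunnels" layout described in the message above, as an added example that is not Jürgen's own script or anything shipped with ZooKeeper or stunnel. It follows the stated port scheme (2000+x client, 2100+x quorum, 2200+x election), binds every ZooKeeper to loopback, and emits the stunnel sections for both the receiving end on each ensemble host and the sending end on peers and clients. The IP addresses, certificate/key paths and the choice of one trust file are constructed placeholders; the stunnel option names (`accept`, `connect`, `client`, `cert`, `key`, `CAfile`, `verify`) and zoo.cfg keys are real.

```python
"""Generate zoo.cfg and stunnel.conf fragments for a localhost-only ZooKeeper
ensemble whose traffic is carried by stunnel (illustration, not the poster's script)."""

# Constructed sample ensemble: ZooKeeper id -> non-localhost address (placeholder IPs).
ENSEMBLE = {1: "10.0.0.11", 2: "10.0.0.12", 3: "10.0.0.13"}

# Placeholder paths (assumptions). The post says the ensemble cert serves as both
# server and client cert inside the ensemble; clients present their own cert and
# the ensemble trust file must contain those client certs.
ENSEMBLE_CERT = "/etc/stunnel/ensemble.pem"
ENSEMBLE_KEY = "/etc/stunnel/ensemble.key"
CLIENT_CERT = "/etc/stunnel/client.pem"
CLIENT_KEY = "/etc/stunnel/client.key"
TRUSTED_CA = "/etc/stunnel/trusted.pem"


def ports(x):
    """Port scheme from the post: a unique triple per ZooKeeper id."""
    return {"client": 2000 + x, "quorum": 2100 + x, "election": 2200 + x}


def zoo_cfg(my_id, ensemble):
    """zoo.cfg for ZooKeeper `my_id`: listens on loopback only and reaches every
    peer (itself included) through loopback, where a local stunnel waits."""
    lines = [
        "tickTime=2000", "initLimit=10", "syncLimit=5",
        "dataDir=/var/lib/zookeeper",  # placeholder
        f"clientPort={ports(my_id)['client']}",
        "clientPortAddress=127.0.0.1",
    ]
    for x in sorted(ensemble):
        p = ports(x)
        lines.append(f"server.{x}=127.0.0.1:{p['quorum']}:{p['election']}")
    return "\n".join(lines) + "\n"


def _section(name, accept, connect, client, cert, key):
    """One stunnel service; verify = 2 requires a peer cert chained to TRUSTED_CA."""
    body = [f"[{name}]", f"accept = {accept}", f"connect = {connect}",
            f"cert = {cert}", f"key = {key}", f"CAfile = {TRUSTED_CA}", "verify = 2"]
    if client:
        body.insert(1, "client = yes")
    return "\n".join(body)


def stunnel_conf_for_server(my_id, ensemble):
    """stunnel.conf for the host running ZooKeeper `my_id`.

    Receiving end: TLS on the real address, plaintext to the local ZooKeeper.
    Sending end: plaintext on loopback where the local ZooKeeper expects peer y,
    TLS to y's real address. Both directions use the ensemble certificate."""
    me = ensemble[my_id]
    sections = []
    for role, port in ports(my_id).items():
        sections.append(_section(f"zk{my_id}-{role}-in", f"{me}:{port}",
                                 f"127.0.0.1:{port}", client=False,
                                 cert=ENSEMBLE_CERT, key=ENSEMBLE_KEY))
    for y, addr in sorted(ensemble.items()):
        if y == my_id:
            continue  # own ports are served locally, not forwarded out
        for role in ("quorum", "election"):
            port = ports(y)[role]
            sections.append(_section(f"zk{y}-{role}-out", f"127.0.0.1:{port}",
                                     f"{addr}:{port}", client=True,
                                     cert=ENSEMBLE_CERT, key=ENSEMBLE_KEY))
    return "\n\n".join(sections) + "\n"


def stunnel_conf_for_client(ensemble):
    """stunnel.conf for a client machine not running ZooKeeper: each loopback
    client port is forwarded over TLS to ZooKeeper x, presenting the client cert."""
    sections = [
        _section(f"zk{x}-client-out", f"127.0.0.1:{ports(x)['client']}",
                 f"{addr}:{ports(x)['client']}", client=True,
                 cert=CLIENT_CERT, key=CLIENT_KEY)
        for x, addr in sorted(ensemble.items())
    ]
    return "\n\n".join(sections) + "\n"


def client_connect_string(ensemble):
    """What a ZooKeeper client on a forwarded machine passes as its connect string."""
    return ",".join(f"127.0.0.1:{ports(x)['client']}" for x in sorted(ensemble))


if __name__ == "__main__":
    print(zoo_cfg(1, ENSEMBLE))
    print(stunnel_conf_for_server(1, ENSEMBLE))
    print(stunnel_conf_for_client(ENSEMBLE))
    print(client_connect_string(ENSEMBLE))
```

Run it once per host id to get that host's zoo.cfg and stunnel.conf; the client variant goes on every machine that only talks to the ensemble. Because every ZooKeeper binds to 127.0.0.1 and the only sockets open on the real address belong to stunnel with `verify = 2`, a peer or client without a certificate trusted by the ensemble cannot reach ZooKeeper at all, which is the property the post relies on.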


