zookeeper-user mailing list archives

From Szalay-Bekő Máté <szalay.beko.m...@gmail.com>
Subject Re: Disable non-secured client port
Date Thu, 12 Dec 2019 14:52:48 GMT
Hi Chris,

The short answer is yes, all you need to do is not specify the clientPort
in the zoo.cfg.

An example for the zoo.cfg in this case:

tickTime=3000
initLimit=10
syncLimit=5
dataDir=/data/zkdata

secureClientPort=2191
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
ssl.keyStore.location=/etc/zookeeper/ssl/server.jks
ssl.keyStore.password=password
ssl.trustStore.location=/etc/zookeeper/ssl/servertrust.jks
ssl.trustStore.password=password

These are the main options you can choose from, when configuring client SSL:

- option 1: only unsecured (this is when you specify only the clientPort in
the zoo.cfg)
- option 2: only SSL (I think this is what you want... this happens if you
don't specify clientPort in the zoo.cfg, but you specify the
secureClientPort. Of course in this case you also have to set a few other
parameters, like setting the serverCnxnFactory to netty and defining the
ssl.keyStore / ssl.trustStore locations and passwords - see the example
above)
- option 3: both secure and unsecured client connections on different server
ports (this happens when you set both the clientPort and
the secureClientPort in the zoo.cfg to different ports)
- option 4: both secure and unsecured client connections using the same
server port (this happens when you set 'client.portUnification=true' in
the config file and set the clientPort in the zoo.cfg. In this case the
clientPort will be able to serve both unsecured and SSL connections. Of
course, in this case you still have to set the other SSL related
parameters, like the serverCnxnFactory and the ssl.keyStore /
ssl.trustStore locations and passwords)

AFAIK, option 4 is not available yet in any released 3.5 version. It
will be part of the first 3.6 release candidate soon. Also there is a
backport PR for it just under review (
https://github.com/apache/zookeeper/pull/1174) so it's likely to be in the
next 3.5.7 release, if / whenever that happens.

Regards,
Mate

On Thu, Dec 12, 2019 at 2:31 PM Chris T. <c.turksema@gmail.com> wrote:

> Hi,
>
> We're working on securing our clusters. For quorum, once we set
> sslQuorum=true, there is no more unsecured quorum port.
> Is such an option available or in the works for the client port as well?
> Or is the SSL client port always in addition to the unsecured client port?
>
> Regards,
>
> Chris
>
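A check an operator can run against the four options Mate describes, added here as an example that is not code from the thread or from ZooKeeper itself: it parses a zoo.cfg, reports which of the four client-port modes it is in, and lists what is still missing or still exposed in plaintext. The parser, the mode rules and the sample config below are constructed for this example and assume the keys named in the thread.

```python
# Added example, not part of the thread: classify a zoo.cfg by the four
# client-port modes Mate lists and flag missing SSL prerequisites.
NETTY_FACTORY = "org.apache.zookeeper.server.NettyServerCnxnFactory"
SSL_KEYS = ("ssl.keyStore.location", "ssl.keyStore.password",
            "ssl.trustStore.location", "ssl.trustStore.password")
# Constructed sample, modelled on the SSL-only zoo.cfg from the thread.
SAMPLE_SSL_ONLY = """
tickTime=3000
secureClientPort=2191
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
ssl.keyStore.location=/etc/zookeeper/ssl/server.jks
ssl.keyStore.password=password
ssl.trustStore.location=/etc/zookeeper/ssl/servertrust.jks
ssl.trustStore.password=password
"""

def parse_zoo_cfg(text):
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition("=")
            if sep:
                cfg[key.strip()] = value.strip()
    return cfg

def client_port_mode(cfg):
    """Return (option, findings): option 1-4 as in the thread, 0 if none."""
    plain, secure = "clientPort" in cfg, "secureClientPort" in cfg
    unified = cfg.get("client.portUnification", "false").lower() == "true"
    if plain and unified:     # option 4: one port serves plaintext and SSL (3.6+)
        option = 4
    elif plain and secure:    # option 3: plaintext and SSL on separate ports
        option = 3
    elif secure:              # option 2: SSL only, clientPort left unset
        option = 2
    elif plain:               # option 1: plaintext only
        option = 1
    else:
        option = 0
    findings = []
    if option in (1, 3, 4):   # a plaintext client port is still reachable
        findings.append("plaintext accepted on clientPort " + cfg["clientPort"])
    if option in (2, 3, 4):   # SSL modes need the netty factory and key material
        if cfg.get("serverCnxnFactory") != NETTY_FACTORY:
            findings.append("serverCnxnFactory must be " + NETTY_FACTORY)
        findings += ["missing " + k for k in SSL_KEYS if k not in cfg]
    return option, findings
```

An empty findings list with option 2 is the SSL-only state Chris asked about; any "plaintext accepted" entry means an unsecured client path is still open.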
