[
https://issues.apache.org/jira/browse/HADOOP-18709?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17724943#comment-17724943
]
ASF GitHub Bot commented on HADOOP-18709:
-----------------------------------------
ferdelyi commented on code in PR #5638:
URL: https://github.com/apache/hadoop/pull/5638#discussion_r1200468351
##########
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/util/curator/ZKCuratorManager.java:
##########
@@ -503,4 +644,50 @@ private void setJaasConfiguration(ZKClientConfig
zkClientConfig) throws IOExcept
zkClientConfig.setProperty(ZKClientConfig.LOGIN_CONTEXT_NAME_KEY,
JAAS_CLIENT_ENTRY);
}
}
-}
\ No newline at end of file
+
+ /**
+ * Helper class to contain the Truststore/Keystore paths for the ZK client
connection over
+ * SSL/TLS.
+ */
+ public static class TruststoreKeystore{
+ private static String keystoreLocation;
+ private static String keystorePassword;
+ private static String truststoreLocation;
+ private static String truststorePassword;
+ /** Configuration for the ZooKeeper connection when SSL/TLS is enabled.
+ * When a value is not configured, ensure that empty string is set instead
of null.
+ * @param conf ZooKeeper Client configuration
+ */
+ public TruststoreKeystore(Configuration conf){
+
+ keystoreLocation =
+
StringUtils.defaultString(conf.get(CommonConfigurationKeys.ZK_SSL_KEYSTORE_LOCATION,
Review Comment:
I was getting some NPE exception based on my recollection without this, but
can't reproduce it now, so removing it and will see during the build if it
comes up again.
> Add curator based ZooKeeper communication support over SSL/TLS into the
> common library
> --------------------------------------------------------------------------------------
>
> Key: HADOOP-18709
> URL: https://issues.apache.org/jira/browse/HADOOP-18709
> Project: Hadoop Common
> Issue Type: Improvement
> Reporter: Ferenc Erdelyi
> Assignee: Ferenc Erdelyi
> Priority: Major
> Labels: pull-request-available
>
> With HADOOP-16579 the ZooKeeper client is capable of securing communication
> with SSL.
> To follow the convention introduced in HADOOP-14741, proposing to add to the
> core-default.xml the following configurations, as the groundwork for the
> components to enable encrypted communication between the individual
> components and ZooKeeper:
> * hadoop.zk.ssl.keystore.location
> * hadoop.zk.ssl.keystore.password
> * hadoop.zk.ssl.truststore.location
> * hadoop.zk.ssl.truststore.password
> These parameters along with the component-specific ssl.client.enable option
> (e.g. yarn.zookeeper.ssl.client.enable) should be passed to the
> ZKCuratorManager to build the CuratorFramework. The ZKCuratorManager needs a
> new overloaded start() method to build the encrypted communication.
> * The secured ZK Client uses Netty, hence the dependency is included in the
> pom.xml. Added netty-handler and netty-transport-native-epoll dependency to
> the pom.xml based on ZOOKEEPER-3494 - "No need to depend on netty-all (SSL)".
> * The change was exclusively tested with the unit test, which is a kind of
> integration test, as a ZK Server was brought up and the communication tested
> between the client and the server.
> * This code change is in the common code base and there is no component
> calling it yet. Once YARN-11468 - "Zookeeper SSL/TLS support" is implemented,
> we can test it in a real cluster environment.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org
