purushah commented on code in PR #3692: URL: https://github.com/apache/storm/pull/3692#discussion_r1777536771
########## storm-client/src/jvm/org/apache/storm/utils/CuratorUtils.java: ########## 
@@ -84,6 +89,120 @@ protected static void setupBuilder(CuratorFrameworkFactory.Builder builder, fina if (auth != null && auth.scheme != null && auth.payload != null) { builder.authorization(auth.scheme, auth.payload); } + boolean sslEnabled = ObjectReader.getBoolean(conf.get(Config.ZK_SSL_ENABLE), false); + if (sslEnabled) { + TruststoreKeystore truststoreKeystore = new TruststoreKeystore(conf); + ZKClientConfig zkClientConfig = new ZKClientConfig(); + try { + setSslConfiguration(zkClientConfig, truststoreKeystore); + } catch (ConfigurationException e) { + throw new RuntimeException(e); + } + builder.zkClientConfig(zkClientConfig); + } + } + + /** + * Configure ZooKeeper Client with SSL/TLS connection. + * @param zkClientConfig ZooKeeper Client configuration + * @param truststoreKeystore The truststore and keystore configs + */ + private static void setSslConfiguration(ZKClientConfig zkClientConfig, + TruststoreKeystore truststoreKeystore) throws ConfigurationException { + setSslConfiguration(zkClientConfig, new ClientX509Util(), truststoreKeystore); + } + + private static void setSslConfiguration(ZKClientConfig zkClientConfig, + ClientX509Util x509Util, TruststoreKeystore truststoreKeystore) + throws ConfigurationException { + validateSslConfiguration(truststoreKeystore); + LOG.info("Configuring the ZooKeeper client to use SSL/TLS encryption for connecting to the " + + "ZooKeeper server."); + LOG.debug("Configuring the ZooKeeper client with {} location: {}.", + truststoreKeystore.keystoreLocation, + Config.ZK_SSL_KEYSTORE_LOCATION); + LOG.debug("Configuring the ZooKeeper client with {} location: {}.", + truststoreKeystore.truststoreLocation, + Config.ZK_SSL_TRUSTSTORE_LOCATION); + + zkClientConfig.setProperty(ZKClientConfig.SECURE_CLIENT, "true"); + zkClientConfig.setProperty(ZKClientConfig.ZOOKEEPER_CLIENT_CNXN_SOCKET, + CLIENT_CNXN); + zkClientConfig.setProperty(x509Util.getSslKeystoreLocationProperty(), + truststoreKeystore.keystoreLocation); + 
zkClientConfig.setProperty(x509Util.getSslKeystorePasswdProperty(), + truststoreKeystore.keystorePassword); + zkClientConfig.setProperty(x509Util.getSslTruststoreLocationProperty(), + truststoreKeystore.truststoreLocation); + zkClientConfig.setProperty(x509Util.getSslTruststorePasswdProperty(), + truststoreKeystore.truststorePassword); + zkClientConfig.setProperty(x509Util.getSslHostnameVerificationEnabledProperty(), + truststoreKeystore.hostnameVerification.toString()); + } + + private static void validateSslConfiguration(TruststoreKeystore truststoreKeystore) throws ConfigurationException { + if (StringUtils.isEmpty(truststoreKeystore.keystoreLocation)) { + throw new ConfigurationException( + "The keystore location parameter is empty for the ZooKeeper client connection."); + } + if (StringUtils.isEmpty(truststoreKeystore.keystorePassword)) { + throw new ConfigurationException( + "The keystore password parameter is empty for the ZooKeeper client connection."); + } + if (StringUtils.isEmpty(truststoreKeystore.truststoreLocation)) { + throw new ConfigurationException( + "The truststore location parameter is empty for the ZooKeeper client connection" + "."); + } + if (StringUtils.isEmpty(truststoreKeystore.truststorePassword)) { + throw new ConfigurationException( + "The truststore password parameter is empty for the ZooKeeper client connection" + "."); + } + } + + + /** + * Helper class to contain the Truststore/Keystore paths for the ZK client connection over + * SSL/TLS. + */ + public static class TruststoreKeystore { Review Comment: We can't make it private as it is used by test cases. Will make it package private. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@storm.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
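Review bot: The two LOG.debug calls in setSslConfiguration pass their arguments in the wrong order for the format string, so the file path is substituted where the config key name belongs and the key name where the path belongs; swap them, e.g. `LOG.debug("Configuring the ZooKeeper client with {} location: {}.", Config.ZK_SSL_KEYSTORE_LOCATION, truststoreKeystore.keystoreLocation);` and likewise for the truststore line. Separately, validateSslConfiguration rejects an empty truststore password and an absent keystore, yet a JKS/PKCS12 truststore is commonly left unprotected and a client keystore is only needed when the ZooKeeper server is configured to require client certificates, so unless Storm intends to mandate mutual TLS it would be friendlier to require only the truststore location and treat the keystore and both passwords as optional. The passwords are correctly kept out of the log lines, but the bare `throw new RuntimeException(e)` in setupBuilder would be more actionable as `throw new IllegalStateException("ZooKeeper SSL is enabled (" + Config.ZK_SSL_ENABLE + ") but the SSL configuration is invalid", e);`. The TruststoreKeystore class whose header closes this hunk continues outside it, so its field defaults — including hostnameVerification, which is dereferenced with toString() and would NPE if it can be null — could not be checked here.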