[ https://issues.apache.org/jira/browse/ZOOKEEPER-236?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15898359#comment-15898359 ]
ASF GitHub Bot commented on ZOOKEEPER-236:
------------------------------------------

GitHub user afine opened a pull request:

    https://github.com/apache/zookeeper/pull/184

    ZOOKEEPER-236: SSL Support for Atomic Broadcast protocol [DO NOT MERGE]

    This is a work in progress, I wanted to get some feedback from the community while I worked on this. Please do not merge yet. Tests, documentation, and some cleanup still coming.

    This is a first pass at ssl support for the zookeeper quorum. It supports encrypting both leader election and normal operation.

    Rolling upgrades are supported via port unification (`portUnification=true`). This should only be used while performing a rolling upgrade.

    Some open questions:
    - Anyone have any ideas for better names for the configuration options (`sslQuorum` and `portUnification` currently).
    - I am using the same configuration that points to the truststore/keystore used for server <-> client ssl. Do they need to be separate?
    - Is port unification the correct approach for rolling upgrades? Is the impact from the use of `BufferedSocket`s during the upgrade acceptable? See:
      http://stackoverflow.com/questions/25637039/detecting-ssl-connection-and-converting-socket-to-sslsocket
      http://stackoverflow.com/questions/6559859/is-it-possible-to-change-plain-socket-to-sslsocket
    - server <-> client ssl is implemented with netty. I did not feel that rewriting our server <-> server logic with netty was necessary given how easy ssl was to implement with standard java `SSLSocket`s. Any arguments to the contrary?

    Thanks,
    Abe

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/afine/zookeeper ZOOKEEPER-236

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/zookeeper/pull/184.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #184

----
commit db33552046dea7e8e850945da4f18d18644d8ee5
Author: Abraham Fine <af...@apache.org>
Date:   2017-03-06T23:12:59Z

    ZOOKEEPER-236: SSL Support for Atomic Broadcast protocol

----

> SSL Support for Atomic Broadcast protocol
> -----------------------------------------
>
>                 Key: ZOOKEEPER-236
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-236
>             Project: ZooKeeper
>          Issue Type: New Feature
>          Components: quorum, server
>            Reporter: Benjamin Reed
>            Assignee: Abraham Fine
>            Priority: Minor
>
> We should have the ability to use SSL to authenticate and encrypt the traffic
> between ZooKeeper servers. For the most part this is a very easy change. We
> would probably only want to support this for TCP based leader elections.

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
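
The port-unification idea raised in the pull request description, as an added example that is not code from the pull request or from ZooKeeper: the listener reads the first bytes of an accepted connection, treats a TLS handshake record carrying a ClientHello as a TLS peer, and replays the consumed bytes either way. The names `PortUnificationSketch`, `Channel` and `accept` are hypothetical, the sample bytes are constructed, and the code assumes Java 8 or later with a JSSE provider that implements `SSLSocketFactory.createSocket(Socket, InputStream, boolean)`.

```java
import java.io.*;
import java.net.Socket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class PortUnificationSketch {
    static final int PEEK = 6; // 5-byte TLS record header + 1-byte handshake type

    /** Streams the caller must use after detection (hypothetical holder type). */
    static final class Channel {
        final InputStream in; final OutputStream out; final boolean tls;
        Channel(InputStream in, OutputStream out, boolean tls) { this.in = in; this.out = out; this.tls = tls; }
    }

    /** True if the first bytes look like a TLS record carrying a ClientHello. */
    static boolean looksLikeClientHello(byte[] b, int len) {
        return len >= PEEK
            && (b[0] & 0xff) == 0x16   // record content type: handshake
            && (b[1] & 0xff) == 0x03   // record version major (SSL 3.0 / TLS 1.x)
            && (b[5] & 0xff) == 0x01;  // handshake message type: ClientHello
    }

    /** Reads up to head.length bytes, tolerating short reads and early EOF. */
    static int readHead(InputStream in, byte[] head) throws IOException {
        int n = 0, r;
        while (n < head.length && (r = in.read(head, n, head.length - n)) > 0) n += r;
        return n;
    }

    /** Classifies an accepted connection; plaintext is refused unless portUnification is on. */
    static Channel accept(Socket s, SSLSocketFactory f, boolean portUnification) throws IOException {
        byte[] head = new byte[PEEK];
        int n = readHead(s.getInputStream(), head);
        InputStream consumed = new ByteArrayInputStream(head, 0, n);
        if (looksLikeClientHello(head, n)) {
            // Server-mode TLS socket layered over s; the consumed bytes are replayed to the handshake.
            SSLSocket tls = (SSLSocket) f.createSocket(s, consumed, true);
            tls.startHandshake();
            return new Channel(tls.getInputStream(), tls.getOutputStream(), true);
        }
        if (!portUnification) { s.close(); throw new IOException("plaintext peer rejected"); }
        // Plaintext peer during a rolling upgrade: hand back the consumed bytes ahead of the rest.
        return new Channel(new SequenceInputStream(consumed, s.getInputStream()), s.getOutputStream(), false);
    }

    public static void main(String[] args) {
        byte[] hello = {0x16, 0x03, 0x01, 0x00, 0x2f, 0x01}; // constructed sample: TLS record header + ClientHello type
        byte[] plain = {0x00, 0x00, 0x00, 0x00, 0x00, 0x01}; // constructed sample: non-TLS bytes
        System.out.println(looksLikeClientHello(hello, 6) + " " + looksLikeClientHello(plain, 6));
    }
}
```

Because `readHead` blocks until six bytes arrive, a caller would set a read timeout on the accepted socket before classifying it. With the plaintext branch enabled, an unencrypted and unauthenticated peer is accepted on the same port, which is why the description limits `portUnification=true` to the duration of a rolling upgrade.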