[
https://issues.apache.org/jira/browse/ZOOKEEPER-236?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15904591#comment-15904591
]
ASF GitHub Bot commented on ZOOKEEPER-236:
------------------------------------------
GitHub user geek101 opened a pull request:
https://github.com/apache/zookeeper/pull/188
ZOOKEEPER-236: SSL support for ZAB and FLE [DO NOT MERGE]
# Zookeeper FLE & ZAB SSL
Provides SSL for Leader Election and ZAB, i.e. ports 3888 and 2888.
Goal of this patch is to build on top of SSL changes for
[branch-3.4](https://github.com/geek101/zookeeper/blob/branch-3.4/README_SSL.md)
### Some details
* [X509Util](https://github.com/geek101/zookeeper/blob/branch-3.5-ssl-review5/src/java/main/org/apache/zookeeper/common/X509Util.java) becomes a first-class citizen and [QuorumX509Util](https://github.com/geek101/zookeeper/blob/branch-3.5-ssl-review5/src/java/main/org/apache/zookeeper/server/quorum/util/QuorumX509Util.java) and [ServerX509Util](https://github.com/geek101/zookeeper/blob/branch-3.5-ssl-review5/src/java/main/org/apache/zookeeper/server/util/ServerX509Util.java) extend it.
* [ZKConfig](https://github.com/geek101/zookeeper/blob/branch-3.5-ssl-review5/src/java/main/org/apache/zookeeper/common/ZKConfig.java) becomes an abstract class and [QuorumSslConfig](https://github.com/geek101/zookeeper/blob/branch-3.5-ssl-review5/src/java/main/org/apache/zookeeper/server/quorum/QuorumPeerConfig.java) and [ZookeeperServerConfig](https://github.com/geek101/zookeeper/blob/branch-3.5-ssl-review5/src/java/main/org/apache/zookeeper/server/ZookeeperServerConfig.java) implement it.
* Support for a Quorum peer to also be authenticated as a [ZK client](https://github.com/geek101/zookeeper/blob/branch-3.5-ssl-review5/src/java/main/org/apache/zookeeper/server/util/ServerX509Util.java#L62) (this will be removed if it breaks security and/or is not needed)
##### Building
```
git checkout branch-3.5-ssl-review5
ant jar
```
Args to enable SSL:
```
-Dquorum.ssl.enabled="true"
-Dquorum.ssl.keyStore.location="<Private key and signed cert, key store file>"
-Dquorum.ssl.keyStore.password="<Password for the above>"
-Dquorum.ssl.trustStore.location="<Root CA cert, key store file>"
-Dquorum.ssl.trustStore.password="<Password for the above>"
```
Example run command:
```
java -Dquorum.ssl.enabled="true" -Dquorum.ssl.keyStore.location="node1.ks" \
     -Dquorum.ssl.keyStore.password="CertPassword1" \
     -Dquorum.ssl.trustStore.location="truststore.ks" \
     -Dquorum.ssl.trustStore.password="StorePass" -cp zookeeper.jar:lib/* \
     org.apache.zookeeper.server.quorum.QuorumPeerMain zoo1.cfg
```
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/geek101/zookeeper branch-3.5-ssl-review6
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/zookeeper/pull/188.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #188
----
commit 2fe3e971839dfa9d3a5040990e50b5cb657502e3
Author: Powell Molleti <[email protected]>
Date: 2016-08-14T02:27:03Z
SSL support for ZAB and FLE.
Pass ZKConfig() around to make things work.
Separate SSL config for client and quorum
Quorum servers will have different properties for
SSL config, example:
-Dquorum.ssl.enabled=true
-Dquorum.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks
-Dquorum.ssl.keyStore.password=testpass
-Dquorum.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks
-Dquorum.ssl.trustStore.password=testpass
Enable each zookeeper node to also be authenticated
as a client using dynamic reconfig.
Basic algorithm for various SSL connections.
Client:
1. Use the given truststore if available
Server:
1. Use the given truststore if available
Quorum:
1. Use the given truststore if available
Add README to help explain what this code tries to accomplish.
----
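The following is an added illustration, not code from the pull request or from ZooKeeper, of how the `quorum.ssl.*` properties listed above map onto a JSSE context for the peer ports, following the commit message's "use the given truststore if available" rule but failing closed when no truststore is given, and requiring the connecting peer to present a certificate so that both sides of a ZAB/FLE connection are authenticated. The class name `QuorumSslExample` and its methods are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.TrustManagerFactory;

/** Hypothetical helper: builds the quorum SSLContext from the quorum.ssl.* system properties. */
public final class QuorumSslExample {

    // Default keystore type reads the .jks/.ks files used in the PR's examples.
    private static KeyStore load(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }

    public static SSLContext buildQuorumContext() throws Exception {
        String ksPath = System.getProperty("quorum.ssl.keyStore.location");
        String ksPass = System.getProperty("quorum.ssl.keyStore.password", "");
        String tsPath = System.getProperty("quorum.ssl.trustStore.location");
        String tsPass = System.getProperty("quorum.ssl.trustStore.password", "");
        if (ksPath == null || tsPath == null) {
            // Fail closed: with a null TrustManager[] the JDK would fall back to its default CA set,
            // which is not what "use the given truststore" intends for a private quorum.
            throw new IllegalStateException(
                "quorum.ssl.keyStore.location and quorum.ssl.trustStore.location are required");
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(ksPath, ksPass), ksPass.toCharArray());   // this peer's key + signed cert
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(tsPath, tsPass));                        // root CA that signed every peer's cert
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Acceptor side of a peer port (2888 or 3888): the connecting peer must present a certificate. */
    public static SSLServerSocket listen(SSLContext ctx, int port) throws Exception {
        SSLServerSocket ss = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(port);
        ss.setNeedClientAuth(true); // mutual TLS, otherwise any host with the CA cert could join
        return ss;
    }
}
```

A quick check of the setup this expects is that the certificate in `node1.ks` chains to the CA in `truststore.ks`; if it does not, the handshake on both ports fails and the ensemble cannot elect a leader.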
> SSL Support for Atomic Broadcast protocol
> -----------------------------------------
>
> Key: ZOOKEEPER-236
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-236
> Project: ZooKeeper
> Issue Type: New Feature
> Components: quorum, server
> Reporter: Benjamin Reed
> Assignee: Abraham Fine
> Priority: Minor
>
> We should have the ability to use SSL to authenticate and encrypt the traffic
> between ZooKeeper servers. For the most part this is a very easy change. We
> would probably only want to support this for TCP based leader elections.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)