Github user anmolnar commented on a diff in the pull request:

    https://github.com/apache/zookeeper/pull/184#discussion_r195724314

    --- Diff: src/java/main/org/apache/zookeeper/server/quorum/Leader.java ---
    @@ -227,19 +229,36 @@ public boolean isQuorumSynced(QuorumVerifier qv) { private final ServerSocket ss; - Leader(QuorumPeer self,LeaderZooKeeperServer zk) throws IOException { + Leader(QuorumPeer self,LeaderZooKeeperServer zk) throws IOException, X509Exception { this.self = self; this.proposalStats = new ProposalStats(); try { - if (self.getQuorumListenOnAllIPs()) { - ss = new ServerSocket(self.getQuorumAddress().getPort()); + if (self.shouldUsePortUnification()) { + if (self.getQuorumListenOnAllIPs()) { + ss = new UnifiedServerSocket(new QuorumX509Util(), self.getQuorumAddress().getPort()); + } else { + ss = new UnifiedServerSocket(new QuorumX509Util()); + } + } else if (self.isSslQuorum()) {
    --- End diff --

    I just tried to change it in the way you suggested and it got broken. The idea is the following:

    - when you turn on `sslQuorum`, it means that the peer initiates an SSL connection when trying to connect to other quorum members and at the same time accepts SSL connections *only*,
    - when you turn on `portUnification`, it means that the peer *accepts* both SSL and non-SSL connections, but still tries to initiate non-SSL connections,
    - if both of them are false, the peer initiates and accepts non-SSL connections only.

    Upgrade path is the following:

    1. Quorum runs with non-SSL connections,
    2. Rolling upgrade nodes by adding `portUnification=true`: peers still communicate without SSL, but are able to accept SSL connections as well,
    3. Rolling upgrade nodes by adding `sslQuorum=true`: peers accept both connections, but initiate with SSL,
    4. Rolling upgrade nodes by removing `portUnification`: peers accept and initiate SSL connections only.

    `QuorumSSLTest.testRollingUpgrade` covers the scenario.
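Review bot: the branch order in the hunk makes `shouldUsePortUnification()` take precedence over `isSslQuorum()`, which is what the described semantics require (a unified listener must accept both SSL and plain, so it has to win when both flags are set), but the `getQuorumListenOnAllIPs()` check is now repeated inside each arm and `new QuorumX509Util()` is instantiated separately per arm; consider resolving the listen port once (`int port = self.getQuorumAddress().getPort();`) and constructing the `QuorumX509Util` once ahead of the `if`, so the three listener modes read as a single decision. The constructor signature also gains `throws X509Exception`, so every caller of `Leader(...)` outside this hunk now has to handle it; a short comment on the constructor saying the exception comes from the X509 utility setup would help the next reader.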
---
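As an added example (not from the pull request or from ZooKeeper's code base), the accept/initiate rules and the four-step rolling upgrade described in the comment, modelled in Python so that every intermediate state of a rolling upgrade can be checked for full pairwise connectivity; `PeerConfig`, `rolling_upgrade` and the step lists are constructed for this illustration.

```python
# Constructed model of the quorum connection modes described in the comment:
# sslQuorum controls what a peer initiates and, alone, what it accepts;
# portUnification makes the peer accept both SSL and plaintext.
from dataclasses import dataclass, replace
from itertools import combinations


@dataclass(frozen=True)
class PeerConfig:
    ssl_quorum: bool = False
    port_unification: bool = False

    def initiates(self) -> str:
        # Outbound connections are SSL only when sslQuorum=true.
        return "ssl" if self.ssl_quorum else "plain"

    def accepts(self) -> frozenset:
        # Inbound: unification accepts both kinds, otherwise only the kind
        # the peer itself initiates.
        if self.port_unification:
            return frozenset({"ssl", "plain"})
        return frozenset({self.initiates()})


def can_connect(src: PeerConfig, dst: PeerConfig) -> bool:
    return src.initiates() in dst.accepts()


def quorum_ok(peers) -> bool:
    # Every pair must be able to connect in both directions.
    return all(can_connect(a, b) and can_connect(b, a)
               for a, b in combinations(peers, 2))


def rolling_upgrade(n: int, steps):
    """Apply each step to one node at a time, starting from all-plaintext.

    Returns a list of (step_name, node_index, quorum_ok_after_change)."""
    peers = [PeerConfig() for _ in range(n)]
    trace = []
    for name, change in steps:
        for i in range(n):
            peers[i] = change(peers[i])
            trace.append((name, i, quorum_ok(peers)))
    return trace


# The upgrade path from the comment (steps 2-4; step 1 is the initial state).
SAFE_UPGRADE = [
    ("add portUnification=true", lambda p: replace(p, port_unification=True)),
    ("add sslQuorum=true", lambda p: replace(p, ssl_quorum=True)),
    ("remove portUnification", lambda p: replace(p, port_unification=False)),
]
# Skipping the unification step: an upgraded node initiates SSL to peers
# that still accept plaintext only.
UNSAFE_UPGRADE = [("add sslQuorum=true", lambda p: replace(p, ssl_quorum=True))]
```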