ZOOKEEPER-3160: Custom User SSLContext #654
Conversation
|
Refer to this link for build results (access rights to CI server needed): |
|
Refer to this link for build results (access rights to CI server needed): |
Branch 3.5
# Conflicts: # src/java/main/org/apache/zookeeper/common/X509Util.java # zookeeper-common/src/main/java/org/apache/zookeeper/common/ZKConfig.java
|
Merged the latest 3.5 branch in - looks like there was a significant structure rework, along with some changes to the ZKConfig properties - moved the additional property in with the others in X509Util, and updated the tests, javadocs, etc. Just curious - what would be the average timeline to get this merged in? |
|
Refer to this link for build results (access rights to CI server needed): |
|
Refer to this link for build results (access rights to CI server needed): |
Branch 3.5
# Conflicts: # zookeeper-common/src/test/java/org/apache/zookeeper/common/X509UtilTest.java # zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java
|
Updated again to resolve merge conflicts. |
|
@eolivelli - looks like the Jenkins build is failing due to the audit warnings, but I get a 404 when attempting to view the audit findings file. |
|
Unfortunately the link at the Jenkins build are wrong in some cases. Just navigate manually from build artifacts in the jenkins build. Oh, you need release audit. Same thing though, need to navigate manually :( You are missing the apache license headers in ZKClientSSLContext.java and in the test. Thanks! |
zookeeper-server/src/test/java/org/apache/zookeeper/common/ZKTestClientSSLContext.java
Show resolved
Hide resolved
zookeeper-server/src/main/java/org/apache/zookeeper/common/ZKClientSSLContext.java
Show resolved
Hide resolved
|
Thanks @nkalmar - found the audit problems file and resolved the missing license headers. |
Branch 3.5
# Conflicts: # zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java # zookeeper-server/src/test/java/org/apache/zookeeper/common/X509UtilTest.java
|
Addressed merge conflicts. @nkalmar - Just wondering if there's anything else I can do to help this get merged? |
|
I just realized this is for 3.5. Did you create a PR for the master branch? 3.5 is pretty much closed for new features, in order to stabilize it for the stable release. |
|
Ah, I hadn't realised that 3.5 was closed for stabilisation. So I should recreate this PR for the master branch then? |
|
Yes please. But it should be fairly easy, most of the time 3.5 and master are compatible. So just cherry-picking your commits on master should work, hopefully without merge conflicts. If you need any help, let me know! |
|
That's grand then. I'll close this PR and reopen a new one for master then 👍 |
This is a master branch version of: #654 The previous PR was for branch 3.5, and couldn't be merged as that branch is closed for new features. The Zookeeper libraries currently allow you to set up your SSL Context via system properties such as "zookeeper.ssl.keyStore.location" in the X509Util. This covers most simple use cases, where users have software keystores on their harddrive. There are, however, a few additional scenarios that this doesn't cover. Two possible ones would be: 1. The user has a hardware keystore, loaded in using PKCS11 or something similar. 2. The user has no access to the software keystore, but can retrieve an already-constructed SSLContext from their container. For this, I would propose that the X509Util be extended to allow a user to set a property "zookeeper.ssl.client.context" to provide a class which supplies a custom SSL context. This gives a lot more flexibility to the ZK client, and allows the user to construct the SSLContext in whatever way they please (which also future proofs the implementation somewhat). I added a few simple tests to this class around setting the SSLContext, and setting an invalid one. I'm not testing the actual functionality of the SSLContext, etc. Author: Alex Rankin <[email protected]> Author: Alex Rankin <[email protected]> Reviewers: [email protected] Closes #728 from arankin-irl/ZOOKEEPER-3160 and squashes the following commits: a20c62f [Alex Rankin] Merge branch 'master' into ZOOKEEPER-3160 5a9b8fc [Alex Rankin] Merge pull request #7 from apache/master 3c3dfdd [Alex Rankin] Re-ordering imports. 69e0b6c [Alex Rankin] Updating custom SSLContext supplier with review comments 874529b [Alex Rankin] Using supplier interface instead of custom interface, and renaming property ec27260 [Alex Rankin] Merge branch 'master' into ZOOKEEPER-3160 75a010e [Alex Rankin] Merge pull request #6 from apache/master 838f61c [Alex Rankin] Merge branch 'master' into ZOOKEEPER-3160 f85d7e5 [Alex Rankin] Merge pull request #5 from apache/master 31d8dd5 [Alex Rankin] Extracting SSLContext creation from config to new method. 400839a [Alex Rankin] Adding ability to specify custom SSLContext for client 7ae7485 [Alex Rankin] Merge pull request #4 from apache/master
This is a master branch version of: apache#654 The previous PR was for branch 3.5, and couldn't be merged as that branch is closed for new features. The Zookeeper libraries currently allow you to set up your SSL Context via system properties such as "zookeeper.ssl.keyStore.location" in the X509Util. This covers most simple use cases, where users have software keystores on their harddrive. There are, however, a few additional scenarios that this doesn't cover. Two possible ones would be: 1. The user has a hardware keystore, loaded in using PKCS11 or something similar. 2. The user has no access to the software keystore, but can retrieve an already-constructed SSLContext from their container. For this, I would propose that the X509Util be extended to allow a user to set a property "zookeeper.ssl.client.context" to provide a class which supplies a custom SSL context. This gives a lot more flexibility to the ZK client, and allows the user to construct the SSLContext in whatever way they please (which also future proofs the implementation somewhat). I added a few simple tests to this class around setting the SSLContext, and setting an invalid one. I'm not testing the actual functionality of the SSLContext, etc. Author: Alex Rankin <[email protected]> Author: Alex Rankin <[email protected]> Reviewers: [email protected] Closes apache#728 from arankin-irl/ZOOKEEPER-3160 and squashes the following commits: a20c62f [Alex Rankin] Merge branch 'master' into ZOOKEEPER-3160 5a9b8fc [Alex Rankin] Merge pull request #7 from apache/master 3c3dfdd [Alex Rankin] Re-ordering imports. 69e0b6c [Alex Rankin] Updating custom SSLContext supplier with review comments 874529b [Alex Rankin] Using supplier interface instead of custom interface, and renaming property ec27260 [Alex Rankin] Merge branch 'master' into ZOOKEEPER-3160 75a010e [Alex Rankin] Merge pull request #6 from apache/master 838f61c [Alex Rankin] Merge branch 'master' into ZOOKEEPER-3160 f85d7e5 [Alex Rankin] Merge pull request #5 from apache/master 31d8dd5 [Alex Rankin] Extracting SSLContext creation from config to new method. 400839a [Alex Rankin] Adding ability to specify custom SSLContext for client 7ae7485 [Alex Rankin] Merge pull request #4 from apache/master
The Zookeeper libraries currently allow you to set up your SSL Context via system properties such as "zookeeper.ssl.keyStore.location" in the X509Util. This covers most simple use cases, where users have software keystores on their harddrive.
There are, however, a few additional scenarios that this doesn't cover. Two possible ones would be:
For this, I would propose that the X509Util be extended to allow a user to set a property "zookeeper.ssl.client.context" to provide a class which supplies a custom SSL context. This gives a lot more flexibility to the ZK client, and allows the user to construct the SSLContext in whatever way they please (which also future proofs the implementation somewhat).
I added a few simple tests to this class around setting the SSLContext, and setting an invalid one. I'm not testing the actual functionality of the SSLContext, etc.