Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ZOOKEEPER-3176: Quorum TLS - add SSL config options #681

Closed
wants to merge 1 commit into from
Closed

ZOOKEEPER-3176: Quorum TLS - add SSL config options #681

wants to merge 1 commit into from

Conversation

ivmaykov
Copy link
Contributor

@ivmaykov ivmaykov commented Oct 25, 2018
edited
Loading

Add SSL config options for enabled protocols and client auth mode.
Improve handling of SSL config options for protocols and cipher suites - previously these came from system properties, now they can come from ZKConfig which means they are easier to isolate in tests, and now we don't need to parse system properties every time we create a secure socket.

Added more options for ssl settings to X509Util and encapsulate them better

  • previously, some SSL settings came from a ZKConfig and others came from global System.getProperties(). This made it hard to isolate certain settings in tests.
  • now all SSL-related settings come from the ZKConfig object used to create the SSL context
  • new settings added:
  • zookeeper.ssl(.quorum).enabledProtocols - list of enabled protocols. If not set, defaults to a single-entry list with the value of zookeeper.ssl(.quorum).protocol.
  • zookeeper.ssl(.quorum).clientAuth - can be "NONE", "WANT", or "NEED". This controls whether the server doesn't want / allows / requires the client to present an X509 certificate.
  • zookeeper.ssl(.quorum).handshakeDetectionTimeoutMillis - timeout for the first read of 5 bytes to detect the transport mode (TLS or plaintext) of a client connection made to a UnifiedServerSocket

@ivmaykov ivmaykov mentioned this pull request Oct 25, 2018
Closed
@asfgit
Copy link

asfgit commented Oct 25, 2018

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/PreCommit-ZOOKEEPER-github-pr-build/2503/

@asfgit
Copy link

asfgit commented Oct 26, 2018

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/PreCommit-ZOOKEEPER-github-pr-build/2513/

@ivmaykov ivmaykov force-pushed the ZOOKEEPER-3176 branch 2 times, most recently from f1501e3 to 45ec833 Compare October 26, 2018 19:30
@asfgit
Copy link

asfgit commented Oct 27, 2018

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/PreCommit-ZOOKEEPER-github-pr-build/2524/

@asfgit
Copy link

asfgit commented Oct 27, 2018

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/PreCommit-ZOOKEEPER-github-pr-build/2527/

@ivmaykov
Copy link
Contributor Author

I should mention that this code has been internally reviewed at Facebook, has been landed on our internal fork, and has been running in production for weeks.

@asfgit
Copy link

asfgit commented Oct 27, 2018

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/PreCommit-ZOOKEEPER-github-pr-build/2531/

@ivmaykov ivmaykov force-pushed the ZOOKEEPER-3176 branch 2 times, most recently from 0e4c55a to 94ee042 Compare October 30, 2018 00:34
@asfgit
Copy link

asfgit commented Oct 30, 2018

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/PreCommit-ZOOKEEPER-github-pr-build/2535/

@asfgit
Copy link

asfgit commented Oct 30, 2018

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/PreCommit-ZOOKEEPER-github-pr-build/2539/

@ivmaykov ivmaykov force-pushed the ZOOKEEPER-3176 branch 2 times, most recently from d0d2943 to 3ddba01 Compare October 31, 2018 01:25
@asfgit
Copy link

asfgit commented Oct 31, 2018

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/PreCommit-ZOOKEEPER-github-pr-build/2541/

@asfgit
Copy link

asfgit commented Oct 31, 2018

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/PreCommit-ZOOKEEPER-github-pr-build/2545/

@ivmaykov ivmaykov force-pushed the ZOOKEEPER-3176 branch 2 times, most recently from 327ced4 to 4b9ee4e Compare November 1, 2018 17:59
@asfgit
Copy link

asfgit commented Nov 1, 2018

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/PreCommit-ZOOKEEPER-github-pr-build/2558/

@asfgit
Copy link

asfgit commented Nov 1, 2018

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/PreCommit-ZOOKEEPER-github-pr-build/2562/

@asfgit
Copy link

asfgit commented Nov 2, 2018

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/PreCommit-ZOOKEEPER-github-pr-build/2567/

@asfgit
Copy link

asfgit commented Nov 2, 2018

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/PreCommit-ZOOKEEPER-github-pr-build/2569/

@ivmaykov ivmaykov force-pushed the ZOOKEEPER-3176 branch 2 times, most recently from befadaf to 70051f9 Compare November 2, 2018 22:13
@asfgit
Copy link

asfgit commented Nov 2, 2018

Refer to this link for build results (access rights to CI server needed):
https://builds.apache.org/job/PreCommit-ZOOKEEPER-github-pr-build/2572/

@ivmaykov ivmaykov mentioned this pull request Nov 29, 2018
Closed
@ivmaykov ivmaykov force-pushed the ZOOKEEPER-3176 branch 2 times, most recently from 758873f to 618732b Compare December 6, 2018 22:38
@ivmaykov ivmaykov force-pushed the ZOOKEEPER-3176 branch 2 times, most recently from 90fd62e to 0eae6a0 Compare December 17, 2018 18:34
@ivmaykov ivmaykov closed this Dec 17, 2018
@ivmaykov ivmaykov reopened this Dec 17, 2018
@ivmaykov ivmaykov closed this Dec 17, 2018
@ivmaykov ivmaykov reopened this Dec 17, 2018
@ivmaykov ivmaykov closed this Dec 17, 2018
@ivmaykov ivmaykov reopened this Dec 17, 2018
@ivmaykov
Copy link
Contributor Author

It looks like a test I added in my last PR is flaky. @anmolnar let's get #739 landed then I will rebase this.

@ivmaykov ivmaykov closed this Dec 20, 2018
@ivmaykov ivmaykov reopened this Dec 20, 2018
@ivmaykov ivmaykov mentioned this pull request Jan 12, 2019
Closed
anmolnar
anmolnar approved these changes Jan 14, 2019
View reviewed changes
Copy link
Contributor

@anmolnar anmolnar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 Awesome patch.
Just a small nitpick.

zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java Outdated
* since we can create different X509Util instances with different configurations in a single test process, and
* unit test interactions between them.
*/
public class SSLContextAndOptions {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this class is big enough to live in a separate file.

@ivmaykov
Copy link
Contributor Author

@anmolnar done

anmolnar
anmolnar approved these changes Jan 17, 2019
View reviewed changes
Copy link
Contributor

@anmolnar anmolnar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 Great work!

@asfgit asfgit closed this in 0f44fd9 Jan 24, 2019
asfgit pushed a commit that referenced this pull request Jan 24, 2019
@ivmaykov @anmolnar
ZOOKEEPER-3176: Quorum TLS - add SSL config options
d451248 
Add  SSL config options for enabled protocols and client auth mode.
Improve handling of SSL config options for protocols and cipher suites - previously these came from system properties, now they can come from ZKConfig which means they are easier to isolate in tests, and now we don't need to parse system properties every time we create a secure socket.

## Added more options for ssl settings to X509Util and encapsulate them better
- previously, some SSL settings came from a `ZKConfig` and others came from global `System.getProperties()`. This made it hard to isolate certain settings in tests.
- now all SSL-related settings come from the `ZKConfig` object used to create the SSL context
- new settings added:
- `zookeeper.ssl(.quorum).enabledProtocols` - list of enabled protocols. If not set, defaults to a single-entry list with the value of `zookeeper.ssl(.quorum).protocol`.
- `zookeeper.ssl(.quorum).clientAuth` - can be "NONE", "WANT", or "NEED". This controls whether the server doesn't want / allows / requires the client to present an X509 certificate.
- `zookeeper.ssl(.quorum).handshakeDetectionTimeoutMillis` - timeout for the first read of 5 bytes to detect the transport mode (TLS or plaintext) of a client connection made to a `UnifiedServerSocket`

Author: Ilya Maykov <[email protected]>

Reviewers: [email protected]

Closes #681 from ivmaykov/ZOOKEEPER-3176

(cherry picked from commit 0f44fd9)
Signed-off-by: Andor Molnar <[email protected]>
@anmolnar
Copy link
Contributor

Merged to master and 3.5 branches.
Thanks @ivmaykov !

@ivmaykov ivmaykov mentioned this pull request Jan 24, 2019
Closed
RokLenarcic pushed a commit to RokLenarcic/zookeeper that referenced this pull request Sep 3, 2022
@ivmaykov @RokLenarcic
ZOOKEEPER-3176: Quorum TLS - add SSL config options
299f6f3 
Add  SSL config options for enabled protocols and client auth mode.
Improve handling of SSL config options for protocols and cipher suites - previously these came from system properties, now they can come from ZKConfig which means they are easier to isolate in tests, and now we don't need to parse system properties every time we create a secure socket.

## Added more options for ssl settings to X509Util and encapsulate them better
- previously, some SSL settings came from a `ZKConfig` and others came from global `System.getProperties()`. This made it hard to isolate certain settings in tests.
- now all SSL-related settings come from the `ZKConfig` object used to create the SSL context
- new settings added:
- `zookeeper.ssl(.quorum).enabledProtocols` - list of enabled protocols. If not set, defaults to a single-entry list with the value of `zookeeper.ssl(.quorum).protocol`.
- `zookeeper.ssl(.quorum).clientAuth` - can be "NONE", "WANT", or "NEED". This controls whether the server doesn't want / allows / requires the client to present an X509 certificate.
- `zookeeper.ssl(.quorum).handshakeDetectionTimeoutMillis` - timeout for the first read of 5 bytes to detect the transport mode (TLS or plaintext) of a client connection made to a `UnifiedServerSocket`

Author: Ilya Maykov <[email protected]>

Reviewers: [email protected]

Closes apache#681 from ivmaykov/ZOOKEEPER-3176
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@anmolnar anmolnar anmolnar approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ivmaykov @asfgit @anmolnar