[HBASE-28038] Add TLS settings to ZooKeeper client - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 3.0.0-alpha-4, 2.4.17, 2.5.5
Fix Version/s: 2.6.0, 2.4.18, 2.5.6, 3.0.0-beta-1
Component/s: Zookeeper
Labels:
- ssl
- tls
- zookeeper

Description

ZooKeeper supports TLS connection from its clients. Currently the only way to set up HBase for this is to add the following Java properties to the HBase process:

        -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty 
        -Dzookeeper.client.secure=true 
        -Dzookeeper.ssl.keyStore.location=/path/to/keystore.jks 
        -Dzookeeper.ssl.keyStore.password=password 
        -Dzookeeper.ssl.trustStore.location=/path/to/truststore.jks 
        -Dzookeeper.ssl.trustStore.password=password

KeyStore is only needed if ZooKeeper server wants client certificate to be provided.

I'd like to add these options to hbase-site.xml in the following way:

hbase.zookeeper.property.clientCnxnSocket
hbase.zookeeper.property.client.secure
hbase.zookeeper.property.ssl.keyStore.location
hbase.zookeeper.property.ssl.keyStore.password or hbase.zookeeper.property.ssl.keyStore.passwordPath
...

It will follow the way that we already do for ZooKeeper clientPort and quorum settings. ("hbase.zookeeper.property.clientPort", "hbase.zookeeper.quorum")

Attachments

Issue Links

links to

GitHub Pull Request #5370

Sub-Tasks

1.	Add documentation to HBase book		Resolved	Andor Molnar
2.	Add trust/key store type to ZK TLS settings handled by HBase		Resolved	Andor Molnar

Activity

People

Assignee:: Andor Molnar

Reporter:: Andor Molnar

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 22/Aug/23 16:36

Updated:: 26/Dec/23 10:02

Resolved:: 05/Sep/23 09:44