ZooKeeper / ZOOKEEPER-1000

Provide SSL in zookeeper to be able to run cross colos.

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: 3.5.2, 3.6.0
    • Component/s: None
    • Labels:
      None

      Description

      This jira is to track SSL for zookeeper. The inter zookeeper server communication and the client to server communication should be over SSL so that zookeeper can be deployed over WANs.

        Issue Links

          Activity

          Mahadev konar created issue -
          Mahadev konar made changes -
          Field Original Value New Value
          Fix Version/s 3.5.0 [ 12316644 ]
          Fix Version/s 3.4.0 [ 12314469 ]
          Patrick Hunt made changes -
          Fix Version/s 3.5.1 [ 12326786 ]
          Fix Version/s 3.5.0 [ 12316644 ]
          Flavio Junqueira added a comment -

          +1

          Hongchao Deng added a comment -

          Flavio Junqueira
          That sounds interesting!
          What about using SSLEngine?

          aname made changes -
          Link This issue depends upon ZOOKEEPER-236 [ ZOOKEEPER-236 ]
          aname made changes -
          Link This issue depends upon ZOOKEEPER-235 [ ZOOKEEPER-235 ]
          aname added a comment -

          These are related issues which are quite old.

          aname added a comment -

          I second the ssl-engine idea Hongchao Deng suggested.

          Boying Lu added a comment -

          Is it possible to use Netty+SSL?

          Rakesh R added a comment -

          Since netty support for client-to-server communication is already in place, adding netty ssl to it would be a nice idea.

          Patrick Hunt added a comment -

          We added netty in the first place primarily to enable adding ssl support.

          Hongchao Deng added a comment -

          Netty+SSL sounds like a great idea. It might force people to start using netty. Good or bad though.

          ZK didn't have netty support for server-to-server communication. If anyone is interested, this might be a good chance to support that.

          Hongchao Deng added a comment -

          Hi Michi Mutsuzaki. Did you add SSL support on the zab project? Might be a good case to borrow from.

          Michi Mutsuzaki added a comment -

          Yes, we used netty and added ssl support:

          https://github.com/zk1931/jzab/blob/master/src/main/java/com/github/zk1931/jzab/transport/NettyTransport.java
          https://github.com/zk1931/jzab/blob/0ab137d0650b03425df7840972eb9de4ba123030/src/test/java/com/github/zk1931/jzab/transport/NettyTransportTest.java#L519

          Right now ZooKeeper supports netty only for client-to-server communication on the server side (NettyServerCnxn.java). Server-to-server communication uses java.net.Socket in Leader.java, PeerHandler.java, Learner.java, and QuorumCnxManager.java. Maybe this issue can be broken into smaller subtasks:

          • implement a netty version of ClientCnxnSocket.
          • modify Leader.java/PeerHandler.java to use netty.
          • modify Learner.java to use netty.
          • modify QuorumCnxManager.java to use netty.

          Ideally we should have "netty client socket" and "netty server socket" classes that all of these classes can reuse so that we don't repeat logic for netty pipeline initialization and things.
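
An added sketch (not part of the original comment, and not ZooKeeper or jzab code) of the shared "netty client socket" / "netty server socket" pipeline setup suggested above, written against the Netty 4.x `SslContextBuilder` API. The class name `TlsPipelines`, its method names and the PEM file parameters are assumptions made for illustration.

```java
// Added illustration: hypothetical helper, Netty 4.x API, PEM cert/key files assumed.
import io.netty.channel.ChannelInitializer;
import io.netty.channel.socket.SocketChannel;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;
import java.io.File;

public final class TlsPipelines {
    private TlsPipelines() {}

    /** Listening side: present our certificate and require one from the peer (mutual TLS). */
    public static ChannelInitializer<SocketChannel> server(File cert, File key, File trustedCa)
            throws SSLException {
        final SslContext ctx = SslContextBuilder.forServer(cert, key)
                .trustManager(trustedCa)          // only peers signed by this CA are accepted
                .clientAuth(ClientAuth.REQUIRE)   // reject connections without a client cert
                .build();
        return new ChannelInitializer<SocketChannel>() {
            @Override
            protected void initChannel(SocketChannel ch) {
                ch.pipeline().addFirst("ssl", ctx.newHandler(ch.alloc()));
            }
        };
    }

    /** Connecting side: verify the chain and that the certificate matches the host dialed. */
    public static ChannelInitializer<SocketChannel> client(File cert, File key, File trustedCa,
                                                           String host, int port) throws SSLException {
        final SslContext ctx = SslContextBuilder.forClient()
                .keyManager(cert, key)
                .trustManager(trustedCa)
                .build();
        return new ChannelInitializer<SocketChannel>() {
            @Override
            protected void initChannel(SocketChannel ch) {
                SslHandler handler = ctx.newHandler(ch.alloc(), host, port);
                SSLParameters params = handler.engine().getSSLParameters();
                params.setEndpointIdentificationAlgorithm("HTTPS"); // enable hostname verification
                handler.engine().setSSLParameters(params);
                ch.pipeline().addFirst("ssl", handler);
            }
        };
    }
}
```

Each caller would append its own codec and protocol handlers after the `"ssl"` handler, so the TLS setup is written once for both the client-to-server and the server-to-server paths.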

          Boying Lu added a comment -

          In which version will the above change be available?

          Hongchao Deng added a comment -

          Looks like netty+ssl gains more votes here. It's a good place to start supporting SSL because it encapsulates those handshake details.

          I will work on netty+ssl since I have seen the needs of a couple of users and community. Anyone who's interested can ping me as well.

          Boying Lu added a comment -

          Hi, Hongchao,

          Will this feature be available in 3.5.0 or 3.5.1?

          Hongchao Deng added a comment -

          3.5.0 has been released. Hopefully in 3.5.1.

          Boying Lu added a comment -

          Got it, thanks a lot.

          Bennie Kahler-Venter added a comment -

          I could use something like zookeeper. Without the needed SSL support on all communications, it is unusable to me.

          Michi Mutsuzaki made changes -
          Fix Version/s 3.5.2 [ 12331981 ]
          Fix Version/s 3.6.0 [ 12326518 ]
          Fix Version/s 3.5.1 [ 12326786 ]

            People

            • Assignee:
              Mahadev konar
              Reporter:
              Mahadev konar
            • Votes:
              17
              Watchers:
              27
