ZOOKEEPER-3174: Quorum TLS - support reloading trust/key store #680
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Refer to this link for build results (access rights to CI server needed): |
ivmaykov
force-pushed
the
ZOOKEEPER-3174
branch
from
65edf69
to
c37855a
Compare
|
Refer to this link for build results (access rights to CI server needed): |
eolivelli
approved these changes
Oct 26, 2018
ivmaykov
force-pushed
the
ZOOKEEPER-3174
branch
2 times, most recently
from
35045e8
to
2d3a6bb
Compare
|
Refer to this link for build results (access rights to CI server needed): |
|
Refer to this link for build results (access rights to CI server needed): |
ivmaykov
commented
Oct 27, 2018
zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java
Outdated
Show resolved
Hide resolved
ivmaykov
force-pushed
the
ZOOKEEPER-3174
branch
from
2d3a6bb
to
352fc3c
Compare
|
I should mention that this code has been internally reviewed at Facebook, has been landed on our internal fork, and has been running in production for weeks. |
|
Refer to this link for build results (access rights to CI server needed): |
ivmaykov
force-pushed
the
ZOOKEEPER-3174
branch
2 times, most recently
from
aea9fd4
to
213af71
Compare
|
Refer to this link for build results (access rights to CI server needed): |
|
Refer to this link for build results (access rights to CI server needed): |
ivmaykov
force-pushed
the
ZOOKEEPER-3174
branch
2 times, most recently
from
464501f
to
bb868d7
Compare
|
Refer to this link for build results (access rights to CI server needed): |
|
Refer to this link for build results (access rights to CI server needed): |
ivmaykov
force-pushed
the
ZOOKEEPER-3174
branch
2 times, most recently
from
1f02993
to
232232e
Compare
|
Refer to this link for build results (access rights to CI server needed): |
|
Refer to this link for build results (access rights to CI server needed): |
ivmaykov
force-pushed
the
ZOOKEEPER-3174
branch
2 times, most recently
from
bb06dc8
to
76317e4
Compare
|
@eolivelli switched to lambdas, kept the finalizer in for now but added a TODO to remove it. |
|
Refer to this link for build results (access rights to CI server needed): |
|
@ivmaykov For the future, I think it's more convenient for reviewers if you submit your commits separately instead of squashing them. Especially if you provide some feedback on code review, it's hard to locate new changes if everything is in a single patch. Commit script will squash all them eventually, so it doesn't really matter in PRs. |
ivmaykov
force-pushed
the
ZOOKEEPER-3174
branch
from
49194a6
to
cc72c08
Compare
|
@anmolnar is there anything blocking this from being merged at this point? |
|
Committed to master branch. Thanks @ivmaykov ! |
|
@anmolnar will do |
asfgit
pushed a commit
that referenced
this pull request
Dec 19, 2018
Allow reloading SSL trust stores and key stores from disk when the files on disk change. ## Added support for reloading key/trust stores when the file on disk changes - new property sslQuorumReloadCertFiles which controls the behavior for reloading the key and trust store files for QuorumX509Util. Reloading of key and trust store for ClientX509Util is not in this PR but could be added easily - this allows a ZK server to keep running on a machine that uses short-lived certs that refresh frequently without having to restart the ZK process. This is the branch-3.5 version of #680 Author: Ilya Maykov <ilyam@fb.com> Reviewers: fangmin@apache.org, andor@apache.org Closes #737 from ivmaykov/ZOOKEEPER-3174-branch3.5 and squashes the following commits: 6cc1d62 [Ilya Maykov] ZOOKEEPER-3219: Fix flaky FileChangeWatcherTest df72944 [Ilya Maykov] ZOOKEEPER-3174: Quorum TLS - support reloading trust/key store
|
@ivmaykov Appreciate commiting this PR.
I need the Does that mean, I can just add a new client config property (say something like this.. my initial testing seems to be working fine. `--- a/zookeeper-server/src/main/java/org/apache/zookeeper/server/NettyServerCnxnFactory.java I would appreciate if you could take a look and direct me to have this implemented. |
|
@MathewManu did you get ClientX509Util reload functionality working? |
asfgit
pushed a commit
that referenced
this pull request
May 6, 2022
ZooKeer currently has support for reloading the Quorum Truststore & Keystore automatically when the certificate files change in the filesystem without server restart (#680) However, Reloading of key and trust store for **ClientX509Util** is not present; i.e., the server presented certs to the clients will not get reloaded automatically if the certificates in the filesystem change, short-lived certs requires the process restart. Changes: - A new config property "zookeeper.client.certReload" is added, if it's true - ClientX509Util is reloaded automatically. - ZK uses an _X509AuthenticationProvider_ which is backed by an X509TrustManager and an X509KeyManager to perform _remote host certificate authentication_. We need to update the X509AuthenticationProvider's TrustStore as part of the X509Util file-watcher. - Junit test case to verify the cert reload. Author: Manu Mathew <manu.mathew@netapp.com> Author: mathewmanu <manmathew@cs.stonybrook.edu> Author: Manu Mathew <101424654+mathew-manu@users.noreply.github.com> Reviewers: Enrico Olivelli <eolivelli@apache.org>, Mate Szalay-Beko <symat@apache.org> Closes #1839 from mathew-manu/ZOOKEEPER-3806
li4wang
pushed a commit
to li4wang/zookeeper
that referenced
this pull request
May 23, 2022
ZooKeer currently has support for reloading the Quorum Truststore & Keystore automatically when the certificate files change in the filesystem without server restart (apache#680) However, Reloading of key and trust store for **ClientX509Util** is not present; i.e., the server presented certs to the clients will not get reloaded automatically if the certificates in the filesystem change, short-lived certs requires the process restart. Changes: - A new config property "zookeeper.client.certReload" is added, if it's true - ClientX509Util is reloaded automatically. - ZK uses an _X509AuthenticationProvider_ which is backed by an X509TrustManager and an X509KeyManager to perform _remote host certificate authentication_. We need to update the X509AuthenticationProvider's TrustStore as part of the X509Util file-watcher. - Junit test case to verify the cert reload. Author: Manu Mathew <manu.mathew@netapp.com> Author: mathewmanu <manmathew@cs.stonybrook.edu> Author: Manu Mathew <101424654+mathew-manu@users.noreply.github.com> Reviewers: Enrico Olivelli <eolivelli@apache.org>, Mate Szalay-Beko <symat@apache.org> Closes apache#1839 from mathew-manu/ZOOKEEPER-3806
li4wang
pushed a commit
to li4wang/zookeeper
that referenced
this pull request
May 23, 2022
ZooKeer currently has support for reloading the Quorum Truststore & Keystore automatically when the certificate files change in the filesystem without server restart (apache#680) However, Reloading of key and trust store for **ClientX509Util** is not present; i.e., the server presented certs to the clients will not get reloaded automatically if the certificates in the filesystem change, short-lived certs requires the process restart. Changes: - A new config property "zookeeper.client.certReload" is added, if it's true - ClientX509Util is reloaded automatically. - ZK uses an _X509AuthenticationProvider_ which is backed by an X509TrustManager and an X509KeyManager to perform _remote host certificate authentication_. We need to update the X509AuthenticationProvider's TrustStore as part of the X509Util file-watcher. - Junit test case to verify the cert reload. Author: Manu Mathew <manu.mathew@netapp.com> Author: mathewmanu <manmathew@cs.stonybrook.edu> Author: Manu Mathew <101424654+mathew-manu@users.noreply.github.com> Reviewers: Enrico Olivelli <eolivelli@apache.org>, Mate Szalay-Beko <symat@apache.org> Closes apache#1839 from mathew-manu/ZOOKEEPER-3806
li4wang
pushed a commit
to li4wang/zookeeper
that referenced
this pull request
May 24, 2022
ZooKeer currently has support for reloading the Quorum Truststore & Keystore automatically when the certificate files change in the filesystem without server restart (apache#680) However, Reloading of key and trust store for **ClientX509Util** is not present; i.e., the server presented certs to the clients will not get reloaded automatically if the certificates in the filesystem change, short-lived certs requires the process restart. Changes: - A new config property "zookeeper.client.certReload" is added, if it's true - ClientX509Util is reloaded automatically. - ZK uses an _X509AuthenticationProvider_ which is backed by an X509TrustManager and an X509KeyManager to perform _remote host certificate authentication_. We need to update the X509AuthenticationProvider's TrustStore as part of the X509Util file-watcher. - Junit test case to verify the cert reload. Author: Manu Mathew <manu.mathew@netapp.com> Author: mathewmanu <manmathew@cs.stonybrook.edu> Author: Manu Mathew <101424654+mathew-manu@users.noreply.github.com> Reviewers: Enrico Olivelli <eolivelli@apache.org>, Mate Szalay-Beko <symat@apache.org> Closes apache#1839 from mathew-manu/ZOOKEEPER-3806
li4wang
pushed a commit
to li4wang/zookeeper
that referenced
this pull request
May 24, 2022
Backporting ZOOKEEPER-4468 to branch-3.8 This is cherry-pick from apache#1839. This PR is the same as the apache#1839 on the master branch, only changing the documentation about the version numbers. ZooKeer currently has support for reloading the Quorum Truststore & Keystore automatically when the certificate files change in the filesystem without server restart (apache#680) However, Reloading of key and trust store for **ClientX509Util** is not present; i.e., the server presented certs to the clients will not get reloaded automatically if the certificates in the filesystem change, short-lived certs requires the process restart. Changes: - A new config property "zookeeper.client.certReload" is added, if it's true - ClientX509Util is reloaded automatically. - ZK uses an _X509AuthenticationProvider_ which is backed by an X509TrustManager and an X509KeyManager to perform _remote host certificate authentication_. We need to update the X509AuthenticationProvider's TrustStore as part of the X509Util file-watcher. - Junit test case to verify the cert reload.
li4wang
pushed a commit
to li4wang/zookeeper
that referenced
this pull request
May 24, 2022
ZooKeer currently has support for reloading the Quorum Truststore & Keystore automatically when the certificate files change in the filesystem without server restart (apache#680) However, Reloading of key and trust store for **ClientX509Util** is not present; i.e., the server presented certs to the clients will not get reloaded automatically if the certificates in the filesystem change, short-lived certs requires the process restart. Changes: - A new config property "zookeeper.client.certReload" is added, if it's true - ClientX509Util is reloaded automatically. - ZK uses an _X509AuthenticationProvider_ which is backed by an X509TrustManager and an X509KeyManager to perform _remote host certificate authentication_. We need to update the X509AuthenticationProvider's TrustStore as part of the X509Util file-watcher. - Junit test case to verify the cert reload. Author: Manu Mathew <manu.mathew@netapp.com> Author: mathewmanu <manmathew@cs.stonybrook.edu> Author: Manu Mathew <101424654+mathew-manu@users.noreply.github.com> Reviewers: Enrico Olivelli <eolivelli@apache.org>, Mate Szalay-Beko <symat@apache.org> Closes apache#1839 from mathew-manu/ZOOKEEPER-3806
li4wang
pushed a commit
to li4wang/zookeeper
that referenced
this pull request
May 24, 2022
ZooKeer currently has support for reloading the Quorum Truststore & Keystore automatically when the certificate files change in the filesystem without server restart (apache#680) However, Reloading of key and trust store for **ClientX509Util** is not present; i.e., the server presented certs to the clients will not get reloaded automatically if the certificates in the filesystem change, short-lived certs requires the process restart. Changes: - A new config property "zookeeper.client.certReload" is added, if it's true - ClientX509Util is reloaded automatically. - ZK uses an _X509AuthenticationProvider_ which is backed by an X509TrustManager and an X509KeyManager to perform _remote host certificate authentication_. We need to update the X509AuthenticationProvider's TrustStore as part of the X509Util file-watcher. - Junit test case to verify the cert reload. Author: Manu Mathew <manu.mathew@netapp.com> Author: mathewmanu <manmathew@cs.stonybrook.edu> Author: Manu Mathew <101424654+mathew-manu@users.noreply.github.com> Reviewers: Enrico Olivelli <eolivelli@apache.org>, Mate Szalay-Beko <symat@apache.org> Closes apache#1839 from mathew-manu/ZOOKEEPER-3806
RokLenarcic
pushed a commit
to RokLenarcic/zookeeper
that referenced
this pull request
Sep 3, 2022
Allow reloading SSL trust stores and key stores from disk when the files on disk change. ## Added support for reloading key/trust stores when the file on disk changes - new property `sslQuorumReloadCertFiles` which controls the behavior for reloading the key and trust store files for `QuorumX509Util`. Reloading of key and trust store for `ClientX509Util` is not in this PR but could be added easily - this allows a ZK server to keep running on a machine that uses short-lived certs that refresh frequently without having to restart the ZK process. Author: Ilya Maykov <ilyam@fb.com> Reviewers: andor@apache.org Closes apache#680 from ivmaykov/ZOOKEEPER-3174
anuragmadnawat1
pushed a commit
to anuragmadnawat1/zookeeper
that referenced
this pull request
Nov 2, 2022
ZooKeer currently has support for reloading the Quorum Truststore & Keystore automatically when the certificate files change in the filesystem without server restart (apache#680) However, Reloading of key and trust store for **ClientX509Util** is not present; i.e., the server presented certs to the clients will not get reloaded automatically if the certificates in the filesystem change, short-lived certs requires the process restart. Changes: - A new config property "zookeeper.client.certReload" is added, if it's true - ClientX509Util is reloaded automatically. - ZK uses an _X509AuthenticationProvider_ which is backed by an X509TrustManager and an X509KeyManager to perform _remote host certificate authentication_. We need to update the X509AuthenticationProvider's TrustStore as part of the X509Util file-watcher. - Junit test case to verify the cert reload. Author: Manu Mathew <manu.mathew@netapp.com> Author: mathewmanu <manmathew@cs.stonybrook.edu> Author: Manu Mathew <101424654+mathew-manu@users.noreply.github.com> Reviewers: Enrico Olivelli <eolivelli@apache.org>, Mate Szalay-Beko <symat@apache.org> Closes apache#1839 from mathew-manu/ZOOKEEPER-3806
anuragmadnawat1
added a commit
to anuragmadnawat1/zookeeper
that referenced
this pull request
Nov 2, 2022
ZooKeer currently has support for reloading the Quorum Truststore & Keystore automatically when the certificate files change in the filesystem without server restart (apache#680) However, Reloading of key and trust store for **ClientX509Util** is not present; i.e., the server presented certs to the clients will not get reloaded automatically if the certificates in the filesystem change, short-lived certs requires the process restart. Changes: - A new config property "zookeeper.client.certReload" is added, if it's true - ClientX509Util is reloaded automatically. - ZK uses an _X509AuthenticationProvider_ which is backed by an X509TrustManager and an X509KeyManager to perform _remote host certificate authentication_. We need to update the X509AuthenticationProvider's TrustStore as part of the X509Util file-watcher. - Junit test case to verify the cert reload. Author: Manu Mathew <manu.mathew@netapp.com> Author: mathewmanu <manmathew@cs.stonybrook.edu> Author: Manu Mathew <101424654+mathew-manu@users.noreply.github.com> Reviewers: Enrico Olivelli <eolivelli@apache.org>, Mate Szalay-Beko <symat@apache.org> Closes apache#1839 from mathew-manu/ZOOKEEPER-3806 Co-authored-by: Manu Mathew <manu.mathew@netapp.com>
anurag-harness
pushed a commit
to anurag-harness/zookeeper
that referenced
this pull request
Jan 13, 2023
ZooKeer currently has support for reloading the Quorum Truststore & Keystore automatically when the certificate files change in the filesystem without server restart (apache#680) However, Reloading of key and trust store for **ClientX509Util** is not present; i.e., the server presented certs to the clients will not get reloaded automatically if the certificates in the filesystem change, short-lived certs requires the process restart. Changes: - A new config property "zookeeper.client.certReload" is added, if it's true - ClientX509Util is reloaded automatically. - ZK uses an _X509AuthenticationProvider_ which is backed by an X509TrustManager and an X509KeyManager to perform _remote host certificate authentication_. We need to update the X509AuthenticationProvider's TrustStore as part of the X509Util file-watcher. - Junit test case to verify the cert reload. Author: Manu Mathew <manu.mathew@netapp.com> Author: mathewmanu <manmathew@cs.stonybrook.edu> Author: Manu Mathew <101424654+mathew-manu@users.noreply.github.com> Reviewers: Enrico Olivelli <eolivelli@apache.org>, Mate Szalay-Beko <symat@apache.org> Closes apache#1839 from mathew-manu/ZOOKEEPER-3806
anurag-harness
added a commit
to anurag-harness/zookeeper
that referenced
this pull request
Jan 13, 2023
ZooKeer currently has support for reloading the Quorum Truststore & Keystore automatically when the certificate files change in the filesystem without server restart (apache#680) However, Reloading of key and trust store for **ClientX509Util** is not present; i.e., the server presented certs to the clients will not get reloaded automatically if the certificates in the filesystem change, short-lived certs requires the process restart. Changes: - A new config property "zookeeper.client.certReload" is added, if it's true - ClientX509Util is reloaded automatically. - ZK uses an _X509AuthenticationProvider_ which is backed by an X509TrustManager and an X509KeyManager to perform _remote host certificate authentication_. We need to update the X509AuthenticationProvider's TrustStore as part of the X509Util file-watcher. - Junit test case to verify the cert reload. Author: Manu Mathew <manu.mathew@netapp.com> Author: mathewmanu <manmathew@cs.stonybrook.edu> Author: Manu Mathew <101424654+mathew-manu@users.noreply.github.com> Reviewers: Enrico Olivelli <eolivelli@apache.org>, Mate Szalay-Beko <symat@apache.org> Closes apache#1839 from mathew-manu/ZOOKEEPER-3806 Co-authored-by: Manu Mathew <manu.mathew@netapp.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Allow reloading SSL trust stores and key stores from disk when the files on disk change.
Added support for reloading key/trust stores when the file on disk changes
sslQuorumReloadCertFileswhich controls the behavior for reloading the key and trust store files forQuorumX509Util. Reloading of key and trust store forClientX509Utilis not in this PR but could be added easily