New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ZOOKEEPER-3806: TLS - dynamic loading for client trust/key store #1839
Conversation
2 workflows awaiting approval (First-time contributor) |
@symat Could you pls review this PR? |
Agreed. This is a great feature to have. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1
Nice work
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thank you for the contribution!
this is a very nice feature, I like the test too!!
Can you please add documentation for this new configuration near to the other ssl configs on our admin page? https://github.com/apache/zookeeper/blob/master/zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md
using "new in 3.5.9"
@symat Updated the documentation with the new configuration. |
|
||
* *client.certReload* : | ||
(Java system property: **zookeeper.client.certReload**) | ||
**New in 3.5.9:** |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sorry @mathew-manu , I asked you to document this as "new in 3.5.9", it should be 3.9.0. Can you change it? I can merge after that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated the version to 3.9.0
} | ||
} | ||
} | ||
|
||
public static ServerAuthenticationProvider getServerProvider(String scheme) { | ||
return WrappedAuthenticationProvider.wrap(getProvider(scheme)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
THREAD_SAFETY_VIOLATION: Read/Write race. Non-private method ProviderRegistry.getServerProvider(...)
indirectly reads without synchronization from auth.ProviderRegistry.initialized
. Potentially races with write in method ProviderRegistry.reset()
.
Reporting because another access to the same memory occurs on a background thread, although this access may not.
(at-me in a reply with help
or ignore
)
Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ProviderRegistry.reset() is only called from test.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks!! merging it now to master
@eolivelli @symat can we get this merged into 3.7 and 3.8 too? We are on 3.7 and it would be great if this can be supported in 3.7. Do we need to open a new JIRA? Please let me know if anything I can help. Thanks. |
Hello @li4wang ! If we would do that, then I think no new Jira is necessary, but we would need two new github PRs targeting branch-3.7 and branch-3.8. Also we would need a small PR on master, fixing the documentation about the version numbers (since when this feature is available... like "New in 3.7.2, 3.8.1, 3.9.0") Just for your info: it is perfectly normal and legal (many of us actually do this) to build your own ZooKeeper version, based on a branch you are familiar with / tested before, adding only a few commits from later branches. Then use this in production. Building ZooKeeper is quite simple (use jdk8 and a relatively recent maven, then simply |
I am +1 to port this to 3.8 and to 3.7.
Every Apache product is meant to be consumed from the Source code, but ONLY using the Source Tarballs that have been approved with a formal and official VOTE. |
That's great! Thanks @symat and @eolivelli. I will open a JIRA and create PRs for 3.7 and 3.8. |
ZooKeer currently has support for reloading the Quorum Truststore & Keystore automatically when the certificate files change in the filesystem without server restart (apache#680) However, Reloading of key and trust store for **ClientX509Util** is not present; i.e., the server presented certs to the clients will not get reloaded automatically if the certificates in the filesystem change, short-lived certs requires the process restart. Changes: - A new config property "zookeeper.client.certReload" is added, if it's true - ClientX509Util is reloaded automatically. - ZK uses an _X509AuthenticationProvider_ which is backed by an X509TrustManager and an X509KeyManager to perform _remote host certificate authentication_. We need to update the X509AuthenticationProvider's TrustStore as part of the X509Util file-watcher. - Junit test case to verify the cert reload. Author: Manu Mathew <manu.mathew@netapp.com> Author: mathewmanu <manmathew@cs.stonybrook.edu> Author: Manu Mathew <101424654+mathew-manu@users.noreply.github.com> Reviewers: Enrico Olivelli <eolivelli@apache.org>, Mate Szalay-Beko <symat@apache.org> Closes apache#1839 from mathew-manu/ZOOKEEPER-3806
ZooKeer currently has support for reloading the Quorum Truststore & Keystore automatically when the certificate files change in the filesystem without server restart (apache#680) However, Reloading of key and trust store for **ClientX509Util** is not present; i.e., the server presented certs to the clients will not get reloaded automatically if the certificates in the filesystem change, short-lived certs requires the process restart. Changes: - A new config property "zookeeper.client.certReload" is added, if it's true - ClientX509Util is reloaded automatically. - ZK uses an _X509AuthenticationProvider_ which is backed by an X509TrustManager and an X509KeyManager to perform _remote host certificate authentication_. We need to update the X509AuthenticationProvider's TrustStore as part of the X509Util file-watcher. - Junit test case to verify the cert reload. Author: Manu Mathew <manu.mathew@netapp.com> Author: mathewmanu <manmathew@cs.stonybrook.edu> Author: Manu Mathew <101424654+mathew-manu@users.noreply.github.com> Reviewers: Enrico Olivelli <eolivelli@apache.org>, Mate Szalay-Beko <symat@apache.org> Closes apache#1839 from mathew-manu/ZOOKEEPER-3806
ZooKeer currently has support for reloading the Quorum Truststore & Keystore automatically when the certificate files change in the filesystem without server restart (apache#680) However, Reloading of key and trust store for **ClientX509Util** is not present; i.e., the server presented certs to the clients will not get reloaded automatically if the certificates in the filesystem change, short-lived certs requires the process restart. Changes: - A new config property "zookeeper.client.certReload" is added, if it's true - ClientX509Util is reloaded automatically. - ZK uses an _X509AuthenticationProvider_ which is backed by an X509TrustManager and an X509KeyManager to perform _remote host certificate authentication_. We need to update the X509AuthenticationProvider's TrustStore as part of the X509Util file-watcher. - Junit test case to verify the cert reload. Author: Manu Mathew <manu.mathew@netapp.com> Author: mathewmanu <manmathew@cs.stonybrook.edu> Author: Manu Mathew <101424654+mathew-manu@users.noreply.github.com> Reviewers: Enrico Olivelli <eolivelli@apache.org>, Mate Szalay-Beko <symat@apache.org> Closes apache#1839 from mathew-manu/ZOOKEEPER-3806
Backporting ZOOKEEPER-4468 to branch-3.8 This is cherry-pick from apache#1839. This PR is the same as the apache#1839 on the master branch, only changing the documentation about the version numbers. ZooKeer currently has support for reloading the Quorum Truststore & Keystore automatically when the certificate files change in the filesystem without server restart (apache#680) However, Reloading of key and trust store for **ClientX509Util** is not present; i.e., the server presented certs to the clients will not get reloaded automatically if the certificates in the filesystem change, short-lived certs requires the process restart. Changes: - A new config property "zookeeper.client.certReload" is added, if it's true - ClientX509Util is reloaded automatically. - ZK uses an _X509AuthenticationProvider_ which is backed by an X509TrustManager and an X509KeyManager to perform _remote host certificate authentication_. We need to update the X509AuthenticationProvider's TrustStore as part of the X509Util file-watcher. - Junit test case to verify the cert reload.
ZooKeer currently has support for reloading the Quorum Truststore & Keystore automatically when the certificate files change in the filesystem without server restart (apache#680) However, Reloading of key and trust store for **ClientX509Util** is not present; i.e., the server presented certs to the clients will not get reloaded automatically if the certificates in the filesystem change, short-lived certs requires the process restart. Changes: - A new config property "zookeeper.client.certReload" is added, if it's true - ClientX509Util is reloaded automatically. - ZK uses an _X509AuthenticationProvider_ which is backed by an X509TrustManager and an X509KeyManager to perform _remote host certificate authentication_. We need to update the X509AuthenticationProvider's TrustStore as part of the X509Util file-watcher. - Junit test case to verify the cert reload. Author: Manu Mathew <manu.mathew@netapp.com> Author: mathewmanu <manmathew@cs.stonybrook.edu> Author: Manu Mathew <101424654+mathew-manu@users.noreply.github.com> Reviewers: Enrico Olivelli <eolivelli@apache.org>, Mate Szalay-Beko <symat@apache.org> Closes apache#1839 from mathew-manu/ZOOKEEPER-3806
This is cherry-pick from apache#1839. This PR is the same as the apache#1839 on the master branch, only changing the documentation about the version numbers. Signed-off-by: Li Wang <li4wang@gmail.com>
ZooKeer currently has support for reloading the Quorum Truststore & Keystore automatically when the certificate files change in the filesystem without server restart (apache#680) However, Reloading of key and trust store for **ClientX509Util** is not present; i.e., the server presented certs to the clients will not get reloaded automatically if the certificates in the filesystem change, short-lived certs requires the process restart. Changes: - A new config property "zookeeper.client.certReload" is added, if it's true - ClientX509Util is reloaded automatically. - ZK uses an _X509AuthenticationProvider_ which is backed by an X509TrustManager and an X509KeyManager to perform _remote host certificate authentication_. We need to update the X509AuthenticationProvider's TrustStore as part of the X509Util file-watcher. - Junit test case to verify the cert reload. Author: Manu Mathew <manu.mathew@netapp.com> Author: mathewmanu <manmathew@cs.stonybrook.edu> Author: Manu Mathew <101424654+mathew-manu@users.noreply.github.com> Reviewers: Enrico Olivelli <eolivelli@apache.org>, Mate Szalay-Beko <symat@apache.org> Closes apache#1839 from mathew-manu/ZOOKEEPER-3806
This is cherry-pick from apache#1839. This PR is the same as the apache#1839 on the master branch, only changing the documentation about the version numbers. Signed-off-by: Li Wang <li4wang@gmail.com>
This is cherry-pick from apache#1839. This PR is the same as the apache#1839 on the master branch, only changing the documentation about the version numbers. Signed-off-by: Li Wang <li4wang@gmail.com> ZOOKEEPER-4546 Backport auto reloading client key/trust store to 3.8 This is cherry-pick from apache#1839. This PR is the same as the apache#1839 on the master branch, only changing the documentation about the version numbers. Signed-off-by: Li Wang <li4wang@gmail.com>
This is cherry-pick from apache#1839. This PR is the same as the apache#1839 on the master branch, only changing the documentation about the version numbers. Signed-off-by: Li Wang <li4wang@gmail.com>
This is cherry-pick from apache#1839. This PR is the same as the apache#1839 on the master branch, only changing the documentation about the version numbers. Signed-off-by: Li Wang <li4wang@gmail.com> ZOOKEEPER-4546 Backport auto reloading client key/trust store to 3.8 This is cherry-pick from apache#1839. This PR is the same as the apache#1839 on the master branch, only changing the documentation about the version numbers. Signed-off-by: Li Wang <li4wang@gmail.com>
This is cherry-pick from apache#1839. This PR is the same as the apache#1839 on the master branch, only changing the documentation about the version numbers. Signed-off-by: Li Wang <li4wang@gmail.com> ZOOKEEPER-4546 Backport auto reloading client key/trust store to 3.8 This is cherry-pick from apache#1839. This PR is the same as the apache#1839 on the master branch, only changing the documentation about the version numbers. Signed-off-by: Li Wang <li4wang@gmail.com>
ZOOKEEPER-4545 Backport auto reloading client key/trust store to 3.7 This is cherry-pick from #1839. This PR is the same as the #1839 on the master branch, only changing the documentation about the version numbers. Signed-off-by: Li Wang <li4wanggmail.com> Author: Manu Mathew <manu.mathew@netapp.com> Reviewers: Enrico Olivelli <eolivelli@apache.org>, Mate Szalay-Beko <symat@apache.org> Closes #1884 from li4wang/ZOOKEEPER-4545
ZooKeer currently has support for reloading the Quorum Truststore & Keystore automatically when the certificate files change in the filesystem without server restart (apache#680) However, Reloading of key and trust store for **ClientX509Util** is not present; i.e., the server presented certs to the clients will not get reloaded automatically if the certificates in the filesystem change, short-lived certs requires the process restart. Changes: - A new config property "zookeeper.client.certReload" is added, if it's true - ClientX509Util is reloaded automatically. - ZK uses an _X509AuthenticationProvider_ which is backed by an X509TrustManager and an X509KeyManager to perform _remote host certificate authentication_. We need to update the X509AuthenticationProvider's TrustStore as part of the X509Util file-watcher. - Junit test case to verify the cert reload. Author: Manu Mathew <manu.mathew@netapp.com> Author: mathewmanu <manmathew@cs.stonybrook.edu> Author: Manu Mathew <101424654+mathew-manu@users.noreply.github.com> Reviewers: Enrico Olivelli <eolivelli@apache.org>, Mate Szalay-Beko <symat@apache.org> Closes apache#1839 from mathew-manu/ZOOKEEPER-3806
ZooKeer currently has support for reloading the Quorum Truststore & Keystore automatically when the certificate files change in the filesystem without server restart (apache#680) However, Reloading of key and trust store for **ClientX509Util** is not present; i.e., the server presented certs to the clients will not get reloaded automatically if the certificates in the filesystem change, short-lived certs requires the process restart. Changes: - A new config property "zookeeper.client.certReload" is added, if it's true - ClientX509Util is reloaded automatically. - ZK uses an _X509AuthenticationProvider_ which is backed by an X509TrustManager and an X509KeyManager to perform _remote host certificate authentication_. We need to update the X509AuthenticationProvider's TrustStore as part of the X509Util file-watcher. - Junit test case to verify the cert reload. Author: Manu Mathew <manu.mathew@netapp.com> Author: mathewmanu <manmathew@cs.stonybrook.edu> Author: Manu Mathew <101424654+mathew-manu@users.noreply.github.com> Reviewers: Enrico Olivelli <eolivelli@apache.org>, Mate Szalay-Beko <symat@apache.org> Closes apache#1839 from mathew-manu/ZOOKEEPER-3806 Co-authored-by: Manu Mathew <manu.mathew@netapp.com>
ZooKeer currently has support for reloading the Quorum Truststore & Keystore automatically when the certificate files change in the filesystem without server restart (apache#680) However, Reloading of key and trust store for **ClientX509Util** is not present; i.e., the server presented certs to the clients will not get reloaded automatically if the certificates in the filesystem change, short-lived certs requires the process restart. Changes: - A new config property "zookeeper.client.certReload" is added, if it's true - ClientX509Util is reloaded automatically. - ZK uses an _X509AuthenticationProvider_ which is backed by an X509TrustManager and an X509KeyManager to perform _remote host certificate authentication_. We need to update the X509AuthenticationProvider's TrustStore as part of the X509Util file-watcher. - Junit test case to verify the cert reload. Author: Manu Mathew <manu.mathew@netapp.com> Author: mathewmanu <manmathew@cs.stonybrook.edu> Author: Manu Mathew <101424654+mathew-manu@users.noreply.github.com> Reviewers: Enrico Olivelli <eolivelli@apache.org>, Mate Szalay-Beko <symat@apache.org> Closes apache#1839 from mathew-manu/ZOOKEEPER-3806
ZooKeer currently has support for reloading the Quorum Truststore & Keystore automatically when the certificate files change in the filesystem without server restart (apache#680) However, Reloading of key and trust store for **ClientX509Util** is not present; i.e., the server presented certs to the clients will not get reloaded automatically if the certificates in the filesystem change, short-lived certs requires the process restart. Changes: - A new config property "zookeeper.client.certReload" is added, if it's true - ClientX509Util is reloaded automatically. - ZK uses an _X509AuthenticationProvider_ which is backed by an X509TrustManager and an X509KeyManager to perform _remote host certificate authentication_. We need to update the X509AuthenticationProvider's TrustStore as part of the X509Util file-watcher. - Junit test case to verify the cert reload. Author: Manu Mathew <manu.mathew@netapp.com> Author: mathewmanu <manmathew@cs.stonybrook.edu> Author: Manu Mathew <101424654+mathew-manu@users.noreply.github.com> Reviewers: Enrico Olivelli <eolivelli@apache.org>, Mate Szalay-Beko <symat@apache.org> Closes apache#1839 from mathew-manu/ZOOKEEPER-3806 Co-authored-by: Manu Mathew <manu.mathew@netapp.com>
ZooKeer currently has support for reloading the Quorum Truststore & Keystore automatically when the certificate files change in the filesystem without server restart (#680)
However, Reloading of key and trust store for ClientX509Util is not present; i.e., the server presented certs to the clients will not get reloaded automatically if the certificates in the filesystem change, short-lived certs requires the process restart.
Changes:
A new config property "zookeeper.client.certReload" is added, if it's true - ClientX509Util is reloaded automatically.
ZK uses an X509AuthenticationProvider which is backed by an X509TrustManager and an X509KeyManager to perform remote host certificate authentication. We need to update the X509AuthenticationProvider's TrustStore as part of the X509Util file-watcher.
Junit test case to verify the cert reload.