ZOOKEEPER-3806: TLS - dynamic loading for client trust/key store

[mathew-manu]

ZooKeer currently has support for reloading the Quorum Truststore & Keystore automatically when the certificate files change in the filesystem without server restart (#680)

However, Reloading of key and trust store for ClientX509Util is not present; i.e., the server presented certs to the clients will not get reloaded automatically if the certificates in the filesystem change, short-lived certs requires the process restart.

Changes:

• A new config property "zookeeper.client.certReload" is added, if it's true - ClientX509Util is reloaded automatically.

• ZK uses an X509AuthenticationProvider which is backed by an X509TrustManager and an X509KeyManager to perform remote host certificate authentication. We need to update the X509AuthenticationProvider's TrustStore as part of the X509Util file-watcher.

• Junit test case to verify the cert reload.

[mathew-manu]

2 workflows awaiting approval (First-time contributor)
Can someone approve the workflows?

[mathew-manu]

@symat Could you pls review this PR?
If certificates are updated on running clusters, server presented certificates to the clients are not refreshed automatically and requires process restarts. I think it's valuable to have this merged.

[li4wang]

Agreed. This is a great feature to have.

[eolivelli]

+1

Nice work

[symat]

thank you for the contribution!
this is a very nice feature, I like the test too!!

Can you please add documentation for this new configuration near to the other ssl configs on our admin page? https://github.com/apache/zookeeper/blob/master/zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md

using "new in 3.5.9"

[mathew-manu]

thank you for the contribution! this is a very nice feature, I like the test too!!

Can you please add documentation for this new configuration near to the other ssl configs on our admin page? https://github.com/apache/zookeeper/blob/master/zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md

using "new in 3.5.9"

@symat Updated the documentation with the new configuration.

[symat]

sorry  @mathew-manu , I asked you to document this as "new in 3.5.9", it should be 3.9.0. Can you change it? I can merge after that.

[mathew-manu]

Updated the version to 3.9.0

[sonatype-lift]

THREAD_SAFETY_VIOLATION: Read/Write race. Non-private method ProviderRegistry.getServerProvider(...) indirectly reads without synchronization from auth.ProviderRegistry.initialized. Potentially races with write in method ProviderRegistry.reset().
Reporting because another access to the same memory occurs on a background thread, although this access may not.

(at-me in a reply with help or ignore)

---

Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]

[mathew-manu]

ProviderRegistry.reset() is only called from test.

[symat]

thanks!! merging it now to master

[li4wang]

@eolivelli @symat can we get this merged into 3.7 and 3.8 too? We are on 3.7 and it would be great if this can be supported in 3.7. Do we need to open a new JIRA? Please let me know if anything I can help. Thanks.

[symat]

Hello @li4wang !
Normally we merge new features (like this one) only to master and we cherry-pick only the security and bug fixes to older branches. However, I see this commit to be valuable for the community and it doesn't change the default behavior. Also, I don't know when 3.9.0 will happen... so I'm open to have it backported to branch-3.8 and branch-3.7. @eolivelli what do you think?

If we would do that, then I think no new Jira is necessary, but we would need two new github PRs targeting branch-3.7 and branch-3.8. Also we would need a small PR on master, fixing the documentation about the version numbers (since when this feature is available... like "New in 3.7.2, 3.8.1, 3.9.0")

Just for your info: it is perfectly normal and legal (many of us actually do this) to build your own ZooKeeper version, based on a branch you are familiar with / tested before, adding only a few commits from later branches. Then use this in production. Building ZooKeeper is quite simple (use jdk8 and a relatively recent maven, then simply mvn clean install -DskipTests)

[eolivelli]

I am +1 to port this to 3.8 and to 3.7.

Just for your info: it is perfectly normal and legal (many of us actually do this) to build your own ZooKeeper version, based on a branch you are familiar with / tested before, adding only a few commits from later branches. Then use this in production. Building ZooKeeper is quite simple (use jdk8 and a relatively recent maven, then simply mvn clean install -DskipTests)
This is "legal" but I must add that:

• if you do this then you are not guaranteed that the project (PMC) verified the goodness of the release, so you should really know what are you doing (sometimes patches break the code and add side effects, that are fixed before releases while the community validates and blesses the release candidate).
• if you go down this path, then ensure that all the tests are passing, especially using the JDK and OS that you are going to use in production

Every Apache product is meant to be consumed from the Source code, but ONLY using the Source Tarballs that have been approved with a formal and official VOTE.

[li4wang]

That's great! Thanks @symat and @eolivelli. I will open a JIRA and create PRs for 3.7 and 3.8.

[li4wang]

https://issues.apache.org/jira/browse/ZOOKEEPER-4545 (for 3.7)
https://issues.apache.org/jira/browse/ZOOKEEPER-4546 (for 3.8)