YARN-11468. Zookeeper SSL/TLS support

ferdelyi · Sep 25, 2023 · 8002a47 · 8002a47
1 parent bf9975a
commit 8002a47
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 2 deletions.
diff --git a/...oop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java b/...oop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java
@@ -857,6 +857,10 @@ public static boolean isAclEnabled(Configuration conf) {
   /** Zookeeper interaction configs */
   public static final String RM_ZK_PREFIX = RM_PREFIX + "zk-";
 
+  /** Enable Zookeeper SSL/TLS communication */
+  public static final String RM_ZK_CLIENT_SSL_ENABLED = RM_ZK_PREFIX + "client-ssl.enabled";
+  public static final boolean DEFAULT_RM_ZK_CLIENT_SSL_ENABLED = false;
+
   public static final String RM_ZK_ADDRESS = RM_ZK_PREFIX + "address";
 
   public static final String RM_ZK_NUM_RETRIES = RM_ZK_PREFIX + "num-retries";

diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml
@@ -741,6 +741,12 @@
     <value>1048576</value>
   </property>
 
+  <property>
+    <description>Enable SSL/TLS encryption for the ZooKeeper communication.</description>
+    <name>yarn.resourcemanager.zk-client-ssl.enabled</name>
+    <value>false</value>
+  </property>
+
   <property>
     <description>Name of the cluster. In a HA setting,
       this is used to ensure the RM participates in leader

diff --git a/...emanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ResourceManager.java b/...emanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ResourceManager.java
@@ -427,7 +427,8 @@ public ZKCuratorManager createAndStartZKManager(Configuration
       authInfos.add(authInfo);
     }
 
-    manager.start(authInfos);
+    manager.start(authInfos, config.getBoolean(YarnConfiguration.RM_ZK_CLIENT_SSL_ENABLED,
+        YarnConfiguration.DEFAULT_RM_ZK_CLIENT_SSL_ENABLED));
     return manager;
   }
 

diff --git a/...ager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestRMStoreCommands.java b/...ager/src/test/java/org/apache/hadoop/yarn/server/resourcemanager/TestRMStoreCommands.java
@@ -100,7 +100,6 @@ public void testFormatConfStoreCmdForZK() throws Exception {
           curatorFramework.checkExists().forPath(confStorePath));
     }
   }
-
   @Test
   public void testRemoveApplicationFromStateStoreCmdForZK() throws Exception {
     StateChangeRequestInfo req = new StateChangeRequestInfo(
@@ -111,6 +110,7 @@ public void testRemoveApplicationFromStateStoreCmdForZK() throws Exception {
             setupCuratorFramework(curatorTestingServer)) {
       Configuration conf = TestZKRMStateStore.createHARMConf("rm1,rm2", "rm1",
           1234, false, curatorTestingServer);
+
       ResourceManager rm = new MockRM(conf);
       rm.start();
       rm.getRMContext().getRMAdminService().transitionToActive(req);