[
https://issues.apache.org/jira/browse/HADOOP-18956?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17784665#comment-17784665
]
ASF GitHub Bot commented on HADOOP-18956:
-----------------------------------------
fapifta opened a new pull request, #6263:
URL: https://github.com/apache/hadoop/pull/6263
### Description of PR
Zookeeper based delegation token and Zookeeper based signer secret provider
are not able to use an SSL/TLS based communication even if Zookeeper is able to
handle such connections.
The pull request standardizes how ZKDelegationTokenSecretManager and
ZKSignerSecretProvider create their respective CuratorFramework instance (as
they are anyway interconnected).
In the new code, they both utilize
o.a.h.security.authentication.util.ZookeeperClient class to configure the
client based on their respective configuration values.
The change also introduces a new property in CommonConfigurationKeys, that
affects YARN as well.
The new key is `hadoop.zk.ssl.enabled`. With this new configuration the
following dynamics are true:
- if `hadoop.zk.ssl.enabled` is set then YARN will respect that and won't
use the value in `yarn.resourcemanager.zk-client-ssl.enabled` to decide if SSL
is enabled.
- if `hadoop.zk.ssl.enabled` is set then the ZKDelegationTokenSecretManager
will respect that and won't use the value in `zk-dt-secret-manager.ssl.enabled`
to decide if SSL is enabled.
- ZKSignerSecretProvider cannot respect hadoop-common configurations, as it
is in hadoop-auth, and common depends on auth, not vice versa, so it will
independently use the configured `signer.secret.provider.zookeeper.ssl.enabled`
property which defaults to false.
- DFSZKFailoverController will also respect `hadoop.zk.ssl.enabled` prior to
evaluating `dfs.ha.zkfc.client.ssl.enabled`.
`hadoop.zk.ssl.enabled` does not have a default value set.
The intent is to make it possible to enable SSL/TLS towards Zookeeper at
once, or for all 4 places separately if one wishes to do so.
ZKDelegationTokenSecretManager and ZKSignerSecretProvider have their own
Truststore and Keystore overrides; those take precedence over the related
hadoop.zk.* properties, so custom keystores and truststores can be configured
even if the common setup is already set. (DFSZKFailoverController and YARN use
the hadoop.zk.* properties and do not have custom properties to set the
truststore and keystore, as was implemented earlier).
### How was this patch tested?
Added a JUnit test that checks how the new class introduced to create the
CuratorFramework instance sets up the builder. From that point on it is
Curator's responsibility to use the configuration as expected.
Additionally, some other tests should cover the functionality that should be
provided exactly the same way as before.
> Zookeeper SSL/TLS support in ZKDelegationTokenSecretManager and
> ZKSignerSecretProvider
> --------------------------------------------------------------------------------------
>
> Key: HADOOP-18956
> URL: https://issues.apache.org/jira/browse/HADOOP-18956
> Project: Hadoop Common
> Issue Type: Improvement
> Reporter: Zita Dombi
> Assignee: István Fajth
> Priority: Major
>
> HADOOP-18709 added support for Zookeeper to communicate with SSL/TLS enabled
> in hadoop-common. With those changes we have the necessary parameters that
> we need to set to enable SSL/TLS in a ZK Client. That change also made changes
> in ZKCuratorManager, so with that it is easy to set up SSL/TLS; for YARN it
> was done in YARN-11468.
> In DelegationTokenAuthenticationFilter currently we are using
> CuratorFrameworkFactory, it'd be good to change it to use ZKCuratorManager
> and with that we should support SSL/TLS enablement.
> *UPDATE*
> So as I investigated this a bit more, it wouldn't be so easy to move to using
> ZKCuratorManager.
> DelegationTokenAuthenticationFilter uses ZK from two places: in
> ZKDelegationTokenSecretManager and in ZKSignerSecretProvider. In both places
> it uses CuratorFrameworkFactory, but the attributes and creation
> differ from ZKCuratorManager.
> In ZKDelegationTokenSecretManager it would be easy to add the new config and
> based on that create ZK with CuratorFrameworkFactory. But
> ZKSignerSecretProvider is in the hadoop-auth module and with my change it would
> need hadoop-common, so it would introduce a circular dependency between modules
> 'hadoop-auth' and 'hadoop-common'. I'm still working on a straightforward
> solution.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
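The precedence rules the PR description lists above (a common `hadoop.zk.ssl.enabled` switch that YARN, ZKDelegationTokenSecretManager and DFSZKFailoverController honour when set, while ZKSignerSecretProvider in hadoop-auth can only see its own key) are easy to get wrong in a deployment, because enabling the common switch alone leaves the signer secret provider on plaintext. The checker below is an added example, not code from the PR or from Hadoop; it assumes the five keys appear verbatim in one Hadoop-style site XML file (in a real deployment the hadoop-auth key may be carried under a filter prefix) and reports which components would still reach ZooKeeper without TLS.

```python
import xml.etree.ElementTree as ET

COMMON_KEY = "hadoop.zk.ssl.enabled"

# component -> (its own key, whether it honours COMMON_KEY).
# ZKSignerSecretProvider lives in hadoop-auth and cannot read hadoop-common
# configuration, so it only ever consults its own key.
COMPONENT_KEYS = {
    "YARN ResourceManager": ("yarn.resourcemanager.zk-client-ssl.enabled", True),
    "ZKDelegationTokenSecretManager": ("zk-dt-secret-manager.ssl.enabled", True),
    "DFSZKFailoverController": ("dfs.ha.zkfc.client.ssl.enabled", True),
    "ZKSignerSecretProvider": ("signer.secret.provider.zookeeper.ssl.enabled", False),
}

def parse_site_xml(text):
    """Read Hadoop-style <configuration><property> XML into a name -> value dict."""
    conf = {}
    for prop in ET.fromstring(text).findall("property"):
        name = prop.findtext("name")
        if name is not None:
            conf[name.strip()] = (prop.findtext("value") or "").strip()
    return conf

def to_bool(value):
    """Anything other than the literal 'true' (any case) counts as false here."""
    return value is not None and value.strip().lower() == "true"

def effective_ssl(conf):
    """Resolve, per component, whether its ZooKeeper client will use TLS."""
    common = conf.get(COMMON_KEY)  # no default in the PR: None means 'not set'
    result = {}
    for component, (own_key, honours_common) in COMPONENT_KEYS.items():
        if honours_common and common is not None:
            result[component] = to_bool(common)  # common switch wins when set
        else:
            result[component] = to_bool(conf.get(own_key))  # own key, default false
    return result

def plaintext_components(conf):
    """Components that will still talk to ZooKeeper without TLS."""
    return sorted(c for c, on in effective_ssl(conf).items() if not on)

# Constructed sample (hypothetical site file): only the common switch was enabled.
SAMPLE_XML = """<configuration>
  <property><name>hadoop.zk.ssl.enabled</name><value>true</value></property>
</configuration>"""

if __name__ == "__main__":
    for component in plaintext_components(parse_site_xml(SAMPLE_XML)):
        print(f"WARNING: {component} will connect to ZooKeeper without TLS")
```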