This is an automated email from the ASF dual-hosted git repository.
ddiederen pushed a commit to branch branch-3.7
in repository https://gitbox.apache.org/repos/asf/zookeeper.git
The following commit(s) were added to refs/heads/branch-3.7 by this push:
new 3a084f2 ZOOKEEPER-4259: Allow AdminServer to force https
3a084f2 is described below
commit 3a084f2f20dc771455c4825f4fbf4ff1f641793a
Author: Norbert Kalmar <[email protected]>
AuthorDate: Thu Mar 25 09:48:24 2021 +0000
ZOOKEEPER-4259: Allow AdminServer to force https
Initial commit to allow adminServer to only serve HTTPS requests
Questions:
-Is this fine that I stayed with portunification, or should we have a
seperate secure port?
Author: Norbert Kalmar <[email protected]>
Reviewers: Mate Szalay-Beko <[email protected]>, Enrico Olivelli
<[email protected]>
Closes #1652 from nkalmar/ZOOKEEPER-2512
(cherry picked from commit 0b6862e3aadbb8980a09a673c08c438ae5da2e81)
Signed-off-by: Damien Diederen <[email protected]>
---
.../src/main/resources/markdown/zookeeperAdmin.md | 9 ++++++
.../zookeeper/server/admin/JettyAdminServer.java | 23 ++++++++++-----
.../server/admin/JettyAdminServerTest.java | 33 ++++++++++++++++++++++
3 files changed, 58 insertions(+), 7 deletions(-)
diff --git a/zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md
b/zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md
index 83011a1..1c59ce0 100644
--- a/zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md
+++ b/zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md
@@ -2035,6 +2035,15 @@ Both subsystems need to have sufficient amount of
threads to achieve peak read t
#### AdminServer configuration
+**New in 3.7.1:** The following
+options are used to configure the [AdminServer](#sc_adminserver).
+
+* *admin.forceHttps* :
+ (Java system property: **zookeeper.admin.forceHttps**)
+ Force AdminServer to use SSL, thus allowing only HTTPS traffic.
+ Defaults to disabled.
+ Overwrites **admin.portUnification** settings.
+
**New in 3.6.0:** The following
options are used to configure the [AdminServer](#sc_adminserver).
diff --git
a/zookeeper-server/src/main/java/org/apache/zookeeper/server/admin/JettyAdminServer.java
b/zookeeper-server/src/main/java/org/apache/zookeeper/server/admin/JettyAdminServer.java
index aa18cfb..d2c7217 100644
---
a/zookeeper-server/src/main/java/org/apache/zookeeper/server/admin/JettyAdminServer.java
+++
b/zookeeper-server/src/main/java/org/apache/zookeeper/server/admin/JettyAdminServer.java
@@ -40,6 +40,7 @@ import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
+import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;
import org.eclipse.jetty.util.security.Constraint;
@@ -85,7 +86,8 @@ public class JettyAdminServer implements AdminServer {
Integer.getInteger("zookeeper.admin.idleTimeout",
DEFAULT_IDLE_TIMEOUT),
System.getProperty("zookeeper.admin.commandURL",
DEFAULT_COMMAND_URL),
Integer.getInteger("zookeeper.admin.httpVersion",
DEFAULT_HTTP_VERSION),
- Boolean.getBoolean("zookeeper.admin.portUnification"));
+ Boolean.getBoolean("zookeeper.admin.portUnification"),
+ Boolean.getBoolean("zookeeper.admin.forceHttps"));
}
public JettyAdminServer(
@@ -94,7 +96,8 @@ public class JettyAdminServer implements AdminServer {
int timeout,
String commandUrl,
int httpVersion,
- boolean portUnification) throws IOException, GeneralSecurityException {
+ boolean portUnification,
+ boolean forceHttps) throws IOException, GeneralSecurityException {
this.port = port;
this.idleTimeout = timeout;
@@ -104,7 +107,7 @@ public class JettyAdminServer implements AdminServer {
server = new Server();
ServerConnector connector = null;
- if (!portUnification) {
+ if (!portUnification && !forceHttps) {
connector = new ServerConnector(server);
} else {
SecureRequestCustomizer customizer = new SecureRequestCustomizer();
@@ -140,10 +143,16 @@ public class JettyAdminServer implements AdminServer {
sslContextFactory.setTrustStore(trustStore);
sslContextFactory.setTrustStorePassword(certAuthPassword);
- connector = new ServerConnector(
- server,
- new UnifiedConnectionFactory(sslContextFactory,
HttpVersion.fromVersion(httpVersion).asString()),
- new HttpConnectionFactory(config));
+ if (forceHttps) {
+ connector = new ServerConnector(server,
+ new SslConnectionFactory(sslContextFactory,
HttpVersion.fromVersion(httpVersion).asString()),
+ new HttpConnectionFactory(config));
+ } else {
+ connector = new ServerConnector(
+ server,
+ new UnifiedConnectionFactory(sslContextFactory,
HttpVersion.fromVersion(httpVersion).asString()),
+ new HttpConnectionFactory(config));
+ }
}
}
diff --git
a/zookeeper-server/src/test/java/org/apache/zookeeper/server/admin/JettyAdminServerTest.java
b/zookeeper-server/src/test/java/org/apache/zookeeper/server/admin/JettyAdminServerTest.java
index 7e7f049..9cafebb 100644
---
a/zookeeper-server/src/test/java/org/apache/zookeeper/server/admin/JettyAdminServerTest.java
+++
b/zookeeper-server/src/test/java/org/apache/zookeeper/server/admin/JettyAdminServerTest.java
@@ -20,11 +20,13 @@ package org.apache.zookeeper.server.admin;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.junit.jupiter.api.Assertions.fail;
import java.io.BufferedReader;
import java.io.File;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
+import java.net.SocketException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.Security;
@@ -143,6 +145,7 @@ public class JettyAdminServerTest extends ZKTestCase {
System.clearProperty("zookeeper.ssl.quorum.trustStore.password");
System.clearProperty("zookeeper.ssl.quorum.trustStore.type");
System.clearProperty("zookeeper.admin.portUnification");
+ System.clearProperty("zookeeper.admin.forceHttps");
}
/**
@@ -234,6 +237,36 @@ public class JettyAdminServerTest extends ZKTestCase {
"waiting for server 2 down");
}
+ @Test
+ public void testForceHttpsPortUnificationEnabled() throws Exception {
+ testForceHttps(true);
+ }
+
+ @Test
+ public void testForceHttpsPortUnificationDisabled() throws Exception {
+ testForceHttps(false);
+ }
+
+ private void testForceHttps(boolean portUnification) throws Exception {
+ System.setProperty("zookeeper.admin.forceHttps", "true");
+ System.setProperty("zookeeper.admin.portUnification",
String.valueOf(portUnification));
+ boolean httpsPassed = false;
+
+ JettyAdminServer server = new JettyAdminServer();
+ try {
+ server.start();
+ queryAdminServer(String.format(HTTPS_URL_FORMAT, jettyAdminPort),
true);
+ httpsPassed = true;
+ queryAdminServer(String.format(URL_FORMAT, jettyAdminPort), false);
+ fail("http call should have failed since forceHttps=true");
+ } catch (SocketException se) {
+ //good
+ } finally {
+ server.shutdown();
+ }
+ assertTrue(httpsPassed);
+ }
+
/**
* Check that we can load the commands page of an AdminServer running at
* localhost:port. (Note that this should work even if no zk server is
set.)
