This is an automated email from the ASF dual-hosted git repository.
anmolnar pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/zookeeper.git
The following commit(s) were added to refs/heads/master by this push:
new ed28ce78b ZOOKEEPER-5047: Make PrometheusMetricsProvider KeyStore type
detection consistent
ed28ce78b is described below
commit ed28ce78ba36dffc4fe634862418d80895bfc242
Author: Dávid Paksy <[email protected]>
AuthorDate: Wed May 13 19:30:47 2026 +0200
ZOOKEEPER-5047: Make PrometheusMetricsProvider KeyStore type detection
consistent
Reviewers: meszibalu, anmolnar
Author: PDavid
Closes #2385 from
PDavid/ZOOKEEPER-5047-PrometheusMetricsProvider-KeyStore-type
---
.../src/main/resources/markdown/zookeeperAdmin.md | 4 +--
.../prometheus/PrometheusMetricsProvider.java | 30 ++++++++++++++--------
2 files changed, 21 insertions(+), 13 deletions(-)
diff --git a/zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md
b/zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md
index c87ce053e..1889faee3 100644
--- a/zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md
+++ b/zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md
@@ -2326,7 +2326,7 @@ options are used to configure the
[AdminServer](#sc_adminserver).
* *metricsProvider.ssl.keyStore.type*:
**New in 3.10.0:**
- Specifies the file format of the PrometheusMetricsProvider keystore.
Values: JKS, PEM, PKCS12 or null (detect by filename).
+ Specifies the file format of the PrometheusMetricsProvider keystore.
Values: JKS, PEM, PKCS12, BCFKS or null (detect by filename).
Default: null.
* *metricsProvider.ssl.trustStore.location* and
*metricsProvider.ssl.trustStore.password*:
@@ -2337,7 +2337,7 @@ options are used to configure the
[AdminServer](#sc_adminserver).
* *metricsProvider.ssl.trustStore.type*:
**New in 3.10.0:**
- Specifies the file format of the PrometheusMetricsProvider truststore.
Values: JKS, PEM, PKCS12 or null (detect by filename).
+ Specifies the file format of the PrometheusMetricsProvider truststore.
Values: JKS, PEM, PKCS12, BCFKS or null (detect by filename).
Default: null.
* *metricsProvider.ssl.need.client.auth*:
diff --git
a/zookeeper-metrics-providers/zookeeper-prometheus-metrics/src/main/java/org/apache/zookeeper/metrics/prometheus/PrometheusMetricsProvider.java
b/zookeeper-metrics-providers/zookeeper-prometheus-metrics/src/main/java/org/apache/zookeeper/metrics/prometheus/PrometheusMetricsProvider.java
index dc7828ddb..85cacb686 100644
---
a/zookeeper-metrics-providers/zookeeper-prometheus-metrics/src/main/java/org/apache/zookeeper/metrics/prometheus/PrometheusMetricsProvider.java
+++
b/zookeeper-metrics-providers/zookeeper-prometheus-metrics/src/main/java/org/apache/zookeeper/metrics/prometheus/PrometheusMetricsProvider.java
@@ -23,6 +23,8 @@
import io.prometheus.metrics.instrumentation.jvm.JvmMetrics;
import io.prometheus.metrics.model.registry.PrometheusRegistry;
import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
import java.util.Map;
import java.util.Objects;
import java.util.Properties;
@@ -32,6 +34,7 @@
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
+import org.apache.zookeeper.common.X509Util;
import org.apache.zookeeper.metrics.Counter;
import org.apache.zookeeper.metrics.CounterSet;
import org.apache.zookeeper.metrics.Gauge;
@@ -50,6 +53,7 @@
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;
+import org.eclipse.jetty.util.resource.Resource;
import org.eclipse.jetty.util.ssl.KeyStoreScanner;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.eclipse.jetty.util.thread.QueuedThreadPool;
@@ -144,10 +148,10 @@ public void configure(Properties configuration) throws
MetricsProviderLifeCycleE
if (this.httpsPort != -1) {
this.keyStorePath =
configuration.getProperty(SSL_KEYSTORE_LOCATION);
this.keyStorePassword =
configuration.getProperty(SSL_KEYSTORE_PASSWORD);
- this.keyStoreType = configuration.getProperty(SSL_KEYSTORE_TYPE,
"PKCS12");
+ this.keyStoreType = configuration.getProperty(SSL_KEYSTORE_TYPE);
this.trustStorePath =
configuration.getProperty(SSL_TRUSTSTORE_LOCATION);
this.trustStorePassword =
configuration.getProperty(SSL_TRUSTSTORE_PASSWORD);
- this.trustStoreType =
configuration.getProperty(SSL_TRUSTSTORE_TYPE, "PKCS12");
+ this.trustStoreType =
configuration.getProperty(SSL_TRUSTSTORE_TYPE);
this.needClientAuth =
Boolean.parseBoolean(configuration.getProperty(SSL_NEED_CLIENT_AUTH, "true"));
this.wantClientAuth =
Boolean.parseBoolean(configuration.getProperty(SSL_WANT_CLIENT_AUTH, "true"));
this.enabledProtocols =
configuration.getProperty(SSL_ENABLED_PROTOCOLS);
@@ -258,18 +262,21 @@ private void setKeyStoreScanner(SslContextFactory.Server
sslContextFactory) {
*
* @return A configured SslContextFactory.Server instance.
*/
- private SslContextFactory.Server createSslContextFactory() {
+ private SslContextFactory.Server createSslContextFactory() throws
GeneralSecurityException, IOException {
SslContextFactory.Server sslContextFactory = new
SslContextFactory.Server();
// Validate and set KeyStore properties
if (this.keyStorePath == null || this.keyStorePath.isEmpty()) {
throw new IllegalArgumentException("SSL/TLS is enabled, but '" +
SSL_KEYSTORE_LOCATION + "' is not set.");
}
- sslContextFactory.setKeyStorePath(this.keyStorePath);
+ KeyStore keyStore = X509Util.loadKeyStore(this.keyStorePath,
this.keyStorePassword, this.keyStoreType);
+ LOG.debug("Successfully loaded private key from {}",
this.keyStorePath);
+
+ sslContextFactory.setKeyStore(keyStore);
sslContextFactory.setKeyStorePassword(this.keyStorePassword);
- if (this.keyStoreType != null) {
- sslContextFactory.setKeyStoreType(this.keyStoreType);
- }
+
+ // This is needed for KeyStoreScanner to work.
+
sslContextFactory.setKeyStoreResource(Resource.newResource(this.keyStorePath));
// Validate and set TrustStore properties (often needed for client
auth)
if (this.needClientAuth && (this.trustStorePath == null ||
this.trustStorePath.isEmpty())) {
@@ -277,11 +284,12 @@ private SslContextFactory.Server
createSslContextFactory() {
"'" + SSL_NEED_CLIENT_AUTH + "' is true, but '" +
SSL_TRUSTSTORE_LOCATION + "' is not set.");
}
if (this.trustStorePath != null) {
- sslContextFactory.setTrustStorePath(this.trustStorePath);
+ KeyStore trustStore = X509Util.loadTrustStore(this.trustStorePath,
this.trustStorePassword,
+ this.trustStoreType);
+ LOG.debug("Successfully loaded certificate authority from {}",
this.trustStorePath);
+
+ sslContextFactory.setTrustStore(trustStore);
sslContextFactory.setTrustStorePassword(this.trustStorePassword);
- if (this.trustStoreType != null) {
- sslContextFactory.setTrustStoreType(this.trustStoreType);
- }
}
sslContextFactory.setNeedClientAuth(this.needClientAuth);