fapifta opened a new pull request, #6263: URL: https://github.com/apache/hadoop/pull/6263
### Description of PR

Zookeeper based delegation token and Zookeeper based signer secret provider are not able to use SSL/TLS based communication even if Zookeeper is able to handle such connections.

The pull request standardizes how ZKDelegationTokenSecretManager and ZKSignerSecretProvider create their respective CuratorFramework instance (as they are anyway interconnected). In the new code, they both utilize the o.a.h.security.authentication.util.ZookeeperClient class to configure the client based on their respective configuration values.

The change also introduces a new property in CommonConfigurationKeys that affects YARN as well. The new key is `hadoop.zk.ssl.enabled`. With this new configuration the following dynamics are true:

- if `hadoop.zk.ssl.enabled` is set then YARN will respect that and won't use the value in `yarn.resourcemanager.zk-client-ssl.enabled` to decide if SSL is enabled.
- if `hadoop.zk.ssl.enabled` is set then the ZKDelegationTokenSecretManager will respect that and won't use the value in `zk-dt-secret-manager.ssl.enabled` to decide if SSL is enabled.
- ZKSignerSecretProvider cannot respect hadoop-common configurations, as it is in hadoop-auth, and common depends on auth, not vice versa, so it will independently use the configured `signer.secret.provider.zookeeper.ssl.enabled` property, which defaults to false.
- DFSZKFailoverController will also respect `hadoop.zk.ssl.enabled` prior to evaluating `dfs.ha.zkfc.client.ssl.enabled`.

`hadoop.zk.ssl.enabled` does not have a default value set. The intent is to make it possible to enable SSL/TLS towards Zookeeper at once, or for all 4 places separately if one wishes to do so.

ZKDelegationTokenSecretManager and ZKSignerSecretProvider have their own Truststore and Keystore overrides; those take precedence over the related hadoop.zk.* properties, so custom keystores and truststores can be configured even if the common setup is already set. (DFSZKFailoverController and YARN use the hadoop.zk.* properties and do not have custom properties to set the truststore and keystore, as was implemented earlier.)

### How was this patch tested?

Added a JUnit test that checks how the new class introduced to create the CuratorFramework instance sets up the builder. From that point on it is Curator's responsibility to use the configuration as expected. Additionally some other tests should cover the functionality that should be provided exactly the same way as before.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
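The precedence rules above have a practical consequence worth checking before rolling the change out: `hadoop.zk.ssl.enabled` wins whenever it is *set*, so setting it to `false` silently turns TLS off for YARN, the delegation token secret manager and the ZKFC even where their component-specific keys say `true`, while the signer secret provider in hadoop-auth is unaffected either way. The following Python is an added example, not code from the Hadoop PR or the project: it parses a core-site.xml style document and reports, for each of the four ZooKeeper clients named in the description, whether it would use TLS and which key decided that. It assumes (as labelled in the code) that an absent component key means plaintext, which the PR text only states for the signer key, and it accepts only `true`/`false` as values; the property names are the ones quoted in the description.

```python
"""Added example (not part of the Hadoop PR): resolve which of Hadoop's four
ZooKeeper clients would use TLS under the precedence rules in the PR description,
given a core-site.xml style document.

Assumptions: component-specific keys are treated as defaulting to false when
absent (the PR text states this only for the signer key), and only
"true"/"false" (case-insensitive) are accepted as values.
"""
import xml.etree.ElementTree as ET

COMMON_KEY = "hadoop.zk.ssl.enabled"

# consumer -> (component-specific key, whether the consumer consults COMMON_KEY first)
CONSUMERS = {
    "YARN ResourceManager": ("yarn.resourcemanager.zk-client-ssl.enabled", True),
    "ZKDelegationTokenSecretManager": ("zk-dt-secret-manager.ssl.enabled", True),
    "DFSZKFailoverController": ("dfs.ha.zkfc.client.ssl.enabled", True),
    # Lives in hadoop-auth, which hadoop-common depends on, so it never sees COMMON_KEY.
    "ZKSignerSecretProvider": ("signer.secret.provider.zookeeper.ssl.enabled", False),
}

# Constructed sample, not a real cluster's file: the cluster-wide switch is set to
# false while two components were switched on individually.
SAMPLE_CORE_SITE = """<configuration>
  <property><name>hadoop.zk.ssl.enabled</name><value>false</value></property>
  <property><name>yarn.resourcemanager.zk-client-ssl.enabled</name><value>true</value></property>
  <property><name>signer.secret.provider.zookeeper.ssl.enabled</name><value>TRUE</value></property>
</configuration>"""


def parse_hadoop_conf(xml_text: str) -> dict:
    """Flatten <property><name/><value/></property> entries into a name -> value dict."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name, value = prop.findtext("name"), prop.findtext("value")
        if name is not None and value is not None:
            props[name.strip()] = value.strip()
    return props


def to_bool(raw: str) -> bool:
    """Strict boolean parse; anything but true/false is rejected rather than defaulted."""
    v = raw.strip().lower()
    if v in ("true", "false"):
        return v == "true"
    raise ValueError(f"not a boolean: {raw!r}")


def effective_ssl(props: dict, consumer: str) -> tuple:
    """Return (ssl_enabled, key_that_decided_it) for one consumer."""
    component_key, honours_common = CONSUMERS[consumer]
    if honours_common and COMMON_KEY in props:  # "set" wins, even when set to false
        return to_bool(props[COMMON_KEY]), COMMON_KEY
    if component_key in props:
        return to_bool(props[component_key]), component_key
    return False, "default"  # assumption: an absent component key means plaintext


def resolve_all(props: dict) -> dict:
    """Effective TLS decision for every consumer in CONSUMERS."""
    return {c: effective_ssl(props, c) for c in CONSUMERS}


def shadowed(props: dict) -> list:
    """Consumers whose component key is present but overridden to a different
    value by COMMON_KEY; these are the settings an operator probably did not intend."""
    if COMMON_KEY not in props:
        return []
    common = to_bool(props[COMMON_KEY])
    return [c for c, (key, honours) in CONSUMERS.items()
            if honours and key in props and to_bool(props[key]) != common]


if __name__ == "__main__":
    props = parse_hadoop_conf(SAMPLE_CORE_SITE)
    for consumer, (enabled, decided_by) in resolve_all(props).items():
        print(f"{consumer:32s} ssl={enabled!s:5s} (from {decided_by})")
    for consumer in shadowed(props):
        print(f"WARNING: {consumer}: component key ignored because {COMMON_KEY} is set")
```

Run against the constructed sample, the YARN ResourceManager comes out with TLS disabled because the common key is set to `false`, and it is flagged as shadowed; the signer secret provider comes out enabled from its own key. Remove `hadoop.zk.ssl.enabled` from the document and YARN falls back to its own `true`, while the delegation token secret manager falls to the assumed default of `false`.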
