[jira] [Resolved] (HADOOP-18956) Zookeeper SSL/TLS support in ZKDelegationTokenSecretManager and ZKSignerSecretProvider

Fri, 17 Nov 2023 01:53:46 -0800 


     [ 
https://issues.apache.org/jira/browse/HADOOP-18956?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Wei-Chiu Chuang resolved HADOOP-18956.
--------------------------------------
    Fix Version/s: 3.4.0
       Resolution: Fixed

> Zookeeper SSL/TLS support in ZKDelegationTokenSecretManager and 
> ZKSignerSecretProvider
> --------------------------------------------------------------------------------------
>
>                 Key: HADOOP-18956
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18956
>             Project: Hadoop Common
>          Issue Type: Improvement
>            Reporter: Zita Dombi
>            Assignee: István Fajth
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 3.4.0
>
>
> HADOOP-18709 added support for Zookeeper to communicate with SSL/TLS enabled 
> in hadoop-common. With those changes we have the necessary parameters, that 
> we need to set to enable SSL/TLS in a ZK Client. That change also did changes 
> in ZKCuratorManager, so with that it is easy to set the SSL/TLS, for Yarn it 
> was done in YARN-11468.
> In DelegationTokenAuthenticationFilter currently we are using 
> CuratorFrameworkFactory, it'd be good to change it to use ZKCuratorManager 
> and with that we should support SSL/TLS enablement.
> *UPDATE*
> So as I investigated this a bit more, it wouldn't be so easy to move to using 
> ZKCuratorManager. 
> DelegationTokenAuthenticationFilter uses ZK from two places: in 
> ZKDelegationTokenSecretManager and in ZKSignerSecretProvider. In both places 
> it uses CuratorFrameworkFactory, but the attributes and creation 
> differentiates from ZKCuratorManager. 
> In ZKDelegationTokenSecretManager it would be easy to add the new config and 
> based on that create ZK with CuratorFrameworkFactory. But 
> ZKSignerSecretProvider is in hadoop-auth module and with my change it would 
> need hadoop-common, so it would introduce circular dependency between modules 
> 'hadoop-auth' and 'hadoop-common'. I'm still working on a straightforward 
> solution. 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to