[
https://issues.apache.org/jira/browse/BOOKKEEPER-588?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15683157#comment-15683157
]
Enrico Olivelli commented on BOOKKEEPER-588:
--------------------------------------------
[~jujjuri] I have looked into the patch deeply
some comments/questions:
1) Interesting the force of the resolution of the hostname, maybe this is
because you want to use the name provided inside the certificates
{code}
- String hostAddress = inetAddr.getAddress().getHostAddress();
- if (conf.getUseHostNameAsBookieID()) {
- hostAddress = inetAddr.getAddress().getCanonicalHostName();
+ String hostAddress = "127.0.0.1";
+ if (!inetAddr.isUnresolved()) {
+ hostAddress = inetAddr.getAddress().getHostAddress();
+ if (conf.getUseHostNameAsBookieID()) {
+ hostAddress = inetAddr.getAddress().getCanonicalHostName();
+ }
}
{code}
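Review bot: The `+ String hostAddress = "127.0.0.1";` fallback taken when `inetAddr.isUnresolved()` is true silently turns a DNS or configuration failure into a loopback address, so a bookie whose hostname cannot be resolved would advertise an ID that every other misconfigured bookie would also advertise and that no client can actually reach; consider failing fast (throwing an exception, or at minimum logging the unresolved address) instead of defaulting, and add a comment on the new `if (!inetAddr.isUnresolved())` branch explaining why an unresolved address is now tolerated at all.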
2) Curiosity: why are you using system properties and not a configuration
property?
3) I do not know bk-proxy, maybe I am missing something or it is something inside
your infrastructure.
IMHO this approach does not allow a soft switch from no-auth to auth and from
no-SSL to SSL.
Currently we are discussing using the StartTLS mechanism, which will allow us
to switch softly to the usage of SSL, because the switch to SSL will be
requested by the client upon connection establishment.
For the pure authentication part on BOOKKEEPER-959 I'm going to add support for
AuthPlugins to:
- have access to certificates exchanged during connection handshake (Principals)
- have the ability to start/stop custom resources (like the background thread
to check certificate expiry)
- have the ability to drop connections from clients whose certificate has
expired
so in my proposal the server will drop connections with an expired
certificate.
I miss one piece of the full schema: when a client certificate expires, who
uploads a new certificate to the client? In your case, is the client to be
restarted with a new certificate file, or does someone overwrite the file and it
is expected that the client reloads the file?
> SSL support
> -----------
>
> Key: BOOKKEEPER-588
> URL: https://issues.apache.org/jira/browse/BOOKKEEPER-588
> Project: Bookkeeper
> Issue Type: Sub-task
> Reporter: Ivan Kelly
> Assignee: Enrico Olivelli
> Fix For: 4.5.0
>
> Attachments: 0001-MutualTLS-for-Bookkeeper.patch,
> 0004-BOOKKEEPER-588-SSL-support-for-bookkeeper.patch
>
>
> SSL support using startTLS