[
https://issues.apache.org/jira/browse/ZOOKEEPER-2125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14362080#comment-14362080
]
Hongchao Deng commented on ZOOKEEPER-2125:
------------------------------------------
I'm almost getting consensus from Flavio. Waiting for his response.
The point that we have discussed is [this
code|https://github.com/apache/zookeeper/blob/b7698101e3cb02bd570b4098878e85882b3c2a22/src/java/main/org/apache/zookeeper/server/FinalRequestProcessor.java#L136]:
{code}
if (request.type == OpCode.closeSession) {
ServerCnxnFactory scxn = zks.getServerCnxnFactory();
// this might be possible since
// we might just be playing diffs from the leader
if (scxn != null && request.cnxn == null) {
// calling this if we have the cnxn results in the client's
// close session response being lost - we've already closed
// the session/socket here before we can send the closeSession
// in the switch block below
scxn.closeSession(request.sessionId);
return;
}
}
{code}
The patch adds another `zks.secureServerCnxnFactory`. So I have to change the
ServerCnxnFactory#closeSession to return boolean to check if session is found
and closed in either normal or secure factory. This is what I thought code
originally was.
If Michi or Camille can share some thoughts or original design on this code,
that would be very nice.
Thanks in advance for the long reading.
> SSL on Netty client-server communication
> ----------------------------------------
>
> Key: ZOOKEEPER-2125
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2125
> Project: ZooKeeper
> Issue Type: Sub-task
> Reporter: Hongchao Deng
> Assignee: Hongchao Deng
> Fix For: 3.5.1
>
> Attachments: ZOOKEEPER-2125-build.patch, ZOOKEEPER-2125.patch,
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch,
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch,
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch,
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch,
> ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch, ZOOKEEPER-2125.patch,
> ZOOKEEPER-2125.patch, testKeyStore.jks, testTrustStore.jks
>
>
> Supporting SSL on Netty client-server communication.
> 1. It supports keystore and trustore usage.
> 2. It adds an additional ZK server port which supports SSL. This would be
> useful for rolling upgrade.
> RB: https://reviews.apache.org/r/31277/
> The patch includes three files:
> * testing purpose keystore and truststore under
> "$(ZK_REPO_HOME)/src/java/test/data/ssl". Might need to create "ssl/".
> * latest ZOOKEEPER-2125.patch
> h2. How to use it
> You need to set some parameters on both ZK server and client.
> h3. Server
> You need to specify a listening SSL port in "zoo.cfg":
> {code}
> secureClientPort=2281
> {code}
> Just like what you did with "clientPort". And then set some jvm flags:
> {code}
> export
> SERVER_JVMFLAGS="-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
> -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks
> -Dzookeeper.ssl.keyStore.password=testpass
> -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks
> -Dzookeeper.ssl.trustStore.password=testpass"
> {code}
> Please change keystore and truststore parameters accordingly.
> h3. Client
> You need to set jvm flags:
> {code}
> export
> CLIENT_JVMFLAGS="-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
> -Dzookeeper.client.secure=true
> -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks
> -Dzookeeper.ssl.keyStore.password=testpass
> -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks
> -Dzookeeper.ssl.trustStore.password=testpass"
> {code}
> change keystore and truststore parameters accordingly.
> And then connect to the server's SSL port, in this case:
> {code}
> bin/zkCli.sh -server 127.0.0.1:2281
> {code}
> If you have any feedback, you are more than welcome to discuss it here!
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
