Hello- I have been continuing work on ZOOKEEPER-236 and it would be great to get feedback from the community on the patch. The pull request can be found here: https://github.com/apache/zookeeper/pull/184
ZOOKEEPER-236 provides the ability to use SSL/TLS to secure communication within the ZooKeeper quorum. Documentation will be handled in another pull request but the usage is very similar to our existing Client <-> Quorum functionality, here is an overview of the basic configuration. System properties are set on each member of the quorum, for example: -Dzookeeper.ssl.quorum.keyStore.location=keystore.jks -Dzookeeper.ssl.quorum.keyStore.password=password -Dzookeeper.ssl.quorum.trustStore.location=truststore.jks A flag is set in the cfg files: sslQuorum=true The best way to see all the functionality provided by this patch is to take a look at the integration tests: https://github.com/afine/zookeeper/blob/3c6c81b69b7105fa7c5235a0f27718a7eae195de/src/java/test/org/apache/zookeeper/test/QuorumSSLTest.java. The integration tests contain examples showing how hostname verification, rolling upgrades, cipher configuration, protocol configuration, and certificate revocation are handled. There is a current outstanding question regarding hostname verification, please provide input here: https://github.com/apache/zookeeper/pull/184#discussion_r111485824 Looking forward to hearing everyone's thoughts. Thanks, Abraham Fine
