Ruel,

On Wed, 16 Nov 2022 at 16:15, Ruel, Ryan <rr...@akamai.com.invalid> wrote:
>
> It seems that specifying the SECURE client port in the reconfig command does
> work, while also keeping the same port defined as "secureClientPort" in
> zookeeper.conf.
>
> (I thought I had tried this, but may have missed this combination)
>
> In any case, some clarification within the documentation may be helpful!

Would you like to send a PR to add these clarifications?

Thanks
Enrico

>
> /Ryan
>
> On 11/15/22, 10:10 AM, "Ruel, Ryan" <rr...@akamai.com.INVALID> wrote:
>
> In my ZooKeeper setup, I am strictly using TLS for both client and quorum
> communication.
>
> In zookeeper.conf, I have “secureClientPort=2281” defined, and do not
> have any “clientPort” option set.
>
> In the 3.8.0 documentation on dynamic reconfiguration
> (https://zookeeper.apache.org/doc/r3.8.0/zookeeperReconfig.html),
> the documentation says that the old “clientPort” configuration option
> should not be specified, and instead the new server keyword specification
> should look like this:
>
> server.<positive id> = <address1>:<port1>:<port2>[:role];[<client port address>:]<client port>
>
> However, this specification doesn’t consider the secure client port from
> what I can tell.
>
> In some cases where the server keyword is used, I can just eliminate
> putting in the client port address and client port, such as within the quorum
> peer configuration (in zookeeper.conf or within the dynamic configuration
> file).
>
> In other cases, however, such as using the “reconfig” command in the ZK
> cli utility, the client port MUST be specified, or a “bad argument” type
> error is produced.
>
> I of course don’t want to put a dummy port number in the server
> specification which would then enable insecure communication.
>
> What’s the recommendation for using secure communication only while also
> using dynamic reconfiguration?
>
> P.S. Another interesting bit in the documentation is the example:
>
> server.1=125.23.63.23:2780:2783:participant;2791
> server.2=125.23.63.24:2781:2784:participant;2792
> server.3=125.23.63.25:2782:2785:participant;2793
>
> In what use case would you want to use entirely different ports for each
> server? Or is this just a demonstration that this is possible?
>
> /Ryan
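
A pre-flight check for the TLS-only setup discussed in this thread, as an added example that is not part of either poster's messages and is not ZooKeeper code: it parses `server.<id>=...;<client port>` specs in the format quoted above and reports any `clientPort` setting or any spec whose client port differs from `secureClientPort`. The function names, addresses and quorum ports are constructed for illustration, and treating a mismatched port as a finding is an assumption that follows the concern raised in the thread.

```python
import re

# server.<id>=<addr>:<port1>:<port2>[:role][;[<client addr>:]<client port>]
SERVER_RE = re.compile(r"^server\.(\d+)\s*=\s*([^;]+?)\s*(?:;\s*(.*))?$")

def parse_props(text):
    """Parse key=value lines, ignoring blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit(static_conf, server_specs):
    """Return a list of findings for an ensemble meant to be TLS-only."""
    findings = []
    props = parse_props(static_conf)
    secure = props.get("secureClientPort")
    if secure is None:
        findings.append("secureClientPort is not set")
    if "clientPort" in props:
        findings.append("clientPort=%s is set in the static config" % props["clientPort"])
    for spec in server_specs:
        m = SERVER_RE.match(spec.strip())
        if not m:
            findings.append("unparseable server spec: %s" % spec)
            continue
        sid, _quorum, client = m.groups()
        if not client:
            continue  # no client port given, as allowed in the config file
        port = client.rsplit(":", 1)[-1]  # drop optional client address
        if port != secure:
            findings.append("server.%s client port %s != secureClientPort %s"
                            % (sid, port, secure))
    return findings

# Constructed sample input (documentation-range addresses, made-up quorum ports).
SAMPLE_CONF = "# TLS only\nsecureClientPort=2281\n"
SAMPLE_SPECS = [
    "server.1=192.0.2.11:2888:3888:participant;2281",
    "server.2=192.0.2.12:2888:3888:participant;0.0.0.0:2181",
    "server.3=192.0.2.13:2888:3888:participant",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, SAMPLE_SPECS):
        print("FINDING:", finding)
```

Run it against the arguments you intend to pass to `reconfig` before issuing the command.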