Hi, Zookeeper today is purely TCP, so it may be tunnelled transparently through, e.g., stunnel connections. However, the configuration of this is a bit cumbersome if not generated automatically. My approach to this is as follows:
- Each ZooKeeper x has a unique set of ports, e.g., 2000+x (client), 2100+x (quorum), 2200+x (election).
- Each ZooKeeper is configured to listen only on localhost (clientPortAddress=127.0.0.1).
- Each ZooKeeper instance has server= lines with only localhost entries.
- Each ZooKeeper host has a receiving end of an stunnel on localhost substituting for the respective ZooKeeper. This stunnel is connected to an stunnel on the remote machine running the actual ZooKeeper (on the non-localhost IP address), terminating again on localhost (the respective port of the actual ZooKeeper).
- On each client machine not running ZooKeeper, each localhost port for a ZooKeeper is forwarded using the same mechanism.

This zoo of stunnels can be generated automatically with a simple script. I know it is not exactly beautiful, but it works.

The task of making ZooKeeper itself secure is rather easy. Each client will get a client certificate. Each ensemble will get an ensemble certificate. The ensemble certificate may be used as a server certificate (receiving end) and client certificate (sending end) inside the ensemble. The individual clients will need to trust the ensemble certificate and provide their certificates for the ensemble keystore. Actually, in cases where my clients are also part of the overall application, they would reuse the ensemble certificate, so in fact, there is only one single certificate to deal with. This can be nicely packaged, including the key generation with Java keytool.

I am already running other services with this type of instrumentation (e.g., secure logging, access to a SolrCloud, crawler services), so apart from the slight overhead of using SSL, this works quite transparently and efficiently. Not too many changes are necessary to the respective services.
At this point, I'm kind of busy with projects, but if nobody should tackle the issue in one of the next official releases, I might consider putting that in myself :-)

Best regards,
--Jürgen

On 25.09.2014 14:52, Flavio Junqueira wrote:
> I believe the use of UDP for leader election has been deprecated, so it
> should be all over TCP. We have talked about supporting ssl (see
> ZOOKEEPER-1000), but it isn't an implemented feature yet.
>
> -Flavio
>
>
> On 24 Sep 2014, at 06:09, Lu, Boying <[email protected]> wrote:
>
>> Hi, All,
>>
>> I want to know if the ZooKeeper supports node-to-node encrypted communication?
>> I read some code of ZooKeeper 3.4.6 and found that ZooKeeper uses both UDP
>> (e.g. in QuorumPeer.java) and TCP protocols.
>> Is it possible to support encryption above UDP and TCP at the same time?
>>
>> Thanks
>>
>> Boying

--
Mit freundlichen Grüßen/Kind regards/Cordialement vôtre/Atentamente/С уважением

i.A. Jürgen Wagner
Head of Competence Center "Intelligence" & Senior Cloud Consultant

Devoteam GmbH, Industriestr. 3, 70565 Stuttgart, Germany
Phone: +49 6151 868-8725, Fax: +49 711 13353-53, Mobile: +49 171 864 1543
E-Mail: [email protected], URL: www.devoteam.de

------------------------------------------------------------------------
Managing Board: Jürgen Hatzipantelis (CEO)
Address of Record: 64331 Weiterstadt, Germany; Commercial Register: Amtsgericht Darmstadt HRB 6450; Tax Number: DE 172 993 071
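The stunnel layout described in the message above (localhost-only ZooKeeper, one unique port triple per member, a receiving stunnel on the routable address and a sending stunnel on localhost for every remote member), written out as the kind of generator script it mentions. This is an added example and not Jürgen's script or anything shipped by ZooKeeper or stunnel. The ensemble addresses (10.0.0.11-13), the PEM paths, the single trusted.pem and the dataDir are assumptions; the port scheme and the localhost-only binding are the ones from the message. The script also does the check one wants before rolling this out: that no two listeners on a host (stunnel or the local ZooKeeper itself) claim the same socket.

```python
"""Generate zoo.cfg and stunnel.conf for a localhost-only ZooKeeper ensemble
tunnelled through stunnel. Added example; hosts, paths and file names are assumptions."""
import re
from typing import Dict, List, Optional

# Constructed ensemble for the example: myid -> routable address of that host (assumption).
ENSEMBLE: Dict[int, str] = {1: "10.0.0.11", 2: "10.0.0.12", 3: "10.0.0.13"}

# Port scheme from the post: ZooKeeper x uses 2000+x (client), 2100+x (quorum), 2200+x (election).
BASES = {"client": 2000, "quorum": 2100, "election": 2200}

# Assumed file layout (not from the post). Inside the ensemble both ends of a tunnel
# present ensemble.pem; an external client presents its own client.pem. trusted.pem
# holds the ensemble certificate on every host and, on ensemble hosts, the client
# certificates as well (the post's "ensemble keystore").
ENSEMBLE_PEM = "/etc/stunnel/ensemble.pem"
CLIENT_PEM = "/etc/stunnel/client.pem"
TRUSTED_PEM = "/etc/stunnel/trusted.pem"


def ports(x: int) -> Dict[str, int]:
    """Unique port triple for ZooKeeper x, so tunnels for different peers never collide."""
    return {role: base + x for role, base in BASES.items()}


def zoo_cfg(myid: int, ensemble: Dict[int, str]) -> str:
    """zoo.cfg for member myid: bound to localhost, peers reached via localhost tunnels."""
    p = ports(myid)
    lines = [
        "tickTime=2000", "initLimit=10", "syncLimit=5",
        "dataDir=/var/lib/zookeeper",            # assumed path
        f"clientPort={p['client']}",
        "clientPortAddress=127.0.0.1",           # no plaintext listener on a routable address
    ]
    for y in sorted(ensemble):
        q = ports(y)
        lines.append(f"server.{y}=127.0.0.1:{q['quorum']}:{q['election']}")
    return "\n".join(lines) + "\n"


def _service(name: str, accept: str, connect: str, client: bool, pem: str) -> str:
    """One stunnel service section; mutual authentication in both directions."""
    return "\n".join([
        f"[{name}]",
        f"accept = {accept}",
        f"connect = {connect}",
        f"client = {'yes' if client else 'no'}",
        f"cert = {pem}",                  # certificate + private key presented to the peer
        f"CAfile = {TRUSTED_PEM}",
        "verify = 2",                     # require a peer certificate that verifies against trusted.pem
        "",
    ])


def stunnel_conf(myid: Optional[int], ensemble: Dict[int, str]) -> str:
    """stunnel.conf for ensemble member myid, or for a pure client host when myid is None."""
    sections = ["foreground = yes", ""]
    if myid is not None:
        # Receiving end: TLS on the routable address, plaintext into the local ZooKeeper.
        for role, port in ports(myid).items():
            sections.append(_service(f"zk{myid}-{role}-in", f"{ensemble[myid]}:{port}",
                                     f"127.0.0.1:{port}", False, ENSEMBLE_PEM))
    # Sending end: a localhost listener standing in for each remote ZooKeeper.
    for y, ip in sorted(ensemble.items()):
        if y == myid:
            continue
        wanted = ("quorum", "election") if myid is not None else ("client",)
        for role in wanted:
            port = ports(y)[role]
            sections.append(_service(f"zk{y}-{role}-out", f"127.0.0.1:{port}", f"{ip}:{port}",
                                     True, ENSEMBLE_PEM if myid is not None else CLIENT_PEM))
    return "\n".join(sections)


def client_connect_string(ensemble: Dict[int, str]) -> str:
    """Connect string for a client on a tunnelled host: every member appears on localhost."""
    return ",".join(f"127.0.0.1:{ports(y)['client']}" for y in sorted(ensemble))


def listen_sockets(conf: str) -> List[str]:
    """All accept= sockets in a generated stunnel config."""
    return re.findall(r"^accept = (\S+)$", conf, flags=re.M)


def has_collisions(myid: Optional[int], ensemble: Dict[int, str]) -> bool:
    """True if any two listeners on this host (stunnel or the local ZooKeeper) share a socket."""
    socks = listen_sockets(stunnel_conf(myid, ensemble))
    if myid is not None:
        socks += [f"127.0.0.1:{port}" for port in ports(myid).values()]
    return len(socks) != len(set(socks))


if __name__ == "__main__":
    for x in ENSEMBLE:
        assert not has_collisions(x, ENSEMBLE), f"port collision on member {x}"
    print(zoo_cfg(1, ENSEMBLE))
    print(stunnel_conf(1, ENSEMBLE))
    print("client connect string:", client_connect_string(ENSEMBLE))
```

Members only tunnel their peers' quorum and election ports; a pure client host only tunnels each member's client port, so a client machine never holds a listener for quorum traffic. `verify = 2` is the older stunnel spelling (stunnel 5 also accepts `verifyChain = yes`); with a self-signed ensemble certificate placed in trusted.pem, that certificate is its own root and the chain check succeeds without a separate CA. The collision check assumes, as the message does, that ZooKeeper binds all three of its ports on 127.0.0.1 only; if a release binds one of them on all interfaces, the receiving stunnel cannot share that port and the external TLS ports need their own range.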
