authorJon Bratseth <bratseth@gmail.com>2023-12-16 10:20:56 +0100
committerGitHub <noreply@github.com>2023-12-16 10:20:56 +0100
commitc8ece8b229362c7bf725e4433ef4fec86024cd29 (patch)
treeb09186497c636ddd6cb438db0f66fc5fe64393d7
parentd42b67f0fe821d122548a345f27fda7f9c9c9d10 (diff)
parent65de0a24ea030de6bc0af330c73f3a772fa41e36 (diff)
Merge pull request #29683 from vespa-engine/revert-29678-jonmv/reapply-zk-3.9.1
Revert "Jonmv/reapply zk 3.9.1"
-rw-r--r--bundle-plugin/src/main/java/com/yahoo/container/plugin/mojo/AssembleFatJarMojo.java3
-rw-r--r--clustercontroller-apps/src/main/java/com/yahoo/vespa/clustercontroller/apps/clustercontroller/ClusterController.java2
-rw-r--r--clustercontroller-apps/src/main/java/com/yahoo/vespa/clustercontroller/apps/clustercontroller/ClusterControllerClusterConfigurer.java2
-rw-r--r--clustercontroller-core/pom.xml2
-rw-r--r--clustercontroller-reindexer/src/main/java/ai/vespa/reindexing/ReindexingMaintainer.java2
-rw-r--r--clustercontroller-reindexer/src/main/java/ai/vespa/reindexing/http/ReindexingV1ApiHandler.java2
-rw-r--r--container-core/src/test/java/com/yahoo/jdisc/http/server/jetty/ProxyProtocolTest.java3
-rw-r--r--dependency-versions/pom.xml3
-rw-r--r--jdisc_core/abi-spec.json2
-rw-r--r--pom.xml1
-rw-r--r--zkfacade/pom.xml33
-rw-r--r--zkfacade/src/main/java/com/yahoo/vespa/curator/Curator.java2
-rw-r--r--zkfacade/src/main/java/com/yahoo/vespa/zookeeper/client/package-info.java4
-rw-r--r--zookeeper-client-common/pom.xml13
-rw-r--r--zookeeper-client-common/src/main/java/com/yahoo/vespa/zookeeper/client/VespaSslContextProvider.java12
-rw-r--r--zookeeper-client-common/src/main/java/com/yahoo/vespa/zookeeper/client/ZkClientConfigBuilder.java12
-rw-r--r--zookeeper-client-common/src/test/java/com/yahoo/vespa/zookeeper/client/ZkClientConfigBuilderTest.java3
-rw-r--r--zookeeper-command-line-client/pom.xml17
-rw-r--r--zookeeper-common/OWNERS1
-rw-r--r--zookeeper-common/README.md4
-rw-r--r--zookeeper-common/pom.xml51
-rw-r--r--zookeeper-common/src/main/java/com/yahoo/vespa/zookeeper/tls/VespaZookeeperTlsContextUtils.java26
-rw-r--r--zookeeper-server/zookeeper-server-3.8.0/src/main/java/com/yahoo/vespa/zookeeper/ConfigServerZooKeeperServer.java2
-rw-r--r--zookeeper-server/zookeeper-server-3.8.0/src/main/java/com/yahoo/vespa/zookeeper/ReconfigurableVespaZooKeeperServer.java2
-rw-r--r--zookeeper-server/zookeeper-server-3.8.0/src/main/java/com/yahoo/vespa/zookeeper/VespaMtlsAuthenticationProvider.java17
-rw-r--r--zookeeper-server/zookeeper-server-3.8.0/src/main/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImpl.java2
-rw-r--r--zookeeper-server/zookeeper-server-common/pom.xml6
-rw-r--r--zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/Configurator.java37
-rw-r--r--zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/DummyVespaZooKeeperServer.java1
-rw-r--r--zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/Reconfigurer.java1
-rw-r--r--zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/VespaSslContextProvider.java21
-rw-r--r--zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServer.java (renamed from zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/server/VespaZooKeeperServer.java)2
-rw-r--r--zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/ZooKeeperRunner.java1
-rw-r--r--zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/package-info.java (renamed from zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/server/package-info.java)2
-rw-r--r--zookeeper-server/zookeeper-server-common/src/test/java/com/yahoo/vespa/zookeeper/ConfiguratorTest.java20
-rw-r--r--zookeeper-server/zookeeper-server-common/src/test/java/com/yahoo/vespa/zookeeper/ReconfigurerTest.java1
-rw-r--r--zookeeper-server/zookeeper-server/src/main/java/com/yahoo/vespa/zookeeper/ConfigServerZooKeeperServer.java2
-rw-r--r--zookeeper-server/zookeeper-server/src/main/java/com/yahoo/vespa/zookeeper/ReconfigurableVespaZooKeeperServer.java2
-rw-r--r--zookeeper-server/zookeeper-server/src/main/java/com/yahoo/vespa/zookeeper/VespaMtlsAuthenticationProvider.java15
-rw-r--r--zookeeper-server/zookeeper-server/src/main/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImpl.java2
-rw-r--r--zookeeper-server/zookeeper-server/src/main/java/org/apache/zookeeper/common/ClientX509Util.java116
41 files changed, 194 insertions, 258 deletions
diff --git a/bundle-plugin/src/main/java/com/yahoo/container/plugin/mojo/AssembleFatJarMojo.java b/bundle-plugin/src/main/java/com/yahoo/container/plugin/mojo/AssembleFatJarMojo.java
index ca2ffbb178e..920883bfb0a 100644
--- a/bundle-plugin/src/main/java/com/yahoo/container/plugin/mojo/AssembleFatJarMojo.java
+++ b/bundle-plugin/src/main/java/com/yahoo/container/plugin/mojo/AssembleFatJarMojo.java
@@ -27,7 +27,6 @@ import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.StandardCopyOption;
-import java.util.Comparator;
import java.util.List;
import java.util.Set;
import java.util.SortedSet;
@@ -104,7 +103,7 @@ public class AssembleFatJarMojo extends AbstractMojo {
var jarsToShade = projectDependencies.stream()
.filter(d -> !installedDependencies.contains(d) && !d.getType().equals("pom") && d.getScope().equals("compile"))
.map(Artifact::getFile)
- .collect(Collectors.toCollection(() -> new TreeSet<>(Comparator.<File>reverseOrder())));
+ .collect(Collectors.toCollection(TreeSet::new));
jarsToShade.add(project.getArtifact().getFile());
try {
var classpath = generateClasspath(installedDependencies, projectDependencies);
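Review bot: The rewritten collector gives `jarsToShade` natural `File` order instead of reverse order, and nothing in the hunk records why the order matters; if the shading step that consumes this set lets the first jar contributing an entry win, this single line changes which dependency's copy of a duplicate class ends up in the fat jar. The set is still a `TreeSet` of `File`, so the order stays deterministic, which is what matters for reproducible builds, but the conflict-resolution policy deserves a one-line comment next to the collector, e.g. `// Natural File order: for duplicate entries, the jar that sorts first is the one whose copy is kept` (adjusted to what the shading loop actually does). The shading loop and `generateClasspath` are outside this hunk, so I cannot confirm which direction it resolves conflicts.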
diff --git a/clustercontroller-apps/src/main/java/com/yahoo/vespa/clustercontroller/apps/clustercontroller/ClusterController.java b/clustercontroller-apps/src/main/java/com/yahoo/vespa/clustercontroller/apps/clustercontroller/ClusterController.java
index 7e0c6fe3f63..ed954512a26 100644
--- a/clustercontroller-apps/src/main/java/com/yahoo/vespa/clustercontroller/apps/clustercontroller/ClusterController.java
+++ b/clustercontroller-apps/src/main/java/com/yahoo/vespa/clustercontroller/apps/clustercontroller/ClusterController.java
@@ -10,7 +10,7 @@ import com.yahoo.vespa.clustercontroller.core.FleetControllerOptions;
import com.yahoo.vespa.clustercontroller.core.RemoteClusterControllerTaskScheduler;
import com.yahoo.vespa.clustercontroller.core.restapiv2.ClusterControllerStateRestAPI;
import com.yahoo.vespa.clustercontroller.core.status.StatusHandler;
-import com.yahoo.vespa.zookeeper.server.VespaZooKeeperServer;
+import com.yahoo.vespa.zookeeper.VespaZooKeeperServer;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.TreeMap;
diff --git a/clustercontroller-apps/src/main/java/com/yahoo/vespa/clustercontroller/apps/clustercontroller/ClusterControllerClusterConfigurer.java b/clustercontroller-apps/src/main/java/com/yahoo/vespa/clustercontroller/apps/clustercontroller/ClusterControllerClusterConfigurer.java
index 5a2034f0372..b87b3d4f5ea 100644
--- a/clustercontroller-apps/src/main/java/com/yahoo/vespa/clustercontroller/apps/clustercontroller/ClusterControllerClusterConfigurer.java
+++ b/clustercontroller-apps/src/main/java/com/yahoo/vespa/clustercontroller/apps/clustercontroller/ClusterControllerClusterConfigurer.java
@@ -11,7 +11,7 @@ import com.yahoo.vespa.config.content.FleetcontrollerConfig;
import com.yahoo.cloud.config.SlobroksConfig;
import com.yahoo.vespa.config.content.StorDistributionConfig;
import com.yahoo.cloud.config.ZookeepersConfig;
-import com.yahoo.vespa.zookeeper.server.VespaZooKeeperServer;
+import com.yahoo.vespa.zookeeper.VespaZooKeeperServer;
import java.time.Duration;
import java.util.Map;
diff --git a/clustercontroller-core/pom.xml b/clustercontroller-core/pom.xml
index 579e8dd91bb..7f845a26c73 100644
--- a/clustercontroller-core/pom.xml
+++ b/clustercontroller-core/pom.xml
@@ -100,7 +100,7 @@
<groupId>com.yahoo.vespa</groupId>
<artifactId>zookeeper-client-common</artifactId>
<version>${project.version}</version>
- <scope>provided</scope>
+ <scope>compile</scope>
</dependency>
<dependency>
<!-- Not used by this module, but compilation fails without it because zookeeper uses these annotations.
diff --git a/clustercontroller-reindexer/src/main/java/ai/vespa/reindexing/ReindexingMaintainer.java b/clustercontroller-reindexer/src/main/java/ai/vespa/reindexing/ReindexingMaintainer.java
index 3e0772234a5..63f7c914fad 100644
--- a/clustercontroller-reindexer/src/main/java/ai/vespa/reindexing/ReindexingMaintainer.java
+++ b/clustercontroller-reindexer/src/main/java/ai/vespa/reindexing/ReindexingMaintainer.java
@@ -16,7 +16,7 @@ import com.yahoo.net.HostName;
import com.yahoo.vespa.config.content.AllClustersBucketSpacesConfig;
import com.yahoo.vespa.config.content.reindexing.ReindexingConfig;
import com.yahoo.vespa.curator.Curator;
-import com.yahoo.vespa.zookeeper.server.VespaZooKeeperServer;
+import com.yahoo.vespa.zookeeper.VespaZooKeeperServer;
import java.time.Clock;
import java.time.Duration;
diff --git a/clustercontroller-reindexer/src/main/java/ai/vespa/reindexing/http/ReindexingV1ApiHandler.java b/clustercontroller-reindexer/src/main/java/ai/vespa/reindexing/http/ReindexingV1ApiHandler.java
index ca9f317e840..29f009cd61d 100644
--- a/clustercontroller-reindexer/src/main/java/ai/vespa/reindexing/http/ReindexingV1ApiHandler.java
+++ b/clustercontroller-reindexer/src/main/java/ai/vespa/reindexing/http/ReindexingV1ApiHandler.java
@@ -20,7 +20,7 @@ import com.yahoo.slime.Cursor;
import com.yahoo.slime.Slime;
import com.yahoo.vespa.config.content.reindexing.ReindexingConfig;
import com.yahoo.vespa.curator.Curator;
-import com.yahoo.vespa.zookeeper.server.VespaZooKeeperServer;
+import com.yahoo.vespa.zookeeper.VespaZooKeeperServer;
import java.util.Collection;
import java.util.List;
diff --git a/container-core/src/test/java/com/yahoo/jdisc/http/server/jetty/ProxyProtocolTest.java b/container-core/src/test/java/com/yahoo/jdisc/http/server/jetty/ProxyProtocolTest.java
index eac7b7c5df7..cdebd41d177 100644
--- a/container-core/src/test/java/com/yahoo/jdisc/http/server/jetty/ProxyProtocolTest.java
+++ b/container-core/src/test/java/com/yahoo/jdisc/http/server/jetty/ProxyProtocolTest.java
@@ -216,12 +216,13 @@ class ProxyProtocolTest {
}
}
+
/* Don't close Jetty to early ensuring that the request log is written */
private static void assertLogSizeAndCloseDriver(
JettyTestDriver driver, InMemoryRequestLog reqLog, int expectedReqLogSize, InMemoryConnectionLog connLog,
int expectedConnLogSize) {
Predicate<Void> waitCondition = __ ->
- reqLog.entries().size() < expectedReqLogSize && connLog.logEntries().size() < expectedConnLogSize;
+ reqLog.entries().size() < expectedConnLogSize && connLog.logEntries().size() < expectedConnLogSize;
await(waitCondition);
assertTrue(driver.close());
if (waitCondition.test(null)) await(waitCondition);
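Review bot: The rewritten wait predicate compares `reqLog.entries().size()` against `expectedConnLogSize`, so the `expectedReqLogSize` parameter is no longer used anywhere and the request log is waited on with the connection-log threshold; whenever the two expected sizes differ, the helper either stops waiting early or waits on the wrong count, and the caller's assertions become timing-dependent. The pairing should be `reqLog.entries().size() < expectedReqLogSize && connLog.logEntries().size() < expectedConnLogSize;`. The comment above the method also has a typo and would read better as `/* Don't close Jetty too early, ensuring that the request log is written */`.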
diff --git a/dependency-versions/pom.xml b/dependency-versions/pom.xml
index 72a523e2a66..16602bcb452 100644
--- a/dependency-versions/pom.xml
+++ b/dependency-versions/pom.xml
@@ -139,8 +139,7 @@
<wiremock.vespa.version>3.3.1</wiremock.vespa.version>
<xerces.vespa.version>2.12.2</xerces.vespa.version>
<zero-allocation-hashing.vespa.version>0.16</zero-allocation-hashing.vespa.version>
- <zookeeper.client.vespa.version>3.9.1</zookeeper.client.vespa.version>
- <zookeeper.client.artifactId>zookeeper-server-3.9.1</zookeeper.client.artifactId>
+ <zookeeper.client.vespa.version>3.8.0</zookeeper.client.vespa.version>
<!-- Versions used by tenant parent pom and testing framework -->
<!-- CAUTION: upgrading junit for tenants poms may break testing frameworks -->
diff --git a/jdisc_core/abi-spec.json b/jdisc_core/abi-spec.json
index 382ce72bd0a..31594fed155 100644
--- a/jdisc_core/abi-spec.json
+++ b/jdisc_core/abi-spec.json
@@ -604,8 +604,8 @@
"methods" : [
"public void <init>()",
"public void <init>(com.yahoo.jdisc.handler.ContentChannel)",
- "public void <init>(com.yahoo.jdisc.handler.ResponseHandler)",
"public void addListener(java.lang.Runnable, java.util.concurrent.Executor)",
+ "public void <init>(com.yahoo.jdisc.handler.ResponseHandler)",
"public com.yahoo.jdisc.handler.ContentChannel handleResponse(com.yahoo.jdisc.Response)",
"public final boolean cancel(boolean)",
"public final boolean isCancelled()"
diff --git a/pom.xml b/pom.xml
index 52e0ad68215..4e021fde2e3 100644
--- a/pom.xml
+++ b/pom.xml
@@ -139,7 +139,6 @@
<module>zkfacade</module>
<module>zookeeper-client-common</module>
<module>zookeeper-command-line-client</module>
- <module>zookeeper-common</module>
<module>zookeeper-server</module>
</modules>
diff --git a/zkfacade/pom.xml b/zkfacade/pom.xml
index 02be1006bc3..daaa7dfa14f 100644
--- a/zkfacade/pom.xml
+++ b/zkfacade/pom.xml
@@ -58,9 +58,36 @@
</exclusions>
</dependency>
<dependency>
- <groupId>com.yahoo.vespa</groupId>
- <artifactId>${zookeeper.client.artifactId}</artifactId>
- <version>${project.version}</version>
+ <groupId>org.apache.zookeeper</groupId>
+ <artifactId>zookeeper</artifactId>
+ <exclusions>
+ <!--
+ Container provides wiring for all common log libraries
+ Duplicate embedding results in various warnings being printed to stderr
+ -->
+ <exclusion>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-api</artifactId>
+ </exclusion>
+ </exclusions>
+ </dependency>
+ <!-- snappy-java and metrics-core are included here
+ to be able to work with ZooKeeper >= 3.6.2 due to
+ class loading issues -->
+ <dependency>
+ <groupId>io.dropwizard.metrics</groupId>
+ <artifactId>metrics-core</artifactId>
+ <scope>compile</scope>
+ <exclusions>
+ <exclusion>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-api</artifactId>
+ </exclusion>
+ </exclusions>
+ </dependency>
+ <dependency>
+ <groupId>org.xerial.snappy</groupId>
+ <artifactId>snappy-java</artifactId>
<scope>compile</scope>
</dependency>
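Review bot: With this hunk zkfacade consumes `org.apache.zookeeper:zookeeper` at the version managed in dependency-versions, which the same merge pins back to 3.8.0, so the ZooKeeper client embedded in the bundle moves to an older release line rather than just a different artifact. Before this lands, the gap between 3.8.0 and the 3.9.1 it replaces should be checked against the ZooKeeper release notes and security advisories, since any fix that shipped only in later 3.8.x or 3.9.x releases is lost here. A comment beside the dependency, e.g. `<!-- Version comes from zookeeper.client.vespa.version; reverted to 3.8.0, see PR #29683 -->`, would make the downgrade visible to the next reader of this pom. The `metrics-core` and `snappy-java` entries at compile scope are embedded in the bundle as well, so they inherit the same review.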
<dependency>
diff --git a/zkfacade/src/main/java/com/yahoo/vespa/curator/Curator.java b/zkfacade/src/main/java/com/yahoo/vespa/curator/Curator.java
index 169aee416e5..c372c69ad6b 100644
--- a/zkfacade/src/main/java/com/yahoo/vespa/curator/Curator.java
+++ b/zkfacade/src/main/java/com/yahoo/vespa/curator/Curator.java
@@ -8,7 +8,7 @@ import com.yahoo.concurrent.DaemonThreadFactory;
import com.yahoo.path.Path;
import com.yahoo.vespa.curator.recipes.CuratorCounter;
import com.yahoo.vespa.defaults.Defaults;
-import com.yahoo.vespa.zookeeper.server.VespaZooKeeperServer;
+import com.yahoo.vespa.zookeeper.VespaZooKeeperServer;
import com.yahoo.vespa.zookeeper.client.ZkClientConfigBuilder;
import org.apache.curator.RetryPolicy;
import org.apache.curator.framework.CuratorFramework;
diff --git a/zkfacade/src/main/java/com/yahoo/vespa/zookeeper/client/package-info.java b/zkfacade/src/main/java/com/yahoo/vespa/zookeeper/client/package-info.java
deleted file mode 100644
index 7c81b651f30..00000000000
--- a/zkfacade/src/main/java/com/yahoo/vespa/zookeeper/client/package-info.java
+++ /dev/null
@@ -1,4 +0,0 @@
-// Copyright Vespa.ai. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-@ExportPackage
-package com.yahoo.vespa.zookeeper.client;
-import com.yahoo.osgi.annotation.ExportPackage;
diff --git a/zookeeper-client-common/pom.xml b/zookeeper-client-common/pom.xml
index ccfdbd9a429..12ff1517e53 100644
--- a/zookeeper-client-common/pom.xml
+++ b/zookeeper-client-common/pom.xml
@@ -21,25 +21,12 @@
<scope>provided</scope>
</dependency>
<dependency>
- <groupId>com.yahoo.vespa</groupId>
- <artifactId>defaults</artifactId>
- <version>${project.version}</version>
- <scope>provided</scope>
- </dependency>
- <dependency>
<groupId>org.apache.zookeeper</groupId>
<artifactId>zookeeper</artifactId>
<scope>provided</scope>
</dependency>
<!-- compile scope -->
- <dependency>
- <groupId>com.yahoo.vespa</groupId>
- <artifactId>zookeeper-common</artifactId>
- <version>${project.version}</version>
- <scope>compile</scope>
- </dependency>
-
<!-- test scope -->
<dependency>
<groupId>org.junit.jupiter</groupId>
diff --git a/zookeeper-client-common/src/main/java/com/yahoo/vespa/zookeeper/client/VespaSslContextProvider.java b/zookeeper-client-common/src/main/java/com/yahoo/vespa/zookeeper/client/VespaSslContextProvider.java
index 5772070d550..9cc71eab96e 100644
--- a/zookeeper-client-common/src/main/java/com/yahoo/vespa/zookeeper/client/VespaSslContextProvider.java
+++ b/zookeeper-client-common/src/main/java/com/yahoo/vespa/zookeeper/client/VespaSslContextProvider.java
@@ -1,23 +1,25 @@
// Copyright Vespa.ai. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.zookeeper.client;
-import com.yahoo.vespa.zookeeper.tls.VespaZookeeperTlsContextUtils;
+import com.yahoo.security.tls.TransportSecurityUtils;
import javax.net.ssl.SSLContext;
import java.util.function.Supplier;
/**
- * Provider for Vespa {@link SSLContext} instance to Zookeeper.
+ * Provider for Vespa {@link SSLContext} instance to Zookeeper + misc utility methods for providing Vespa TLS specific ZK configuration.
*
* @author bjorncs
*/
public class VespaSslContextProvider implements Supplier<SSLContext> {
+ private static final SSLContext sslContext = TransportSecurityUtils.getSystemTlsContext()
+ .map(tc -> tc.sslContext().context()).orElse(null);
+
@Override
public SSLContext get() {
- return VespaZookeeperTlsContextUtils.tlsContext()
- .orElseThrow(() -> new IllegalStateException("Vespa TLS is not enabled"))
- .sslContext().context();
+ if (sslContext == null) throw new IllegalStateException("Vespa TLS is not enabled");
+ return sslContext;
}
}
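Review bot: The class javadoc now promises "misc utility methods for providing Vespa TLS specific ZK configuration", but the class exposes only `get()`, so the sentence should be cut back to `* Provider for Vespa {@link SSLContext} instance to Zookeeper.` to match the code. A second, hedged point: `sslContext` is resolved in a static initializer, so whatever `TransportSecurityUtils.getSystemTlsContext()` returns when the class is first loaded is pinned for the life of the JVM; if TLS is not yet configured at that moment, every later `get()` throws, and the `IllegalStateException` message gives no hint that the check ran once at class init rather than on this call. A comment on the field such as `// Resolved once at class load, not per get(); a missing context here is permanent for this JVM` would save the next person a confusing debugging session. Whether the returned `SSLContext` picks up rotated credentials depends on `TransportSecurityUtils`, which is outside this hunk.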
diff --git a/zookeeper-client-common/src/main/java/com/yahoo/vespa/zookeeper/client/ZkClientConfigBuilder.java b/zookeeper-client-common/src/main/java/com/yahoo/vespa/zookeeper/client/ZkClientConfigBuilder.java
index af49fab0d40..5c969454d11 100644
--- a/zookeeper-client-common/src/main/java/com/yahoo/vespa/zookeeper/client/ZkClientConfigBuilder.java
+++ b/zookeeper-client-common/src/main/java/com/yahoo/vespa/zookeeper/client/ZkClientConfigBuilder.java
@@ -1,8 +1,9 @@
// Copyright Vespa.ai. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.zookeeper.client;
+import com.yahoo.security.tls.MixedMode;
import com.yahoo.security.tls.TlsContext;
-import com.yahoo.vespa.zookeeper.tls.VespaZookeeperTlsContextUtils;
+import com.yahoo.security.tls.TransportSecurityUtils;
import org.apache.zookeeper.client.ZKClientConfig;
import org.apache.zookeeper.server.quorum.QuorumPeerConfig;
@@ -13,6 +14,7 @@ import java.nio.file.StandardCopyOption;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
+import java.util.Optional;
import java.util.stream.Collectors;
/**
@@ -29,7 +31,7 @@ public class ZkClientConfigBuilder {
public static final String SSL_CLIENTAUTH_PROPERTY = "zookeeper.ssl.clientAuth";
public static final String CLIENT_CONNECTION_SOCKET = "zookeeper.clientCnxnSocket";
- private static final TlsContext defaultTlsContext = VespaZookeeperTlsContextUtils.tlsContext().orElse(null);
+ private static final TlsContext defaultTlsContext = getTlsContext().orElse(null);
private final TlsContext tlsContext;
@@ -69,8 +71,8 @@ public class ZkClientConfigBuilder {
builder.put(CLIENT_SECURE_PROPERTY, Boolean.toString(tlsContext != null));
builder.put(CLIENT_CONNECTION_SOCKET, "org.apache.zookeeper.ClientCnxnSocketNetty");
if (tlsContext != null) {
- String protocolsConfigValue = Arrays.stream(tlsContext.parameters().getProtocols()).sorted().collect(Collectors.joining(","));
builder.put(SSL_CONTEXT_SUPPLIER_CLASS_PROPERTY, VespaSslContextProvider.class.getName());
+ String protocolsConfigValue = Arrays.stream(tlsContext.parameters().getProtocols()).sorted().collect(Collectors.joining(","));
builder.put(SSL_ENABLED_PROTOCOLS_PROPERTY, protocolsConfigValue);
String ciphersConfigValue = Arrays.stream(tlsContext.parameters().getCipherSuites()).sorted().collect(Collectors.joining(","));
builder.put(SSL_ENABLED_CIPHERSUITES_PROPERTY, ciphersConfigValue);
@@ -79,4 +81,8 @@ public class ZkClientConfigBuilder {
return Map.copyOf(builder);
}
+ private static Optional<TlsContext> getTlsContext() {
+ if (TransportSecurityUtils.getInsecureMixedMode() == MixedMode.PLAINTEXT_CLIENT_MIXED_SERVER) return Optional.empty();
+ return TransportSecurityUtils.getSystemTlsContext();
+ }
}
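Review bot: `getTlsContext()` carries no comment explaining why `PLAINTEXT_CLIENT_MIXED_SERVER` is the only mixed mode that disables client TLS, and that reasoning is the whole security content of the method; a reader will otherwise wonder whether the other mixed mode was forgotten. Suggested javadoc: `/** System TLS context for the ZK client, or empty in plaintext-client mixed mode, where clients must connect in cleartext even though a TLS context exists. */` Note also that the result feeds the static `defaultTlsContext`, so the mixed-mode decision is taken once at class load; that matches the previous behaviour, but is worth a word because `TransportSecurityUtils.getInsecureMixedMode()` presumably reads process-level configuration that could differ between class load and the first connection. The enclosing class continues outside the hunk.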
diff --git a/zookeeper-client-common/src/test/java/com/yahoo/vespa/zookeeper/client/ZkClientConfigBuilderTest.java b/zookeeper-client-common/src/test/java/com/yahoo/vespa/zookeeper/client/ZkClientConfigBuilderTest.java
index 45ae68cb41d..56bfe8381c2 100644
--- a/zookeeper-client-common/src/test/java/com/yahoo/vespa/zookeeper/client/ZkClientConfigBuilderTest.java
+++ b/zookeeper-client-common/src/test/java/com/yahoo/vespa/zookeeper/client/ZkClientConfigBuilderTest.java
@@ -31,7 +31,6 @@ public class ZkClientConfigBuilderTest {
assertEquals("org.apache.zookeeper.ClientCnxnSocketNetty", config.getProperty(CLIENT_CONNECTION_SOCKET));
assertNull(config.getProperty(SSL_CONTEXT_SUPPLIER_CLASS_PROPERTY));
assertNull(config.getProperty(SSL_CLIENTAUTH_PROPERTY));
- assertNull(config.getProperty(SSL_CONTEXT_SUPPLIER_CLASS_PROPERTY));
}
@Test
@@ -40,10 +39,10 @@ public class ZkClientConfigBuilderTest {
ZKClientConfig config = builder.toConfig();
assertEquals("true", config.getProperty(CLIENT_SECURE_PROPERTY));
assertEquals("org.apache.zookeeper.ClientCnxnSocketNetty", config.getProperty(CLIENT_CONNECTION_SOCKET));
+ assertEquals(com.yahoo.vespa.zookeeper.client.VespaSslContextProvider.class.getName(), config.getProperty(SSL_CONTEXT_SUPPLIER_CLASS_PROPERTY));
assertEquals("TLSv1.3", config.getProperty(SSL_ENABLED_PROTOCOLS_PROPERTY));
assertEquals("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", config.getProperty(SSL_ENABLED_CIPHERSUITES_PROPERTY));
assertEquals("NEED", config.getProperty(SSL_CLIENTAUTH_PROPERTY));
- assertEquals(VespaSslContextProvider.class.getName(), config.getProperty(SSL_CONTEXT_SUPPLIER_CLASS_PROPERTY));
}
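Review bot: The moved assertion spells out `com.yahoo.vespa.zookeeper.client.VespaSslContextProvider` fully qualified although the test lives in that same package, and the line it replaces used the simple name; `assertEquals(VespaSslContextProvider.class.getName(), config.getProperty(SSL_CONTEXT_SUPPLIER_CLASS_PROPERTY));` reads the same and avoids the impression that a different class is meant. Keeping it adjacent to the `CLIENT_CONNECTION_SOCKET` check is fine, but the qualification adds nothing.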
private static class MockTlsContext implements TlsContext {
diff --git a/zookeeper-command-line-client/pom.xml b/zookeeper-command-line-client/pom.xml
index 64208e283bf..dae8fdc671b 100644
--- a/zookeeper-command-line-client/pom.xml
+++ b/zookeeper-command-line-client/pom.xml
@@ -12,10 +12,8 @@
<version>8-SNAPSHOT</version>
<dependencies>
<dependency>
- <groupId>com.yahoo.vespa</groupId>
- <artifactId>${zookeeper.client.artifactId}</artifactId>
- <version>${project.version}</version>
- <scope>compile</scope>
+ <groupId>org.apache.zookeeper</groupId>
+ <artifactId>zookeeper</artifactId>
</dependency>
<dependency>
<groupId>com.yahoo.vespa</groupId>
@@ -25,12 +23,6 @@
</dependency>
<dependency>
<groupId>com.yahoo.vespa</groupId>
- <artifactId>defaults</artifactId>
- <version>${project.version}</version>
- <scope>compile</scope>
- </dependency>
- <dependency>
- <groupId>com.yahoo.vespa</groupId>
<artifactId>security-utils</artifactId>
<version>${project.version}</version>
<scope>compile</scope>
@@ -58,6 +50,11 @@
<scope>compile</scope>
</dependency>
<dependency>
+ <groupId>org.xerial.snappy</groupId>
+ <artifactId>snappy-java</artifactId>
+ <scope>compile</scope>
+ </dependency>
+ <dependency>
<!-- Needed by zookeeper, which only has an optional dependency. -->
<groupId>com.github.spotbugs</groupId>
<artifactId>spotbugs-annotations</artifactId>
diff --git a/zookeeper-common/OWNERS b/zookeeper-common/OWNERS
deleted file mode 100644
index d0a102ecbf4..00000000000
--- a/zookeeper-common/OWNERS
+++ /dev/null
@@ -1 +0,0 @@
-jonmv
diff --git a/zookeeper-common/README.md b/zookeeper-common/README.md
deleted file mode 100644
index f0c7cee342d..00000000000
--- a/zookeeper-common/README.md
+++ /dev/null
@@ -1,4 +0,0 @@
-<!-- Copyright Vespa.ai. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -->
-# zookeeper-common
-
-Shared configuration logic for ZooKeeper
diff --git a/zookeeper-common/pom.xml b/zookeeper-common/pom.xml
deleted file mode 100644
index 2c8ed8fe476..00000000000
--- a/zookeeper-common/pom.xml
+++ /dev/null
@@ -1,51 +0,0 @@
-<?xml version="1.0"?>
-<!-- Copyright Vespa.ai. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -->
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
- <modelVersion>4.0.0</modelVersion>
- <parent>
- <groupId>com.yahoo.vespa</groupId>
- <artifactId>parent</artifactId>
- <version>8-SNAPSHOT</version>
- <relativePath>../parent/pom.xml</relativePath>
- </parent>
- <artifactId>zookeeper-common</artifactId>
- <packaging>jar</packaging>
- <version>8-SNAPSHOT</version>
-
- <dependencies>
-
- <dependency>
- <groupId>com.yahoo.vespa</groupId>
- <artifactId>security-utils</artifactId>
- <version>${project.version}</version>
- <scope>provided</scope>
- </dependency>
-
- <dependency>
- <groupId>com.yahoo.vespa</groupId>
- <artifactId>defaults</artifactId>
- <version>${project.version}</version>
- <scope>provided</scope>
- </dependency>
-
- <dependency>
- <groupId>org.junit.jupiter</groupId>
- <artifactId>junit-jupiter-api</artifactId>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>org.junit.jupiter</groupId>
- <artifactId>junit-jupiter-engine</artifactId>
- <scope>test</scope>
- </dependency>
- </dependencies>
-
- <build>
- <plugins>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-compiler-plugin</artifactId>
- </plugin>
- </plugins>
- </build>
-</project>
diff --git a/zookeeper-common/src/main/java/com/yahoo/vespa/zookeeper/tls/VespaZookeeperTlsContextUtils.java b/zookeeper-common/src/main/java/com/yahoo/vespa/zookeeper/tls/VespaZookeeperTlsContextUtils.java
deleted file mode 100644
index 78de6c61e17..00000000000
--- a/zookeeper-common/src/main/java/com/yahoo/vespa/zookeeper/tls/VespaZookeeperTlsContextUtils.java
+++ /dev/null
@@ -1,26 +0,0 @@
-package com.yahoo.vespa.zookeeper.tls;
-
-import com.yahoo.security.tls.ConfigFileBasedTlsContext;
-import com.yahoo.security.tls.TlsContext;
-import com.yahoo.security.tls.TransportSecurityUtils;
-import com.yahoo.vespa.defaults.Defaults;
-
-import java.nio.file.Files;
-import java.nio.file.Path;
-import java.util.Optional;
-
-/**
- * @author jonmv
- */
-public class VespaZookeeperTlsContextUtils {
-
- private static final Path ZOOKEEPER_TLS_CONFIG_FILE = Path.of(Defaults.getDefaults().underVespaHome("var/zookeeper/conf/tls.conf.json"));
- private static final TlsContext tlsContext = Files.exists(ZOOKEEPER_TLS_CONFIG_FILE)
- ? new ConfigFileBasedTlsContext(ZOOKEEPER_TLS_CONFIG_FILE, TransportSecurityUtils.getInsecureAuthorizationMode())
- : TransportSecurityUtils.getSystemTlsContext().orElse(null);
-
- public static Optional<TlsContext> tlsContext() {
- return Optional.ofNullable(tlsContext);
- }
-
-}
diff --git a/zookeeper-server/zookeeper-server-3.8.0/src/main/java/com/yahoo/vespa/zookeeper/ConfigServerZooKeeperServer.java b/zookeeper-server/zookeeper-server-3.8.0/src/main/java/com/yahoo/vespa/zookeeper/ConfigServerZooKeeperServer.java
index a7cd14c415f..d986f02d89a 100644
--- a/zookeeper-server/zookeeper-server-3.8.0/src/main/java/com/yahoo/vespa/zookeeper/ConfigServerZooKeeperServer.java
+++ b/zookeeper-server/zookeeper-server-3.8.0/src/main/java/com/yahoo/vespa/zookeeper/ConfigServerZooKeeperServer.java
@@ -4,8 +4,6 @@ package com.yahoo.vespa.zookeeper;
import com.yahoo.cloud.config.ZookeeperServerConfig;
import com.yahoo.component.AbstractComponent;
import com.yahoo.component.annotation.Inject;
-import com.yahoo.vespa.zookeeper.server.VespaZooKeeperServer;
-
import java.nio.file.Path;
/**
diff --git a/zookeeper-server/zookeeper-server-3.8.0/src/main/java/com/yahoo/vespa/zookeeper/ReconfigurableVespaZooKeeperServer.java b/zookeeper-server/zookeeper-server-3.8.0/src/main/java/com/yahoo/vespa/zookeeper/ReconfigurableVespaZooKeeperServer.java
index d869cbb6938..1b469beb1b8 100644
--- a/zookeeper-server/zookeeper-server-3.8.0/src/main/java/com/yahoo/vespa/zookeeper/ReconfigurableVespaZooKeeperServer.java
+++ b/zookeeper-server/zookeeper-server-3.8.0/src/main/java/com/yahoo/vespa/zookeeper/ReconfigurableVespaZooKeeperServer.java
@@ -5,8 +5,6 @@ import ai.vespa.validation.Validation;
import com.yahoo.cloud.config.ZookeeperServerConfig;
import com.yahoo.component.AbstractComponent;
import com.yahoo.component.annotation.Inject;
-import com.yahoo.vespa.zookeeper.server.VespaZooKeeperServer;
-
import java.nio.file.Path;
import java.time.Duration;
diff --git a/zookeeper-server/zookeeper-server-3.8.0/src/main/java/com/yahoo/vespa/zookeeper/VespaMtlsAuthenticationProvider.java b/zookeeper-server/zookeeper-server-3.8.0/src/main/java/com/yahoo/vespa/zookeeper/VespaMtlsAuthenticationProvider.java
index 90554910293..68f7459530e 100644
--- a/zookeeper-server/zookeeper-server-3.8.0/src/main/java/com/yahoo/vespa/zookeeper/VespaMtlsAuthenticationProvider.java
+++ b/zookeeper-server/zookeeper-server-3.8.0/src/main/java/com/yahoo/vespa/zookeeper/VespaMtlsAuthenticationProvider.java
@@ -2,24 +2,19 @@
package com.yahoo.vespa.zookeeper;
import com.yahoo.security.X509SslContext;
-import com.yahoo.security.tls.TlsContext;
-import com.yahoo.security.tls.TransportSecurityUtils;
import org.apache.zookeeper.KeeperException;
-import org.apache.zookeeper.common.ClientX509Util;
-import org.apache.zookeeper.common.X509Exception;
import org.apache.zookeeper.data.Id;
import org.apache.zookeeper.server.ServerCnxn;
import org.apache.zookeeper.server.auth.AuthenticationProvider;
import org.apache.zookeeper.server.auth.X509AuthenticationProvider;
-import javax.net.ssl.KeyManager;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;
import java.security.cert.X509Certificate;
import java.util.logging.Logger;
/**
- * A {@link AuthenticationProvider} to be used in combination with Vespa mTLS.
+ * A {@link AuthenticationProvider} to be used in combination with Vespa mTLS
*
* @author bjorncs
*/
@@ -28,7 +23,15 @@ public class VespaMtlsAuthenticationProvider extends X509AuthenticationProvider
private static final Logger log = Logger.getLogger(VespaMtlsAuthenticationProvider.class.getName());
public VespaMtlsAuthenticationProvider() {
- super(null, null);
+ super(trustManager(), keyManager());
+ }
+
+ private static X509KeyManager keyManager() {
+ return new VespaSslContextProvider().tlsContext().map(X509SslContext::keyManager).orElse(null);
+ }
+
+ private static X509TrustManager trustManager() {
+ return new VespaSslContextProvider().tlsContext().map(X509SslContext::trustManager).orElse(null);
}
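Review bot: `keyManager()` and `trustManager()` each build their own `VespaSslContextProvider` and resolve `tlsContext()` independently, so the key manager and trust manager handed to `X509AuthenticationProvider` come from two separate lookups; if that lookup can ever yield different contexts (credential reload, a race at startup), the pair is inconsistent. Resolving the context once and deriving both managers from the same `X509SslContext` removes that possibility, and the `orElse(null)` fallback deserves a comment, because null managers mean the superclass has no way to validate a client certificate and the overridden `handleAuthentication` below the hunk must then fail closed rather than skip the check, e.g. `// No Vespa TLS configured: both managers are null and authentication must be rejected, never skipped`. The constructor is fully inside this hunk, but `handleAuthentication` continues outside it, and the rewrite below needs `java.util.Optional` in scope if `tlsContext()` returns an `Optional` as the `map` calls suggest.
```java
    public VespaMtlsAuthenticationProvider() {
        this(new VespaSslContextProvider().tlsContext());
    }

    // Single lookup so key and trust manager always come from the same context.
    private VespaMtlsAuthenticationProvider(Optional<X509SslContext> tlsContext) {
        super(tlsContext.map(X509SslContext::trustManager).orElse(null),
              tlsContext.map(X509SslContext::keyManager).orElse(null));
    }
    // … unchanged: handleAuthentication override …
```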
@Override
diff --git a/zookeeper-server/zookeeper-server-3.8.0/src/main/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImpl.java b/zookeeper-server/zookeeper-server-3.8.0/src/main/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImpl.java
index 4f93eb0efa5..4a7f85d6985 100644
--- a/zookeeper-server/zookeeper-server-3.8.0/src/main/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImpl.java
+++ b/zookeeper-server/zookeeper-server-3.8.0/src/main/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImpl.java
@@ -5,8 +5,6 @@ import ai.vespa.validation.Validation;
import com.yahoo.cloud.config.ZookeeperServerConfig;
import com.yahoo.component.AbstractComponent;
import com.yahoo.component.annotation.Inject;
-import com.yahoo.vespa.zookeeper.server.VespaZooKeeperServer;
-
import java.nio.file.Path;
import java.time.Duration;
diff --git a/zookeeper-server/zookeeper-server-common/pom.xml b/zookeeper-server/zookeeper-server-common/pom.xml
index 2238f6ad086..86734ec6c56 100644
--- a/zookeeper-server/zookeeper-server-common/pom.xml
+++ b/zookeeper-server/zookeeper-server-common/pom.xml
@@ -13,12 +13,6 @@
<version>8-SNAPSHOT</version>
<dependencies>
<dependency>
- <groupId>com.yahoo.vespa</groupId>
- <artifactId>zookeeper-common</artifactId>
- <version>${project.version}</version>
- <scope>compile</scope>
- </dependency>
- <dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<scope>test</scope>
diff --git a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/Configurator.java b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/Configurator.java
index 06e4d0da00c..727e369885e 100644
--- a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/Configurator.java
+++ b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/Configurator.java
@@ -3,10 +3,10 @@ package com.yahoo.vespa.zookeeper;
import com.yahoo.cloud.config.ZookeeperServerConfig;
import com.yahoo.cloud.config.ZookeeperServerConfig.Server;
+import com.yahoo.security.tls.ConfigFileBasedTlsContext;
import com.yahoo.security.tls.MixedMode;
import com.yahoo.security.tls.TlsContext;
import com.yahoo.security.tls.TransportSecurityUtils;
-import com.yahoo.vespa.zookeeper.tls.VespaZookeeperTlsContextUtils;
import java.io.FileWriter;
import java.io.IOException;
@@ -47,8 +47,9 @@ public class Configurator {
// Doc says that it is max size of data in a zookeeper node, but it goes for everything that
// needs to be serialized, see https://issues.apache.org/jira/browse/ZOOKEEPER-1162 for details
System.setProperty(ZOOKEEPER_JUTE_MAX_BUFFER, Integer.valueOf(zookeeperServerConfig.juteMaxBuffer()).toString());
- // Need to set this as a system properties instead of config, config does not work
+ // Need to set these as a system properties instead of config, config does not work
System.setProperty("zookeeper.authProvider.x509", "com.yahoo.vespa.zookeeper.VespaMtlsAuthenticationProvider");
+ System.setProperty("zookeeper.ssl.authProvider", "x509");
// Need to set this as a system property, otherwise it will be parsed for _every_ packet and an exception will be thrown (and handled)
System.setProperty("zookeeper.globalOutstandingLimit", "1000");
System.setProperty("zookeeper.snapshot.compression.method", zookeeperServerConfig.snapshotMethod());
@@ -59,9 +60,13 @@ public class Configurator {
}
void writeConfigToDisk() {
- VespaTlsConfig config = VespaZookeeperTlsContextUtils.tlsContext()
- .map(ctx -> new VespaTlsConfig(ctx, TransportSecurityUtils.getInsecureMixedMode()))
- .orElse(VespaTlsConfig.tlsDisabled());
+ VespaTlsConfig config;
+ String cfgFile = zookeeperServerConfig.vespaTlsConfigFile();
+ if (cfgFile.isBlank()) {
+ config = VespaTlsConfig.fromSystem();
+ } else {
+ config = VespaTlsConfig.fromConfig(Paths.get(cfgFile));
+ }
writeConfigToDisk(config);
}
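Review bot: `VespaTlsConfig.fromConfig(Paths.get(cfgFile))` uses the configured path as-is, while every other file name this class handles goes through `makeAbsolutePath` (visible further down in the same file), which resolves relative names under Vespa home; a relative `vespaTlsConfigFile` would therefore resolve against the process working directory instead. If relative paths are meant to be accepted, use `config = VespaTlsConfig.fromConfig(makeAbsolutePath(cfgFile));`, otherwise a comment stating that the value must be absolute would prevent the mismatch from surprising the next reader. The method also silently treats a blank value as "use the system context"; a one-line comment on the `isBlank()` branch naming that fallback would help.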
@@ -85,7 +90,7 @@ public class Configurator {
}
}
- private static String transformConfigToString(ZookeeperServerConfig config, VespaTlsConfig vespaTlsConfig, Map<String, String> dynamicConfig) {
+ private String transformConfigToString(ZookeeperServerConfig config, VespaTlsConfig vespaTlsConfig, Map<String, String> dynamicConfig) {
Map<String, String> configEntries = new LinkedHashMap<>();
configEntries.put("tickTime", Integer.toString(config.tickTime()));
configEntries.put("initLimit", Integer.toString(config.initLimit()));
@@ -113,7 +118,7 @@ public class Configurator {
return transformConfigToString(configEntries);
}
- static void addServerSpecs(Map<String, String> configEntries, ZookeeperServerConfig config, Map<String, String> dynamicConfig) {
+ void addServerSpecs(Map<String, String> configEntries, ZookeeperServerConfig config, Map<String, String> dynamicConfig) {
int myIndex = ensureThisServerIsRepresented(config.myid(), config.server());
// If dynamic config refers to servers that are not in the current config, we must ignore it.
@@ -205,7 +210,7 @@ public class Configurator {
.toList();
}
- static Path makeAbsolutePath(String filename) {
+ Path makeAbsolutePath(String filename) {
Path path = Paths.get(filename);
return path.isAbsolute() ? path : Paths.get(getDefaults().underVespaHome(filename));
}
@@ -215,8 +220,9 @@ public class Configurator {
default void appendSharedTlsConfig(Map<String, String> configEntries, VespaTlsConfig vespaTlsConfig) {
vespaTlsConfig.context().ifPresent(ctx -> {
- String enabledCiphers = Arrays.stream(ctx.parameters().getCipherSuites()).sorted().collect(Collectors.joining(","));
+ VespaSslContextProvider.set(ctx);
configEntries.put(configFieldPrefix() + ".context.supplier.class", VespaSslContextProvider.class.getName());
+ String enabledCiphers = Arrays.stream(ctx.parameters().getCipherSuites()).sorted().collect(Collectors.joining(","));
configEntries.put(configFieldPrefix() + ".ciphersuites", enabledCiphers);
String enabledProtocols = Arrays.stream(ctx.parameters().getProtocols()).sorted().collect(Collectors.joining(","));
configEntries.put(configFieldPrefix() + ".enabledProtocols", enabledProtocols);
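Review bot: `VespaSslContextProvider.set(ctx)` is a process-global side effect (it closes the previously installed context) placed inside a method whose job is to append config entries, and this default method is invoked once per `configFieldPrefix()`; the test expectations on this page show both `ssl.quorum.context.supplier.class` and `ssl.context.supplier.class` being emitted from the same `VespaTlsConfig`, so `set` appears to run twice with the same `ctx`, and on the new side `set` closes the current context before reassigning it, which would close the very context it is about to install. Unless `TlsContext.close()` is known to be harmless on a context still in use, move the installation out of this method to the single place that writes the config, e.g. `VespaSslContextProvider.set(ctx)` once in `writeConfigToDisk(VespaTlsConfig)` before `transformConfigToString`, and leave `appendSharedTlsConfig` free of global state changes. The enclosing interface and `writeConfigToDisk(VespaTlsConfig)` lie outside this hunk.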
@@ -270,6 +276,19 @@ public class Configurator {
this.mixedMode = mixedMode;
}
+ static VespaTlsConfig fromSystem() {
+ return new VespaTlsConfig(
+ TransportSecurityUtils.getSystemTlsContext().orElse(null),
+ TransportSecurityUtils.getInsecureMixedMode());
+ }
+
+ static VespaTlsConfig fromConfig(Path file) {
+ return new VespaTlsConfig(
+ new ConfigFileBasedTlsContext(file, TransportSecurityUtils.getInsecureAuthorizationMode()),
+ TransportSecurityUtils.getInsecureMixedMode());
+ }
+
+
static VespaTlsConfig tlsDisabled() { return new VespaTlsConfig(null, MixedMode.defaultValue()); }
boolean tlsEnabled() { return context != null; }
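Review bot: The two new factories differ in where the TLS context comes from but both still take mixed mode, and `fromConfig` the authorization mode, from `TransportSecurityUtils` (i.e. the environment), which is easy to miss when a caller supplies an explicit config file; add Javadoc making that split explicit, e.g. `/** TLS context from the system (env-based) configuration; absent context means TLS disabled. */` on `fromSystem` and `/** TLS context read from the given config file; mixed and authorization modes still come from the environment. */` on `fromConfig`. `fromSystem` maps an absent context to `null` so that `tlsEnabled()` reports false, whereas `fromConfig` always constructs a context, so a caller passing a path to a missing file will not get the disabled state but whatever `ConfigFileBasedTlsContext` does on open, which is not visible here. Minor style point: the double blank line before `tlsDisabled()` should be a single one.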
diff --git a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/DummyVespaZooKeeperServer.java b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/DummyVespaZooKeeperServer.java
index f99d4cb6881..cc3d5117241 100644
--- a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/DummyVespaZooKeeperServer.java
+++ b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/DummyVespaZooKeeperServer.java
@@ -3,7 +3,6 @@ package com.yahoo.vespa.zookeeper;
import com.yahoo.component.annotation.Inject;
import com.yahoo.component.AbstractComponent;
-import com.yahoo.vespa.zookeeper.server.VespaZooKeeperServer;
import java.nio.file.Path;
diff --git a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/Reconfigurer.java b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/Reconfigurer.java
index 201bb7af272..f2886be93d7 100644
--- a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/Reconfigurer.java
+++ b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/Reconfigurer.java
@@ -5,7 +5,6 @@ import com.yahoo.cloud.config.ZookeeperServerConfig;
import com.yahoo.component.AbstractComponent;
import com.yahoo.component.annotation.Inject;
import com.yahoo.protect.Process;
-import com.yahoo.vespa.zookeeper.server.VespaZooKeeperServer;
import com.yahoo.yolean.Exceptions;
import java.time.Duration;
diff --git a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/VespaSslContextProvider.java b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/VespaSslContextProvider.java
index eca5df73dfb..71cc81a0db0 100644
--- a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/VespaSslContextProvider.java
+++ b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/VespaSslContextProvider.java
@@ -1,9 +1,11 @@
// Copyright Vespa.ai. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.zookeeper;
-import com.yahoo.vespa.zookeeper.tls.VespaZookeeperTlsContextUtils;
+import com.yahoo.security.X509SslContext;
+import com.yahoo.security.tls.TlsContext;
import javax.net.ssl.SSLContext;
+import java.util.Optional;
import java.util.function.Supplier;
/**
@@ -13,11 +15,22 @@ import java.util.function.Supplier;
*/
public class VespaSslContextProvider implements Supplier<SSLContext> {
+ private static TlsContext tlsContext;
+
@Override
public SSLContext get() {
- return VespaZookeeperTlsContextUtils.tlsContext()
- .orElseThrow(() -> new IllegalStateException("Vespa TLS is not enabled"))
- .sslContext().context();
+ return tlsContext().orElseThrow(() -> new IllegalStateException("Vespa TLS is not enabled")).context();
+ }
+
+ public Optional<X509SslContext> tlsContext() {
+ synchronized (VespaSslContextProvider.class) {
+ return Optional.ofNullable(tlsContext.sslContext());
+ }
+ }
+
+ static synchronized void set(TlsContext ctx) {
+ if (tlsContext != null) tlsContext.close();
+ tlsContext = ctx;
}
}
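Review bot: `tlsContext()` calls `tlsContext.sslContext()` on the static field before checking it for null, so until `set(...)` has run (or when TLS is disabled and it never runs) the method throws `NullPointerException` instead of returning the empty `Optional` its callers, such as the `orElse(null)` chains in `VespaMtlsAuthenticationProvider`, clearly expect; change it to `return Optional.ofNullable(tlsContext).map(TlsContext::sslContext);`. Separately, `set` closes the current context before assigning the new one without checking identity, so a second `set(ctx)` with the same instance closes the context that remains installed; guard it with `if (tlsContext != null && tlsContext != ctx) tlsContext.close();`. The class-level Javadoc is cut off above this hunk, but a sentence there noting that the provider is reflectively instantiated by ZooKeeper and therefore reads static state would explain the design.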
diff --git a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/server/VespaZooKeeperServer.java b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServer.java
index 0eddf5175d4..ef6083ae5f7 100644
--- a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/server/VespaZooKeeperServer.java
+++ b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServer.java
@@ -1,5 +1,5 @@
// Copyright Vespa.ai. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.zookeeper.server;
+package com.yahoo.vespa.zookeeper;
import java.nio.file.Path;
diff --git a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/ZooKeeperRunner.java b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/ZooKeeperRunner.java
index 9c18dde3380..eaae3c74d11 100644
--- a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/ZooKeeperRunner.java
+++ b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/ZooKeeperRunner.java
@@ -4,7 +4,6 @@ package com.yahoo.vespa.zookeeper;
import com.yahoo.cloud.config.ZookeeperServerConfig;
import com.yahoo.concurrent.DaemonThreadFactory;
import com.yahoo.protect.Process;
-import com.yahoo.vespa.zookeeper.server.VespaZooKeeperServer;
import com.yahoo.yolean.Exceptions;
import java.nio.file.Files;
diff --git a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/server/package-info.java b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/package-info.java
index fd6967ffbe4..f43f095d66d 100644
--- a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/server/package-info.java
+++ b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/package-info.java
@@ -1,5 +1,5 @@
// Copyright Vespa.ai. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
@ExportPackage
-package com.yahoo.vespa.zookeeper.server;
+package com.yahoo.vespa.zookeeper;
import com.yahoo.osgi.annotation.ExportPackage;
diff --git a/zookeeper-server/zookeeper-server-common/src/test/java/com/yahoo/vespa/zookeeper/ConfiguratorTest.java b/zookeeper-server/zookeeper-server-common/src/test/java/com/yahoo/vespa/zookeeper/ConfiguratorTest.java
index 2c3c4ead420..3cf1d07be65 100644
--- a/zookeeper-server/zookeeper-server-common/src/test/java/com/yahoo/vespa/zookeeper/ConfiguratorTest.java
+++ b/zookeeper-server/zookeeper-server-common/src/test/java/com/yahoo/vespa/zookeeper/ConfiguratorTest.java
@@ -224,21 +224,17 @@ public class ConfiguratorTest {
}
private String tlsQuorumConfig() {
- return """
- ssl.quorum.context.supplier.class=com.yahoo.vespa.zookeeper.VespaSslContextProvider
- ssl.quorum.ciphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- ssl.quorum.enabledProtocols=TLSv1.2,TLSv1.3
- ssl.quorum.clientAuth=NEED
- """;
+ return "ssl.quorum.context.supplier.class=com.yahoo.vespa.zookeeper.VespaSslContextProvider\n" +
+ "ssl.quorum.ciphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\n" +
+ "ssl.quorum.enabledProtocols=TLSv1.2,TLSv1.3\n" +
+ "ssl.quorum.clientAuth=NEED\n";
}
private String tlsClientServerConfig() {
- return """
- ssl.context.supplier.class=com.yahoo.vespa.zookeeper.VespaSslContextProvider
- ssl.ciphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- ssl.enabledProtocols=TLSv1.2,TLSv1.3
- ssl.clientAuth=NEED
- """;
+ return "ssl.context.supplier.class=com.yahoo.vespa.zookeeper.VespaSslContextProvider\n" +
+ "ssl.ciphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\n" +
+ "ssl.enabledProtocols=TLSv1.2,TLSv1.3\n" +
+ "ssl.clientAuth=NEED\n";
}
private void validateConfigFileMultipleHosts(File cfgFile, boolean hosted) {
diff --git a/zookeeper-server/zookeeper-server-common/src/test/java/com/yahoo/vespa/zookeeper/ReconfigurerTest.java b/zookeeper-server/zookeeper-server-common/src/test/java/com/yahoo/vespa/zookeeper/ReconfigurerTest.java
index ebf1194fdfe..b21f907ec5d 100644
--- a/zookeeper-server/zookeeper-server-common/src/test/java/com/yahoo/vespa/zookeeper/ReconfigurerTest.java
+++ b/zookeeper-server/zookeeper-server-common/src/test/java/com/yahoo/vespa/zookeeper/ReconfigurerTest.java
@@ -3,7 +3,6 @@ package com.yahoo.vespa.zookeeper;
import com.yahoo.cloud.config.ZookeeperServerConfig;
import com.yahoo.net.HostName;
-import com.yahoo.vespa.zookeeper.server.VespaZooKeeperServer;
import org.junit.After;
import org.junit.Before;
import org.junit.Rule;
diff --git a/zookeeper-server/zookeeper-server/src/main/java/com/yahoo/vespa/zookeeper/ConfigServerZooKeeperServer.java b/zookeeper-server/zookeeper-server/src/main/java/com/yahoo/vespa/zookeeper/ConfigServerZooKeeperServer.java
index a7cd14c415f..d986f02d89a 100644
--- a/zookeeper-server/zookeeper-server/src/main/java/com/yahoo/vespa/zookeeper/ConfigServerZooKeeperServer.java
+++ b/zookeeper-server/zookeeper-server/src/main/java/com/yahoo/vespa/zookeeper/ConfigServerZooKeeperServer.java
@@ -4,8 +4,6 @@ package com.yahoo.vespa.zookeeper;
import com.yahoo.cloud.config.ZookeeperServerConfig;
import com.yahoo.component.AbstractComponent;
import com.yahoo.component.annotation.Inject;
-import com.yahoo.vespa.zookeeper.server.VespaZooKeeperServer;
-
import java.nio.file.Path;
/**
diff --git a/zookeeper-server/zookeeper-server/src/main/java/com/yahoo/vespa/zookeeper/ReconfigurableVespaZooKeeperServer.java b/zookeeper-server/zookeeper-server/src/main/java/com/yahoo/vespa/zookeeper/ReconfigurableVespaZooKeeperServer.java
index d869cbb6938..1b469beb1b8 100644
--- a/zookeeper-server/zookeeper-server/src/main/java/com/yahoo/vespa/zookeeper/ReconfigurableVespaZooKeeperServer.java
+++ b/zookeeper-server/zookeeper-server/src/main/java/com/yahoo/vespa/zookeeper/ReconfigurableVespaZooKeeperServer.java
@@ -5,8 +5,6 @@ import ai.vespa.validation.Validation;
import com.yahoo.cloud.config.ZookeeperServerConfig;
import com.yahoo.component.AbstractComponent;
import com.yahoo.component.annotation.Inject;
-import com.yahoo.vespa.zookeeper.server.VespaZooKeeperServer;
-
import java.nio.file.Path;
import java.time.Duration;
diff --git a/zookeeper-server/zookeeper-server/src/main/java/com/yahoo/vespa/zookeeper/VespaMtlsAuthenticationProvider.java b/zookeeper-server/zookeeper-server/src/main/java/com/yahoo/vespa/zookeeper/VespaMtlsAuthenticationProvider.java
index 90554910293..100de4894ae 100644
--- a/zookeeper-server/zookeeper-server/src/main/java/com/yahoo/vespa/zookeeper/VespaMtlsAuthenticationProvider.java
+++ b/zookeeper-server/zookeeper-server/src/main/java/com/yahoo/vespa/zookeeper/VespaMtlsAuthenticationProvider.java
@@ -2,10 +2,7 @@
package com.yahoo.vespa.zookeeper;
import com.yahoo.security.X509SslContext;
-import com.yahoo.security.tls.TlsContext;
-import com.yahoo.security.tls.TransportSecurityUtils;
import org.apache.zookeeper.KeeperException;
-import org.apache.zookeeper.common.ClientX509Util;
import org.apache.zookeeper.common.X509Exception;
import org.apache.zookeeper.data.Id;
import org.apache.zookeeper.server.ServerCnxn;
@@ -19,7 +16,7 @@ import java.security.cert.X509Certificate;
import java.util.logging.Logger;
/**
- * A {@link AuthenticationProvider} to be used in combination with Vespa mTLS.
+ * A {@link AuthenticationProvider} to be used in combination with Vespa mTLS
*
* @author bjorncs
*/
@@ -28,7 +25,15 @@ public class VespaMtlsAuthenticationProvider extends X509AuthenticationProvider
private static final Logger log = Logger.getLogger(VespaMtlsAuthenticationProvider.class.getName());
public VespaMtlsAuthenticationProvider() {
- super(null, null);
+ super(trustManager(), keyManager());
+ }
+
+ private static X509KeyManager keyManager() {
+ return new VespaSslContextProvider().tlsContext().map(X509SslContext::keyManager).orElse(null);
+ }
+
+ private static X509TrustManager trustManager() {
+ return new VespaSslContextProvider().tlsContext().map(X509SslContext::trustManager).orElse(null);
}
@Override
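Review bot: When no Vespa TLS context is present both helpers yield `null`, and on the new side of `ClientX509Util` in this same change those nulls are taken verbatim as the client's key and trust manager, so the provider can hand out a context with no way to authenticate the peer without any log line; since this class already has a `Logger`, a `log.warning(...)` in the constructor when either manager is `null` would make that state visible. The helpers also construct a fresh `VespaSslContextProvider` per call only to reach static state, so a single `private static final VespaSslContextProvider PROVIDER = new VespaSslContextProvider();` used by both would read more clearly. This body is duplicated verbatim in the other `VespaMtlsAuthenticationProvider` copy on this page, so whichever fix is chosen should be applied to both.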
diff --git a/zookeeper-server/zookeeper-server/src/main/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImpl.java b/zookeeper-server/zookeeper-server/src/main/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImpl.java
index 4f93eb0efa5..4a7f85d6985 100644
--- a/zookeeper-server/zookeeper-server/src/main/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImpl.java
+++ b/zookeeper-server/zookeeper-server/src/main/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServerImpl.java
@@ -5,8 +5,6 @@ import ai.vespa.validation.Validation;
import com.yahoo.cloud.config.ZookeeperServerConfig;
import com.yahoo.component.AbstractComponent;
import com.yahoo.component.annotation.Inject;
-import com.yahoo.vespa.zookeeper.server.VespaZooKeeperServer;
-
import java.nio.file.Path;
import java.time.Duration;
diff --git a/zookeeper-server/zookeeper-server/src/main/java/org/apache/zookeeper/common/ClientX509Util.java b/zookeeper-server/zookeeper-server/src/main/java/org/apache/zookeeper/common/ClientX509Util.java
index 83cfaf11a92..c0034a4723f 100644
--- a/zookeeper-server/zookeeper-server/src/main/java/org/apache/zookeeper/common/ClientX509Util.java
+++ b/zookeeper-server/zookeeper-server/src/main/java/org/apache/zookeeper/common/ClientX509Util.java
@@ -18,7 +18,6 @@
package org.apache.zookeeper.common;
-import com.yahoo.vespa.zookeeper.tls.VespaZookeeperTlsContextUtils;
import io.netty.handler.ssl.DelegatingSslContext;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
@@ -29,16 +28,21 @@ import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManager;
+
+import org.apache.zookeeper.common.X509Exception.KeyManagerException;
+import org.apache.zookeeper.common.X509Exception.SSLContextException;
+import org.apache.zookeeper.server.auth.ProviderRegistry;
+import org.apache.zookeeper.server.auth.X509AuthenticationProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
- * X509 utilities specific for client-server communication framework.
- * <p>
- * <em>Modified to use Vespa's TLS context, whenever it is available, instead of the file-based key and trust stores of ZK 3.9.
- * Based on https://github.com/apache/zookeeper/blob/branch-3.9/zookeeper-server/src/main/java/org/apache/zookeeper/common/ClientX509Util.java</em>
*
- * @author jonmv
+ * <em>NOTE: Overridden because ZK 3.9 completely broke the SSL setup APIs; for clients, key and trust stores are
+ * now mandatory, unlike for servers, where it's still possible to provide a custom authProvider. This patch fixes that.
+ * Based on https://github.com/apache/zookeeper/blob/branch-3.9/zookeeper-server/src/main/java/org/apache/zookeeper/common/ClientX509Util.java</em>
+ * <p>
+ * X509 utilities specific for client-server communication framework.
*/
public class ClientX509Util extends X509Util {
@@ -66,31 +70,37 @@ public class ClientX509Util extends X509Util {
}
public SslContext createNettySslContextForClient(ZKConfig config)
- throws X509Exception.KeyManagerException, X509Exception.TrustManagerException, SSLException {
- SslContextBuilder sslContextBuilder = SslContextBuilder.forClient();
+ throws X509Exception.KeyManagerException, X509Exception.TrustManagerException, SSLException {
+
KeyManager km;
TrustManager tm;
- if (VespaZookeeperTlsContextUtils.tlsContext().isPresent()) {
- km = VespaZookeeperTlsContextUtils.tlsContext().get().sslContext().keyManager();
- tm = VespaZookeeperTlsContextUtils.tlsContext().get().sslContext().trustManager();
- }
- else {
+ String authProviderProp = System.getProperty(getSslAuthProviderProperty());
+ if (authProviderProp == null) {
String keyStoreLocation = config.getProperty(getSslKeystoreLocationProperty(), "");
String keyStorePassword = getPasswordFromConfigPropertyOrFile(config, getSslKeystorePasswdProperty(),
getSslKeystorePasswdPathProperty());
String keyStoreType = config.getProperty(getSslKeystoreTypeProperty());
-
if (keyStoreLocation.isEmpty()) {
LOG.warn("{} not specified", getSslKeystoreLocationProperty());
km = null;
- }
- else {
+ } else {
km = createKeyManager(keyStoreLocation, keyStorePassword, keyStoreType);
}
-
tm = getTrustManager(config);
+ } else {
+ X509AuthenticationProvider authProvider = (X509AuthenticationProvider) ProviderRegistry.getProvider(
+ System.getProperty(getSslAuthProviderProperty(), "x509"));
+
+ if (authProvider == null) {
+ LOG.error("Auth provider not found: {}", authProviderProp);
+ throw new SSLException("Could not create SSLContext with specified auth provider: " + authProviderProp);
+ }
+ LOG.info("Using auth provider for client: {}", authProviderProp);
+ km = authProvider.getKeyManager();
+ tm = authProvider.getTrustManager();
}
+ SslContextBuilder sslContextBuilder = SslContextBuilder.forClient();
if (km != null) {
sslContextBuilder.keyManager(km);
}
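Review bot: The auth-provider branch re-reads the system property with a `"x509"` default even though `authProviderProp` is already known to be non-null, and then performs an unchecked cast to `X509AuthenticationProvider`, so a registered provider of another type fails with `ClassCastException` rather than the `SSLException` the explicit null check was written to raise. Use the already-read value and check the type before casting; this also means a null key or trust manager returned by the provider is passed on silently, so consider a `LOG.warn` when `tm == null` mirroring the warning the keystore branch already emits, since the client context is then built without an explicit trust manager. `AuthenticationProvider` would need an import from `org.apache.zookeeper.server.auth`.
```java
} else {
    AuthenticationProvider provider = ProviderRegistry.getProvider(authProviderProp);
    if (!(provider instanceof X509AuthenticationProvider)) {
        LOG.error("Auth provider not found or not an X509AuthenticationProvider: {}", authProviderProp);
        throw new SSLException("Could not create SSLContext with specified auth provider: " + authProviderProp);
    }
    X509AuthenticationProvider authProvider = (X509AuthenticationProvider) provider;
    LOG.info("Using auth provider for client: {}", authProviderProp);
    km = authProvider.getKeyManager();
    tm = authProvider.getTrustManager();
    if (tm == null) LOG.warn("Auth provider {} supplied no trust manager for client", authProviderProp);
}
// … unchanged: SslContextBuilder.forClient() and key/trust manager wiring …
```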
@@ -98,54 +108,36 @@ public class ClientX509Util extends X509Util {
sslContextBuilder.trustManager(tm);
}
- sslContextBuilder.enableOcsp(config.getBoolean(getSslOcspEnabledProperty()));
- sslContextBuilder.protocols(getEnabledProtocols(config));
- Iterable<String> enabledCiphers = getCipherSuites(config);
- if (enabledCiphers != null) {
- sslContextBuilder.ciphers(enabledCiphers);
- }
- sslContextBuilder.sslProvider(getSslProvider(config));
-
- SslContext sslContext1 = sslContextBuilder.build();
-
- if (getFipsMode(config) && isServerHostnameVerificationEnabled(config)) {
- return addHostnameVerification(sslContext1, "Server");
- } else {
- return sslContext1;
- }
+ return createNettySslContext(config, sslContextBuilder, "Server");
}
public SslContext createNettySslContextForServer(ZKConfig config)
- throws X509Exception.SSLContextException, X509Exception.KeyManagerException, X509Exception.TrustManagerException, SSLException {
- KeyManager km;
- TrustManager tm;
- if (VespaZookeeperTlsContextUtils.tlsContext().isPresent()) {
- km = VespaZookeeperTlsContextUtils.tlsContext().get().sslContext().keyManager();
- tm = VespaZookeeperTlsContextUtils.tlsContext().get().sslContext().trustManager();
+ throws X509Exception.SSLContextException, X509Exception.KeyManagerException, X509Exception.TrustManagerException, SSLException {
+ String keyStoreLocation = config.getProperty(getSslKeystoreLocationProperty(), "");
+ String keyStorePassword = getPasswordFromConfigPropertyOrFile(config, getSslKeystorePasswdProperty(),
+ getSslKeystorePasswdPathProperty());
+ String keyStoreType = config.getProperty(getSslKeystoreTypeProperty());
+
+ if (keyStoreLocation.isEmpty()) {
+ throw new X509Exception.SSLContextException(
+ "Keystore is required for SSL server: " + getSslKeystoreLocationProperty());
}
- else {
- String keyStoreLocation = config.getProperty(getSslKeystoreLocationProperty(), "");
- String keyStorePassword = getPasswordFromConfigPropertyOrFile(config, getSslKeystorePasswdProperty(),
- getSslKeystorePasswdPathProperty());
- String keyStoreType = config.getProperty(getSslKeystoreTypeProperty());
- if (keyStoreLocation.isEmpty()) {
- throw new X509Exception.SSLContextException(
- "Keystore is required for SSL server: " + getSslKeystoreLocationProperty());
- }
- km = createKeyManager(keyStoreLocation, keyStorePassword, keyStoreType);
- tm = getTrustManager(config);
- }
- return createNettySslContextForServer(config, km, tm);
- }
+ KeyManager km = createKeyManager(keyStoreLocation, keyStorePassword, keyStoreType);
+ TrustManager trustManager = getTrustManager(config);
- public SslContext createNettySslContextForServer(ZKConfig config, KeyManager keyManager, TrustManager trustManager) throws SSLException {
- SslContextBuilder sslContextBuilder = SslContextBuilder.forServer(keyManager);
+ return createNettySslContextForServer(config, km, trustManager);
+ }
- if (trustManager != null) {
- sslContextBuilder.trustManager(trustManager);
+ public SslContext createNettySslContextForServer(ZKConfig config, KeyManager km, TrustManager tm) throws SSLException {
+ SslContextBuilder sslContextBuilder = SslContextBuilder.forServer(km);
+ if (tm != null) {
+ sslContextBuilder.trustManager(tm);
}
+ return createNettySslContext(config, sslContextBuilder, "Client");
+ }
+ SslContext createNettySslContext(ZKConfig config, SslContextBuilder sslContextBuilder, String clientOrServer) throws SSLException {
sslContextBuilder.enableOcsp(config.getBoolean(getSslOcspEnabledProperty()));
sslContextBuilder.protocols(getEnabledProtocols(config));
sslContextBuilder.clientAuth(getClientAuth(config).toNettyClientAuth());
@@ -155,12 +147,12 @@ public class ClientX509Util extends X509Util {
}
sslContextBuilder.sslProvider(getSslProvider(config));
- SslContext sslContext1 = sslContextBuilder.build();
+ SslContext sslContext = sslContextBuilder.build();
if (getFipsMode(config) && isClientHostnameVerificationEnabled(config)) {
- return addHostnameVerification(sslContext1, "Client");
+ return addHostnameVerification(sslContext, clientOrServer);
} else {
- return sslContext1;
+ return sslContext;
}
}
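Review bot: The shared `createNettySslContext` gates hostname verification on `isClientHostnameVerificationEnabled(config)` for both callers, but the client-side code it replaces (the removed lines in this hunk) used `isServerHostnameVerificationEnabled(config)`; after this change a client context only verifies the server's hostname when the client-verification flag happens to be set, which inverts the meaning of the two ZooKeeper properties. Select the flag from the `clientOrServer` argument the method already receives: `boolean verifyPeer = "Server".equals(clientOrServer) ? isServerHostnameVerificationEnabled(config) : isClientHostnameVerificationEnabled(config);` and `if (getFipsMode(config) && verifyPeer) {`. The shared method also applies `clientAuth(...)` to the client builder, which the removed client code did not do; it is presumably ignored for a client context but worth a comment so the asymmetry reads as intentional.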
@@ -209,7 +201,7 @@ public class ClientX509Util extends X509Util {
private TrustManager getTrustManager(ZKConfig config) throws X509Exception.TrustManagerException {
String trustStoreLocation = config.getProperty(getSslTruststoreLocationProperty(), "");
String trustStorePassword = getPasswordFromConfigPropertyOrFile(config, getSslTruststorePasswdProperty(),
- getSslTruststorePasswdPathProperty());
+ getSslTruststorePasswdPathProperty());
String trustStoreType = config.getProperty(getSslTruststoreTypeProperty());
boolean sslCrlEnabled = config.getBoolean(getSslCrlEnabledProperty());
@@ -222,8 +214,8 @@ public class ClientX509Util extends X509Util {
return null;
} else {
return createTrustManager(trustStoreLocation, trustStorePassword, trustStoreType,
- sslCrlEnabled, sslOcspEnabled, sslServerHostnameVerificationEnabled,
- sslClientHostnameVerificationEnabled, getFipsMode(config));
+ sslCrlEnabled, sslOcspEnabled, sslServerHostnameVerificationEnabled,
+ sslClientHostnameVerificationEnabled, getFipsMode(config));
}
}
}