author | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2022-08-26 18:29:13 +0200 |
committer | Bjørn Christian Seime <bjorncs@yahooinc.com> | 2022-08-26 18:29:13 +0200 |
commit | 7c1023262df5d2254e4cd31d795b26fa5fef3cef (patch) | |
tree | e9b5d506cd0a7364e59a6811c11f846a8c969d7c | |
parent | f5b826180c679e43697bb5c160f9e42e614084b7 (diff) |
Allow ZooKeeper to be configured with custom Vespa mTLS config
3 files changed, 32 insertions, 5 deletions
diff --git a/configdefinitions/src/vespa/zookeeper-server.def b/configdefinitions/src/vespa/zookeeper-server.def
index 761f331a99e..5cff46dd226 100644
--- a/configdefinitions/src/vespa/zookeeper-server.def
+++ b/configdefinitions/src/vespa/zookeeper-server.def
@@ -45,3 +45,6 @@ trustEmptySnapshot bool default=true
 dynamicReconfiguration bool default=false
 snapshotMethod string default="gz"
+
+# Uses default Vespa mTLS config if empty string
+vespaTlsConfigFile string default=""
diff --git a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/Configurator.java b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/Configurator.java
index 8f8058c6c0b..6508c154978 100644
--- a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/Configurator.java
+++ b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/Configurator.java
@@ -2,6 +2,7 @@ package com.yahoo.vespa.zookeeper;
 import com.yahoo.cloud.config.ZookeeperServerConfig;
+import com.yahoo.security.tls.ConfigFileBasedTlsContext;
 import com.yahoo.security.tls.MixedMode;
 import com.yahoo.security.tls.TlsContext;
 import com.yahoo.security.tls.TransportSecurityUtils;
@@ -47,7 +48,16 @@ public class Configurator {
 System.setProperty("zookeeper.snapshot.compression.method", zookeeperServerConfig.snapshotMethod());
 }
- void writeConfigToDisk() { writeConfigToDisk(VespaTlsConfig.fromSystem()); }
+ void writeConfigToDisk() {
+ VespaTlsConfig config;
+ String cfgFile = zookeeperServerConfig.vespaTlsConfigFile();
+ if (cfgFile.isBlank()) {
+ config = VespaTlsConfig.fromSystem();
+ } else {
+ config = VespaTlsConfig.fromConfig(Paths.get(cfgFile));
+ }
+ writeConfigToDisk(config);
+ }
 // override of Vespa TLS config for unit testing
 void writeConfigToDisk(VespaTlsConfig vespaTlsConfig) {
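Review bot: The new writeConfigToDisk() creates a fresh TlsContext on every call when vespaTlsConfigFile is set, and nothing in this method shows who owns it; from the other hunks it is installed into VespaSslContextProvider by appendSharedTlsConfig, which also closes the context it replaces, so the lifecycle is spread over three places. A comment here would spare the next reader that search: `// A file-based context is created per call; appendSharedTlsConfig hands it to VespaSslContextProvider, which closes the one it replaces.` The selection would also sit more naturally beside the other factories in VespaTlsConfig (a constructed name such as `fromConfigFileOrSystem(String)`), keeping Paths.get and the blank-string rule in one place. Note that isBlank() treats a whitespace-only value as "use the system config", which is slightly wider than the "if empty string" wording in the .def comment.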
@@ -158,6 +168,7 @@ public class Configurator {
 default void appendSharedTlsConfig(StringBuilder builder, VespaTlsConfig vespaTlsConfig) {
 vespaTlsConfig.context().ifPresent(ctx -> {
+ VespaSslContextProvider.set(ctx);
 builder.append(configFieldPrefix()).append(".context.supplier.class=").append(VespaSslContextProvider.class.getName()).append("\n");
 String enabledCiphers = Arrays.stream(ctx.parameters().getCipherSuites()).sorted().collect(Collectors.joining(","));
 builder.append(configFieldPrefix()).append(".ciphersuites=").append(enabledCiphers).append("\n");
@@ -224,6 +235,13 @@ public class Configurator {
 TransportSecurityUtils.getInsecureMixedMode());
 }
+ static VespaTlsConfig fromConfig(Path file) {
+ return new VespaTlsConfig(
+ new ConfigFileBasedTlsContext(file, TransportSecurityUtils.getInsecureAuthorizationMode()),
+ TransportSecurityUtils.getInsecureMixedMode());
+ }
+
 static VespaTlsConfig tlsDisabled() { return new VespaTlsConfig(null, MixedMode.defaultValue()); }
 boolean tlsEnabled() { return context != null; }
diff --git a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/VespaSslContextProvider.java b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/VespaSslContextProvider.java
index 89a0fa8a924..5434804cd62 100644
--- a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/VespaSslContextProvider.java
+++ b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/VespaSslContextProvider.java
@@ -2,7 +2,6 @@ package com.yahoo.vespa.zookeeper;
 import com.yahoo.security.tls.TlsContext;
-import com.yahoo.security.tls.TransportSecurityUtils;
 import javax.net.ssl.SSLContext;
 import java.util.function.Supplier;
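Review bot: The added `VespaSslContextProvider.set(ctx)` turns a method that builds a config string into one with a JVM-wide side effect: any caller that only wants the text, including tests driving the writeConfigToDisk(VespaTlsConfig) override, now replaces the process-wide provider state and closes the previously installed context. If this interface is implemented for more than one config section (configFieldPrefix() suggests it is), set(ctx) also runs once per section with the same ctx. Installing the context once in writeConfigToDisk(VespaTlsConfig), before the sections are appended, would keep appendSharedTlsConfig free of side effects; failing that, a comment on the call: `// Side effect: installs ctx as the context that the context.supplier.class written below will return`. appendSharedTlsConfig continues past the end of the hunk.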
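Review bot: fromConfig builds the file-based context with TransportSecurityUtils.getInsecureAuthorizationMode() and getInsecureMixedMode(), so the process-wide insecure-mode overrides still apply to a context whose purpose is to follow a custom config file, and the file's settings and those overrides can disagree without any diagnostic. If that is intended, say so on the factory, e.g. `// Insecure authorization/mixed mode still come from the environment, not from the file`; if not, the mixed mode at least has a neutral default on this page, `MixedMode.defaultValue()`, as tlsDisabled uses. What ConfigFileBasedTlsContext does with a path that does not exist or is unreadable is not visible here; a `@throws` note on fromConfig would tell the caller of writeConfigToDisk what to expect from a bad vespaTlsConfigFile value.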
@@ -14,12 +13,19 @@ import java.util.function.Supplier;
 */
 public class VespaSslContextProvider implements Supplier<SSLContext> {
- private static final SSLContext sslContext = TransportSecurityUtils.getSystemTlsContext().map(TlsContext::context).orElse(null);
+ private static TlsContext tlsContext;
 @Override
 public SSLContext get() {
- if (sslContext == null) throw new IllegalStateException("Vespa TLS is not enabled");
- return sslContext;
+ synchronized (VespaSslContextProvider.class) {
+ if (tlsContext == null) throw new IllegalStateException("Vespa TLS is not enabled");
+ return tlsContext.context();
+ }
+ }
+
+ static synchronized void set(TlsContext ctx) {
+ if (tlsContext != null) tlsContext.close();
+ tlsContext = ctx;
 }
 }
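Review bot: set(ctx) closes the currently installed context before storing ctx but never checks that the two differ; if set is called twice with the same TlsContext (appendSharedTlsConfig calls it once per config section that uses it), the second call closes the very context that get() then keeps returning. Guarding on identity avoids that: `if (tlsContext != null && tlsContext != ctx) tlsContext.close();`. Whether close() is appropriate at all depends on ownership: the context installed via the fromSystem() path looks like the shared system context, and closing it on replacement would affect any other user of it in the process — worth confirming against TransportSecurityUtils. A Javadoc on set stating that the provider takes ownership of ctx and closes the one it replaces would make that contract explicit, and the field deserves a comment that it is guarded by the class monitor in both get() and set().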