diff options
| author | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2021-03-09 15:58:39 +0100 |
|---|---|---|
| committer | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2021-03-10 13:46:00 +0100 |
| commit | 864691223cd407d1d9ab12fa42d6fa79a13507a7 (patch) | |
| tree | bcf74173d4d3ac47cff421a452d80f4753e1c683 /zkfacade | |
| parent | 7f81c030ecb230a75a21e02e78fa6bb9290f4a69 (diff) | |
Specify TLS configuration when enabling secure ZK client
Implement and use ssl context supplier class.
Move helpers methods for determining enabled ciphers/protocols to supplier class.
Diffstat (limited to 'zkfacade')
| -rw-r--r-- | zkfacade/src/main/java/com/yahoo/vespa/curator/Curator.java | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/zkfacade/src/main/java/com/yahoo/vespa/curator/Curator.java b/zkfacade/src/main/java/com/yahoo/vespa/curator/Curator.java index adfd9bd051f..4cbb6c95cb4 100644 --- a/zkfacade/src/main/java/com/yahoo/vespa/curator/Curator.java +++ b/zkfacade/src/main/java/com/yahoo/vespa/curator/Curator.java @@ -10,6 +10,7 @@ import com.yahoo.text.Utf8; import com.yahoo.vespa.curator.api.VespaCurator; import com.yahoo.vespa.curator.recipes.CuratorCounter; import com.yahoo.vespa.defaults.Defaults; +import com.yahoo.vespa.zookeeper.VespaSslContextProvider; import com.yahoo.vespa.zookeeper.VespaZooKeeperServer; import org.apache.curator.RetryPolicy; import org.apache.curator.framework.CuratorFramework; @@ -124,9 +125,15 @@ public class Curator implements VespaCurator, AutoCloseable { private static ZKClientConfig createClientConfig(Optional<File> clientConfigFile) { if (clientConfigFile.isPresent()) { boolean useSecureClient = Boolean.parseBoolean(getEnvironmentVariable("VESPA_USE_TLS_FOR_ZOOKEEPER_CLIENT").orElse("false")); - String config = "zookeeper.client.secure=" + useSecureClient + "\n"; + StringBuilder configBuilder = new StringBuilder("zookeeper.client.secure=").append(useSecureClient).append("\n"); + if (useSecureClient) { + configBuilder.append("zookeeper.ssl.context.supplier.class=").append(VespaSslContextProvider.class.getName()).append("\n") + .append("zookeeper.ssl.enabledProtocols=").append(VespaSslContextProvider.enabledTlsProtocolConfigValue()).append("\n") + .append("zookeeper.ssl.ciphersuites=").append(VespaSslContextProvider.enabledTlsCiphersConfigValue()).append("\n") + .append("zookeeper.ssl.clientAuth=NEED\n"); + } clientConfigFile.get().getParentFile().mkdirs(); - IOUtils.writeFile(clientConfigFile.get(), Utf8.toBytes(config)); + IOUtils.writeFile(clientConfigFile.get(), Utf8.toBytes(configBuilder.toString())); try { return new ZKClientConfig(clientConfigFile.get()); } catch (QuorumPeerConfig.ConfigException e) { |