authorBjørn Christian Seime <bjorncs@yahooinc.com>2022-08-26 18:29:13 +0200
committerBjørn Christian Seime <bjorncs@yahooinc.com>2022-08-26 18:29:13 +0200
commit7c1023262df5d2254e4cd31d795b26fa5fef3cef (patch)
treee9b5d506cd0a7364e59a6811c11f846a8c969d7c /zookeeper-server
parentf5b826180c679e43697bb5c160f9e42e614084b7 (diff)
Allow ZooKeeper to be configured with custom Vespa mTLS config
Diffstat (limited to 'zookeeper-server')
-rw-r--r--zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/Configurator.java20
-rw-r--r--zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/VespaSslContextProvider.java14
2 files changed, 29 insertions, 5 deletions
diff --git a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/Configurator.java b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/Configurator.java
index 8f8058c6c0b..6508c154978 100644
--- a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/Configurator.java
+++ b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/Configurator.java
@@ -2,6 +2,7 @@
package com.yahoo.vespa.zookeeper;
import com.yahoo.cloud.config.ZookeeperServerConfig;
+import com.yahoo.security.tls.ConfigFileBasedTlsContext;
import com.yahoo.security.tls.MixedMode;
import com.yahoo.security.tls.TlsContext;
import com.yahoo.security.tls.TransportSecurityUtils;
@@ -47,7 +48,16 @@ public class Configurator {
System.setProperty("zookeeper.snapshot.compression.method", zookeeperServerConfig.snapshotMethod());
}
- void writeConfigToDisk() { writeConfigToDisk(VespaTlsConfig.fromSystem()); }
+ void writeConfigToDisk() {
+ VespaTlsConfig config;
+ String cfgFile = zookeeperServerConfig.vespaTlsConfigFile();
+ if (cfgFile.isBlank()) {
+ config = VespaTlsConfig.fromSystem();
+ } else {
+ config = VespaTlsConfig.fromConfig(Paths.get(cfgFile));
+ }
+ writeConfigToDisk(config);
+ }
// override of Vespa TLS config for unit testing
void writeConfigToDisk(VespaTlsConfig vespaTlsConfig) {
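Review bot: The selection rule in the new `writeConfigToDisk()` body is undocumented, and because it decides which trust configuration the quorum and client TLS will use, a short comment is warranted: `// A blank vespaTlsConfigFile selects the process-wide Vespa TLS configuration; otherwise the ZooKeeper TLS context is loaded from that file`. Note that a blank value silently falls back to the system TLS context rather than failing, which is presumably the intended "not configured" default, but worth stating. `Paths.get(...)` and the `Path` type used in the `fromConfig` hunk are not added by the visible import hunk, so they are presumably already imported elsewhere in the file. The overload `writeConfigToDisk(VespaTlsConfig)` starting at the last line continues outside the hunk.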
@@ -158,6 +168,7 @@ public class Configurator {
default void appendSharedTlsConfig(StringBuilder builder, VespaTlsConfig vespaTlsConfig) {
vespaTlsConfig.context().ifPresent(ctx -> {
+ VespaSslContextProvider.set(ctx);
builder.append(configFieldPrefix()).append(".context.supplier.class=").append(VespaSslContextProvider.class.getName()).append("\n");
String enabledCiphers = Arrays.stream(ctx.parameters().getCipherSuites()).sorted().collect(Collectors.joining(","));
builder.append(configFieldPrefix()).append(".ciphersuites=").append(enabledCiphers).append("\n");
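Review bot: `VespaSslContextProvider.set(ctx)` introduces a process-global side effect into a method whose contract, from its name and `builder` parameter, is to append configuration text. Since `appendSharedTlsConfig` is a `default` interface method keyed on `configFieldPrefix()`, it is presumably invoked once per prefix with the same `VespaTlsConfig`, so the same `TlsContext` gets registered repeatedly; with `set` as written in VespaSslContextProvider.java, the second registration closes the very context it then re-installs. Moving the call to the single place that writes the whole config (the `writeConfigToDisk(VespaTlsConfig)` overload from the previous hunk) would keep one registration per context and keep this method free of global state; at minimum add `// Process-global: registers the context ZooKeeper will fetch via <prefix>.context.supplier.class`. The enclosing method continues past the end of the hunk.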
@@ -224,6 +235,13 @@ public class Configurator {
TransportSecurityUtils.getInsecureMixedMode());
}
+ static VespaTlsConfig fromConfig(Path file) {
+ return new VespaTlsConfig(
+ new ConfigFileBasedTlsContext(file, TransportSecurityUtils.getInsecureAuthorizationMode()),
+ TransportSecurityUtils.getInsecureMixedMode());
+ }
+
+
static VespaTlsConfig tlsDisabled() { return new VespaTlsConfig(null, MixedMode.defaultValue()); }
boolean tlsEnabled() { return context != null; }
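Review bot: `fromConfig` still takes the authorization mode and mixed mode from `TransportSecurityUtils.getInsecureAuthorizationMode()` and `getInsecureMixedMode()`, i.e. from the process environment, so a custom config file does not fully replace the system settings and the environment's insecure overrides continue to apply to the file-based context. That is easy to misread from the factory name and should be stated: `// Only the TLS material and policy come from the file; authorization and mixed mode still follow the process-wide insecure overrides`. The two consecutive blank lines added before `tlsDisabled()` are one more than the surrounding code uses.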
diff --git a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/VespaSslContextProvider.java b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/VespaSslContextProvider.java
index 89a0fa8a924..5434804cd62 100644
--- a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/VespaSslContextProvider.java
+++ b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/VespaSslContextProvider.java
@@ -2,7 +2,6 @@
package com.yahoo.vespa.zookeeper;
import com.yahoo.security.tls.TlsContext;
-import com.yahoo.security.tls.TransportSecurityUtils;
import javax.net.ssl.SSLContext;
import java.util.function.Supplier;
@@ -14,12 +13,19 @@ import java.util.function.Supplier;
*/
public class VespaSslContextProvider implements Supplier<SSLContext> {
- private static final SSLContext sslContext = TransportSecurityUtils.getSystemTlsContext().map(TlsContext::context).orElse(null);
+ private static TlsContext tlsContext;
@Override
public SSLContext get() {
- if (sslContext == null) throw new IllegalStateException("Vespa TLS is not enabled");
- return sslContext;
+ synchronized (VespaSslContextProvider.class) {
+ if (tlsContext == null) throw new IllegalStateException("Vespa TLS is not enabled");
+ return tlsContext.context();
+ }
+ }
+
+ static synchronized void set(TlsContext ctx) {
+ if (tlsContext != null) tlsContext.close();
+ tlsContext = ctx;
}
}
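Review bot: `set` closes the previously registered context without checking whether it is the same instance being re-registered, so a repeated `set(ctx)` with one context — which the call in Configurator.appendSharedTlsConfig makes plausible, as that method runs once per config prefix — leaves `tlsContext` pointing at a closed TlsContext that `get()` then hands to ZooKeeper; guard with `if (tlsContext != null && tlsContext != ctx) tlsContext.close();`. The class also needs a Javadoc line stating that the provider is process-global and must be populated via `set` before ZooKeeper is started, since `get()` otherwise throws, and that `set` takes ownership of the context it is given and closes it when replaced.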