diff options
Diffstat (limited to 'zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/Configurator.java')
-rw-r--r-- | zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/Configurator.java | 37 |
1 files changed, 28 insertions, 9 deletions
diff --git a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/Configurator.java b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/Configurator.java index 06e4d0da00c..727e369885e 100644 --- a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/Configurator.java +++ b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/Configurator.java @@ -3,10 +3,10 @@ package com.yahoo.vespa.zookeeper; import com.yahoo.cloud.config.ZookeeperServerConfig; import com.yahoo.cloud.config.ZookeeperServerConfig.Server; +import com.yahoo.security.tls.ConfigFileBasedTlsContext; import com.yahoo.security.tls.MixedMode; import com.yahoo.security.tls.TlsContext; import com.yahoo.security.tls.TransportSecurityUtils; -import com.yahoo.vespa.zookeeper.tls.VespaZookeeperTlsContextUtils; import java.io.FileWriter; import java.io.IOException; @@ -47,8 +47,9 @@ public class Configurator { // Doc says that it is max size of data in a zookeeper node, but it goes for everything that // needs to be serialized, see https://issues.apache.org/jira/browse/ZOOKEEPER-1162 for details System.setProperty(ZOOKEEPER_JUTE_MAX_BUFFER, Integer.valueOf(zookeeperServerConfig.juteMaxBuffer()).toString()); - // Need to set this as a system properties instead of config, config does not work + // Need to set these as a system properties instead of config, config does not work System.setProperty("zookeeper.authProvider.x509", "com.yahoo.vespa.zookeeper.VespaMtlsAuthenticationProvider"); + System.setProperty("zookeeper.ssl.authProvider", "x509"); // Need to set this as a system property, otherwise it will be parsed for _every_ packet and an exception will be thrown (and handled) System.setProperty("zookeeper.globalOutstandingLimit", "1000"); System.setProperty("zookeeper.snapshot.compression.method", zookeeperServerConfig.snapshotMethod()); @@ -59,9 +60,13 @@ public class Configurator { } void writeConfigToDisk() { - VespaTlsConfig config = VespaZookeeperTlsContextUtils.tlsContext() - .map(ctx -> new VespaTlsConfig(ctx, TransportSecurityUtils.getInsecureMixedMode())) - .orElse(VespaTlsConfig.tlsDisabled()); + VespaTlsConfig config; + String cfgFile = zookeeperServerConfig.vespaTlsConfigFile(); + if (cfgFile.isBlank()) { + config = VespaTlsConfig.fromSystem(); + } else { + config = VespaTlsConfig.fromConfig(Paths.get(cfgFile)); + } writeConfigToDisk(config); } @@ -85,7 +90,7 @@ public class Configurator { } } - private static String transformConfigToString(ZookeeperServerConfig config, VespaTlsConfig vespaTlsConfig, Map<String, String> dynamicConfig) { + private String transformConfigToString(ZookeeperServerConfig config, VespaTlsConfig vespaTlsConfig, Map<String, String> dynamicConfig) { Map<String, String> configEntries = new LinkedHashMap<>(); configEntries.put("tickTime", Integer.toString(config.tickTime())); configEntries.put("initLimit", Integer.toString(config.initLimit())); @@ -113,7 +118,7 @@ public class Configurator { return transformConfigToString(configEntries); } - static void addServerSpecs(Map<String, String> configEntries, ZookeeperServerConfig config, Map<String, String> dynamicConfig) { + void addServerSpecs(Map<String, String> configEntries, ZookeeperServerConfig config, Map<String, String> dynamicConfig) { int myIndex = ensureThisServerIsRepresented(config.myid(), config.server()); // If dynamic config refers to servers that are not in the current config, we must ignore it. @@ -205,7 +210,7 @@ public class Configurator { .toList(); } - static Path makeAbsolutePath(String filename) { + Path makeAbsolutePath(String filename) { Path path = Paths.get(filename); return path.isAbsolute() ? path : Paths.get(getDefaults().underVespaHome(filename)); } @@ -215,8 +220,9 @@ public class Configurator { default void appendSharedTlsConfig(Map<String, String> configEntries, VespaTlsConfig vespaTlsConfig) { vespaTlsConfig.context().ifPresent(ctx -> { - String enabledCiphers = Arrays.stream(ctx.parameters().getCipherSuites()).sorted().collect(Collectors.joining(",")); + VespaSslContextProvider.set(ctx); configEntries.put(configFieldPrefix() + ".context.supplier.class", VespaSslContextProvider.class.getName()); + String enabledCiphers = Arrays.stream(ctx.parameters().getCipherSuites()).sorted().collect(Collectors.joining(",")); configEntries.put(configFieldPrefix() + ".ciphersuites", enabledCiphers); String enabledProtocols = Arrays.stream(ctx.parameters().getProtocols()).sorted().collect(Collectors.joining(",")); configEntries.put(configFieldPrefix() + ".enabledProtocols", enabledProtocols); @@ -270,6 +276,19 @@ public class Configurator { this.mixedMode = mixedMode; } + static VespaTlsConfig fromSystem() { + return new VespaTlsConfig( + TransportSecurityUtils.getSystemTlsContext().orElse(null), + TransportSecurityUtils.getInsecureMixedMode()); + } + + static VespaTlsConfig fromConfig(Path file) { + return new VespaTlsConfig( + new ConfigFileBasedTlsContext(file, TransportSecurityUtils.getInsecureAuthorizationMode()), + TransportSecurityUtils.getInsecureMixedMode()); + } + + static VespaTlsConfig tlsDisabled() { return new VespaTlsConfig(null, MixedMode.defaultValue()); } boolean tlsEnabled() { return context != null; } |