diff options
Diffstat (limited to 'zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo')
2 files changed, 52 insertions, 81 deletions
diff --git a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/Configurator.java b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/Configurator.java index d662bab8463..f302798589c 100644 --- a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/Configurator.java +++ b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/Configurator.java @@ -3,7 +3,9 @@ package com.yahoo.vespa.zookeeper; import com.yahoo.cloud.config.ZookeeperServerConfig; +import com.yahoo.security.tls.MixedMode; import com.yahoo.security.tls.TlsContext; +import com.yahoo.security.tls.TransportSecurityUtils; import com.yahoo.vespa.defaults.Defaults; import java.io.FileWriter; @@ -40,11 +42,14 @@ public class Configurator { System.setProperty("zookeeper.authProvider.x509", "com.yahoo.vespa.zookeeper.VespaMtlsAuthenticationProvider"); } - void writeConfigToDisk(Optional<TlsContext> tlsContext) { + void writeConfigToDisk() { writeConfigToDisk(VespaTlsConfig.fromSystem()); } + + // override of Vespa TLS config for unit testing + void writeConfigToDisk(VespaTlsConfig vespaTlsConfig) { configFilePath.toFile().getParentFile().mkdirs(); try { - writeZooKeeperConfigFile(zookeeperServerConfig, tlsContext); + writeZooKeeperConfigFile(zookeeperServerConfig, vespaTlsConfig); writeMyIdFile(zookeeperServerConfig); } catch (IOException e) { throw new RuntimeException("Error writing zookeeper config", e); @@ -52,13 +57,13 @@ public class Configurator { } private void writeZooKeeperConfigFile(ZookeeperServerConfig config, - Optional<TlsContext> tlsContext) throws IOException { + VespaTlsConfig vespaTlsConfig) throws IOException { try (FileWriter writer = new FileWriter(configFilePath.toFile())) { - writer.write(transformConfigToString(config, tlsContext)); + writer.write(transformConfigToString(config, vespaTlsConfig)); } } - private String transformConfigToString(ZookeeperServerConfig config, Optional<TlsContext> tlsContext) { + private String transformConfigToString(ZookeeperServerConfig config, VespaTlsConfig vespaTlsConfig) { StringBuilder sb = new StringBuilder(); sb.append("tickTime=").append(config.tickTime()).append("\n"); sb.append("initLimit=").append(config.initLimit()).append("\n"); @@ -80,8 +85,8 @@ public class Configurator { sb.append("skipACL=yes").append("\n"); ensureThisServerIsRepresented(config.myid(), config.server()); config.server().forEach(server -> addServerToCfg(sb, server, config.clientPort())); - sb.append(new TlsQuorumConfig().createConfig(config, tlsContext)); - sb.append(new TlsClientServerConfig().createConfig(config, tlsContext)); + sb.append(new TlsQuorumConfig().createConfig(vespaTlsConfig)); + sb.append(new TlsClientServerConfig().createConfig(vespaTlsConfig)); return sb.toString(); } @@ -143,22 +148,10 @@ public class Configurator { } private interface TlsConfig { - String createConfig(ZookeeperServerConfig config, Optional<TlsContext> tlsContext); - - default Optional<String> getEnvironmentVariable(String variableName) { - return Optional.ofNullable(System.getenv().get(variableName)) - .filter(var -> !var.isEmpty()); - } - - default void validateOptions(Optional<TlsContext> tlsContext, String tlsSetting) { - if (tlsContext.isEmpty() && !tlsSetting.equals("OFF")) - throw new RuntimeException("Could not retrieve transport security options"); - } - String configFieldPrefix(); - default void appendSharedTlsConfig(StringBuilder builder, Optional<TlsContext> tlsContext) { - tlsContext.ifPresent(ctx -> { + default void appendSharedTlsConfig(StringBuilder builder, VespaTlsConfig vespaTlsConfig) { + vespaTlsConfig.context().ifPresent(ctx -> { builder.append(configFieldPrefix()).append(".context.supplier.class=").append(VespaSslContextProvider.class.getName()).append("\n"); String enabledCiphers = Arrays.stream(ctx.parameters().getCipherSuites()).sorted().collect(Collectors.joining(",")); builder.append(configFieldPrefix()).append(".ciphersuites=").append(enabledCiphers).append("\n"); @@ -167,39 +160,23 @@ public class Configurator { builder.append(configFieldPrefix()).append(".clientAuth=NEED\n"); }); } + + default boolean enablePortUnification(VespaTlsConfig config) { + return config.tlsEnabled() + && (config.mixedMode() == MixedMode.TLS_CLIENT_MIXED_SERVER || config.mixedMode() == MixedMode.PLAINTEXT_CLIENT_MIXED_SERVER); + } } static class TlsClientServerConfig implements TlsConfig { - @Override - public String createConfig(ZookeeperServerConfig config, Optional<TlsContext> tlsContext) { - String tlsSetting = getEnvironmentVariable("VESPA_TLS_FOR_ZOOKEEPER_CLIENT_SERVER_COMMUNICATION") - .orElse(config.tlsForClientServerCommunication().name()); - validateOptions(tlsContext, tlsSetting); - - StringBuilder sb = new StringBuilder(); - boolean portUnification; - boolean secureClientPort; - switch (tlsSetting) { - case "OFF": - secureClientPort = false; portUnification = false; - break; - case "TLS_ONLY": - secureClientPort = true; portUnification = false; - break; - case "PORT_UNIFICATION": - case "TLS_WITH_PORT_UNIFICATION": - secureClientPort = false; portUnification = true; - break; - default: - throw new IllegalArgumentException("Unknown value of config setting tlsForClientServerCommunication: " + tlsSetting); - } - sb.append("client.portUnification=").append(portUnification).append("\n"); + public String createConfig(VespaTlsConfig vespaTlsConfig) { + StringBuilder sb = new StringBuilder() + .append("client.portUnification=").append(enablePortUnification(vespaTlsConfig)).append("\n"); // ZooKeeper Dynamic Reconfiguration requires the "non-secure" client port to exist // This is a hack to override the secure parameter through our connection factory wrapper // https://issues.apache.org/jira/browse/ZOOKEEPER-3577 - VespaNettyServerCnxnFactory_isSecure = secureClientPort; - appendSharedTlsConfig(sb, tlsContext); + VespaNettyServerCnxnFactory_isSecure = vespaTlsConfig.tlsEnabled() && vespaTlsConfig.mixedMode() == MixedMode.DISABLED; + appendSharedTlsConfig(sb, vespaTlsConfig); return sb.toString(); } @@ -212,38 +189,11 @@ public class Configurator { static class TlsQuorumConfig implements TlsConfig { - @Override - public String createConfig(ZookeeperServerConfig config, Optional<TlsContext> tlsContext) { - String tlsSetting = getEnvironmentVariable("VESPA_TLS_FOR_ZOOKEEPER_QUORUM_COMMUNICATION") - .orElse(config.tlsForQuorumCommunication().name()); - validateOptions(tlsContext, tlsSetting); - - StringBuilder sb = new StringBuilder(); - boolean sslQuorum; - boolean portUnification; - switch (tlsSetting) { - case "OFF": - sslQuorum = false; - portUnification = false; - break; - case "PORT_UNIFICATION": - sslQuorum = false; - portUnification = true; - break; - case "TLS_WITH_PORT_UNIFICATION": - sslQuorum = true; - portUnification = true; - break; - case "TLS_ONLY": - sslQuorum = true; - portUnification = false; - break; - default: throw new IllegalArgumentException("Unknown value of config setting tlsForQuorumCommunication: " + tlsSetting); - } - sb.append("sslQuorum=").append(sslQuorum).append("\n"); - sb.append("portUnification=").append(portUnification).append("\n"); - appendSharedTlsConfig(sb, tlsContext); - + public String createConfig(VespaTlsConfig vespaTlsConfig) { + StringBuilder sb = new StringBuilder() + .append("sslQuorum=").append(vespaTlsConfig.tlsEnabled()).append("\n") + .append("portUnification=").append(enablePortUnification(vespaTlsConfig)).append("\n"); + appendSharedTlsConfig(sb, vespaTlsConfig); return sb.toString(); } @@ -253,4 +203,26 @@ public class Configurator { } } + static class VespaTlsConfig { + private final TlsContext context; + private final MixedMode mixedMode; + + VespaTlsConfig(TlsContext context, MixedMode mixedMode) { + this.context = context; + this.mixedMode = mixedMode; + } + + static VespaTlsConfig fromSystem() { + return new VespaTlsConfig( + TransportSecurityUtils.getSystemTlsContext().orElse(null), + TransportSecurityUtils.getInsecureMixedMode()); + } + + static VespaTlsConfig tlsDisabled() { return new VespaTlsConfig(null, MixedMode.defaultValue()); } + + boolean tlsEnabled() { return context != null; } + Optional<TlsContext> context() { return Optional.ofNullable(context); } + MixedMode mixedMode() { return mixedMode; } + } + } diff --git a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/ZooKeeperRunner.java b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/ZooKeeperRunner.java index adbc7a369b3..8c748250503 100644 --- a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/ZooKeeperRunner.java +++ b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/ZooKeeperRunner.java @@ -4,7 +4,6 @@ package com.yahoo.vespa.zookeeper; import com.yahoo.cloud.config.ZookeeperServerConfig; import com.yahoo.concurrent.DaemonThreadFactory; import com.yahoo.protect.Process; -import com.yahoo.security.tls.TransportSecurityUtils; import java.nio.file.Path; import java.nio.file.Paths; @@ -39,7 +38,7 @@ public class ZooKeeperRunner implements Runnable { public ZooKeeperRunner(ZookeeperServerConfig zookeeperServerConfig, VespaZooKeeperServer server) { this.zookeeperServerConfig = zookeeperServerConfig; this.server = server; - new Configurator(zookeeperServerConfig).writeConfigToDisk(TransportSecurityUtils.getSystemTlsContext()); + new Configurator(zookeeperServerConfig).writeConfigToDisk(); executorService = Executors.newSingleThreadExecutor(new DaemonThreadFactory("zookeeper server")); executorService.submit(this); } |