diff options
Diffstat (limited to 'zookeeper-server/zookeeper-server-common')
10 files changed, 37 insertions, 55 deletions
diff --git a/zookeeper-server/zookeeper-server-common/pom.xml b/zookeeper-server/zookeeper-server-common/pom.xml index 86734ec6c56..2238f6ad086 100644 --- a/zookeeper-server/zookeeper-server-common/pom.xml +++ b/zookeeper-server/zookeeper-server-common/pom.xml @@ -13,6 +13,12 @@ <version>8-SNAPSHOT</version> <dependencies> <dependency> + <groupId>com.yahoo.vespa</groupId> + <artifactId>zookeeper-common</artifactId> + <version>${project.version}</version> + <scope>compile</scope> + </dependency> + <dependency> <groupId>junit</groupId> <artifactId>junit</artifactId> <scope>test</scope> diff --git a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/Configurator.java b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/Configurator.java index 727e369885e..06e4d0da00c 100644 --- a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/Configurator.java +++ b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/Configurator.java @@ -3,10 +3,10 @@ package com.yahoo.vespa.zookeeper; import com.yahoo.cloud.config.ZookeeperServerConfig; import com.yahoo.cloud.config.ZookeeperServerConfig.Server; -import com.yahoo.security.tls.ConfigFileBasedTlsContext; import com.yahoo.security.tls.MixedMode; import com.yahoo.security.tls.TlsContext; import com.yahoo.security.tls.TransportSecurityUtils; +import com.yahoo.vespa.zookeeper.tls.VespaZookeeperTlsContextUtils; import java.io.FileWriter; import java.io.IOException; @@ -47,9 +47,8 @@ public class Configurator { // Doc says that it is max size of data in a zookeeper node, but it goes for everything that // needs to be serialized, see https://issues.apache.org/jira/browse/ZOOKEEPER-1162 for details System.setProperty(ZOOKEEPER_JUTE_MAX_BUFFER, Integer.valueOf(zookeeperServerConfig.juteMaxBuffer()).toString()); - // Need to set these as a system properties instead of config, config does not work + // Need to set this as a system properties instead of config, config does not work System.setProperty("zookeeper.authProvider.x509", "com.yahoo.vespa.zookeeper.VespaMtlsAuthenticationProvider"); - System.setProperty("zookeeper.ssl.authProvider", "x509"); // Need to set this as a system property, otherwise it will be parsed for _every_ packet and an exception will be thrown (and handled) System.setProperty("zookeeper.globalOutstandingLimit", "1000"); System.setProperty("zookeeper.snapshot.compression.method", zookeeperServerConfig.snapshotMethod()); @@ -60,13 +59,9 @@ public class Configurator { } void writeConfigToDisk() { - VespaTlsConfig config; - String cfgFile = zookeeperServerConfig.vespaTlsConfigFile(); - if (cfgFile.isBlank()) { - config = VespaTlsConfig.fromSystem(); - } else { - config = VespaTlsConfig.fromConfig(Paths.get(cfgFile)); - } + VespaTlsConfig config = VespaZookeeperTlsContextUtils.tlsContext() + .map(ctx -> new VespaTlsConfig(ctx, TransportSecurityUtils.getInsecureMixedMode())) + .orElse(VespaTlsConfig.tlsDisabled()); writeConfigToDisk(config); } @@ -90,7 +85,7 @@ public class Configurator { } } - private String transformConfigToString(ZookeeperServerConfig config, VespaTlsConfig vespaTlsConfig, Map<String, String> dynamicConfig) { + private static String transformConfigToString(ZookeeperServerConfig config, VespaTlsConfig vespaTlsConfig, Map<String, String> dynamicConfig) { Map<String, String> configEntries = new LinkedHashMap<>(); configEntries.put("tickTime", Integer.toString(config.tickTime())); configEntries.put("initLimit", Integer.toString(config.initLimit())); @@ -118,7 +113,7 @@ public class Configurator { return transformConfigToString(configEntries); } - void addServerSpecs(Map<String, String> configEntries, ZookeeperServerConfig config, Map<String, String> dynamicConfig) { + static void addServerSpecs(Map<String, String> configEntries, ZookeeperServerConfig config, Map<String, String> dynamicConfig) { int myIndex = ensureThisServerIsRepresented(config.myid(), config.server()); // If dynamic config refers to servers that are not in the current config, we must ignore it. @@ -210,7 +205,7 @@ public class Configurator { .toList(); } - Path makeAbsolutePath(String filename) { + static Path makeAbsolutePath(String filename) { Path path = Paths.get(filename); return path.isAbsolute() ? path : Paths.get(getDefaults().underVespaHome(filename)); } @@ -220,9 +215,8 @@ public class Configurator { default void appendSharedTlsConfig(Map<String, String> configEntries, VespaTlsConfig vespaTlsConfig) { vespaTlsConfig.context().ifPresent(ctx -> { - VespaSslContextProvider.set(ctx); - configEntries.put(configFieldPrefix() + ".context.supplier.class", VespaSslContextProvider.class.getName()); String enabledCiphers = Arrays.stream(ctx.parameters().getCipherSuites()).sorted().collect(Collectors.joining(",")); + configEntries.put(configFieldPrefix() + ".context.supplier.class", VespaSslContextProvider.class.getName()); configEntries.put(configFieldPrefix() + ".ciphersuites", enabledCiphers); String enabledProtocols = Arrays.stream(ctx.parameters().getProtocols()).sorted().collect(Collectors.joining(",")); configEntries.put(configFieldPrefix() + ".enabledProtocols", enabledProtocols); @@ -276,19 +270,6 @@ public class Configurator { this.mixedMode = mixedMode; } - static VespaTlsConfig fromSystem() { - return new VespaTlsConfig( - TransportSecurityUtils.getSystemTlsContext().orElse(null), - TransportSecurityUtils.getInsecureMixedMode()); - } - - static VespaTlsConfig fromConfig(Path file) { - return new VespaTlsConfig( - new ConfigFileBasedTlsContext(file, TransportSecurityUtils.getInsecureAuthorizationMode()), - TransportSecurityUtils.getInsecureMixedMode()); - } - - static VespaTlsConfig tlsDisabled() { return new VespaTlsConfig(null, MixedMode.defaultValue()); } boolean tlsEnabled() { return context != null; } diff --git a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/DummyVespaZooKeeperServer.java b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/DummyVespaZooKeeperServer.java index cc3d5117241..f99d4cb6881 100644 --- a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/DummyVespaZooKeeperServer.java +++ b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/DummyVespaZooKeeperServer.java @@ -3,6 +3,7 @@ package com.yahoo.vespa.zookeeper; import com.yahoo.component.annotation.Inject; import com.yahoo.component.AbstractComponent; +import com.yahoo.vespa.zookeeper.server.VespaZooKeeperServer; import java.nio.file.Path; diff --git a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/Reconfigurer.java b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/Reconfigurer.java index f2886be93d7..201bb7af272 100644 --- a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/Reconfigurer.java +++ b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/Reconfigurer.java @@ -5,6 +5,7 @@ import com.yahoo.cloud.config.ZookeeperServerConfig; import com.yahoo.component.AbstractComponent; import com.yahoo.component.annotation.Inject; import com.yahoo.protect.Process; +import com.yahoo.vespa.zookeeper.server.VespaZooKeeperServer; import com.yahoo.yolean.Exceptions; import java.time.Duration; diff --git a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/VespaSslContextProvider.java b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/VespaSslContextProvider.java index 71cc81a0db0..eca5df73dfb 100644 --- a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/VespaSslContextProvider.java +++ b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/VespaSslContextProvider.java @@ -1,11 +1,9 @@ // Copyright Vespa.ai. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. package com.yahoo.vespa.zookeeper; -import com.yahoo.security.X509SslContext; -import com.yahoo.security.tls.TlsContext; +import com.yahoo.vespa.zookeeper.tls.VespaZookeeperTlsContextUtils; import javax.net.ssl.SSLContext; -import java.util.Optional; import java.util.function.Supplier; /** @@ -15,22 +13,11 @@ import java.util.function.Supplier; */ public class VespaSslContextProvider implements Supplier<SSLContext> { - private static TlsContext tlsContext; - @Override public SSLContext get() { - return tlsContext().orElseThrow(() -> new IllegalStateException("Vespa TLS is not enabled")).context(); - } - - public Optional<X509SslContext> tlsContext() { - synchronized (VespaSslContextProvider.class) { - return Optional.ofNullable(tlsContext.sslContext()); - } - } - - static synchronized void set(TlsContext ctx) { - if (tlsContext != null) tlsContext.close(); - tlsContext = ctx; + return VespaZookeeperTlsContextUtils.tlsContext() + .orElseThrow(() -> new IllegalStateException("Vespa TLS is not enabled")) + .sslContext().context(); } } diff --git a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/ZooKeeperRunner.java b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/ZooKeeperRunner.java index eaae3c74d11..9c18dde3380 100644 --- a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/ZooKeeperRunner.java +++ b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/ZooKeeperRunner.java @@ -4,6 +4,7 @@ package com.yahoo.vespa.zookeeper; import com.yahoo.cloud.config.ZookeeperServerConfig; import com.yahoo.concurrent.DaemonThreadFactory; import com.yahoo.protect.Process; +import com.yahoo.vespa.zookeeper.server.VespaZooKeeperServer; import com.yahoo.yolean.Exceptions; import java.nio.file.Files; diff --git a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServer.java b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/server/VespaZooKeeperServer.java index ef6083ae5f7..0eddf5175d4 100644 --- a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/VespaZooKeeperServer.java +++ b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/server/VespaZooKeeperServer.java @@ -1,5 +1,5 @@ // Copyright Vespa.ai. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. -package com.yahoo.vespa.zookeeper; +package com.yahoo.vespa.zookeeper.server; import java.nio.file.Path; diff --git a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/package-info.java b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/server/package-info.java index f43f095d66d..fd6967ffbe4 100644 --- a/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/package-info.java +++ b/zookeeper-server/zookeeper-server-common/src/main/java/com/yahoo/vespa/zookeeper/server/package-info.java @@ -1,5 +1,5 @@ // Copyright Vespa.ai. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. @ExportPackage -package com.yahoo.vespa.zookeeper; +package com.yahoo.vespa.zookeeper.server; import com.yahoo.osgi.annotation.ExportPackage; diff --git a/zookeeper-server/zookeeper-server-common/src/test/java/com/yahoo/vespa/zookeeper/ConfiguratorTest.java b/zookeeper-server/zookeeper-server-common/src/test/java/com/yahoo/vespa/zookeeper/ConfiguratorTest.java index 3cf1d07be65..2c3c4ead420 100644 --- a/zookeeper-server/zookeeper-server-common/src/test/java/com/yahoo/vespa/zookeeper/ConfiguratorTest.java +++ b/zookeeper-server/zookeeper-server-common/src/test/java/com/yahoo/vespa/zookeeper/ConfiguratorTest.java @@ -224,17 +224,21 @@ public class ConfiguratorTest { } private String tlsQuorumConfig() { - return "ssl.quorum.context.supplier.class=com.yahoo.vespa.zookeeper.VespaSslContextProvider\n" + - "ssl.quorum.ciphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\n" + - "ssl.quorum.enabledProtocols=TLSv1.2,TLSv1.3\n" + - "ssl.quorum.clientAuth=NEED\n"; + return """ + ssl.quorum.context.supplier.class=com.yahoo.vespa.zookeeper.VespaSslContextProvider + ssl.quorum.ciphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 + ssl.quorum.enabledProtocols=TLSv1.2,TLSv1.3 + ssl.quorum.clientAuth=NEED + """; } private String tlsClientServerConfig() { - return "ssl.context.supplier.class=com.yahoo.vespa.zookeeper.VespaSslContextProvider\n" + - "ssl.ciphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256\n" + - "ssl.enabledProtocols=TLSv1.2,TLSv1.3\n" + - "ssl.clientAuth=NEED\n"; + return """ + ssl.context.supplier.class=com.yahoo.vespa.zookeeper.VespaSslContextProvider + ssl.ciphersuites=TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 + ssl.enabledProtocols=TLSv1.2,TLSv1.3 + ssl.clientAuth=NEED + """; } private void validateConfigFileMultipleHosts(File cfgFile, boolean hosted) { diff --git a/zookeeper-server/zookeeper-server-common/src/test/java/com/yahoo/vespa/zookeeper/ReconfigurerTest.java b/zookeeper-server/zookeeper-server-common/src/test/java/com/yahoo/vespa/zookeeper/ReconfigurerTest.java index b21f907ec5d..ebf1194fdfe 100644 --- a/zookeeper-server/zookeeper-server-common/src/test/java/com/yahoo/vespa/zookeeper/ReconfigurerTest.java +++ b/zookeeper-server/zookeeper-server-common/src/test/java/com/yahoo/vespa/zookeeper/ReconfigurerTest.java @@ -3,6 +3,7 @@ package com.yahoo.vespa.zookeeper; import com.yahoo.cloud.config.ZookeeperServerConfig; import com.yahoo.net.HostName; +import com.yahoo.vespa.zookeeper.server.VespaZooKeeperServer; import org.junit.After; import org.junit.Before; import org.junit.Rule; |