-
Notifications
You must be signed in to change notification settings - Fork 7.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ZOOKEEPER-4819 Fix can't seek for writable tls server if connected to readonly server #2200
base: master
Are you sure you want to change the base?
Conversation
Great! I think we need tests. |
d60b2f1
to
b8c90c2
Compare
Hi @kezhuw, I added a test case based on the ReadOnlyModeTest. Please take a look. |
b8c90c2
to
b13e196
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @luoxiner, thank you for your contribution!
Given the fact that pingRwServer
uses four letter word command "isro", I propose to use FourLetterWordMain.send4LetterWord
directly. Beware that send4LetterWord
appends \n
to the response.
zookeeper-server/src/main/java/org/apache/zookeeper/ClientCnxn.java
Outdated
Show resolved
Hide resolved
zookeeper-server/src/test/java/org/apache/zookeeper/test/ReadOnlyModeWithSSLTest.java
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1 as soon as @kezhuw's commenta are addressed
Nice work! Thanks
… readonly server ClientCnxn::pingRwServer uses raw socket to issue "isro" 4lw command. This results in unsuccessful handshake to tls server. Use SSLSocket when zookeeper.client.secure is set to true.
b13e196
to
33c19e3
Compare
@kezhuw @eolivelli Thank you for your reply. I have changed my code based on the suggestions. Please take a look. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I left comments regarding the interference between ZKConfig
and system properties. I think we should build dedicated client side ZKConfig
in test so we can test pingRwServer
correctly.
System.setProperty(ServerCnxnFactory.ZOOKEEPER_SERVER_CNXN_FACTORY, "org.apache.zookeeper.server.NettyServerCnxnFactory"); | ||
System.setProperty(ZKClientConfig.ZOOKEEPER_CLIENT_CNXN_SOCKET, "org.apache.zookeeper.ClientCnxnSocketNetty"); | ||
System.setProperty(ZKClientConfig.SECURE_CLIENT, "true"); | ||
System.setProperty(clientX509Util.getSslKeystoreLocationProperty(), testDataPath + "/ssl/testKeyStore.jks"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These properties are mixed between client and server. I think we should build a ZKClientConfig
for client usage prior to set them up for server(there is ZOOKEEPER-2139 counterpart in server) as ZKClientConfig
will inherit properties from system.
zookeeper/zookeeper-server/src/main/java/org/apache/zookeeper/common/ZKConfig.java
Lines 95 to 136 in 75884ec
/** | |
* Now onwards client code will use properties from this class but older | |
* clients still be setting properties through system properties. So to make | |
* this change backward compatible we should set old system properties in | |
* this configuration. | |
*/ | |
protected void handleBackwardCompatibility() { | |
properties.put(JUTE_MAXBUFFER, System.getProperty(JUTE_MAXBUFFER)); | |
properties.put(KINIT_COMMAND, System.getProperty(KINIT_COMMAND)); | |
properties.put(JGSS_NATIVE, System.getProperty(JGSS_NATIVE)); | |
try (ClientX509Util clientX509Util = new ClientX509Util()) { | |
putSSLProperties(clientX509Util); | |
properties.put(clientX509Util.getSslAuthProviderProperty(), System.getProperty(clientX509Util.getSslAuthProviderProperty())); | |
properties.put(clientX509Util.getSslProviderProperty(), System.getProperty(clientX509Util.getSslProviderProperty())); | |
} | |
try (X509Util x509Util = new QuorumX509Util()) { | |
putSSLProperties(x509Util); | |
} | |
} | |
private void putSSLProperties(X509Util x509Util) { | |
properties.put(x509Util.getSslProtocolProperty(), System.getProperty(x509Util.getSslProtocolProperty())); | |
properties.put(x509Util.getSslEnabledProtocolsProperty(), System.getProperty(x509Util.getSslEnabledProtocolsProperty())); | |
properties.put(x509Util.getSslCipherSuitesProperty(), System.getProperty(x509Util.getSslCipherSuitesProperty())); | |
properties.put(x509Util.getSslKeystoreLocationProperty(), System.getProperty(x509Util.getSslKeystoreLocationProperty())); | |
properties.put(x509Util.getSslKeystorePasswdProperty(), System.getProperty(x509Util.getSslKeystorePasswdProperty())); | |
properties.put(x509Util.getSslKeystorePasswdPathProperty(), System.getProperty(x509Util.getSslKeystorePasswdPathProperty())); | |
properties.put(x509Util.getSslKeystoreTypeProperty(), System.getProperty(x509Util.getSslKeystoreTypeProperty())); | |
properties.put(x509Util.getSslTruststoreLocationProperty(), System.getProperty(x509Util.getSslTruststoreLocationProperty())); | |
properties.put(x509Util.getSslTruststorePasswdProperty(), System.getProperty(x509Util.getSslTruststorePasswdProperty())); | |
properties.put(x509Util.getSslTruststorePasswdPathProperty(), System.getProperty(x509Util.getSslTruststorePasswdPathProperty())); | |
properties.put(x509Util.getSslTruststoreTypeProperty(), System.getProperty(x509Util.getSslTruststoreTypeProperty())); | |
properties.put(x509Util.getSslContextSupplierClassProperty(), System.getProperty(x509Util.getSslContextSupplierClassProperty())); | |
properties.put(x509Util.getSslHostnameVerificationEnabledProperty(), System.getProperty(x509Util.getSslHostnameVerificationEnabledProperty())); | |
properties.put(x509Util.getSslCrlEnabledProperty(), System.getProperty(x509Util.getSslCrlEnabledProperty())); | |
properties.put(x509Util.getSslOcspEnabledProperty(), System.getProperty(x509Util.getSslOcspEnabledProperty())); | |
properties.put(x509Util.getSslClientAuthProperty(), System.getProperty(x509Util.getSslClientAuthProperty())); | |
properties.put(x509Util.getSslHandshakeDetectionTimeoutMillisProperty(), System.getProperty(x509Util.getSslHandshakeDetectionTimeoutMillisProperty())); | |
properties.put(x509Util.getFipsModeProperty(), System.getProperty(x509Util.getFipsModeProperty())); | |
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The test passed since send4LetterWord
will inherit these properties in setUp
for server side. It would be really good to not populate any properties for this test. But it is not possible currently. I created ZOOKEEPER-4875 instead.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it preferable to prioritize the use of ClientConfig over system properties? If the properties are not already set in the ClientConfig, then we can retrieve them from the system properties. We can also maintain backward compatibility and ensure that properties in ClientConfig remain isolated in this manner.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it preferable to prioritize the use of ClientConfig over system properties?
Client should use ZKClientConfig
instead system properties after constructed. If not, it is a bug. So, 33c19e3#diff-9657d4a14708c9ec1df56fd01581a442e10ef70cae39c7223d4f979b0ae54263R1307 is buggy as it does not use the one in constructor but the new ZkConfig()
. These two are not necessary to have same properties. It should use ClientCnxn.clientConfig
which means b13e196#diff-9657d4a14708c9ec1df56fd01581a442e10ef70cae39c7223d4f979b0ae54263R1359 is correct.
this.clientConfig = clientConfig != null ? clientConfig : new ZKClientConfig(); |
If the properties are not already set in the ClientConfig, then we can retrieve them from the system properties.
This is already done in construction of a ZKConfig
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Client should use ZKClientConfig instead system properties after constructed. If not, it is a bug.
This is the whole point of ZOOKEEPER-2139.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I realize that ZKConfig#init is only called when we construct ZKConfig with empty parameters. I had missed this before. I will fix it based on your comments later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can revise here once ZOOKEEPER-4875 delivered.
zookeeper-server/src/main/java/org/apache/zookeeper/ClientCnxn.java
Outdated
Show resolved
Hide resolved
3e0cdd5
to
4c26a3f
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good! I left two minor comments.
zookeeper-server/src/main/java/org/apache/zookeeper/client/FourLetterWordMain.java
Outdated
Show resolved
Hide resolved
System.setProperty(ServerCnxnFactory.ZOOKEEPER_SERVER_CNXN_FACTORY, "org.apache.zookeeper.server.NettyServerCnxnFactory"); | ||
System.setProperty(ZKClientConfig.ZOOKEEPER_CLIENT_CNXN_SOCKET, "org.apache.zookeeper.ClientCnxnSocketNetty"); | ||
System.setProperty(ZKClientConfig.SECURE_CLIENT, "true"); | ||
System.setProperty(clientX509Util.getSslKeystoreLocationProperty(), testDataPath + "/ssl/testKeyStore.jks"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can revise here once ZOOKEEPER-4875 delivered.
zookeeper-server/src/main/java/org/apache/zookeeper/client/FourLetterWordMain.java
Outdated
Show resolved
Hide resolved
36fc60d
to
26adb57
Compare
zookeeper-server/src/main/java/org/apache/zookeeper/client/FourLetterWordMain.java
Outdated
Show resolved
Hide resolved
…rLetterWordMain.java
Looks good from my side. @eolivelli Would you want take another look ? |
ClientCnxn::pingRwServer uses raw socket to issue "isro" 4lw command. This results in unsuccessful handshake to tls server. Use SSLSocket when zookeeper.client.secure is set to true.
associated jira issue ZOOKEEPER-4819