
ZOOKEEPER-4819 Fix can't seek for writable tls server if connected to readonly server #2200

Open
wants to merge 4 commits into base: master

Conversation

luoxiner (Contributor):

ClientCnxn::pingRwServer uses a raw socket to issue the "isro" 4lw command. This results in an unsuccessful handshake with a TLS server. Use an SSLSocket when zookeeper.client.secure is set to true.

Associated JIRA issue: ZOOKEEPER-4819

@kezhuw (Member) commented Oct 12, 2024:

Great! I think we need tests.

@luoxiner (Contributor Author):

> Great! I think we need tests.

Hi @kezhuw, I added a test case based on the ReadOnlyModeTest. Please take a look.

@kezhuw (Member) left a comment:

Hi @luoxiner, thank you for your contribution!

Given the fact that pingRwServer uses four letter word command "isro", I propose to use FourLetterWordMain.send4LetterWord directly. Beware that send4LetterWord appends \n to the response.

@eolivelli (Contributor) left a comment:

+1 as soon as @kezhuw's comments are addressed

Nice work! Thanks

… readonly server

ClientCnxn::pingRwServer uses a raw socket to issue the "isro" 4lw command.
This results in an unsuccessful handshake with a TLS server. Use an SSLSocket
when zookeeper.client.secure is set to true.
@luoxiner (Contributor Author):

@kezhuw @eolivelli Thank you for your reply. I have changed my code based on the suggestions. Please take a look.

@kezhuw (Member) left a comment:

I left comments regarding the interference between ZKConfig and system properties. I think we should build dedicated client side ZKConfig in test so we can test pingRwServer correctly.

System.setProperty(ServerCnxnFactory.ZOOKEEPER_SERVER_CNXN_FACTORY, "org.apache.zookeeper.server.NettyServerCnxnFactory");
System.setProperty(ZKClientConfig.ZOOKEEPER_CLIENT_CNXN_SOCKET, "org.apache.zookeeper.ClientCnxnSocketNetty");
System.setProperty(ZKClientConfig.SECURE_CLIENT, "true");
System.setProperty(clientX509Util.getSslKeystoreLocationProperty(), testDataPath + "/ssl/testKeyStore.jks");
Member:

These properties are mixed between client and server. I think we should build a ZKClientConfig for client usage prior to setting them up for the server (there is a ZOOKEEPER-2139 counterpart in the server), as ZKClientConfig will inherit properties from system properties.

/**
* Now onwards client code will use properties from this class but older
* clients still be setting properties through system properties. So to make
* this change backward compatible we should set old system properties in
* this configuration.
*/
protected void handleBackwardCompatibility() {
properties.put(JUTE_MAXBUFFER, System.getProperty(JUTE_MAXBUFFER));
properties.put(KINIT_COMMAND, System.getProperty(KINIT_COMMAND));
properties.put(JGSS_NATIVE, System.getProperty(JGSS_NATIVE));
try (ClientX509Util clientX509Util = new ClientX509Util()) {
putSSLProperties(clientX509Util);
properties.put(clientX509Util.getSslAuthProviderProperty(), System.getProperty(clientX509Util.getSslAuthProviderProperty()));
properties.put(clientX509Util.getSslProviderProperty(), System.getProperty(clientX509Util.getSslProviderProperty()));
}
try (X509Util x509Util = new QuorumX509Util()) {
putSSLProperties(x509Util);
}
}
private void putSSLProperties(X509Util x509Util) {
properties.put(x509Util.getSslProtocolProperty(), System.getProperty(x509Util.getSslProtocolProperty()));
properties.put(x509Util.getSslEnabledProtocolsProperty(), System.getProperty(x509Util.getSslEnabledProtocolsProperty()));
properties.put(x509Util.getSslCipherSuitesProperty(), System.getProperty(x509Util.getSslCipherSuitesProperty()));
properties.put(x509Util.getSslKeystoreLocationProperty(), System.getProperty(x509Util.getSslKeystoreLocationProperty()));
properties.put(x509Util.getSslKeystorePasswdProperty(), System.getProperty(x509Util.getSslKeystorePasswdProperty()));
properties.put(x509Util.getSslKeystorePasswdPathProperty(), System.getProperty(x509Util.getSslKeystorePasswdPathProperty()));
properties.put(x509Util.getSslKeystoreTypeProperty(), System.getProperty(x509Util.getSslKeystoreTypeProperty()));
properties.put(x509Util.getSslTruststoreLocationProperty(), System.getProperty(x509Util.getSslTruststoreLocationProperty()));
properties.put(x509Util.getSslTruststorePasswdProperty(), System.getProperty(x509Util.getSslTruststorePasswdProperty()));
properties.put(x509Util.getSslTruststorePasswdPathProperty(), System.getProperty(x509Util.getSslTruststorePasswdPathProperty()));
properties.put(x509Util.getSslTruststoreTypeProperty(), System.getProperty(x509Util.getSslTruststoreTypeProperty()));
properties.put(x509Util.getSslContextSupplierClassProperty(), System.getProperty(x509Util.getSslContextSupplierClassProperty()));
properties.put(x509Util.getSslHostnameVerificationEnabledProperty(), System.getProperty(x509Util.getSslHostnameVerificationEnabledProperty()));
properties.put(x509Util.getSslCrlEnabledProperty(), System.getProperty(x509Util.getSslCrlEnabledProperty()));
properties.put(x509Util.getSslOcspEnabledProperty(), System.getProperty(x509Util.getSslOcspEnabledProperty()));
properties.put(x509Util.getSslClientAuthProperty(), System.getProperty(x509Util.getSslClientAuthProperty()));
properties.put(x509Util.getSslHandshakeDetectionTimeoutMillisProperty(), System.getProperty(x509Util.getSslHandshakeDetectionTimeoutMillisProperty()));
properties.put(x509Util.getFipsModeProperty(), System.getProperty(x509Util.getFipsModeProperty()));
}

@kezhuw (Member), Oct 15, 2024:

The test passed since send4LetterWord will inherit these properties in setUp for server side. It would be really good to not populate any properties for this test. But it is not possible currently. I created ZOOKEEPER-4875 instead.

Contributor Author:

Is it preferable to prioritize the use of ClientConfig over system properties? If the properties are not already set in the ClientConfig, then we can retrieve them from the system properties. We can also maintain backward compatibility and ensure that properties in ClientConfig remain isolated in this manner.

@kezhuw (Member), Oct 15, 2024:

> Is it preferable to prioritize the use of ClientConfig over system properties?

Client should use ZKClientConfig instead of system properties after it is constructed. If not, it is a bug. So, 33c19e3#diff-9657d4a14708c9ec1df56fd01581a442e10ef70cae39c7223d4f979b0ae54263R1307 is buggy as it does not use the one from the constructor but the new ZkConfig(). These two are not guaranteed to have the same properties. It should use ClientCnxn.clientConfig, which means b13e196#diff-9657d4a14708c9ec1df56fd01581a442e10ef70cae39c7223d4f979b0ae54263R1359 is correct.

this.clientConfig = clientConfig != null ? clientConfig : new ZKClientConfig();

> If the properties are not already set in the ClientConfig, then we can retrieve them from the system properties.

This is already done in construction of a ZKConfig.
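As an added illustration of two points in this thread (this is not code from the PR or from ZooKeeper itself): the PR description's move from a raw socket to an SSLSocket for the "isro" probe, together with kezhuw's note that send4LetterWord appends "\n" to the reply, and the point just above that the client must read its settings from the ZKClientConfig it was constructed with rather than from a fresh ZKClientConfig() or from System properties. IsroProbe, isReadWrite, readAll and secureClientConfig are hypothetical names; only ZKClientConfig, ClientX509Util and the JDK socket classes are real. It assumes the caller supplies an SSLContext built from the same client config, and that the secure config is built before any server-side System.setProperty calls, since a ZKClientConfig snapshots System properties at construction.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import org.apache.zookeeper.client.ZKClientConfig;
import org.apache.zookeeper.common.ClientX509Util;

/**
 * Hypothetical helper (not ZooKeeper's ClientCnxn.pingRwServer) that sends the
 * "isro" four-letter word and reports whether the peer answered "rw".
 */
public final class IsroProbe {

    private final ZKClientConfig clientConfig;
    private final SSLContext sslContext; // used only when zookeeper.client.secure=true

    public IsroProbe(ZKClientConfig clientConfig, SSLContext sslContext) {
        // Keep the config handed to us. Calling new ZKClientConfig() later would
        // re-snapshot System properties and may disagree with this instance.
        this.clientConfig = clientConfig;
        this.sslContext = sslContext;
    }

    /** Build a dedicated client-side config (hypothetical helper) so server-side
     *  System properties set afterwards do not leak into the client. */
    public static ZKClientConfig secureClientConfig(String keyStorePath, String trustStorePath) {
        ZKClientConfig cfg = new ZKClientConfig(); // snapshots System properties set so far
        cfg.setProperty(ZKClientConfig.SECURE_CLIENT, "true");
        cfg.setProperty(ZKClientConfig.ZOOKEEPER_CLIENT_CNXN_SOCKET,
                "org.apache.zookeeper.ClientCnxnSocketNetty");
        try (ClientX509Util x509 = new ClientX509Util()) {
            cfg.setProperty(x509.getSslKeystoreLocationProperty(), keyStorePath);
            cfg.setProperty(x509.getSslTruststoreLocationProperty(), trustStorePath);
        }
        return cfg;
    }

    /** True if the server at host:port reports "rw"; false for "ro" or any other reply. */
    public boolean isReadWrite(String host, int port, int timeoutMs) throws IOException {
        // Read the flag from the injected config, never from System.getProperty.
        boolean secure = clientConfig.getBoolean(ZKClientConfig.SECURE_CLIENT, false);
        if (secure && sslContext == null) {
            throw new IllegalStateException("zookeeper.client.secure=true but no SSLContext supplied");
        }
        // A plain Socket against a TLS-only port is what fails in ZOOKEEPER-4819:
        // the server expects a ClientHello and sees the bytes "isro" instead.
        Socket socket = secure ? sslContext.getSocketFactory().createSocket() : new Socket();
        try (Socket s = socket) {
            s.setSoTimeout(timeoutMs);
            s.connect(new InetSocketAddress(host, port), timeoutMs);
            if (s instanceof SSLSocket) {
                ((SSLSocket) s).startHandshake(); // fail here, not on the first read, if TLS is refused
            }
            OutputStream out = s.getOutputStream();
            out.write("isro".getBytes(StandardCharsets.US_ASCII));
            out.flush();
            return "rw".equals(readAll(s.getInputStream()));
        }
    }

    /** Reads until the server closes the connection, then drops one trailing newline. */
    static String readAll(InputStream in) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[256];
        int n;
        while ((n = in.read(chunk)) != -1) {
            buf.write(chunk, 0, n);
        }
        // ZooKeeper's send4LetterWord appends "\n" to the reply; stripping a trailing
        // newline here keeps the "rw" comparison correct whichever path produced it.
        String reply = new String(buf.toByteArray(), StandardCharsets.US_ASCII);
        return reply.endsWith("\n") ? reply.substring(0, reply.length() - 1) : reply;
    }
}
```

In a test, call secureClientConfig(...) first, then set the server-side System properties, and pass the resulting config to the client under test; that ordering is what keeps the two sides' properties apart.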

Member:

> Client should use ZKClientConfig instead of system properties after it is constructed. If not, it is a bug.

This is the whole point of ZOOKEEPER-2139.

Contributor Author:

Yes, I realize that ZKConfig#init is only called when we construct ZKConfig with empty parameters. I had missed this before. I will fix it based on your comments later.

Member:

We can revise here once ZOOKEEPER-4875 is delivered.

@kezhuw (Member) left a comment:

Looks good! I left two minor comments.

System.setProperty(ServerCnxnFactory.ZOOKEEPER_SERVER_CNXN_FACTORY, "org.apache.zookeeper.server.NettyServerCnxnFactory");
System.setProperty(ZKClientConfig.ZOOKEEPER_CLIENT_CNXN_SOCKET, "org.apache.zookeeper.ClientCnxnSocketNetty");
System.setProperty(ZKClientConfig.SECURE_CLIENT, "true");
System.setProperty(clientX509Util.getSslKeystoreLocationProperty(), testDataPath + "/ssl/testKeyStore.jks");
Member:

We can revise here once ZOOKEEPER-4875 is delivered.

@kezhuw (Member) commented Oct 23, 2024:

Looks good from my side.

@eolivelli Would you want to take another look?

3 participants