Details
- Improvement
- Status: Resolved
- Major
- Resolution: Fixed
- 3.4.0
- Reviewed
Description
HADOOP-18709 added support in hadoop-common for communicating with ZooKeeper over SSL/TLS. With those changes we have the parameters that we need to set to enable SSL/TLS in a ZK client. That change also modified ZKCuratorManager, so with that it is easy to set up SSL/TLS; for YARN it was done in YARN-11468.
In DelegationTokenAuthenticationFilter we are currently using CuratorFrameworkFactory; it would be good to change it to use ZKCuratorManager, and with that we should support enabling SSL/TLS.
UPDATE
So as I investigated this a bit more, it wouldn't be so easy to move to using ZKCuratorManager.
DelegationTokenAuthenticationFilter uses ZK from two places: in ZKDelegationTokenSecretManager and in ZKSignerSecretProvider. In both places it uses CuratorFrameworkFactory, but the attributes and creation differ from ZKCuratorManager.
In ZKDelegationTokenSecretManager it would be easy to add the new config and, based on that, create ZK with CuratorFrameworkFactory. But ZKSignerSecretProvider is in the hadoop-auth module, and with my change it would need hadoop-common, so it would introduce a circular dependency between the modules 'hadoop-auth' and 'hadoop-common'. I'm still working on a straightforward solution.
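As an added illustration (not code from Hadoop or from this issue): a ZooKeeper client built through CuratorFrameworkFactory with TLS enabled, using only Curator and ZooKeeper classes so that nothing from hadoop-common is required. The class name, the environment variable names and the argument order are assumptions; the `zookeeper.*` keys are ZooKeeper's own client properties.

```java
import java.nio.file.Files;
import java.nio.file.Paths;
import org.apache.curator.framework.CuratorFramework;
import org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.curator.retry.ExponentialBackoffRetry;
import org.apache.zookeeper.ZooKeeper;
import org.apache.zookeeper.client.ZKClientConfig;

// Hypothetical helper for illustration; not a Hadoop class.
public final class TlsCuratorExample {

  static ZKClientConfig tlsConfig(String keyStore, String keyStorePass,
                                  String trustStore, String trustStorePass) {
    // Fail closed: refuse to build a client if a store is missing,
    // rather than discovering the problem at handshake time.
    for (String path : new String[] {keyStore, trustStore}) {
      if (!Files.isReadable(Paths.get(path))) {
        throw new IllegalArgumentException("TLS store not readable: " + path);
      }
    }
    ZKClientConfig cfg = new ZKClientConfig();
    cfg.setProperty(ZKClientConfig.SECURE_CLIENT, "true");
    // ZooKeeper's TLS client support requires the Netty socket implementation.
    cfg.setProperty(ZKClientConfig.ZOOKEEPER_CLIENT_CNXN_SOCKET,
        "org.apache.zookeeper.ClientCnxnSocketNetty");
    cfg.setProperty("zookeeper.ssl.keyStore.location", keyStore);
    cfg.setProperty("zookeeper.ssl.keyStore.password", keyStorePass);
    cfg.setProperty("zookeeper.ssl.trustStore.location", trustStore);
    cfg.setProperty("zookeeper.ssl.trustStore.password", trustStorePass);
    return cfg;
  }

  static CuratorFramework build(String connectString, ZKClientConfig cfg) {
    return CuratorFrameworkFactory.builder()
        .connectString(connectString) // must point at the server's secureClientPort
        .retryPolicy(new ExponentialBackoffRetry(1000, 3))
        // Per-client config: no JVM-wide system properties are touched.
        .zookeeperFactory((conn, timeout, watcher, readOnly) ->
            new ZooKeeper(conn, timeout, watcher, readOnly, cfg))
        .build();
  }

  public static void main(String[] args) {
    // args: <connectString> <keyStorePath> <trustStorePath>; passwords come
    // from the environment (variable names are assumptions) to keep them out of argv.
    ZKClientConfig cfg = tlsConfig(args[1], System.getenv("ZK_KEYSTORE_PASS"),
        args[2], System.getenv("ZK_TRUSTSTORE_PASS"));
    try (CuratorFramework client = build(args[0], cfg)) {
      client.start();
    }
  }
}
```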
Issue Links
- relates to: HADOOP-18919 Zookeeper SSL/TLS support in HDFS ZKFC (Resolved)