Skip to content

ZOOKEEPER-4790: Make client hostname verification configurable #2173

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
anmolnar merged 3 commits into from
Nov 22, 2024
Merged

ZOOKEEPER-4790: Make client hostname verification configurable #2173

anmolnar merged 3 commits into from
Nov 22, 2024
+15 −1

Conversation

@nightkr
Copy link
Contributor

@nightkr nightkr commented Jun 17, 2024

FIPS mode technically covers this, in a sort of sledgehammery way, but I think it's still worthwhile to have an explicit option for this and only this. Especially since FIPS compliance is a pretty broad thing (see ZOOKEEPER-4832) that will likely expand in the future to cover a lot of things that may or may not be desired.

@nightkr nightkr force-pushed the feature/config-client-hostname-verification branch from 4bb9978 to 802953e Compare June 17, 2024 13:20
@nightkr nightkr mentioned this pull request Jun 19, 2024
Closed
@nightkr nightkr mentioned this pull request Jun 26, 2024
Open
@anmolnar anmolnar closed this Aug 27, 2024
@anmolnar anmolnar reopened this Aug 27, 2024
@anmolnar
Copy link
Contributor

anmolnar commented Aug 27, 2024
edited
Loading

Accidentally closed the PR, sorry.
Wanted to ask:

Have you considered replacing the current apporach with separate config settings?

  • zookeeper.ssl.(quorum.)server.hostnameVerification
  • zookeeper.ssl.(quorum.)client.hostnameVerification

@nightkr
Copy link
Contributor Author

nightkr commented Aug 27, 2024

In a green field I think that makes sense, but I don't think it's worth breaking the old config value "just" for this.

@anmolnar
Copy link
Contributor

anmolnar commented Aug 27, 2024

In a green field I think that makes sense, but I don't think it's worth breaking the old config value "just" for this.

You can keep backward compatibility by parsing both zookeeper.ssl.server.hostnameVerification and zookeeper.ssl.hostnameVerification as the server setting.

anmolnar
anmolnar reviewed Aug 27, 2024
View reviewed changes
zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md Outdated

* *ssl.clientHostnameVerification* and *ssl.quorum.clientHostnameVerification* :
(Java system properties: **zookeeper.ssl.clientHostnameVerification** and **zookeeper.ssl.quorum.clientHostnameVerification**)
**New in (INSERT VERSION HERE):**
Copy link
Contributor

@anmolnar anmolnar Aug 27, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

3.9.3

Copy link
Contributor Author

@nightkr nightkr Nov 22, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

6897947

Skipped 3.9.3 since it's already released at this point

anmolnar
anmolnar reviewed Aug 27, 2024
View reviewed changes
zookeeper-docs/src/main/resources/markdown/zookeeperAdmin.md
* *ssl.clientHostnameVerification* and *ssl.quorum.clientHostnameVerification* :
(Java system properties: **zookeeper.ssl.clientHostnameVerification** and **zookeeper.ssl.quorum.clientHostnameVerification**)
**New in (INSERT VERSION HERE):**
Specifies whether the client's hostname verification is enabled in client and quorum TLS negotiation process.
Copy link
Contributor

@anmolnar anmolnar Aug 27, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add that this setting will require server hostnameVerification setting to be true.

Copy link
Contributor Author

@nightkr nightkr Nov 22, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

2a7980d

@anmolnar
Copy link
Contributor

anmolnar commented Aug 27, 2024
edited
Loading

@nightkr Ignore my previous comment. Since client hostname verification is bound to server hostname verification setting, it makes sense to keep the original and general hostnameVerification setting. It enables/disabled the entire feature. Your patch is good as it is, just elaborate a bit in the admin documentation.

@nightkr
Copy link
Contributor Author

nightkr commented Nov 22, 2024

Sorry about the delay, got distracted by other stuff.

anmolnar
anmolnar approved these changes Nov 22, 2024
View reviewed changes
Copy link
Contributor

@anmolnar anmolnar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1

@anmolnar anmolnar merged commit 91ab3f5 into apache:master Nov 22, 2024
13 checks passed
asfgit pushed a commit that referenced this pull request Nov 22, 2024
@nightkr @anmolnar
ZOOKEEPER-4790: Make client hostname verification configurable
5523ef5 
Reviewers: anmolnar
Author: nightkr
Closes #2173 from nightkr/feature/config-client-hostname-verification

(cherry picked from commit 91ab3f5)
Signed-off-by: Andor Molnar <andor@apache.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@anmolnar anmolnar anmolnar approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@nightkr @anmolnar