Documentation on enabling SSL missing #315

Open
aby040 opened this issue Jun 1, 2022 · 10 comments

@aby040

aby040 commented Jun 1, 2022

Could not find any documentation or guide on how to configure the below values in the client:

client.secure=true
ssl.keystore.location=
ssl.keystore.password=
ssl.truststore.location=
ssl.truststore.password=

etc. Can someone help solve this?

@DavidVujic
Collaborator

Hello @aby040, sorry for the late reply!

Are these settings for a ZooKeeper client? I don't recognize these, and they look like some ZooKeeper server settings. Do you have any more info about these?

@DavidVujic
Collaborator

I think I have found something for the Java client actually: https://cwiki.apache.org/confluence/display/zookeeper/zookeeper+ssl+user+guide

Not sure if this is implemented in the C client, though.

@Megabyte516

Hi, can this be documented? How are the parameters for enabling SSL to be specified?

@DavidVujic
Collaborator

I don't think the parameters are supported in the C-based client (that this library is built on top of as a Node.js AddOn). But if OpenSSL is available on the machine, it will build the AddOn with SSL (on Linux). Not sure if this answers your question @Megabyte516 though, this is an area that I haven't much knowledge in.

To try it out on a Mac or Windows locally, you can delete the prebuilds folder in this package and run npm install. Mac OS X and Windows have already prebuilt versions added (to speed things up during installation). The prebuilds don't include SSL.

@Megabyte516

Thanks for the quick answer, although to be honest I do not understand it. What does "build with SSL" mean in this context? I am just a user, and what I wanted to know is what I need to do to use the zookeeper client to access a ZooKeeper server that is SSL enabled, obviously involving server/client keystores, passwords, etc. If a client "supports" SSL, it should provide a way of communicating these to the server in order to be (mutually) authenticated?

@DavidVujic
Collaborator

Sorry, I should have explained it further!

A Node.js app that has zookeeper as a dependency will, on Linux, build a Node AddOn when running npm install for the app. The zookeeper library will be downloaded from npm just as the other dependencies - but its own install script will trigger the building of an AddOn. The AddOn is a wrapper around the official ZooKeeper C Client.

I haven't found anything about the keystore configurations in the docs or the source code of the C client. However, the docs for the C Client are very minimalistic and I think some of it is also outdated.

The only SSL related thing I know of is that if openssl is installed on the Linux machine already, it will be enabled in the C client too when the AddOn is built (during npm install). But I don't really know what that actually means. I haven't used that feature myself.

I would very much appreciate help with investigating this. My guess is that it isn't added in the C client, but if it is we would probably need to add support for it in this repo too (probably a minor thing to do).

@DavidVujic
Collaborator

Maybe there's a clue here: apache/zookeeper#1107

@DavidVujic
Collaborator

There's likely something missing here in this repo: the config passed on from new ZooKeeper(config) isn't passed through as-is (if I understand the C/C++ interop correctly, I am not the developer that wrote that part).

@DavidVujic
Collaborator

DavidVujic commented Jan 11, 2024

@DavidVujic
Collaborator

Unfortunately, I haven't been able to solve this. The reason is that I don't fully understand the underlying C Client and how it should have the proper preprocessor directives set.

To summarize, currently there is no support in this client for SSL. I will update the docs about this.
