ZOOKEEPER-4990: accept ssl.* in client config

Author: seekskyworld

zookeeper-docs/src/main/resources/markdown/zookeeperCLI.md

@@ -29,6 +29,21 @@ bin/zkCli.sh -waitforconnection -timeout 3000 -server remoteIP:2181
 # connect with a custom client configuration properties file
 bin/zkCli.sh -client-configuration /path/to/client.properties
 ```
+
+When connecting to a TLS-only server, provide a client configuration file with
+the SSL settings. The `zookeeper.ssl.*` keys are preferred; `ssl.*` keys from a
+server `zoo.cfg` are also accepted.
+
+```bash
+# client.properties (TLS example)
+zookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
+zookeeper.client.secure=true
+zookeeper.ssl.trustStore.location=/path/to/client-truststore.jks
+zookeeper.ssl.trustStore.password=changeit
+zookeeper.ssl.keyStore.location=/path/to/client-keystore.jks
+zookeeper.ssl.keyStore.password=changeit
+```
+
 ## help
 Showing helps about ZooKeeper commands
 
@@ -570,4 +585,4 @@ Gives all authentication information added into the current session.
     [zkshell: 3] whoami
     Auth scheme: User
     ip: 127.0.0.1
-    digest: user1
+    digest: user1

zookeeper-server/src/main/java/org/apache/zookeeper/client/ZKClientConfig.java

@@ -21,6 +21,7 @@
 import java.io.File;
 import org.apache.yetus.audience.InterfaceAudience;
 import org.apache.zookeeper.ZooKeeper;
+import org.apache.zookeeper.common.ClientX509Util;
 import org.apache.zookeeper.common.ZKConfig;
 import org.apache.zookeeper.server.quorum.QuorumPeerConfig.ConfigException;
 
@@ -64,6 +65,7 @@ public class ZKClientConfig extends ZKConfig {
      * Feature is disabled by default.
      */
     public static final long ZOOKEEPER_REQUEST_TIMEOUT_DEFAULT = 0;
+    private static final String ZOOKEEPER_PREFIX = "zookeeper.";
 
     public ZKClientConfig() {
         super();
@@ -78,6 +80,12 @@ public ZKClientConfig(String configPath) throws ConfigException {
         super(configPath);
     }
 
+    @Override
+    public void addConfiguration(File configFile) throws ConfigException {
+        super.addConfiguration(configFile);
+        applyServerSslConfiguration();
+    }
+
     /**
      * Initialize all the ZooKeeper client properties which are configurable as
      * java system property
@@ -108,6 +116,43 @@ protected void handleBackwardCompatibility() {
         setProperty(SECURE_CLIENT, System.getProperty(SECURE_CLIENT));
     }
 
+    private void applyServerSslConfiguration() {
+        try (ClientX509Util clientX509Util = new ClientX509Util()) {
+            copyServerSslProperty(clientX509Util.getSslProtocolProperty());
+            copyServerSslProperty(clientX509Util.getSslEnabledProtocolsProperty());
+            copyServerSslProperty(clientX509Util.getSslCipherSuitesProperty());
+            copyServerSslProperty(clientX509Util.getSslKeystoreLocationProperty());
+            copyServerSslProperty(clientX509Util.getSslKeystorePasswdProperty());
+            copyServerSslProperty(clientX509Util.getSslKeystorePasswdPathProperty());
+            copyServerSslProperty(clientX509Util.getSslKeystoreTypeProperty());
+            copyServerSslProperty(clientX509Util.getSslTruststoreLocationProperty());
+            copyServerSslProperty(clientX509Util.getSslTruststorePasswdProperty());
+            copyServerSslProperty(clientX509Util.getSslTruststorePasswdPathProperty());
+            copyServerSslProperty(clientX509Util.getSslTruststoreTypeProperty());
+            copyServerSslProperty(clientX509Util.getSslContextSupplierClassProperty());
+            copyServerSslProperty(clientX509Util.getSslHostnameVerificationEnabledProperty());
+            copyServerSslProperty(clientX509Util.getSslCrlEnabledProperty());
+            copyServerSslProperty(clientX509Util.getSslOcspEnabledProperty());
+            copyServerSslProperty(clientX509Util.getSslClientAuthProperty());
+            copyServerSslProperty(clientX509Util.getSslHandshakeDetectionTimeoutMillisProperty());
+            copyServerSslProperty(clientX509Util.getSslAuthProviderProperty());
+        }
+    }
+
+    private void copyServerSslProperty(String clientProperty) {
+        if (clientProperty == null || getProperty(clientProperty) != null) {
+            return;
+        }
+        if (!clientProperty.startsWith(ZOOKEEPER_PREFIX)) {
+            return;
+        }
+        String serverProperty = clientProperty.substring(ZOOKEEPER_PREFIX.length());
+        String serverValue = getProperty(serverProperty);
+        if (serverValue != null) {
+            setProperty(clientProperty, serverValue);
+        }
+    }
+
     /**
      * Returns true if the SASL client is enabled. By default, the client is
      * enabled but can be disabled by setting the system property

zookeeper-server/src/test/java/org/apache/zookeeper/client/ZKClientConfigTest.java

@@ -36,6 +36,7 @@
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Properties;
+import org.apache.zookeeper.common.ClientX509Util;
 import org.apache.zookeeper.common.ZKConfig;
 import org.apache.zookeeper.server.quorum.QuorumPeerConfig.ConfigException;
 import org.junit.jupiter.api.BeforeAll;
@@ -138,6 +139,37 @@ public void testReadConfigurationFile() throws IOException, ConfigException {
         file.delete();
     }
 
+    @Test
+    @Timeout(value = 10)
+    public void testServerSslPropertyFallback() throws IOException, ConfigException {
+        File file = File.createTempFile("clientConfigSsl", ".conf", testData);
+        file.deleteOnExit();
+        Properties clientConfProp = new Properties();
+        clientConfProp.setProperty("ssl.trustStore.location", "/tmp/server-truststore.jks");
+        clientConfProp.setProperty("ssl.trustStore.password", "server-pass");
+        clientConfProp.setProperty("ssl.keyStore.location", "/tmp/server-keystore.jks");
+        clientConfProp.setProperty("ssl.keyStore.password", "server-pass");
+        clientConfProp.setProperty("zookeeper.ssl.trustStore.location", "/tmp/client-truststore.jks");
+        OutputStream io = new FileOutputStream(file);
+        try {
+            clientConfProp.store(io, "Client Configurations");
+        } finally {
+            io.close();
+        }
+
+        ZKClientConfig conf = new ZKClientConfig();
+        conf.addConfiguration(file.getAbsolutePath());
+
+        try (ClientX509Util clientX509Util = new ClientX509Util()) {
+            assertEquals("/tmp/client-truststore.jks", conf.getProperty(clientX509Util.getSslTruststoreLocationProperty()));
+            assertEquals("server-pass", conf.getProperty(clientX509Util.getSslTruststorePasswdProperty()));
+            assertEquals("/tmp/server-keystore.jks", conf.getProperty(clientX509Util.getSslKeystoreLocationProperty()));
+            assertEquals("server-pass", conf.getProperty(clientX509Util.getSslKeystorePasswdProperty()));
+        }
+
+        file.delete();
+    }
+
     @Test
     @Timeout(value = 10)
     public void testSetConfiguration() {