ZOOKEEPER-4849: Option to Provide Custom X509 Implementation of QuorumAuthServer and QuorumAuthLearner
@eolivelli @kezhuw @anmolnar could you please review? This change implements our paranoid security recommendation: each ZooKeeper quorum member must present a distinct mTLS certificate, validated against its CNAME. The patch adds the ability to configure authentication for both quorum servers and learners—very similar to the work tracked in https://issues.apache.org/jira/browse/ZOOKEEPER-2123
@kezhuw thank you for your review. About using a dedicated CA: we actually use a global certificate-management system called Athenz to issue certs for all our services, including multiple ZooKeeper quorums. Spinning up a completely separate CA per quorum would be painful—every time you add or remove a ZooKeeper node you’d have to provision or revoke a cert in that dedicated CA.
Instead, you can continue using Athenz but tighten its issuance policies for your ZK quorums. For example:
- Scoped Roles or Domains: Define an Athenz domain (e.g. zookeeper.quorum) and only allow services in that domain to get certs with a specific OU or SAN (ou=zookeeper-quorum).
- Dynamic Membership: When a new ZK server spins up, it simply presents its Athenz role and automatically gets a cert scoped to the quorum domain—no manual CA changes.
This lets you keep a single, centrally managed CA (Athenz) while still ensuring only bona fide quorum members can join.
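The membership check these comments describe, as an added example rather than the patch's own Java code: once the TLS handshake has validated the chain against the shared CA, a custom X509 QuorumAuthServer/QuorumAuthLearner still has to confirm that the peer's asserted name is a configured quorum member and that the cert carries the quorum-scoped OU. It is written in Python against the certificate-dict shape of `ssl.SSLSocket.getpeercert()`; the hostnames, OU value and member list are constructed.

```python
# Added example: post-handshake identity check for a quorum peer certificate.
# Certificate dicts follow the shape returned by ssl.SSLSocket.getpeercert();
# all hostnames, the OU value and the member list below are constructed.
from typing import Mapping, Sequence, Tuple

def _rdn_values(cert: Mapping, attr: str) -> list:
    """All values of one subject attribute from getpeercert()'s nested tuples."""
    return [v for rdn in cert.get("subject", ()) for (name, v) in rdn if name == attr]

def _dns_identities(cert: Mapping) -> list:
    """SAN DNS names take precedence over CN (RFC 6125); CN is only a fallback."""
    sans = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    return [n.lower() for n in (sans or _rdn_values(cert, "commonName"))]

def check_quorum_peer(cert: Mapping, quorum_members: Sequence[str],
                      required_ou: str) -> Tuple[bool, str]:
    """Accept only a cert scoped to this quorum (OU) whose asserted hostname is a
    configured quorum member. Returns (accepted, reason) so the caller can log it."""
    if required_ou not in _rdn_values(cert, "organizationalUnitName"):
        return False, "certificate is not scoped to the quorum OU"
    identities = _dns_identities(cert)
    if not identities:
        return False, "certificate carries no DNS identity"
    members = {m.lower() for m in quorum_members}
    matched = sorted(set(identities) & members)
    if not matched:
        return False, f"peer identity {identities} is not a configured quorum member"
    return True, f"accepted quorum member {matched[0]}"

# Constructed ensemble: the configured server list and the OU Athenz scopes to it.
QUORUM_MEMBERS = ["zk1.example.test", "zk2.example.test", "zk3.example.test"]
QUORUM_OU = "zookeeper-quorum"

MEMBER_CERT = {"subject": ((("organizationalUnitName", QUORUM_OU),),
                           (("commonName", "zk2.example.test"),)),
               "subjectAltName": (("DNS", "zk2.example.test"),)}
# Same CA, different service: the chain validates, but the OU is not the quorum's.
OTHER_SERVICE_CERT = {"subject": ((("organizationalUnitName", "billing-api"),),
                                  (("commonName", "billing.example.test"),)),
                      "subjectAltName": (("DNS", "billing.example.test"),)}
# Quorum-scoped OU, but a host that is not in this ensemble's server list.
STRAY_HOST_CERT = {"subject": ((("organizationalUnitName", QUORUM_OU),),
                               (("commonName", "zk9.example.test"),))}

def demo() -> dict:
    cases = [("member", MEMBER_CERT), ("other_service", OTHER_SERVICE_CERT),
             ("stray_host", STRAY_HOST_CERT)]
    return {name: check_quorum_peer(c, QUORUM_MEMBERS, QUORUM_OU) for name, c in cases}

if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:14} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```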