YARN-11468. Zookeeper SSL/TLS support. Contributed by Ferenc Erdelyi

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-api/src/main/java/org/apache/hadoop/yarn/conf/YarnConfiguration.java

@@ -857,6 +857,10 @@ public static boolean isAclEnabled(Configuration conf) {
   /** Zookeeper interaction configs */
   public static final String RM_ZK_PREFIX = RM_PREFIX + "zk-";
 
+  /** Enable Zookeeper SSL/TLS communication. */
+  public static final String RM_ZK_CLIENT_SSL_ENABLED = RM_ZK_PREFIX + "client-ssl.enabled";
+  public static final boolean DEFAULT_RM_ZK_CLIENT_SSL_ENABLED = false;
+
   public static final String RM_ZK_ADDRESS = RM_ZK_PREFIX + "address";
 
   public static final String RM_ZK_NUM_RETRIES = RM_ZK_PREFIX + "num-retries";

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/resources/yarn-default.xml

@@ -741,6 +741,12 @@
     <value>1048576</value>
   </property>
 
+  <property>
+    <description>Enable SSL/TLS encryption for the ZooKeeper communication.</description>
+    <name>yarn.resourcemanager.zk-client-ssl.enabled</name>
+    <value>false</value>
+  </property>
+
   <property>
     <description>Name of the cluster. In a HA setting,
       this is used to ensure the RM participates in leader

hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-resourcemanager/src/main/java/org/apache/hadoop/yarn/server/resourcemanager/ResourceManager.java

@@ -427,7 +427,8 @@ public ZKCuratorManager createAndStartZKManager(Configuration
       authInfos.add(authInfo);
     }
 
-    manager.start(authInfos);
+    manager.start(authInfos, config.getBoolean(YarnConfiguration.RM_ZK_CLIENT_SSL_ENABLED,
+        YarnConfiguration.DEFAULT_RM_ZK_CLIENT_SSL_ENABLED));
     return manager;
   }