zookeeper-dev mailing list archives

From "Andrew Purtell (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-1045) Support Quorum Peer mutual authentication via SASL
Date Wed, 02 Nov 2016 01:59:59 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-1045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15627361#comment-15627361 ]

Andrew Purtell commented on ZOOKEEPER-1045:
-------------------------------------------

I posted details of a worked example to dev@, using the 3.4 patch on this issue applied to
3.4.9. The feature seems to basically work in that I can see a quorum bootstrap with successful
authentication, and specifying an incorrect principal in the configuration of an instance
or making the keytab unreadable will prevent that. Suggestions on a hammer test to try now?

One nit I noticed is with Java 8 (OpenJDK 8u112 specifically) - and I believe recent versions
of Java 7 will have the same behavior - if you do not use precisely the form <principal>/_HOST
for quorum.auth.kerberos.servicePrincipal the JRE will throw exceptions during configuration
file processing. The instructions in the PDF attached to this issue suggest you can use other
name formats like <principal>@<realm> or <principal>/<fqdn>@<realm>
but I had trouble with those. Could be a local JRE issue or have been operator error I suppose.
You may want to try out a few variations when testing this feature.



> Support Quorum Peer mutual authentication via SASL
> --------------------------------------------------
>
>                 Key: ZOOKEEPER-1045
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1045
>             Project: ZooKeeper
>          Issue Type: New Feature
>          Components: quorum, security
>            Reporter: Eugene Koontz
>            Assignee: Rakesh R
>            Priority: Critical
>             Fix For: 3.4.10, 3.5.3
>
>         Attachments: 0001-ZOOKEEPER-1045-br-3-4.patch, 1045_failing_phunt.tar.gz, HOST_RESOLVER-ZK-1045.patch,
> QuorumPeer Mutual Authentication Via Sasl Feature Doc - 2016-Sep-25.pdf, TEST-org.apache.zookeeper.server.quorum.auth.QuorumAuthUpgradeTest.txt,
> ZK-1045-test-case-failure-logs.zip, ZOOKEEPER-1045 Test Plan.pdf, ZOOKEEPER-1045-00.patch,
> ZOOKEEPER-1045-Rolling Upgrade Design Proposal.pdf, ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch,
> ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch,
> ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch,
> ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045TestValidationDesign.pdf, org.apache.zookeeper.server.quorum.auth.QuorumAuthUpgradeTest.testRollingUpgrade.log
>
>
> ZOOKEEPER-938 addresses mutual authentication between clients and servers. This bug,
> on the other hand, is for authentication among quorum peers. Hopefully much of the work done
> on SASL integration with Zookeeper for ZOOKEEPER-938 can be used as a foundation for this
> enhancement.
> Review board: https://reviews.apache.org/r/47354/



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
