From: Patrick Hunt
Date: Tue, 13 Dec 2016 19:33:28 -0800
Subject: Re: ZooKeeper cwiki - Updated ZooKeeper and SASL auth 1045 work
To: DevZooKeeper
Reply-To: dev@zookeeper.apache.org
archived-at: Wed, 14 Dec 2016 03:34:13 -0000

Nice job Rakesh, some comments:

1) the appendix is a great idea, should be useful for many people. One thing I noticed "There is no additional dependencies needed to use SASL with Java since it is part of the the Java Standard Edition." - you might want to mention/link the JCE? The JVM doesn't come with very modern encryption - some of the distros use stronger encryption out of the box with Kerberos. I've run into this a number of times (need to also install JCE).

2) consistently use "ZooKeeper" rather than "Zookeeper". Only noticed this in a few places...

3) on client-server it would be good to mention when it was added (3.4.0+), similar to what you did with 1045.

4) on "ZooKeeper SASL configurations" the numbering of the bullets starts at 2.1. and finishes at 2.4. I suspect the formatting didn't copy over quite right?

5) similar formatting issue for "# Defaulting to 20quorum.cnxn.threads.size=20" Can we give any insight into how this value should be set? i.e. why is 20 the default and when should it be raised/lowered?

6) can the doc shed any light on why we are recommending "javax.security.auth.useSubjectCredsOnly=false"? I'm not familiar with this myself.

7) "This feature is supported in 3.4 branch" is ambiguous - perhaps rephrase. What "feature" are you referring to, 1045 or to rolling upgrade? Also the ref to 3.4 itself is ambiguous - perhaps change to 3.4.10+?

These are some minor nits, overall impressive effort -- thanks again Rakesh!

Patrick

On Tue, Dec 13, 2016 at 6:56 PM, Rakesh Radhakrishnan wrote:

> Hi All,
>
> I've incorporated ZK-1045 feature details into the Apache ZooKeeper project
> cwiki. Since the "ZooKeeper and SASL" section is quite large, I've split the
> ZooKeeper client-server and server-server sections into sub-pages. Please
> read the following page,
>
> https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+and+SASL+authentication
>
> *ZooKeeper and SASL authentication*
>
> - Client-Server mutual authentication
> - Server-Server mutual authentication
> - Appendix: Kerberos, GSSAPI, SASL, and JAAS
>
> I have reused the content from the "Client-Server" and "Appendix" sections
> from the existing page
> https://cwiki.apache.org/confluence/display/ZOOKEEPER/Zookeeper+and+SASL
> Presently I've maintained this original page as a history, probably we need
> to delete this page after everyone agrees on the changes.
>
> Appreciate your feedback, thanks!
>
> Regards,
> Rakesh