zookeeper-issues mailing list archives

From Jörn Franke (JIRA) <j...@apache.org>
Subject [jira] [Updated] (ZOOKEEPER-3482) SASL (Kerberos) Authentication with SSL for clients and Quorum
Date Thu, 01 Aug 2019 19:43:00 GMT

     [ https://issues.apache.org/jira/browse/ZOOKEEPER-3482?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jörn Franke updated ZOOKEEPER-3482:
-----------------------------------
    Description: 
It seems that Kerberos authentication does not work for encrypted connections of clients and
quorum. It seems that only X509 Authentication works.

What I would have expected:

ClientSecurePort is defined

A keystore and truststore are deployed on the ZooKeeper servers

Only a truststore is deployed with the client (to validate the CA of the server certificate)

Client can authenticate with SASL (Kerberos)

Similarly, it should work for the Quorum SSL connection.

Is there a way to configure this in ZooKeeper?

 

Note: Kerberos Authentication for SSL encrypted connection should be used instead of X509
authentication for this case and not in addition. However, if it only works in 3.5.5 in addition
then I would be interested and willing to test it.

  was:
It seems that Kerberos authentication does not work for encrypted connections of clients and
quorum. It seems that only X509 Authentication works.

What I would have expected:

ClientSecurePort is defined

A keystore and truststore are deployed on the ZooKeeper servers

Only a truststore is deployed with the client (to validate the CA of the server certificate)

Client can authenticate with SASL (Kerberos)

Similarly for the Quorum SSL connection.

Is there a way to configure this in ZooKeeper?

 

Note: Kerberos Authentication for SSL encrypted connection should be used instead of X509
authentication for this case and not in addition. However, if it only works in 3.5.5 in addition
then I would be interested and willing to test it.


> SASL (Kerberos) Authentication with SSL for clients and Quorum
> --------------------------------------------------------------
>
>                 Key: ZOOKEEPER-3482
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3482
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: server
>    Affects Versions: 3.5.5
>            Reporter: Jörn Franke
>            Priority: Major
>
> It seems that Kerberos authentication does not work for encrypted connections of clients and quorum. It seems that only X509 Authentication works.
> What I would have expected:
> ClientSecurePort is defined
> A keystore and truststore are deployed on the ZooKeeper servers
> Only a truststore is deployed with the client (to validate the CA of the server certificate)
> Client can authenticate with SASL (Kerberos)
> Similarly, it should work for the Quorum SSL connection.
> Is there a way to configure this in ZooKeeper?
>  
> Note: Kerberos Authentication for SSL encrypted connection should be used instead of X509 authentication for this case and not in addition. However, if it only works in 3.5.5 in addition then I would be interested and willing to test it.



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
