zookeeper-issues mailing list archives

From "Andor Molnar (Jira)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-3482) SASL (Kerberos) Authentication with SSL for clients and Quorum
Date Mon, 13 Jan 2020 12:44:00 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-3482?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17014286#comment-17014286 ]

Andor Molnar commented on ZOOKEEPER-3482:

[~symat]  [~jornfranke]

I repeated my test with another cluster and I was able to use SSL and Kerberos in conjunction
successfully. I'm still looking at my original report to see the difference, but unfortunately
the test cluster has already been destroyed and I cannot see anything obvious now.

Anyway, we can say that ZooKeeper supports Kerberized client connections on the secure port
as of version 3.5.5.

Adding new tests is a very good idea, and some sort of documentation about how to set
this up properly would also be useful. Thanks.

> SASL (Kerberos) Authentication with SSL for clients and Quorum
> --------------------------------------------------------------
>                 Key: ZOOKEEPER-3482
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3482
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: server
>    Affects Versions: 3.5.5
>            Reporter: Jörn Franke
>            Assignee: Mate Szalay-Beko
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 1h 10m
>  Remaining Estimate: 0h
> It seems that Kerberos authentication does not work for encrypted connections of clients
> and quorum. It seems that only X509 Authentication works.
> What I would have expected:
> ClientSecurePort is defined
> A keystore and truststore are deployed on the ZooKeeper servers
> Only a truststore is deployed with the client (to validate the CA of the server certificate)
> Client can authenticate with SASL (Kerberos)
> Similarly, it should work for the Quorum SSL connection.
> Is there a way to configure this in ZooKeeper?
> Note: Kerberos Authentication for SSL encrypted connection should be used instead of
> X509 authentication for this case and not in addition. However, if it only works in 3.5.5
> in addition then I would be interested and willing to test it.

This message was sent by Atlassian Jira
