zookeeper-user mailing list archives

From Flavio Junqueira <...@apache.org>
Subject Re: Kerberos authentication setup question
Date Sat, 30 Jan 2016 05:10:53 GMT
Hi Irfan, 

Your description sounds right to me. I'd add that you can check that your client watcher is
getting a SaslConnected event.

There is some more information here in case you haven't seen this page:

https://cwiki.apache.org/confluence/display/ZOOKEEPER/Zookeeper+and+SASL

-Flavio

> On 29 Jan 2016, at 14:51, Irfan Hamid <ihamid@salesforce.com> wrote:
> 
> Hi,
> 
> We're trying to set up ZooKeeper with Kerberos authentication in our setup.
> The documentation about setting this up is a bit complicated. The steps for
> the ZooKeeper quorum servers are quite clear:
> 
> *ZooKeeper quorum servers*
> 1. Create zookeeper service principals as described here
> <http://www.cloudera.com/documentation/archive/cdh/4-x/4-2-0/CDH4-Security-Guide/cdh4sg_topic_11_1.html>.
> I am creating them as zookeeper/fqdn.of.my.zk.quorum.server@MYREAL.COM
> 2. Copy the keytab files created in (1) to the respective ZooKeeper quorum
> servers and place them in the ZooKeeper conf directory
> 3. Add the configs indicated to the zoo.cfg file
> 4. Add a jaas.conf file (and point to it as part of the JVM params) as
> indicated
> 
> *ZooKeeper client side*
> This part is throwing me for a loop. We are using the basic ZooKeeper API
> (not Curator) in our client side code and creating connections using the
> vanilla new ZooKeeper(cxnString, ...) constructor. The only documentation
> on how to set this up I could find is here
> <http://www.cloudera.com/documentation/archive/cdh/4-x/4-3-0/CDH4-Security-Guide/cdh4sg_topic_11_2.html>.
> I was wondering if the linked steps would work for my use-case or if these
> are for a specific Cloudera ZooKeeper client tool?
> 
> 1. Create zookeeper client principals using zkcli@MYREAL.COM (the client's
> FQDN isn't needed here?)
> 2. Copy the keytab file to the machine running our client app
> 3. Make the necessary modifications to jaas.conf
> 4. Run our client app with the JVM param pointing to the jaas.conf file
> from (2)
> 
> Is my understanding correct or are these steps only for the Cloudera client
> shell?
> 
> Regards,
> Irfan.
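
An added example, not part of the original thread or of the ZooKeeper project's code: a client built on the plain new ZooKeeper(cxnString, ...) constructor that waits for the watcher to report SASL success before doing any work. The ZooKeeper Java API delivers this as KeeperState.SaslAuthenticated; the class name, connect string default, timeouts and file paths below are assumptions or placeholders.

```java
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;
import org.apache.zookeeper.WatchedEvent;
import org.apache.zookeeper.Watcher;
import org.apache.zookeeper.ZooKeeper;

// Added example (hypothetical class). Start the JVM with:
//   -Djava.security.auth.login.config=/path/to/jaas.conf   (placeholder path)
// Assumed jaas.conf "Client" section (keytab path is a placeholder):
//   Client {
//     com.sun.security.auth.module.Krb5LoginModule required
//     useKeyTab=true keyTab="/path/to/zkcli.keytab" storeKey=true
//     useTicketCache=false principal="zkcli@MYREAL.COM";
//   };
public class SaslCheck implements Watcher {
    private final CountDownLatch done = new CountDownLatch(1);
    private volatile boolean authenticated = false;

    @Override
    public void process(WatchedEvent event) {
        switch (event.getState()) {
            case SaslAuthenticated:   // SASL/Kerberos handshake completed
                authenticated = true;
                done.countDown();
                break;
            case AuthFailed:          // bad keytab, principal or JAAS section
                done.countDown();
                break;
            default:
                // SyncConnected only means a session exists; it does not
                // show that SASL completed, so keep waiting.
                break;
        }
    }

    public static void main(String[] args) throws Exception {
        String cxnString = args.length > 0 ? args[0] : "localhost:2181"; // assumed default
        SaslCheck watcher = new SaslCheck();
        ZooKeeper zk = new ZooKeeper(cxnString, 30000, watcher);
        boolean ok = false;
        try {
            ok = watcher.done.await(15, TimeUnit.SECONDS) && watcher.authenticated;
        } finally {
            zk.close();
        }
        System.out.println(ok ? "SASL authentication succeeded" : "Not SASL-authenticated");
        if (!ok) System.exit(1);
    }
}
```

A timeout here is treated as failure on purpose: a client that reaches SyncConnected but never sees SaslAuthenticated is running an unauthenticated session.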

