zookeeper-user mailing list archives

From Irfan Hamid <iha...@salesforce.com>
Subject Re: Kerberos authentication setup question
Date Mon, 08 Feb 2016 22:58:04 GMT
Small followup/clarification. If a client needs to connect to two separate,
Kerberos-authenticated ZK ensembles, it should be possible since the client
side Kerberos ticket is generated as zkcli@MYREALM.COM and does not
indicate which ZK ensemble it is for?

Thanks,
Irfan.

On Sat, Jan 30, 2016 at 10:22 AM, Irfan Hamid <ihamid@salesforce.com> wrote:

> Thanks Flavio. That's good news, and I'm especially grateful for that
> second link, which inexplicably eluded me during my searches for this topic.
>
> Regards,
> Irfan.
>
> On Fri, Jan 29, 2016 at 9:10 PM, Flavio Junqueira <fpj@apache.org> wrote:
>
>> Hi Irfan,
>>
>> Your description sounds right to me. I'd add that you can check that your
>> client watcher is getting a SaslConnected event.
>>
>> There is some more information here in the case you haven't seen this
>> page:
>>
>> https://cwiki.apache.org/confluence/display/ZOOKEEPER/Zookeeper+and+SASL
>>
>> -Flavio
>>
>> > On 29 Jan 2016, at 14:51, Irfan Hamid <ihamid@salesforce.com> wrote:
>> >
>> > Hi,
>> >
>> > We're trying to set up ZooKeeper with Kerberos authentication in our setup.
>> > The documentation about setting this up is a bit complicated. The steps for
>> > the ZooKeeper quorum servers are quite clear:
>> >
>> > *ZooKeeper quorum servers*
>> > 1. Create zookeeper service principals as described here
>> > <http://www.cloudera.com/documentation/archive/cdh/4-x/4-2-0/CDH4-Security-Guide/cdh4sg_topic_11_1.html>.
>> > I am creating them as zookeeper/fqdn.of.my.zk.quorum.server@MYREAL.COM
>> > 2. Copy the keytab files created in (1) to the respective ZooKeeper quorum
>> > servers and place it in the ZooKeeper conf directory
>> > 3. Add the configs indicated to the zoo.cfg file
>> > 4. Add a jaas.conf file (and point to it as part of the jvm params) as
>> > indicated
>> >
>> > *ZooKeeper client side*
>> > This part is throwing me for a loop. We are using the basic ZooKeeper API
>> > (not Curator) in our client side code and creating connections using the
>> > vanilla new ZooKeeper(cxnString, ...) constructor. The only documentation
>> > on how to set this up I could find is here
>> > <http://www.cloudera.com/documentation/archive/cdh/4-x/4-3-0/CDH4-Security-Guide/cdh4sg_topic_11_2.html>.
>> > I was wondering if the linked steps would work for my use-case or if these
>> > are for a specific Cloudera ZooKeeper client tool?
>> >
>> > 1. Create zookeeper client principals using zkcli@MYREAL.COM (the client's
>> > FQDN isn't needed here?)
>> > 2. Copy the keytab file to the machine running our client app
>> > 3. Make the necessary modifications to jaas.conf
>> > 4. Run our client app with the JVM param pointing to the jaas.conf file
>> > from (2)
>> >
>> > Is my understanding correct or are these steps only for the Cloudera client
>> > shell?
>> >
>> > Regards,
>> > Irfan.
>>
>>
>
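
Added example (not part of the thread and not code from the ZooKeeper project): a small Java client for the check Flavio describes, using the plain new ZooKeeper(cxnString, ...) constructor from the original question. The client API reports the SASL outcome as KeeperState.SaslAuthenticated or KeeperState.AuthFailed; the class name SaslCheck, the host name, the keytab path and the timeouts are assumptions for illustration.

```java
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;
import org.apache.zookeeper.WatchedEvent;
import org.apache.zookeeper.Watcher;
import org.apache.zookeeper.Watcher.Event.KeeperState;
import org.apache.zookeeper.ZooKeeper;

// Added example. Run (host and paths are placeholders):
//   java -Djava.security.auth.login.config=/path/to/jaas.conf SaslCheck zk1.example.com:2181
// jaas.conf needs a "Client" section, the default name the ZooKeeper client looks up:
//   Client {
//     com.sun.security.auth.module.Krb5LoginModule required
//     useKeyTab=true keyTab="/path/to/zkcli.keytab" storeKey=true useTicketCache=false
//     principal="zkcli@MYREALM.COM";
//   };
public class SaslCheck implements Watcher {
    private final CountDownLatch done = new CountDownLatch(1);
    private volatile KeeperState outcome;

    @Override
    public void process(WatchedEvent event) {
        if (event.getType() != Event.EventType.None) return; // session state changes only
        KeeperState state = event.getState();
        // SyncConnected arrives first; the SASL result follows as its own event.
        if (state == KeeperState.SaslAuthenticated || state == KeeperState.AuthFailed) {
            outcome = state;
            done.countDown();
        }
    }

    /** Returns true only if the session to cxnString completed the SASL handshake. */
    static boolean authenticated(String cxnString, long waitMs) throws Exception {
        SaslCheck watcher = new SaslCheck();
        ZooKeeper zk = new ZooKeeper(cxnString, 30000, watcher);
        try {
            // A timeout counts as failure: a session that never attempts SASL
            // connects normally but gets no SaslAuthenticated event.
            return watcher.done.await(waitMs, TimeUnit.MILLISECONDS)
                    && watcher.outcome == KeeperState.SaslAuthenticated;
        } finally {
            zk.close();
        }
    }

    public static void main(String[] args) throws Exception {
        boolean ok = authenticated(args[0], 15000);
        System.out.println(args[0] + (ok ? " SASL authenticated" : " NOT authenticated"));
        System.exit(ok ? 0 : 1);
    }
}
```

Treating a missing SaslAuthenticated event as a failure catches the case where the JVM parameter pointing to jaas.conf was left out and the client is talking to the ensemble unauthenticated.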
