zookeeper-user mailing list archives

From Rakesh Radhakrishnan <rake...@apache.org>
Subject Re: default value for quorum.auth.kerberos.servicePrincipal
Date Fri, 13 Dec 2019 07:05:56 GMT
Hi Ram,

ZooKeeper Quorum authentication supports two schemes, Kerberos or
DIGEST-MD5. The user has to configure either the Kerberos or the digest
configuration values. Both together are not required.

I'd recommend you go through the Kerberos and digest simulation unit test cases,
where we have valid and invalid scenarios. Hope this gives you an idea about
the required configs.

https://github.com/apache/zookeeper/blob/master/zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/auth/QuorumDigestAuthTest.java
https://github.com/apache/zookeeper/blob/master/zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/auth/QuorumKerberosHostBasedAuthTest.java

Could you describe the issues that trouble you in setting up quorum auth,
if any?

Thanks,
Rakesh

On Fri, Dec 13, 2019 at 3:49 AM rammohan ganapavarapu <
rammohanganap@gmail.com> wrote:

> Hi,
>
> Even if I enable sasl but md5-digest, what should this property be set to?
> Does this property only take effect for kerberos or for both?
>
> Ram
>
> On Fri, Dec 6, 2019 at 7:55 AM rammohan ganapavarapu <
> rammohanganap@gmail.com> wrote:
>
> > Mate,
> >
> > Thank you, I did search the source code and found the same. I am trying to
> > create a zoo conf with all default properties.
> >
> > Ram
> >
> > On Fri, Dec 6, 2019, 2:44 AM Mate Szalay-Beko <mszalay@cloudera.com.invalid>
> > wrote:
> >
> >> Hi Ram,
> >>
> >> this parameter needs to be defined when you want to enable secure
> >> authentication in the communication between ZooKeeper servers. In general,
> >> the 'principal' is a 'username' that you want your ZooKeeper servers to use
> >> when they talk with each other. Ideally you have a central Kerberos service
> >> somewhere where this principal is already registered.
> >> A Kerberos principal is usually in the form of
> >> "user_or_service_name/host@realm" (some more explanation:
> >> https://ssimo.org/blog/id_016.html)
> >>
> >> According to the source code, the default value of
> >> quorum.auth.kerberos.servicePrincipal is "zkquorum/localhost". But I think
> >> if you don't enable the quorum SASL in ZooKeeper, then this property will
> >> never be actually used.
> >>
> >> Please see this page about SASL in ZooKeeper:
> >> https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+and+SASL
> >>
> >> I also found a Cloudera blogpost on the topic:
> >> https://blog.cloudera.com/hardening-apache-zookeeper-security-sasl-quorum-peer-mutual-authentication-and-authorization/
> >>
> >> Cheers,
> >> Mate
> >>
> >>
> >> On Thu, Dec 5, 2019 at 11:50 PM rammohan ganapavarapu <
> >> rammohanganap@gmail.com> wrote:
> >>
> >> > Hi,
> >> >
> >> > What is the default value for this property? If I don't enable sasl
> >> > and if I don't define it, what will be the value?
> >> >
> >> > quorum.auth.kerberos.servicePrincipal
> >> >
> >> > Also, what does this mean: "servicename/_HOST"
> >> >
> >> > Thanks,
> >> > Ram
> >> >
> >>
> >
>
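
The points made in this thread, as an added example that is not part of the original messages or of ZooKeeper's code: a small checker that reads a `zoo.cfg` and a JAAS file, works out which quorum auth scheme is in effect, and reports whether `quorum.auth.kerberos.servicePrincipal` matters. The function names, the findings it reports and the sample input are assumptions of this example; `quorum.auth.learner.saslLoginContext` and its default section name `QuorumLearner` are ZooKeeper settings not mentioned in the thread.

```python
import re

KEY = "quorum.auth.kerberos.servicePrincipal"
DEFAULT_PRINCIPAL = "zkquorum/localhost"  # default value quoted in the thread

def parse_props(text):
    """Parse key=value lines of a zoo.cfg, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def jaas_scheme(jaas_text, section):
    """Return 'kerberos', 'digest' or None from the login module of a JAAS section."""
    m = re.search(r"\b" + re.escape(section) + r"\s*\{(.*?)\}\s*;", jaas_text, re.S)
    if not m:
        return None
    if "Krb5LoginModule" in m.group(1):
        return "kerberos"
    if "DigestLoginModule" in m.group(1):
        return "digest"
    return None

def review(zoo_cfg, jaas_text):
    """Return (scheme, findings) for the quorum auth part of a configuration."""
    props = parse_props(zoo_cfg)
    if props.get("quorum.auth.enableSasl", "false").lower() != "true":
        return None, ["quorum SASL disabled: %s is not used" % KEY]
    section = props.get("quorum.auth.learner.saslLoginContext", "QuorumLearner")
    scheme = jaas_scheme(jaas_text, section)
    findings = []
    if scheme is None:
        findings.append("no Kerberos or digest login module in JAAS section " + section)
    elif scheme == "digest" and KEY in props:
        findings.append("digest scheme: %s is a Kerberos setting and can be dropped" % KEY)
    elif scheme == "kerberos" and props.get(KEY, DEFAULT_PRINCIPAL) == DEFAULT_PRINCIPAL:
        findings.append("Kerberos scheme still uses default principal " + DEFAULT_PRINCIPAL)
    return scheme, findings

# Constructed sample input (not taken from the thread).
SAMPLE_CFG = "quorum.auth.enableSasl=true\nquorum.auth.learnerRequireSasl=true\n"
SAMPLE_JAAS = """QuorumLearner {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true keyTab="/path/to/keytab" principal="zkquorum/host1@EXAMPLE.COM";
};"""

if __name__ == "__main__":
    print(review(SAMPLE_CFG, SAMPLE_JAAS))
```
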
