zookeeper-user mailing list archives

From rammohan ganapavarapu <rammohanga...@gmail.com>
Subject Re: default value for quorum.auth.kerberos.servicePrincipal
Date Fri, 13 Dec 2019 16:15:09 GMT
Hi Rakesh,

Right now I am not enabling SASL, but I am trying to define all default
properties and should be able to use them once SASL is enabled with
override values. So my question is: for digest auth, do we even need this
property? I remember seeing that if I don't set that property, it was using the
default value "zkquorum/localhost".

Thanks,
Ram

On Thu, Dec 12, 2019 at 11:06 PM Rakesh Radhakrishnan <rakeshr@apache.org>
wrote:

> Hi Ram,
>
> ZooKeeper Quorum authentication supports two schemes, Kerberos or
> DIGEST-MD5. The user has to configure either Kerberos or digest configuration
> values. Both together are not required.
>
> I'd recommend you go through the Kerberos and digest simulation unit test cases,
> where we have valid and invalid scenarios. Hope this gives you an idea about
> the required configs.
>
>
> https://github.com/apache/zookeeper/blob/master/zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/auth/QuorumDigestAuthTest.java
>
> https://github.com/apache/zookeeper/blob/master/zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/auth/QuorumKerberosHostBasedAuthTest.java
>
> Could you describe the issues that trouble you in setting up quorum auth,
> if any?
>
> Thanks,
> Rakesh
>
> On Fri, Dec 13, 2019 at 3:49 AM rammohan ganapavarapu <
> rammohanganap@gmail.com> wrote:
>
> > Hi,
> >
> > Even if I enable SASL but with md5-digest, what should this property be set to?
> > Does this property only take effect for Kerberos, or for both?
> >
> > Ram
> >
> > On Fri, Dec 6, 2019 at 7:55 AM rammohan ganapavarapu <
> > rammohanganap@gmail.com> wrote:
> >
> > > Mate,
> > >
> > > Thank you, I did search the source code and found the same. I am trying to
> > > create a zoo conf with all default properties.
> > >
> > > Ram
> > >
> > > On Fri, Dec 6, 2019, 2:44 AM Mate Szalay-Beko <mszalay@cloudera.com.invalid>
> > > wrote:
> > >
> > >> Hi Ram,
> > >>
> > >> this parameter needs to be defined when you want to enable secure
> > >> authentication in the communication between ZooKeeper servers. In general,
> > >> the 'principal' is a 'username' that you want your ZooKeeper servers to use
> > >> when they talk with each other. Ideally you have a central Kerberos service
> > >> somewhere where this principal is already registered.
> > >> A Kerberos principal is usually in the form of
> > >> "user_or_service_name/host@realm" (some more explanation:
> > >> https://ssimo.org/blog/id_016.html)
> > >>
> > >> According to the source code, the default value of
> > >> quorum.auth.kerberos.servicePrincipal is "zkquorum/localhost". But I think
> > >> if you don't enable the quorum SASL in ZooKeeper, then this property will
> > >> never be actually used.
> > >>
> > >> Please see this page about SASL in ZooKeeper:
> > >> https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+and+SASL
> > >>
> > >> I also found a Cloudera blogpost on the topic:
> > >> https://blog.cloudera.com/hardening-apache-zookeeper-security-sasl-quorum-peer-mutual-authentication-and-authorization/
> > >>
> > >> Cheers,
> > >> Mate
> > >>
> > >>
> > >> On Thu, Dec 5, 2019 at 11:50 PM rammohan ganapavarapu <
> > >> rammohanganap@gmail.com> wrote:
> > >>
> > >> > Hi,
> > >> >
> > >> > What is the default value for this property? If I don't enable SASL
> > >> > and if I don't define it, what will be the value?
> > >> >
> > >> > quorum.auth.kerberos.servicePrincipal
> > >> >
> > >> > Also, what does "servicename/_HOST" mean?
> > >> >
> > >> > Thanks,
> > >> > Ram
> > >> >
> > >>
> > >
> >
>
