zookeeper-user mailing list archives

From rammohan ganapavarapu <rammohanga...@gmail.com>
Subject Re: default value for quorum.auth.kerberos.servicePrincipal
Date Wed, 18 Dec 2019 19:14:27 GMT
OK, thank you!

On Tue, Dec 17, 2019 at 7:32 PM Rakesh Radhakrishnan <rakeshr@apache.org>
wrote:

> As the name says, "quorum.auth.kerberos.servicePrincipal" property is
> specifically for Kerberos based quorum authentication and no need to set
> anything if you are enabling digest-md5.
>
> Like mentioned earlier, its default value is "zkquorum/localhost" and it
> will never be used if you configure/enable digest-md5.
>
> Thanks,
> Rakesh
>
> On Mon, Dec 16, 2019 at 7:14 PM rammohan ganapavarapu <rammohanganap@gmail.com> wrote:
>
> > "quorum.auth.kerberos.servicePrincipal" this one
> >
> > On Sun, Dec 15, 2019, 9:33 PM Rakesh Radhakrishnan <rakeshr@apache.org> wrote:
> >
> > > OK, got it.
> > >
> > > >>>> Even if i enable sasl but md5-digest what should be this property set to,
> > > Could you please name the specific property you are referring to.
> > >
> > > Hope you are talking about "DIGEST-MD5" mechanism ? String[] mechs = { "DIGEST-MD5" };
> > >
> > > Presently the execution flow is that, if there is no subject.getPrincipals()
> > > in jaas config then it must not be GSSAPI and fallback to check DIGEST-MD5
> > > details in jaas config.
> > > Whenever user want to enable DIGEST-MD5, they have to define the JAAS
> > > configuration file with DIGEST-MD5 configs like below and there is no
> > > default value for this mechanism.
> > >      QuorumServer {
> > >        org.apache.zookeeper.server.auth.DigestLoginModule required
> > >        user_test1="mypassword";
> > >      };
> > >
> > >      QuorumLearner {
> > >        org.apache.zookeeper.server.auth.DigestLoginModule required
> > >        user_test2=" mypassword";
> > >      };
> > >
> > > Populate DIGEST-MD5 user -> password map for the "QuorumServer",
> > > "QuorumLearner" section.
> > > Usernames are distinguished from other options by prefixing the username
> > > with a "user_" prefix.
> > >
> > > Hope it's clear to you.
> > >
> > > Thanks,
> > > Rakesh
> > >
> > > On Fri, Dec 13, 2019 at 9:45 PM rammohan ganapavarapu <rammohanganap@gmail.com> wrote:
> > >
> > > > Hi Rakesh,
> > > >
> > > > Right now i am not enabling sasl but i am trying to define all default
> > > > properties and should be able to use them once sasl is enabled with
> > > > override values. So my question is for digest auth do we even need this
> > > > property? i remember seeing if i don't set that property it was using the
> > > > default value "zkquorum/localhost".
> > > >
> > > > Thanks,
> > > > Ram
> > > >
> > > > On Thu, Dec 12, 2019 at 11:06 PM Rakesh Radhakrishnan <rakeshr@apache.org> wrote:
> > > >
> > > > > Hi Ram,
> > > > >
> > > > > ZooKeeper Quorum authentication supports two schemes, Kerberos or
> > > > > DIGEST-MD5. User has to configure either Kerb or digest configuration
> > > > > values. Both together not required.
> > > > >
> > > > > I'd recommend you to go through Kerberos, digest simulation unit test
> > > > > cases where we have valid and invalid scenarios. Hope this would give an
> > > > > idea about the required configs.
> > > > >
> > > > > https://github.com/apache/zookeeper/blob/master/zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/auth/QuorumDigestAuthTest.java
> > > > > https://github.com/apache/zookeeper/blob/master/zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/auth/QuorumKerberosHostBasedAuthTest.java
> > > > >
> > > > > Could you describe the issues that trouble you in setting up quorum
> > > > > auth, if any.
> > > > >
> > > > > Thanks,
> > > > > Rakesh
> > > > >
> > > > > On Fri, Dec 13, 2019 at 3:49 AM rammohan ganapavarapu <rammohanganap@gmail.com> wrote:
> > > > >
> > > > > > Hi,
> > > > > >
> > > > > > Even if i enable sasl but md5-digest what should be this property set
> > > > > > to, does this property only take effect for kerberos or for both?
> > > > > >
> > > > > > Ram
> > > > > >
> > > > > > On Fri, Dec 6, 2019 at 7:55 AM rammohan ganapavarapu <rammohanganap@gmail.com> wrote:
> > > > > >
> > > > > > > Mate,
> > > > > > >
> > > > > > > Thank you, I did search the source code and found the same, I am
> > > > > > > trying to create a zoo conf with all default properties.
> > > > > > >
> > > > > > > Ram
> > > > > > >
> > > > > > > On Fri, Dec 6, 2019, 2:44 AM Mate Szalay-Beko <mszalay@cloudera.com.invalid> wrote:
> > > > > > >
> > > > > > > > Hi Ram,
> > > > > > > >
> > > > > > > > this parameter needs to be defined when you want to enable secure
> > > > > > > > authentication in the communication between ZooKeeper servers. In
> > > > > > > > general, the 'principal' is a 'username' that you want your
> > > > > > > > ZooKeeper servers to use when they talk with each other. Ideally
> > > > > > > > you have a central Kerberos service somewhere where this principal
> > > > > > > > is already registered.
> > > > > > > > A kerberos principal is usually in the form of
> > > > > > > > "user_or_service_name/host@realm" (some more explanation:
> > > > > > > > https://ssimo.org/blog/id_016.html)
> > > > > > > >
> > > > > > > > According to the source code, the default value of
> > > > > > > > quorum.auth.kerberos.servicePrincipal is "zkquorum/localhost". But I
> > > > > > > > think if you don't enable the quorum SASL in ZooKeeper, then this
> > > > > > > > property will never actually be used.
> > > > > > > >
> > > > > > > > Please see this page about SASL in ZooKeeper:
> > > > > > > > https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+and+SASL
> > > > > > > >
> > > > > > > > I also found a Cloudera blogpost on the topic:
> > > > > > > > https://blog.cloudera.com/hardening-apache-zookeeper-security-sasl-quorum-peer-mutual-authentication-and-authorization/
> > > > > > > >
> > > > > > > > Cheers,
> > > > > > > > Mate
> > > > > > > >
> > > > > > > > On Thu, Dec 5, 2019 at 11:50 PM rammohan ganapavarapu <rammohanganap@gmail.com> wrote:
> > > > > > > >
> > > > > > > > > Hi,
> > > > > > > > >
> > > > > > > > > What is the default value for this property, if i don't enable
> > > > > > > > > sasl and if i don't define it what will be the value?
> > > > > > > > >
> > > > > > > > > quorum.auth.kerberos.servicePrincipal
> > > > > > > > >
> > > > > > > > > Also what does this mean "servicename/_HOST"
> > > > > > > > >
> > > > > > > > > Thanks,
> > > > > > > > > Ram
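A small config-linting script for the DIGEST-MD5 JAAS layout Rakesh describes above, added here as an example and not ZooKeeper's own code: it parses the QuorumServer and QuorumLearner sections, builds the user -> password map from the user_-prefixed options exactly as the thread states, and flags the leading space in the quoted QuorumLearner password, which would otherwise make the two peers' credentials silently disagree. The sample JAAS text is constructed from the snippet in the thread; the section names, login module and user_ prefix are taken from it, while the check names are my own.

```python
import re

# Constructed sample, modelled on the snippet in the thread (the leading
# space in the QuorumLearner password is reproduced as it was posted).
SAMPLE_JAAS = """
QuorumServer {
   org.apache.zookeeper.server.auth.DigestLoginModule required
   user_test1="mypassword";
};

QuorumLearner {
   org.apache.zookeeper.server.auth.DigestLoginModule required
   user_test2=" mypassword";
};
"""

DIGEST_MODULE = "org.apache.zookeeper.server.auth.DigestLoginModule"
SECTION_RE = re.compile(r"(\w+)\s*\{(.*?)\};", re.S)      # Name { ... };
OPTION_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')           # key="value"


def parse_jaas(text):
    """Return {section: {"module": first token, "options": {key: value}}}."""
    sections = {}
    for name, body in SECTION_RE.findall(text):
        tokens = body.split()
        sections[name] = {"module": tokens[0] if tokens else "",
                          "options": dict(OPTION_RE.findall(body))}
    return sections


def digest_users(section):
    """Options prefixed 'user_' are credentials; the rest are module flags."""
    return {k[len("user_"):]: v for k, v in section["options"].items()
            if k.startswith("user_")}


def check_quorum_digest(text):
    """Lint the two sections ZooKeeper reads for DIGEST-MD5 quorum auth."""
    findings, sections = [], parse_jaas(text)
    for name in ("QuorumServer", "QuorumLearner"):
        sec = sections.get(name)
        if sec is None:
            findings.append(f"{name}: section missing")
            continue
        if sec["module"] != DIGEST_MODULE:
            findings.append(f"{name}: login module is {sec['module'] or '<none>'}")
        users = digest_users(sec)
        if not users:
            findings.append(f'{name}: no user_<name>="<password>" entries')
        for user, pw in users.items():
            if pw != pw.strip():   # whitespace inside the quotes is part of the secret
                findings.append(f"{name}: password for {user!r} has leading/trailing whitespace")
    return findings
```

Run `check_quorum_digest(SAMPLE_JAAS)` to see the one finding the thread's own snippet produces.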
