From: Rakesh Radhakrishnan
Date: Fri, 13 Dec 2019 12:35:56 +0530
Subject: Re: default value for quorum.auth.kerberos.servicePrincipal
To: user@zookeeper.apache.org

Hi Ram,

ZooKeeper Quorum authentication supports two schemes, Kerberos or DIGEST-MD5. User has to configure either Kerb or digest configuration values. Both together are not required.

I'd recommend you go through the Kerberos and digest simulation unit test cases, where we have valid and invalid scenarios. Hope this gives you an idea of the required configs.

https://github.com/apache/zookeeper/blob/master/zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/auth/QuorumDigestAuthTest.java
https://github.com/apache/zookeeper/blob/master/zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/auth/QuorumKerberosHostBasedAuthTest.java

Could you describe the issues that trouble you in setting up quorum auth, if any?

Thanks,
Rakesh

On Fri, Dec 13, 2019 at 3:49 AM rammohan ganapavarapu <rammohanganap@gmail.com> wrote:

> Hi,
>
> Even if I enable sasl but md5-digest, what should this property be set to?
> Does this property only take effect for kerberos, or for both?
>
> Ram
>
> On Fri, Dec 6, 2019 at 7:55 AM rammohan ganapavarapu <rammohanganap@gmail.com> wrote:
>
> > Mate,
> >
> > Thank you, I did search the source code and found the same. I am trying
> > to create a zoo conf with all default properties.
> >
> > Ram
> >
> > On Fri, Dec 6, 2019, 2:44 AM Mate Szalay-Beko wrote:
> >
> >> Hi Ram,
> >>
> >> this parameter needs to be defined when you want to enable secure
> >> authentication in the communication between ZooKeeper servers. In general,
> >> the 'principal' is a 'username' that you want your ZooKeeper servers to use
> >> when they talk with each other. Ideally you have a central Kerberos service
> >> somewhere where this principal is already registered.
> >> A kerberos principal is usually in the form of
> >> "user_or_service_name/host@realm" (some more explanation:
> >> https://ssimo.org/blog/id_016.html)
> >>
> >> According to the source code, the default value of
> >> quorum.auth.kerberos.servicePrincipal is "zkquorum/localhost".
> >> But I think if you don't enable the quorum SASL in ZooKeeper, then this
> >> property will never be actually used.
> >>
> >> Please see this page about SASL in ZooKeeper:
> >> https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+and+SASL
> >>
> >> I also found a Cloudera blogpost on the topic:
> >> https://blog.cloudera.com/hardening-apache-zookeeper-security-sasl-quorum-peer-mutual-authentication-and-authorization/
> >>
> >> Cheers,
> >> Mate
> >>
> >>
> >> On Thu, Dec 5, 2019 at 11:50 PM rammohan ganapavarapu <rammohanganap@gmail.com> wrote:
> >>
> >> > Hi,
> >> >
> >> > What is the default value for this property? If I don't enable sasl
> >> > and if I don't define it, what will be the value?
> >> >
> >> > quorum.auth.kerberos.servicePrincipal
> >> >
> >> > Also, what does this mean: "servicename/_HOST"?
> >> >
> >> > Thanks,
> >> > Ram
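
The defaults question in this thread, as an added example that is not part of the original messages or of ZooKeeper's code: a small Python check that resolves the effective quorum-auth settings from zoo.cfg text and reports what a defaults-only file leaves open. The `quorum.auth.kerberos.servicePrincipal` default is the one quoted above; the other three property names, their `false` defaults and the meaning of the require flags are assumptions taken from ZooKeeper's quorum SASL documentation, and `scheme` is a hypothetical parameter the caller supplies.

```python
# Added example, not ZooKeeper code. The servicePrincipal default is the one quoted in
# the thread; the other keys and their "false" defaults are assumed from ZooKeeper's docs.
DEFAULTS = {
    "quorum.auth.enableSasl": "false",
    "quorum.auth.learnerRequireSasl": "false",
    "quorum.auth.serverRequireSasl": "false",
    "quorum.auth.kerberos.servicePrincipal": "zkquorum/localhost",
}
PRINCIPAL = "quorum.auth.kerberos.servicePrincipal"

def parse_cfg(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit_quorum_auth(cfg_text, scheme):
    """Return (effective settings, findings). scheme is 'kerberos' or 'digest'; it is
    decided by the JAAS login configuration, which zoo.cfg does not show."""
    if scheme not in ("kerberos", "digest"):
        raise ValueError("scheme must be 'kerberos' or 'digest'")
    explicit = parse_cfg(cfg_text)
    eff = {key: explicit.get(key, default) for key, default in DEFAULTS.items()}
    findings = []
    if eff["quorum.auth.enableSasl"].lower() != "true":
        findings.append("quorum SASL is off: servers do not authenticate each other")
        if PRINCIPAL in explicit:
            findings.append(PRINCIPAL + " is set but unused while quorum SASL is off")
        return eff, findings
    for key in ("quorum.auth.learnerRequireSasl", "quorum.auth.serverRequireSasl"):
        if eff[key].lower() != "true":
            findings.append(key + " is not true: authentication is not enforced")
    if scheme == "kerberos" and eff[PRINCIPAL] == DEFAULTS[PRINCIPAL]:
        findings.append(PRINCIPAL + " is still the default zkquorum/localhost")
    if scheme == "digest" and PRINCIPAL in explicit:
        findings.append(PRINCIPAL + " is set, but DIGEST-MD5 does not require it")
    return eff, findings

# Constructed sample: quorum SASL switched on, the principal left unset.
SAMPLE_CFG = "quorum.auth.enableSasl=true\nquorum.auth.learnerRequireSasl=true\n"

if __name__ == "__main__":
    print(audit_quorum_auth(SAMPLE_CFG, "kerberos")[1])
```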