From: rammohan ganapavarapu <rammohanganap@gmail.com>
To: user@zookeeper.apache.org
Date: Wed, 18 Dec 2019 11:14:27 -0800
Subject: Re: default value for quorum.auth.kerberos.servicePrincipal

OK, thank you!

On Tue, Dec 17, 2019 at 7:32 PM Rakesh Radhakrishnan wrote:

> As the name says, the "quorum.auth.kerberos.servicePrincipal" property is
> specifically for Kerberos based quorum authentication and there is no need
> to set anything if you are enabling digest-md5.
>
> Like mentioned earlier, its default value is "zkquorum/localhost" and it
> will never be used if you configure/enable digest-md5.
>
> Thanks,
> Rakesh
>
> On Mon, Dec 16, 2019 at 7:14 PM rammohan ganapavarapu <rammohanganap@gmail.com> wrote:
>
> > "quorum.auth.kerberos.servicePrincipal" this one
> >
> > On Sun, Dec 15, 2019, 9:33 PM Rakesh Radhakrishnan wrote:
> >
> > > OK, got it.
> > >
> > > >>>> Even if i enable sasl but md5-diget what should be this property set to,
> > > Could you please name the specific property you are referring to.
> > >
> > > Hope you are talking about the "DIGEST-MD5" mechanism?
> > >
> > > String[] mechs = { "DIGEST-MD5" };
> > >
> > > Presently the execution flow is that, if there is no subject.getPrincipals()
> > > in the jaas config then it must not be GSSAPI and it falls back to check the
> > > DIGEST-MD5 details in the jaas config.
> > > Whenever a user wants to enable DIGEST-MD5, they have to define the JAAS
> > > configuration file with DIGEST-MD5 configs like below, and there is no
> > > default value for this mechanism.
> > >
> > > QuorumServer {
> > >     org.apache.zookeeper.server.auth.DigestLoginModule required
> > >     user_test1="mypassword";
> > > };
> > >
> > > QuorumLearner {
> > >     org.apache.zookeeper.server.auth.DigestLoginModule required
> > >     user_test2="mypassword";
> > > };
> > >
> > > Populate the DIGEST-MD5 user -> password map for the "QuorumServer" and
> > > "QuorumLearner" sections. Usernames are distinguished from other options by
> > > prefixing the username with a "user_" prefix.
> > >
> > > Hope it's clear to you.
> > >
> > > Thanks,
> > > Rakesh
> > >
> > > On Fri, Dec 13, 2019 at 9:45 PM rammohan ganapavarapu <rammohanganap@gmail.com> wrote:
> > >
> > > > Hi Rakesh,
> > > >
> > > > Right now I am not enabling sasl, but I am trying to define all default
> > > > properties and should be able to use them once sasl is enabled with
> > > > override values. So my question is, for digest auth do we even need this
> > > > property? I remember seeing that if I don't set that property it was using
> > > > the default value "zkquorum/localhost".
> > > >
> > > > Thanks,
> > > > Ram
> > > >
> > > > On Thu, Dec 12, 2019 at 11:06 PM Rakesh Radhakrishnan <rakeshr@apache.org> wrote:
> > > >
> > > > > Hi Ram,
> > > > >
> > > > > ZooKeeper Quorum authentication supports two schemes, Kerberos or
> > > > > DIGEST-MD5. The user has to configure either Kerb or digest configuration
> > > > > values. Both together are not required.
> > > > >
> > > > > I'd recommend you to go through the Kerberos and digest simulation unit
> > > > > test cases where we have valid and invalid scenarios. Hope this would
> > > > > give an idea about the required configs.
> > > > >
> > > > > https://github.com/apache/zookeeper/blob/master/zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/auth/QuorumDigestAuthTest.java
> > > > >
> > > > > https://github.com/apache/zookeeper/blob/master/zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/auth/QuorumKerberosHostBasedAuthTest.java
> > > > >
> > > > > Could you describe the issues that trouble you in setting up quorum
> > > > > auth, if any.
> > > > >
> > > > > Thanks,
> > > > > Rakesh
> > > > >
> > > > > On Fri, Dec 13, 2019 at 3:49 AM rammohan ganapavarapu <rammohanganap@gmail.com> wrote:
> > > > >
> > > > > > Hi,
> > > > > >
> > > > > > Even if I enable sasl but with md5-digest, what should this property
> > > > > > be set to? Does this property only take effect for kerberos, or for
> > > > > > both?
> > > > > >
> > > > > > Ram
> > > > > >
> > > > > > On Fri, Dec 6, 2019 at 7:55 AM rammohan ganapavarapu <rammohanganap@gmail.com> wrote:
> > > > > >
> > > > > > > Mate,
> > > > > > >
> > > > > > > Thank you, I did search the source code and found the same. I am
> > > > > > > trying to create a zoo conf with all default properties.
> > > > > > >
> > > > > > > Ram
> > > > > > >
> > > > > > > On Fri, Dec 6, 2019, 2:44 AM Mate Szalay-Beko wrote:
> > > > > > >
> > > > > > >> Hi Ram,
> > > > > > >>
> > > > > > >> this parameter needs to be defined when you want to enable secure
> > > > > > >> authentication in the communication between ZooKeeper servers. In
> > > > > > >> general, the 'principal' is a 'username' that you want your
> > > > > > >> ZooKeeper servers to use when they talk with each other. Ideally
> > > > > > >> you have a central Kerberos service somewhere where this principal
> > > > > > >> is already registered.
> > > > > > >> A kerberos principal is usually in the form of
> > > > > > >> "user_or_service_name/host@realm" (some more explanation:
> > > > > > >> https://ssimo.org/blog/id_016.html)
> > > > > > >>
> > > > > > >> According to the source code, the default value of
> > > > > > >> quorum.auth.kerberos.servicePrincipal is "zkquorum/localhost". But
> > > > > > >> I think if you don't enable the quorum SASL in ZooKeeper, then this
> > > > > > >> property will never be actually used.
> > > > > > >>
> > > > > > >> Please see this page about SASL in ZooKeeper:
> > > > > > >> https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+and+SASL
> > > > > > >>
> > > > > > >> I also found a Cloudera blogpost on the topic:
> > > > > > >> https://blog.cloudera.com/hardening-apache-zookeeper-security-sasl-quorum-peer-mutual-authentication-and-authorization/
> > > > > > >>
> > > > > > >> Cheers,
> > > > > > >> Mate
> > > > > > >>
> > > > > > >> On Thu, Dec 5, 2019 at 11:50 PM rammohan ganapavarapu <rammohanganap@gmail.com> wrote:
> > > > > > >>
> > > > > > >> > Hi,
> > > > > > >> >
> > > > > > >> > What is the default value for this property if I don't enable
> > > > > > >> > sasl, and if I don't define it, what will be the value?
> > > > > > >> >
> > > > > > >> > quorum.auth.kerberos.servicePrincipal
> > > > > > >> >
> > > > > > >> > Also, what does this mean: "servicename/_HOST"
> > > > > > >> >
> > > > > > >> > Thanks,
> > > > > > >> > Ram
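As an added illustration of the rules Rakesh describes in the thread (this is not code from the thread or from the ZooKeeper project), the Python below parses JAAS sections of the shape shown above, builds the per-section user -> password map from options carrying the `user_` prefix, treats a section as GSSAPI only when it carries a Kerberos `principal` option (a stand-in for the subject.getPrincipals() check), and consults quorum.auth.kerberos.servicePrincipal, defaulting to "zkquorum/localhost", only in that case. The sample JAAS text and its `debug` option are constructed for the example.

```python
import re

# Constructed sample in the shape of the thread's JAAS sections (not taken from
# the ZooKeeper project); "debug" is a hypothetical non-user option.
SAMPLE_JAAS = """
QuorumServer {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    debug="true"
    user_test1="mypassword"
    user_test2="otherpassword";
};
QuorumLearner {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    user_test2="otherpassword";
};
"""
SECTION_RE = re.compile(r"(\w+)\s*\{(.*?)\};", re.S)
OPTION_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
DEFAULT_SERVICE_PRINCIPAL = "zkquorum/localhost"  # default quoted in the thread

def parse_jaas(text):
    """Map each JAAS section name to its login module class and option dict."""
    sections = {}
    for name, body in SECTION_RE.findall(text):
        module = body.split()[0]              # first token is the login module
        options = dict(OPTION_RE.findall(body))
        sections[name] = {"module": module, "options": options}
    return sections

def digest_users(section):
    """DIGEST-MD5 user -> password map: only options with the user_ prefix count."""
    return {k[len("user_"):]: v for k, v in section["options"].items()
            if k.startswith("user_")}

def quorum_mechanism(section):
    """GSSAPI only when the section carries a Kerberos principal (stand-in for
    the subject.getPrincipals() check); otherwise fall back to DIGEST-MD5."""
    return "GSSAPI" if "principal" in section["options"] else "DIGEST-MD5"

def service_principal(section, configured=None):
    """quorum.auth.kerberos.servicePrincipal is consulted only for GSSAPI."""
    if quorum_mechanism(section) != "GSSAPI":
        return None
    return configured or DEFAULT_SERVICE_PRINCIPAL

def missing_digest_users(sections):
    """DIGEST-MD5 sections with no user_ entries: there is no default credential."""
    return [n for n, s in sections.items()
            if quorum_mechanism(s) == "DIGEST-MD5" and not digest_users(s)]
```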