[
https://issues.apache.org/jira/browse/BOOKKEEPER-391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15659408#comment-15659408
]
Rakesh R edited comment on BOOKKEEPER-391 at 11/12/16 10:15 AM:
----------------------------------------------------------------
bq. During the meeting we talked about this issue
I hope the discussion went well. Wish you all the best for your dev efforts.
bq. so we would need to add some "special" flag to make BookKeeper client use
the special entry instead of the default client entry
It would be good to avoid a boolean flag. Just a plain thought from me, probably
you could consider it while coding. How about making the {{clientLoginContext}}
section configurable? At the server side, admin could pass the value as
{{BookieAuditor}} and read the Kerb credential entries under this section. On
the other side, normal bk client could pass the value as {{BookKeeper}} so that
the user configured Kerb credential entries can be read from this section.
bq. Can you explain more deeply the purpose of having a special entry for the
Auditor ?
AutoRecovery is meant for replication purpose and iirc, this is designed as an
admin operated service. BK supports to start AutoRecovery service in either
embedded mode or start
[AutoRecovery|https://github.com/apache/bookkeeper/blob/master/bookkeeper-server/bin/bookkeeper#L207]
as a separate process. Since this is designed as an admin operated service,
I'd prefer to provide a provision to configure his own credentials rather than
using a normal bookkeeper client's credentials. If admin wants to use same
bookkeeper client's credentials to AutoRecovery then he could take a call and
configure the same in {{BookieAuditor}} principal entries section. Does this
make sense to you?
was (Author: rakeshr):
bq. During the meeting we talked about this issue
I hope the discussion went well. Wish you all the best for your dev efforts.
bq. Can you explain more deeply the purpose of having a special entry for the
Auditor ?
AutoRecovery is meant for replication purpose and iirc, this is designed as an
admin operated service. BK supports to start AutoRecovery service in either
embedded mode or start
[AutoRecovery|https://github.com/apache/bookkeeper/blob/master/bookkeeper-server/bin/bookkeeper#L207]
as a separate process. Since this is designed as an admin operated service,
I'd prefer to provide a provision to configure his own credentials rather than
using a normal bookkeeper client's credentials. If admin wants to use same
bookkeeper client's credentials to AutoRecovery then he could take a call and
configure the same in {{BookieAuditor}} principal entries section. Does this
make sense to you?
> Support Kerberos authentication of bookkeeper
> ---------------------------------------------
>
> Key: BOOKKEEPER-391
> URL: https://issues.apache.org/jira/browse/BOOKKEEPER-391
> Project: Bookkeeper
> Issue Type: New Feature
> Components: bookkeeper-client, bookkeeper-server
> Reporter: Rakesh R
> Assignee: Enrico Olivelli
>
> This JIRA is to discuss authentication mechanism of bookie clients and server.
> Assume ZK provides fully secured communication channel using Kerberos based
> authentication and authorization model. We could also manage and renew users
> authenticated to BK via Kerberos. There is currently no configuration or
> hooks for the Bookie process to obtain Kerberos credentials.
> Today an unauthenticated bookie client can easily establish connection with
> the bookkeeper server.
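The proposal in the comment above, selecting the JAAS section by a configurable {{clientLoginContext}} name instead of a boolean flag, as an added sketch that is not BookKeeper's code and not part of the thread. Only the section names {{BookKeeper}} and {{BookieAuditor}} and the {{clientLoginContext}} setting come from the comment; the class and method names, principals and keytab paths are constructed for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

public class JaasSectionSelection {
    // Constructed in-memory stand-in for a JAAS file holding both sections.
    static Configuration sampleJaas() {
        Map<String, AppConfigurationEntry[]> sections = new HashMap<>();
        sections.put("BookKeeper", krb5("bkclient@EXAMPLE.COM", "/path/to/bkclient.keytab"));
        sections.put("BookieAuditor", krb5("bkadmin@EXAMPLE.COM", "/path/to/bkadmin.keytab"));
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return sections.get(name); // null when the section is absent
            }
        };
    }

    // One keytab-based Krb5LoginModule entry, as a JAAS section would declare it.
    static AppConfigurationEntry[] krb5(String principal, String keyTab) {
        Map<String, String> opts = new HashMap<>();
        opts.put("useKeyTab", "true");
        opts.put("storeKey", "true");
        opts.put("keyTab", keyTab);
        opts.put("principal", principal);
        return new AppConfigurationEntry[] { new AppConfigurationEntry(
            "com.sun.security.auth.module.Krb5LoginModule", LoginModuleControlFlag.REQUIRED, opts) };
    }

    // Resolve the principal for the configured section name. Fail closed when the
    // section is missing: a LoginContext would otherwise fall back to the "other"
    // entry, so the admin service must not silently pick up different credentials.
    static String principalFor(Configuration jaas, String clientLoginContext) {
        AppConfigurationEntry[] entries = jaas.getAppConfigurationEntry(clientLoginContext);
        if (entries == null || entries.length == 0) {
            throw new IllegalStateException("No JAAS section named '" + clientLoginContext + "'");
        }
        return (String) entries[0].getOptions().get("principal");
    }

    public static void main(String[] args) {
        Configuration jaas = sampleJaas();
        System.out.println("normal client -> " + principalFor(jaas, "BookKeeper"));
        System.out.println("AutoRecovery  -> " + principalFor(jaas, "BookieAuditor"));
    }
}
```

With a real KDC, the same section name would be passed as the first argument of {{new LoginContext(name, subject, callbackHandler, jaas)}} to perform the Kerberos login.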