[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-1469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13279676#comment-13279676
 ] 

Himanshu Vashishtha commented on ZOOKEEPER-1469:
------------------------------------------------

Let's say we have two REALMs: ABC.COM, and XYZ.COM. To enable Xrealm 
authentication, I added principals krbtgt/[email protected] and 
krbtgt/[email protected] with -require_preauth attribute, on both the clusters. 
Apart from that, I needed to modify the zookeeper principal to have 
-require_preauth attribute as it was giving a NO PREAUTH error:
{code}
May 19 14:36:46 c1230.hal.cloudera.com krb5kdc[21238](info): TGS_REQ (5 etypes 
{3 1 23 16 17}) 172.29.81.100: NO PREAUTH: authtime 0,  
hbase/[email protected] for 
zookeeper/[email protected], Generic error (see e-text)
{code}

I wonder whether this is the right approach, safe or unsafe? Please note that 
for the HBase replication use case, there can be a many-to-many relation... one 
cluster replicating data to multiple clusters and vice versa.

After enabling Xrealm, I get the following exception:
{code}
2012-05-19 22:47:26,529 [myid:] - ERROR 
[NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:SaslServerCallbackHandler@137] - 
Failed to set name based on Kerberos authentication rules.
{code}

This is because of the difference in the realm of client and server, and the 
RULE is set to DEFAULT: in 
SaslServerCallbackHandler->handleAuthorizeCallback, kerberosName.getShortName() 
throws an IOException.
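As an added illustration (not code from the ZooKeeper project or from the commenter), here is a Python re-implementation of the Hadoop-style auth_to_local rule evaluation that KerberosName.getShortName() performs, showing why a DEFAULT-only rule set rejects a principal from the other realm and how an explicit RULE maps it. The realm names, hostnames and the RULE line are assumed sample values, and the substitution uses Python re syntax rather than Hadoop's exact sed dialect.

```python
import re

# Constructed sample values (assumptions, not taken from the JIRA comment).
DEFAULT_REALM = "XYZ.COM"  # realm the ZooKeeper server itself belongs to
RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]+)\](?:\((.*?)\))?s/([^/]*)/([^/]*)/(g?)$")

def parse_principal(principal):
    """Split 'comp1/comp2@REALM' into (components, realm)."""
    if "@" not in principal:
        return principal.split("/"), ""
    name, _, realm = principal.rpartition("@")
    return name.split("/"), realm

def apply_rules(principal, rules, default_realm=DEFAULT_REALM):
    """Simplified auth_to_local: return the short name or raise IOError."""
    components, realm = parse_principal(principal)
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT only maps principals from the server's own realm;
            # a foreign-realm principal falls through to the next rule.
            if realm == default_realm:
                return components[0]
            continue
        m = RULE_RE.match(rule)
        if not m:
            raise ValueError("unparseable rule: " + rule)
        n, fmt, match_re, pattern, repl, flag = m.groups()
        if int(n) != len(components):
            continue
        # $0 is the realm, $1..$n are the principal components.
        candidate = fmt.replace("$0", realm)
        for i, comp in enumerate(components, 1):
            candidate = candidate.replace("$%d" % i, comp)
        if match_re and not re.fullmatch(match_re, candidate):
            continue
        short = re.sub(pattern, repl, candidate, count=0 if flag == "g" else 1)
        if "@" in short or "/" in short:
            raise IOError("rule %s left non-simple name %s" % (rule, short))
        return short
    # This is the path behind "Failed to set name based on Kerberos
    # authentication rules": no rule matched the client principal.
    raise IOError("No rules applied to " + principal)

def short_name_or_none(principal, rules):
    """Convenience wrapper: None where the server would log the error."""
    try:
        return apply_rules(principal, rules)
    except IOError:
        return None
```

With only DEFAULT, a client from ABC.COM gets no short name; adding a RULE that strips the foreign realm for two-component principals lets it through while local principals still resolve via DEFAULT.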
                
> Adding Cross-Realm support for secure Zookeeper
> -----------------------------------------------
>
>                 Key: ZOOKEEPER-1469
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1469
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: c client, server
>    Affects Versions: 3.4.3
>            Reporter: Himanshu Vashishtha
>
> There is a use case where one needs to support cross-realm authentication for 
> a zookeeper cluster. One use case is HBase Replication: HBase supports 
> replicating data to multiple slave clusters, where the latter might be running 
> in different realms. With current zookeeper security, the region servers of the 
> master HBase cluster are not able to query the zookeeper quorum members of 
> the slave cluster. This jira is about adding such Xrealm support.
