[
https://issues.apache.org/jira/browse/ZOOKEEPER-1469?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Himanshu Vashishtha resolved ZOOKEEPER-1469.
--------------------------------------------
Resolution: Fixed
I enabled the cross realm hbase replication after adding rules for zookeeper
and hadoop.
So, the steps are:
* Add tgt principals for cross realm: add principals
krbtgt/[email protected] and krbtgt/[email protected], in both the realms.
* Add rules in the slave zookeeper quorum to let it create the short names
based on the incoming principal, using the system property:
-Dzookeeper.security.auth_to_local=RULE:[2:\$1@\$0](.*@\\QFIRST.COM\\E$)s/@\\QFIRST.COM\\E$//DEFAULT
* Add rules in the core-site.xml of the slave cluster hadoop setup:
{code}
<property>
  <name>hadoop.security.auth_to_local</name>
  <value>
    RULE:[2:$1@$0](.*@\QFIRST.COM\E$)s/@\QFIRST.COM\E$//
    DEFAULT
  </value>
</property>
{code}
The above rules are for principals which have both service and instance in them
(service/instance@REALM).
Regarding -requires_preauth, it's documented in the MIT docs. But then when I
used that, I was getting errors to do the same for zookeeper, and hadoop
principals too. So, I went ahead with the default ones (which require
pre_auth). Closing out this jira now.
Thanks to Eugene and Patrick.
> Adding Cross-Realm support for secure Zookeeper
> -----------------------------------------------
>
> Key: ZOOKEEPER-1469
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1469
> Project: ZooKeeper
> Issue Type: Improvement
> Components: c client, server
> Affects Versions: 3.4.3
> Reporter: Himanshu Vashishtha
> Attachments: SaslServerCallBackHandlerException.patch
>
>
> There is a use case where one needs to support cross realm authentication for
> zookeeper cluster. One use case is HBase Replication: HBase supports
> replicating data to multiple slave clusters, where the latter might be running
> in different realms. With current zookeeper security, the region servers of
> the master HBase cluster are not able to query the zookeeper quorum members of
> the slave cluster. This jira is about adding such Xrealm support.
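The following is an added example, not part of the original message or of ZooKeeper or Hadoop code: a simplified model of auth_to_local evaluation that shows which principals the rule quoted above maps to a short name. The local realm name `SLAVE.EXAMPLE`, the sample principals and the function names are constructed for illustration.

```python
import re

# Simplified model of Hadoop-style auth_to_local evaluation (assumption: only
# RULE:[n:fmt](regex)s/from/to/ and DEFAULT are handled).
RULE_RE = re.compile(r"\s*(?:(DEFAULT)|RULE:\[(\d+):([^\]]*)\]"
                     r"(?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?)")

def java_to_py(pattern):
    """Translate Java's \\Q...\\E literal quoting, which Python's re lacks."""
    return re.sub(r"\\Q(.*?)\\E", lambda m: re.escape(m.group(1)), pattern)

def parse_rules(text):
    rules, pos = [], 0
    while text[pos:].strip():
        m = RULE_RE.match(text, pos)
        if not m:
            raise ValueError("unparseable rule at: " + text[pos:])
        rules.append(m.groups())
        pos = m.end()
    return rules

def to_short_name(principal, rules, default_realm):
    name, _, realm = principal.partition("@")
    parts = name.split("/")
    for is_default, n, fmt, match, s_from, s_to, s_g in rules:
        if is_default:
            if realm == default_realm:
                return parts[0]
            continue
        if int(n) != len(parts):
            continue  # [2:...] applies only to service/instance principals
        fields = [realm] + parts  # $0 is the realm, $1.. the components
        base = re.sub(r"\$(\d)", lambda m: fields[int(m.group(1))], fmt)
        if match is not None and not re.fullmatch(java_to_py(match), base):
            continue
        if s_from is not None:
            base = re.sub(java_to_py(s_from), s_to, base, count=0 if s_g else 1)
        return base
    return None  # no rule matched: the principal has no local short name

# Rules from the page; LOCAL_REALM and the principals are constructed samples.
RULES = parse_rules(r"RULE:[2:$1@$0](.*@\QFIRST.COM\E$)s/@\QFIRST.COM\E$// DEFAULT")
LOCAL_REALM = "SLAVE.EXAMPLE"

if __name__ == "__main__":
    for p in ("hbase/rs1.first.com@FIRST.COM", "hbase/rs1@SLAVE.EXAMPLE",
              "alice@FIRST.COM", "hbase/rs1@THIRD.EXAMPLE"):
        print(p, "->", to_short_name(p, RULES, LOCAL_REALM))
```

Because the rule strips the realm, `hbase` from FIRST.COM and the local `hbase` resolve to the same short name, so ACLs on the slave cluster treat them as one identity; single-component principals from FIRST.COM and principals from any other realm get no mapping.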