[jira] [Commented] (ZOOKEEPER-1045) Quorum Peer mutual authentication

Wed, 13 Jan 2016 12:10:58 -0800 

    [ 
https://issues.apache.org/jira/browse/ZOOKEEPER-1045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15096899#comment-15096899
 ] 

Powell Molleti commented on ZOOKEEPER-1045:
-------------------------------------------

Is it considered ok to enforce, a strong CA system like,  Zookeeper to connect 
to an external entity to get authenticated to form a quorum. Will the external 
entity be considered equal or more reliable than Zookeeper?. There is a 
difference in reading a key from local filesystem and reading key over socket 
from a remote machine. I see two layers of issues here,  single path networking 
to the authentication server and the HA capabilities of the authentication 
server it self.

Doesn't Kerberos have requirement of timeout for session token etc?. Is 
Kerberos used widely for data transfer protocol channels?. From my 
understanding it is pretty common to control user access to systems via 
Kerberos etc, I am unsure however w.r.t inter-cluster / inter-server channels. 

A quick survey of comparable/semi-comparable projects here:

- Etcd  [TLS/SSL for inter-node encryption | 
https://github.com/coreos/etcd/blob/master/Documentation/security.md]
- Consul  [TLS/SSL for inter-node encryption | 
https://www.consul.io/docs/internals/security.html]
- Cassandra [TLS/SSL for inter-node encryption | 
https://wiki.apache.org/cassandra/InternodeEncryption]
- Mongdb [TLS/SSL for intern-node encryption ? | 
http://s3.amazonaws.com/info-mongodb-com/MongoDB_Security_Architecture_WP.pdf]

Two concerns that I have are , is it architecturally ok to enforce ZK to talk 
to an external server(perhaps on regular intervals) to form a quorum and if 
that is ok then is this the most widely used/requested feature by users.

> Quorum Peer mutual authentication
> ---------------------------------
>
>                 Key: ZOOKEEPER-1045
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1045
>             Project: ZooKeeper
>          Issue Type: New Feature
>          Components: server
>            Reporter: Eugene Koontz
>            Assignee: Rakesh R
>         Attachments: ZOOKEEPER-1045-00.patch, ZOOKEEPER-1045-Rolling Upgrade 
> Design Proposal.pdf
>
>
> ZOOKEEPER-938 addresses mutual authentication between clients and servers. 
> This bug, on the other hand, is for authentication among quorum peers. 
> Hopefully much of the work done on SASL integration with Zookeeper for 
> ZOOKEEPER-938 can be used as a foundation for this enhancement.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to