[ https://issues.apache.org/jira/browse/ZOOKEEPER-1045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15096966#comment-15096966 ]
Chris Nauroth commented on ZOOKEEPER-1045:
------------------------------------------

bq. Doesn't Kerberos have a requirement of timeout for session token etc.? Is Kerberos used widely for data transfer protocol channels?

I can speak to how this is done in Hadoop. The Hadoop daemons do authenticate via Kerberos, using a keytab file. The login is done once during initial startup of the daemon. After that, the daemon can authenticate to other remote daemons using the Kerberos ticket in SASL authentication.

There are some edge cases that need to be handled. Kerberos tickets have a maximum lifetime, after which it is no longer possible to renew. To handle this, Hadoop's RPC layer is capable of detecting an authentication failure during a connection attempt, and it will handle it by doing an automatic relogin of the same principal from the same keytab that was used during process startup. Another issue is that Kerberos infrastructure typically attempts to detect replay attacks by checking for multiple login attempts for the same principal within a short window. To handle that, we apply some backoff logic before trying again. It's tricky stuff, but it's solvable, and it has worked well for Hadoop.

bq. Two concerns that I have are: is it architecturally OK to enforce ZK to talk to an external server (perhaps on regular intervals) to form a quorum, and if that is OK, then is this the most widely used/requested feature by users?

You're right that overall availability then becomes tied to availability of the KDC. I don't have any perspective to offer on which approach is more widely requested by ZooKeeper users. I haven't personally received any requests for quorum peer authentication myself.
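The relogin-on-failure pattern described in the comment above, as an added illustrative model that is not Hadoop or ZooKeeper code. A fake KDC and a fake peer stand in for Kerberos and SASL so the two edge cases can be exercised offline: a ticket past its maximum lifetime is rejected by the peer, and the KDC refuses a second login for the same principal inside a short window. The daemon logs in once at startup, relogins from the same keytab only after an authentication failure, and backs off before each relogin. The principal name, keytab secret, 600 s ticket lifetime, 5 s repeated-login window, and doubling backoff are all assumed values for the simulation, not Hadoop defaults.

```python
"""Constructed model of keytab relogin with backoff (not Hadoop/ZooKeeper code)."""
from dataclasses import dataclass, field


class AuthError(Exception):
    """Authentication failed at the peer or at the KDC."""


class Clock:
    """Simulated wall clock (seconds) shared by KDC, daemon and peer."""
    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.t += seconds


@dataclass
class Ticket:
    principal: str
    expires: float

    def valid_at(self, now: float) -> bool:
        return now < self.expires


@dataclass
class FakeKdc:
    """Stand-in KDC: fixed max ticket life, rejects repeated logins in a window."""
    clock: Clock
    max_life: float = 600.0       # assumed maximum ticket lifetime
    replay_window: float = 5.0    # assumed repeated-login detection window
    keytabs: dict = field(default_factory=dict)     # principal -> keytab secret
    last_login: dict = field(default_factory=dict)  # principal -> last login time
    logins: int = 0

    def login(self, principal: str, keytab: str) -> Ticket:
        if self.keytabs.get(principal) != keytab:
            raise AuthError("bad keytab for " + principal)
        now = self.clock.now()
        last = self.last_login.get(principal)
        if last is not None and now - last < self.replay_window:
            raise AuthError("repeated login for %s within %.0fs" % (principal, self.replay_window))
        self.last_login[principal] = now
        self.logins += 1
        return Ticket(principal, now + self.max_life)


@dataclass
class FakePeer:
    """Remote daemon: completes the SASL handshake only for an unexpired ticket."""
    clock: Clock
    transient_failures: int = 0   # extra rejections to inject for the scenario

    def sasl_handshake(self, ticket: Ticket) -> str:
        if not ticket.valid_at(self.clock.now()):
            raise AuthError("ticket expired")
        if self.transient_failures > 0:
            self.transient_failures -= 1
            raise AuthError("transient SASL failure")
        return "session:" + ticket.principal


class Daemon:
    """Logs in once from a keytab at startup; relogins only on auth failure."""
    def __init__(self, principal, keytab, kdc, clock, base_backoff=1.0, max_attempts=6):
        self.principal, self.keytab, self.kdc, self.clock = principal, keytab, kdc, clock
        self.base_backoff, self.max_attempts = base_backoff, max_attempts
        self.ticket = kdc.login(principal, keytab)   # the single startup login
        self.relogins = 0

    def connect(self, peer: FakePeer) -> str:
        for attempt in range(self.max_attempts):
            try:
                return peer.sasl_handshake(self.ticket)
            except AuthError:
                pass
            # Back off before touching the KDC again; the delay doubles so that
            # consecutive relogins move outside the KDC's repeated-login window.
            self.clock.sleep(self.base_backoff * (2 ** attempt))
            try:
                self.ticket = self.kdc.login(self.principal, self.keytab)
                self.relogins += 1
            except AuthError:
                continue   # KDC throttled the relogin; next loop waits longer
        raise AuthError("could not authenticate to peer after relogin attempts")


def run_scenario() -> dict:
    """Startup login, then a connect after ticket expiry with one injected rejection."""
    clock = Clock()
    kdc = FakeKdc(clock, keytabs={"zk/host1@EXAMPLE.COM": "keytab-secret"})
    daemon = Daemon("zk/host1@EXAMPLE.COM", "keytab-secret", kdc, clock)
    peer = FakePeer(clock)
    fresh = daemon.connect(peer)            # t=0: startup ticket works, no relogin
    clock.sleep(kdc.max_life + 1)           # run past the ticket's maximum lifetime
    peer.transient_failures = 1             # the first fresh ticket is rejected once
    after = daemon.connect(peer)
    return {"fresh": fresh, "after_expiry": after, "relogins": daemon.relogins,
            "kdc_logins": kdc.logins, "finished_at": clock.now()}
```

In the scenario the expired ticket fails at t=601, the daemon backs off 1 s and relogins at t=602, the peer rejects once more, and the second relogin attempt at t=604 is refused by the KDC because it falls inside the 5 s window; the loop continues and the still-valid ticket from t=602 is accepted at t=604. The point is that a throttled relogin is survivable only because the daemon keeps the last good ticket and keeps backing off instead of retrying the KDC in a tight loop.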
> Quorum Peer mutual authentication
> ---------------------------------
>
>                 Key: ZOOKEEPER-1045
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1045
>             Project: ZooKeeper
>          Issue Type: New Feature
>          Components: server
>            Reporter: Eugene Koontz
>            Assignee: Rakesh R
>         Attachments: ZOOKEEPER-1045-00.patch, ZOOKEEPER-1045-Rolling Upgrade Design Proposal.pdf
>
>
> ZOOKEEPER-938 addresses mutual authentication between clients and servers.
> This bug, on the other hand, is for authentication among quorum peers.
> Hopefully much of the work done on SASL integration with Zookeeper for
> ZOOKEEPER-938 can be used as a foundation for this enhancement.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)