[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-1045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15357399#comment-15357399
 ] 

Dan Benediktson commented on ZOOKEEPER-1045:
--------------------------------------------

This is kind of a side comment on this topic, but please make sure you support 
the case where all the ZK hosts run as the same Kerberos principal. You don't 
have to support *only* that case, of course, but it's definitely how I would be 
deploying ZK when using Kerb auth.

The reason for running all the service instances with the same Kerb principal 
is to enable clients to do Kerberos AuthN to all the ZK hosts using a single 
DNS name, which is pretty common, I think; we certainly do it, so that we can 
scale out the ensemble for more throughput as needed. Since they're pointed at 
a single DNS name, the clients should always construct the same service 
principal name, so the client will get a ticket that's only good for a single 
Kerberos service principal. All the services must be running as that same 
principal, otherwise they won't be able to crack the Kerberos ticket. 
Basically, since the clients can't see a difference between the servers (due to 
the shared DNS name), and since the clients are authenticating the servers' 
Kerberos identity, the servers have to be identical (according to Kerberos 
identity). 
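
The constraint described in the comment can be checked mechanically before a rollout. The following is an added illustration, not code from the ZooKeeper project or the commenter: it assumes the common ZooKeeper convention that a client derives the service principal as `<service>/<connect host>@<REALM>` (with `zookeeper` as the default service name), and it uses a constructed three-node ensemble to show that a client connecting through one shared DNS name will only be able to authenticate to servers whose principal matches the one the client requested a ticket for.

```python
"""Sanity check for a ZooKeeper ensemble reached through one shared DNS name.

Assumed convention (not stated on the page): clients build the service
principal as "<service>/<connect host>@<REALM>" with service "zookeeper".
"""

DEFAULT_SERVICE = "zookeeper"


def expected_service_principal(connect_host: str, realm: str,
                               service: str = DEFAULT_SERVICE) -> str:
    """Principal a client asks the KDC for when connecting to `connect_host`.

    Principal names are case-sensitive, so normalise the host to lower case
    and the realm to upper case, matching the usual deployment conventions.
    """
    return f"{service}/{connect_host.lower()}@{realm.upper()}"


def parse_principal(principal: str) -> tuple:
    """Split 'service/host@REALM' into a normalised (service, host, realm)."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        raise ValueError(f"principal has no realm: {principal!r}")
    service, sep, host = name.partition("/")
    if not sep:
        raise ValueError(f"principal has no host component: {principal!r}")
    return service, host.lower(), realm.upper()


def check_ensemble(connect_host: str, realm: str,
                   server_principals: dict) -> dict:
    """Map each server to True if it can decrypt the client's service ticket.

    A server can only decrypt a ticket issued for the principal it runs as,
    so every server must be running as exactly the principal the client
    derives from the shared DNS name.
    """
    wanted = parse_principal(expected_service_principal(connect_host, realm))
    return {server: parse_principal(p) == wanted
            for server, p in server_principals.items()}


def misconfigured_servers(connect_host: str, realm: str,
                          server_principals: dict) -> list:
    """Names of servers a client using `connect_host` cannot authenticate to."""
    result = check_ensemble(connect_host, realm, server_principals)
    return sorted(server for server, ok in result.items() if not ok)


# Constructed sample ensemble: clients connect to zk.example.com, which
# resolves to all three hosts. zk3 was mistakenly given a per-host principal.
SAMPLE_ENSEMBLE = {
    "zk1.example.com": "zookeeper/zk.example.com@EXAMPLE.COM",
    "zk2.example.com": "zookeeper/zk.example.com@EXAMPLE.COM",
    "zk3.example.com": "zookeeper/zk3.example.com@EXAMPLE.COM",
}

if __name__ == "__main__":
    bad = misconfigured_servers("zk.example.com", "EXAMPLE.COM", SAMPLE_ENSEMBLE)
    print("client will request:",
          expected_service_principal("zk.example.com", "EXAMPLE.COM"))
    print("servers that cannot decrypt that ticket:", bad)
```

Run against a real deployment by replacing `SAMPLE_ENSEMBLE` with the principals from each server's JAAS configuration; any server listed by `misconfigured_servers` will reject clients that use the shared name, even though its own keytab and KDC registration are otherwise valid.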

> Support Quorum Peer mutual authentication via SASL
> --------------------------------------------------
>
>                 Key: ZOOKEEPER-1045
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1045
>             Project: ZooKeeper
>          Issue Type: New Feature
>          Components: server
>            Reporter: Eugene Koontz
>            Assignee: Rakesh R
>            Priority: Critical
>             Fix For: 3.4.9, 3.5.3
>
>         Attachments: 0001-ZOOKEEPER-1045-br-3-4.patch, 
> 1045_failing_phunt.tar.gz, ZK-1045-test-case-failure-logs.zip, 
> ZOOKEEPER-1045-00.patch, ZOOKEEPER-1045-Rolling Upgrade Design Proposal.pdf, 
> ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch, 
> ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch, 
> ZOOKEEPER-1045-br-3-4.patch
>
>
> ZOOKEEPER-938 addresses mutual authentication between clients and servers. 
> This bug, on the other hand, is for authentication among quorum peers. 
> Hopefully much of the work done on SASL integration with Zookeeper for 
> ZOOKEEPER-938 can be used as a foundation for this enhancement.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)