[
https://issues.apache.org/jira/browse/ZOOKEEPER-1045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15396386#comment-15396386
]
Patrick Hunt commented on ZOOKEEPER-1045:
-----------------------------------------
Rakesh - I don't think we can rely on the "host" from the zoo.cfg file; it
might be the host name, it might be an IP address, it might be an FQDN, and it
might not match whatever is in the Kerberos credential.

I chatted with the HDFS and HBase folks briefly, and what they mentioned to me
was that they look at the user and domain portion of the user/host@domain
principal, and don't compare the host portion. This is why it's a bit more
complicated than a simple string comparison as we originally had it in this
patch. This would provide the authz at the user and domain level, while not
constraining the host. Given we aren't using shared credentials, I believe this
is sufficient - the ZK servers would authenticate each of the ZK servers with
Kerberos, then check that the user and domain are correct. ZK servers would have
a dedicated user name such as "zk-quorum-peer" or something like that. Another
way to say it is that we are authorizing the servers by user id, which is
unique to an ensemble of quorum peers, and that is sufficient within a domain.

Note that I'm not an expert at this stuff myself. Does what I'm saying make
sense? Perhaps we should get on a hangout and discuss f2f for a bit? I'm open
to that if you think it would help figure out the right approach.
> Support Quorum Peer mutual authentication via SASL
> --------------------------------------------------
>
> Key: ZOOKEEPER-1045
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1045
> Project: ZooKeeper
> Issue Type: New Feature
> Components: server
> Reporter: Eugene Koontz
> Assignee: Rakesh R
> Priority: Critical
> Fix For: 3.4.9, 3.5.3
>
> Attachments: 0001-ZOOKEEPER-1045-br-3-4.patch,
> 1045_failing_phunt.tar.gz,
> TEST-org.apache.zookeeper.server.quorum.auth.QuorumAuthUpgradeTest.txt,
> ZK-1045-test-case-failure-logs.zip, ZOOKEEPER-1045-00.patch,
> ZOOKEEPER-1045-Rolling Upgrade Design Proposal.pdf,
> ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch,
> ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch,
> ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch,
> ZOOKEEPER-1045TestValidationDesign.pdf
>
>
> ZOOKEEPER-938 addresses mutual authentication between clients and servers.
> This bug, on the other hand, is for authentication among quorum peers.
> Hopefully much of the work done on SASL integration with Zookeeper for
> ZOOKEEPER-938 can be used as a foundation for this enhancement.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
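The matching rule discussed in the comment above (authorize a peer by the user and domain of its user/host@domain principal and ignore the host) as an added Python illustration. This is not ZooKeeper's code and is not taken from the ticket or its patches; the principal grammar follows the MIT Kerberos string form (components split on unescaped '/', realm after unescaped '@', backslash escapes), and the user name "zk-quorum-peer", the realm "EXAMPLE.COM" and the sample principals are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class Principal:
    """Components of a Kerberos principal "primary[/instance]@REALM"."""
    primary: str             # the user part, e.g. "zk-quorum-peer"
    instance: Optional[str]  # the host part, e.g. "zk1.example.com"; None if absent
    realm: str               # e.g. "EXAMPLE.COM"


def parse_principal(text: str) -> Principal:
    """Parse the MIT-style string form of a principal.

    Unescaped '/' separates name components and unescaped '@' introduces the
    realm; a backslash escapes the following character, so "a\\/b@R" has the
    primary "a/b".  Anything that is not exactly primary[/instance]@REALM is
    rejected, because the authorization check below keys on the primary and
    realm only and must not be fooled by a name such as "zk@GOOD.REALM@EVIL".
    """
    parts: List[str] = [""]   # chunks between unescaped separators
    seps: List[str] = []      # the separators seen, in order
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            if i + 1 == len(text):
                raise ValueError("dangling escape in principal %r" % text)
            parts[-1] += text[i + 1]
            i += 2
            continue
        if ch in "/@":
            seps.append(ch)
            parts.append("")
        else:
            parts[-1] += ch
        i += 1

    # Exactly one '@', and it must be the last separator: no '/' inside the
    # realm and no second realm glued on after it.
    if seps.count("@") != 1 or seps[-1] != "@":
        raise ValueError("malformed principal %r" % text)
    name_parts, realm = parts[:-1], parts[-1]
    if len(name_parts) > 2 or not all(name_parts) or not realm:
        raise ValueError("malformed principal %r" % text)
    instance = name_parts[1] if len(name_parts) == 2 else None
    return Principal(name_parts[0], instance, realm)


@dataclass(frozen=True)
class QuorumAuthPolicy:
    """Authorize a peer by (primary, realm); the instance/host is not compared.

    Comparisons are exact and case-sensitive, as Kerberos names are. A peer in
    a different realm, or in the same realm with a different primary, is
    refused even though Kerberos authenticated it successfully.
    """
    allowed_users: FrozenSet[str]   # assumed allow-list, e.g. {"zk-quorum-peer"}
    realm: str                      # the ensemble's realm, e.g. "EXAMPLE.COM"

    def is_authorized_peer(self, authenticated_principal: str) -> bool:
        try:
            p = parse_principal(authenticated_principal)
        except ValueError:
            return False          # unparsable names fail closed
        return p.primary in self.allowed_users and p.realm == self.realm


def evaluate(policy: QuorumAuthPolicy, principals: Iterable[str]) -> Dict[str, bool]:
    """Run the policy over several principals; handy for a quick table."""
    return {name: policy.is_authorized_peer(name) for name in principals}


# Constructed sample principals (assumed names; not from the ticket).
SAMPLE_PRINCIPALS = [
    "zk-quorum-peer/zk1.example.com@EXAMPLE.COM",  # FQDN instance
    "zk-quorum-peer/10.0.0.7@EXAMPLE.COM",        # IP instance: still fine
    "zk-quorum-peer@EXAMPLE.COM",                 # no instance at all
    "hbase/zk1.example.com@EXAMPLE.COM",          # right realm, wrong user
    "zk-quorum-peer/zk1.example.com@EVIL.COM",    # right user, wrong realm
    "zk-quorum-peer@example.com",                 # realm case differs
    "zk-quorum-peer@EXAMPLE.COM@EVIL.COM",        # malformed, fails closed
    "zk-quorum-peer/zk1.example.com",             # no realm, fails closed
]

if __name__ == "__main__":
    policy = QuorumAuthPolicy(frozenset({"zk-quorum-peer"}), "EXAMPLE.COM")
    for name, ok in evaluate(policy, SAMPLE_PRINCIPALS).items():
        print("%-48s %s" % (name, "authorized" if ok else "REFUSED"))
```

The first three sample names show why dropping the host comparison matters: the same peer identity authenticates with an FQDN, an IP address or no instance at all, which is exactly the zoo.cfg mismatch the comment warns about. The last two show the parsing caveat a practitioner wants: if the check were a substring or split-on-'@' comparison, a principal carrying a second '@' or lacking a realm could slip past a (user, realm) test, so the parser rejects anything that is not a single well-formed primary[/instance]@REALM and the policy fails closed on a parse error. Hadoop's hadoop.security.auth_to_local rules do the comparable short-name mapping for HDFS and HBase, and the DEFAULT rule there likewise only maps principals from the cluster's own realm.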