[ https://issues.apache.org/jira/browse/ZOOKEEPER-1045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15627361#comment-15627361 ]
Andrew Purtell commented on ZOOKEEPER-1045: ------------------------------------------- I posted details of a worked example to dev@, using the 3.4 patch on this issue applied to 3.4.9. The feature seems to basically work in that I can see a quorum bootstrap with successful authentication, and specifying an incorrect principal in the configuration of an instance or making the keytab unreadable will prevent that. Suggestions on a hammer test to try now? One nit I noticed is with Java 8 (OpenJDK 8u112 specifically) - and I believe recent versions of Java 7 will have the same behavior - if you do not use precisely the form <principal>/_HOST for quorum.auth.kerberos.servicePrincipal the JRE will throw exceptions during configuration file processing. The instructions in the PDF attached to this issue suggest you can use other name formats like <principal>@<realm> or <principal>/<fqdn>@<realm> but I had trouble with those. Could be a local JRE issue or have been operator error I suppose. You may want to try out a few variations when testing this feature. > Support Quorum Peer mutual authentication via SASL > -------------------------------------------------- > > Key: ZOOKEEPER-1045 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1045 > Project: ZooKeeper > Issue Type: New Feature > Components: quorum, security > Reporter: Eugene Koontz > Assignee: Rakesh R > Priority: Critical > Fix For: 3.4.10, 3.5.3 > > Attachments: 0001-ZOOKEEPER-1045-br-3-4.patch, > 1045_failing_phunt.tar.gz, HOST_RESOLVER-ZK-1045.patch, QuorumPeer Mutual > Authentication Via Sasl Feature Doc - 2016-Sep-25.pdf, > TEST-org.apache.zookeeper.server.quorum.auth.QuorumAuthUpgradeTest.txt, > ZK-1045-test-case-failure-logs.zip, ZOOKEEPER-1045 Test Plan.pdf, > ZOOKEEPER-1045-00.patch, ZOOKEEPER-1045-Rolling Upgrade Design Proposal.pdf, > ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch, > ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch, > ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch, > ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch, > ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch, > ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045TestValidationDesign.pdf, > org.apache.zookeeper.server.quorum.auth.QuorumAuthUpgradeTest.testRollingUpgrade.log > > > ZOOKEEPER-938 addresses mutual authentication between clients and servers. > This bug, on the other hand, is for authentication among quorum peers. > Hopefully much of the work done on SASL integration with Zookeeper for > ZOOKEEPER-938 can be used as a foundation for this enhancement. > Review board: https://reviews.apache.org/r/47354/ -- This message was sent by Atlassian JIRA (v6.3.4#6332)