[
https://issues.apache.org/jira/browse/ZOOKEEPER-1045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15627361#comment-15627361
]
Andrew Purtell commented on ZOOKEEPER-1045:
-------------------------------------------
I posted details of a worked example to dev@, using the 3.4 patch on this issue
applied to 3.4.9. The feature seems to basically work in that I can see a
quorum bootstrap with successful authentication, and specifying an incorrect
principal in the configuration of an instance or making the keytab unreadable
will prevent that. Suggestions on a hammer test to try now?
One nit I noticed is with Java 8 (OpenJDK 8u112 specifically) - and I believe
recent versions of Java 7 will have the same behavior - if you do not use
precisely the form <principal>/_HOST for quorum.auth.kerberos.servicePrincipal
the JRE will throw exceptions during configuration file processing. The
instructions in the PDF attached to this issue suggest you can use other name
formats like <principal>@<realm> or <principal>/<fqdn>@<realm> but I had
trouble with those. Could be a local JRE issue or have been operator error I
suppose. You may want to try out a few variations when testing this feature.
> Support Quorum Peer mutual authentication via SASL
> --------------------------------------------------
>
> Key: ZOOKEEPER-1045
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1045
> Project: ZooKeeper
> Issue Type: New Feature
> Components: quorum, security
> Reporter: Eugene Koontz
> Assignee: Rakesh R
> Priority: Critical
> Fix For: 3.4.10, 3.5.3
>
> Attachments: 0001-ZOOKEEPER-1045-br-3-4.patch,
> 1045_failing_phunt.tar.gz, HOST_RESOLVER-ZK-1045.patch, QuorumPeer Mutual
> Authentication Via Sasl Feature Doc - 2016-Sep-25.pdf,
> TEST-org.apache.zookeeper.server.quorum.auth.QuorumAuthUpgradeTest.txt,
> ZK-1045-test-case-failure-logs.zip, ZOOKEEPER-1045 Test Plan.pdf,
> ZOOKEEPER-1045-00.patch, ZOOKEEPER-1045-Rolling Upgrade Design Proposal.pdf,
> ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch,
> ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch,
> ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch,
> ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch,
> ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch,
> ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045TestValidationDesign.pdf,
> org.apache.zookeeper.server.quorum.auth.QuorumAuthUpgradeTest.testRollingUpgrade.log
>
>
> ZOOKEEPER-938 addresses mutual authentication between clients and servers.
> This bug, on the other hand, is for authentication among quorum peers.
> Hopefully much of the work done on SASL integration with Zookeeper for
> ZOOKEEPER-938 can be used as a foundation for this enhancement.
> Review board: https://reviews.apache.org/r/47354/
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
