[
https://issues.apache.org/jira/browse/ZOOKEEPER-3206?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Stephane Maarek updated ZOOKEEPER-3206:
---------------------------------------
Description:
We're using Active Directory, and created service principals this way:
{code}
ktpass -princ ZOOKEEPER/host-1@TEST -mapuser zookeeper -mapOp add -Target TEST
ktpass -princ ZOOKEEPER/host-2@TEST -mapuser zookeeper -mapOp add -Target TEST
ktpass -princ ZOOKEEPER/host-3@TEST -mapuser zookeeper -mapOp add -Target TEST
{code}
Using this format, one is not able to do {code}kinit ZOOKEEPER/host-1@TEST{code}, but one is able to do {code}kinit zookeeper@TEST -S ZOOKEEPER/host-1@TEST{code} to obtain a service ticket.
In the Kafka project, it is fine for the JAAS file to have {code}principal="kafka@TEST"{code}, and automatically it seems it acquires the correct service ticket (I'm not sure how).
In zookeeper, things fail when a client tries to connect, due to this line:
https://github.com/apache/zookeeper/blob/master/zookeeper-server/src/main/java/org/apache/zookeeper/util/SecurityUtils.java#L170
It'd be great for Zookeeper server to have the same kind of mechanism as Kafka
for accepting client connections. This would allow us to have
{code}principal="zookeeper@TEST"{code} in JAAS. Otherwise, maybe support a JAAS
new option so we can explicitly name the service ?
FYI - trying {code}principal="zookeeper/host-1@TEST"{code} does not work: due to how Active Directory works, it complains that the credentials cannot be found in the database (as we try to authenticate using the service name, not the user name).
I'm attaching some documentation I find relevant:
https://serverfault.com/questions/682374/client-not-found-in-kerberos-database-while-getting-initial/683058#683058
was:
We're using Active Directory, and created service principals this way:
{code}
ktpass -princ ZOOKEEPER/host-1@TEST -mapuser zookeeper -mapOp add -Target TEST
ktpass -princ ZOOKEEPER/host-2@TEST -mapuser zookeeper -mapOp add -Target TEST
ktpass -princ ZOOKEEPER/host-3@TEST -mapuser zookeeper -mapOp add -Target TEST
{code}
Using this format, one is not able to do {code}kinit ZOOKEEPER/host-1@TEST{code}, but one is able to do {code}kinit zookeeper@TEST -S ZOOKEEPER/host-1@TEST{code} to obtain a service ticket.
In the Kafka project, it is fine for the SASL file to have {code}principal="kafka@TEST"{code}, and automatically it seems it acquires the correct service ticket (I'm not sure how).
In zookeeper, things fail when a client tries to connect, due to this line:
https://github.com/apache/zookeeper/blob/master/zookeeper-server/src/main/java/org/apache/zookeeper/util/SecurityUtils.java#L170
It'd be great for Zookeeper server to have the same kind of mechanism as Kafka
for accepting client connections. This would allow us to have
{code}principal="zookeeper@TEST"{code} in SASL. Otherwise, maybe support a JAAS
new option so we can explicitly name the service ?
FYI - trying {code}principal="zookeeper/host-1@TEST"{code} does not work: due to how Active Directory works, it complains that the credentials cannot be found in the database (as we try to authenticate using the service name, not the user name).
I'm attaching some documentation I find relevant:
https://serverfault.com/questions/682374/client-not-found-in-kerberos-database-while-getting-initial/683058#683058
> Can't use Active Directory for Kerberos Authentication
> ------------------------------------------------------
>
> Key: ZOOKEEPER-3206
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3206
> Project: ZooKeeper
> Issue Type: Bug
> Components: kerberos
> Affects Versions: 3.4.13
> Reporter: Stephane Maarek
> Priority: Major
>
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
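Added example (editor's note, not ZooKeeper or Kafka code): the report boils down to a SASL/GSSAPI server needing a "service/host" name to accept tickets for, and a JAAS principal of the user form "zookeeper@TEST" having no instance part to split on. The block below parses Kerberos principal names properly (including backslash escapes, which a naive split on "/" gets wrong), derives the server identity from a classic "service/host@REALM" principal, and, for a user-style principal, falls back to an explicit service-name option plus a hostname, which is the kind of configuration knob the reporter asks for. The names `sasl_server_identity`, `service_name`, `local_hostname` and the sample principals are assumptions made for this example; ZooKeeper's actual option names and parsing are not claimed here.

```python
"""Kerberos principal parsing and SASL server-name derivation.

Added example, not code from the ZooKeeper or Kafka projects.  Function
and option names (`sasl_server_identity`, `service_name`,
`local_hostname`) are assumptions chosen for this illustration.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Principal:
    primary: str             # "zookeeper"
    instance: Optional[str]  # "host-1", or None for a user-style principal
    realm: Optional[str]     # "TEST", or None if the name is unqualified

    def __str__(self) -> str:
        # Re-escape the separators so the rendered name parses back to itself.
        def esc(s: str) -> str:
            return s.replace("\\", "\\\\").replace("/", "\\/").replace("@", "\\@")
        out = esc(self.primary)
        if self.instance is not None:
            out += "/" + esc(self.instance)
        if self.realm is not None:
            out += "@" + esc(self.realm)
        return out


def parse_principal(text: str) -> Principal:
    """Split "primary[/instance][@REALM]", honouring backslash escapes.

    MIT krb5 lets a component contain "\\/" or "\\@", so str.split("/")
    is wrong in general; this scanner unescapes as it walks the string.
    Only one- or two-component names are accepted, since "service/host"
    is the only shape a SASL server name can be built from.
    """
    components = [""]
    realm: Optional[str] = None
    i, n = 0, len(text)
    while i < n:
        ch = text[i]
        if ch == "\\" and i + 1 < n:
            literal = text[i + 1]           # escaped char: never a separator
            if realm is None:
                components[-1] += literal
            else:
                realm += literal
            i += 2
            continue
        if realm is None:
            if ch == "@":
                realm = ""
            elif ch == "/":
                components.append("")
            else:
                components[-1] += ch
        else:
            if ch == "@":
                raise ValueError(f"unescaped '@' inside realm: {text!r}")
            realm += ch
        i += 1
    if not components[0]:
        raise ValueError(f"empty primary component: {text!r}")
    if realm == "":
        raise ValueError(f"empty realm: {text!r}")
    if len(components) > 2 or (len(components) == 2 and not components[1]):
        raise ValueError(f"not a service or user principal: {text!r}")
    instance = components[1] if len(components) == 2 else None
    return Principal(components[0], instance, realm)


def sasl_server_identity(jaas_principal: str,
                         service_name: Optional[str] = None,
                         local_hostname: Optional[str] = None) -> Tuple[str, str]:
    """Return the (service, host) pair a GSSAPI server accepts tickets for.

    "zookeeper/host-1@TEST" carries both parts.  "zookeeper@TEST" (an AD
    user account that merely has SPNs mapped onto it) carries neither, so
    the caller must supply a hostname and, if the registered SPN differs
    from the account name (ZOOKEEPER vs zookeeper), the service name too.
    """
    p = parse_principal(jaas_principal)
    if p.instance is not None:
        if service_name is not None and service_name != p.primary:
            raise ValueError(f"service_name {service_name!r} contradicts {jaas_principal!r}")
        return p.primary, p.instance
    if local_hostname is None:
        raise ValueError(f"{jaas_principal!r} has no instance component; "
                         "a hostname (and usually a service name) must be configured")
    return (service_name if service_name is not None else p.primary), local_hostname


def expected_service_ticket(service: str, host: str, realm: str) -> str:
    """The SPN a client will request, i.e. the target of `kinit -S`."""
    return str(Principal(service, host, realm))


if __name__ == "__main__":
    print(sasl_server_identity("zookeeper/host-1@TEST"))
    print(sasl_server_identity("zookeeper@TEST", service_name="ZOOKEEPER",
                               local_hostname="host-1"))
    print(expected_service_ticket("ZOOKEEPER", "host-1", "TEST"))
```

Running the block shows the classic principal deriving its own identity, the user-style principal needing the explicit option, and the SPN string that has to match what `ktpass -princ` registered; calling `sasl_server_identity("zookeeper@TEST")` with no extra configuration raises, which is the situation the report describes.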