[
https://issues.apache.org/jira/browse/ZOOKEEPER-3482?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16998033#comment-16998033
]
Andor Molnar commented on ZOOKEEPER-3482:
-----------------------------------------
A little bit more context:
ZooKeeper server has been set up with both Kerberos auth and the secure port enabled:
{panel:title=zoo.cfg}
tickTime=2000
initLimit=10
syncLimit=5
4lw.commands.whitelist=conf,cons,crst,dirs,dump,envi,gtmk,ruok,stmk,srst,srvr,stat,wchs,mntr,isro
dataDir=/var/lib/zookeeper
dataLogDir=/var/lib/zookeeper
clientPort=2181
maxClientCnxns=60
minSessionTimeout=4000
maxSessionTimeout=60000
autopurge.purgeInterval=24
autopurge.snapRetainCount=5
quorum.auth.enableSasl=true
quorum.cnxn.threads.size=20
admin.enableServer=false
admin.serverPort=5181
server.1=barbaresco-1.vpc.cloudera.com:3181:4181
leaderServes=yes
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
kerberos.removeHostFromPrincipal=true
kerberos.removeRealmFromPrincipal=true
quorum.auth.kerberos.servicePrincipal=zookeeper/_HOST
quorum.auth.learnerRequireSasl=true
quorum.auth.serverRequireSasl=true
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
sslQuorum=true
ssl.quorum.keyStore.location=/var/run/zookeeper/keystore.jks
ssl.quorum.keyStore.password=topSecret
ssl.quorum.trustStore.location=/var/lib/zookeeper/truststore.jks
ssl.quorum.trustStore.password=topSecret
secureClientPort=2182
ssl.keyStore.location=/var/run/zookeeper/keystore.jks
ssl.keyStore.password=topSecret
ssl.trustStore.location=/var/lib/zookeeper/truststore.jks
ssl.trustStore.password=topSecret
{panel}
Client is started as follows:
{panel:title=zookeeper-client}
CLIENT_JVMFLAGS="-Djava.security.auth.login.config=/etc/zookeeper/conf/jaas.conf \
    -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty \
    -Dzookeeper.ssl.keyStore.location=/var/lib/zookeeper/keystore.jks \
    -Dzookeeper.ssl.keyStore.password=topSecret \
    -Dzookeeper.ssl.trustStore.location=/var/lib/zookeeper/truststore.jks \
    -Dzookeeper.ssl.trustStore.password=topSecret \
    -Dzookeeper.client.secure=true"
zookeeper-client -server barbaresco-1.vpc.cloudera.com:2182
{panel}
> SASL (Kerberos) Authentication with SSL for clients and Quorum
> --------------------------------------------------------------
>
> Key: ZOOKEEPER-3482
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3482
> Project: ZooKeeper
> Issue Type: Bug
> Components: server
> Affects Versions: 3.5.5
> Reporter: Jörn Franke
> Priority: Major
>
> It seems that Kerberos authentication does not work for encrypted connections
> of clients and quorum. It seems that only X509 Authentication works.
> What I would have expected:
> ClientSecurePort is defined
> A keystore and truststore are deployed on the ZooKeeper servers
> Only a truststore is deployed with the client (to validate the CA of the
> server certificate)
> Client can authenticate with SASL (Kerberos)
> Similarly, it should work for the Quorum SSL connection.
> Is there a way to configure this in ZooKeeper?
>
> Note: Kerberos Authentication for SSL encrypted connection should be used
> instead of X509 authentication for this case and not in addition. However, if
> it only works in 3.5.5 in addition then I would be interested and willing to
> test it.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
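As an added illustration, not ZooKeeper project code and not part of the Jira thread, the Python script below lints a zoo.cfg like the one Andor posted for the key combinations that the TLS client port, TLS quorum and quorum SASL each depend on in 3.5.x, and flags what a reviewer of that configuration would want to see: the plaintext clientPort that stays open next to secureClientPort, and the keystore passwords sitting in the file. The security-relevant lines of the posted zoo.cfg are embedded inline; the second, deliberately broken config and the host zk1.example.test are constructed for the example.

```python
"""Consistency lint for the security-relevant keys of a ZooKeeper 3.5 zoo.cfg.
Added example, not ZooKeeper project code."""
import textwrap

NETTY_FACTORY = "org.apache.zookeeper.server.NettyServerCnxnFactory"
SASL_PROVIDER = "org.apache.zookeeper.server.auth.SASLAuthenticationProvider"
# Keystore/truststore keys the TLS client port needs; the quorum port uses ssl.quorum.*.
TLS_CLIENT_KEYS = ("ssl.keyStore.location", "ssl.keyStore.password",
                   "ssl.trustStore.location", "ssl.trustStore.password")
TLS_QUORUM_KEYS = tuple(k.replace("ssl.", "ssl.quorum.", 1) for k in TLS_CLIENT_KEYS)


def parse_zoo_cfg(text):
    """Parse key=value lines; blank lines and '#' comments are skipped, last key wins."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def lint_zoo_cfg(cfg):
    """Return a list of finding strings; an empty list means nothing to report."""
    findings = []
    # TLS client port: only the Netty factory serves it, and it needs a keystore/truststore.
    if "secureClientPort" in cfg:
        if cfg.get("serverCnxnFactory") != NETTY_FACTORY:
            findings.append("secureClientPort set but serverCnxnFactory is not "
                            "NettyServerCnxnFactory")
        findings += [f"secureClientPort set but {k} is missing"
                     for k in TLS_CLIENT_KEYS if k not in cfg]
        if "clientPort" in cfg:
            findings.append(f"plaintext clientPort {cfg['clientPort']} is still open "
                            f"alongside secureClientPort {cfg['secureClientPort']}")
    # TLS quorum: needs its own ssl.quorum.* keystore/truststore.
    if cfg.get("sslQuorum") == "true":
        findings += [f"sslQuorum=true but {k} is missing"
                     for k in TLS_QUORUM_KEYS if k not in cfg]
    # Quorum SASL: enableSasl only negotiates; the *RequireSasl keys reject peers that fail.
    if cfg.get("quorum.auth.enableSasl") == "true":
        findings += [f"quorum.auth.enableSasl=true but {k} is not true; "
                     "unauthenticated peers are still accepted"
                     for k in ("quorum.auth.learnerRequireSasl",
                               "quorum.auth.serverRequireSasl")
                     if cfg.get(k) != "true"]
    # Client Kerberos ACLs (scheme 'sasl') need the SASL provider registered.
    if SASL_PROVIDER not in [v for k, v in cfg.items() if k.startswith("authProvider.")]:
        findings.append("no authProvider.N=SASLAuthenticationProvider; "
                        "the 'sasl' ACL scheme is unavailable")
    # Keystore passwords in zoo.cfg are not a misconfiguration, but the file
    # must then be readable only by the zookeeper user.
    findings += [f"{k} is a plaintext secret in zoo.cfg; restrict file permissions"
                 for k, v in sorted(cfg.items()) if k.endswith(".password") and v]
    return findings


# Security-relevant lines of the zoo.cfg posted in the comment above.
POSTED_CFG = textwrap.dedent("""\
    clientPort=2181
    quorum.auth.enableSasl=true
    authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
    quorum.auth.learnerRequireSasl=true
    quorum.auth.serverRequireSasl=true
    serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
    sslQuorum=true
    ssl.quorum.keyStore.location=/var/run/zookeeper/keystore.jks
    ssl.quorum.keyStore.password=topSecret
    ssl.quorum.trustStore.location=/var/lib/zookeeper/truststore.jks
    ssl.quorum.trustStore.password=topSecret
    secureClientPort=2182
    ssl.keyStore.location=/var/run/zookeeper/keystore.jks
    ssl.keyStore.password=topSecret
    ssl.trustStore.location=/var/lib/zookeeper/truststore.jks
    ssl.trustStore.password=topSecret
""")

# Constructed counter-example: TLS and quorum SASL switched on without their dependencies.
WEAK_CFG = textwrap.dedent("""\
    clientPort=2181
    secureClientPort=2182
    ssl.keyStore.location=/var/run/zookeeper/keystore.jks
    ssl.keyStore.password=topSecret
    sslQuorum=true
    quorum.auth.enableSasl=true
    server.1=zk1.example.test:3181:4181
""")


def hardened_cfg():
    """Posted config without clientPort, so no plaintext listener is opened.
    Assumes nothing in the deployment still depends on port 2181."""
    return "\n".join(line for line in POSTED_CFG.splitlines()
                     if not line.startswith("clientPort="))


if __name__ == "__main__":
    for name, text in (("posted", POSTED_CFG), ("hardened", hardened_cfg()), ("weak", WEAK_CFG)):
        print(f"== {name}")
        for finding in lint_zoo_cfg(parse_zoo_cfg(text)):
            print("  -", finding)
```

On the posted configuration the only findings are the open plaintext port and the four passwords in the file; the hardened variant keeps just the password notices, which go away only by locking down zoo.cfg itself. The broken config shows how each feature flag fails on its own: secureClientPort without the Netty factory or a truststore, sslQuorum without ssl.quorum.* stores, and enableSasl without the two RequireSasl keys, which leaves unauthenticated quorum peers accepted.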