[
https://issues.apache.org/jira/browse/ZOOKEEPER-3482?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17014286#comment-17014286
]
Andor Molnar commented on ZOOKEEPER-3482:
-----------------------------------------
[~symat] [~jornfranke]
I repeated my test with another cluster and I was able to use SSL and Kerberos
in conjunction successfully. I'm still looking at my original report to see the
difference, but unfortunately the test cluster has already been destroyed and I
cannot see anything obvious now.
Anyway, we can say that ZooKeeper supports Kerberized client connections on the
secure port as of version 3.5.5.
Adding new tests is a very good idea and also some sort of documentation about
how to set this up properly would also be useful. Thanks.
> SASL (Kerberos) Authentication with SSL for clients and Quorum
> --------------------------------------------------------------
>
> Key: ZOOKEEPER-3482
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3482
> Project: ZooKeeper
> Issue Type: Bug
> Components: server
> Affects Versions: 3.5.5
> Reporter: Jörn Franke
> Assignee: Mate Szalay-Beko
> Priority: Major
> Labels: pull-request-available
> Time Spent: 1h 10m
> Remaining Estimate: 0h
>
> It seems that Kerberos authentication does not work for encrypted connections
> of clients and quorum. It seems that only X509 Authentication works.
> What I would have expected:
> - ClientSecurePort is defined
> - A keystore and truststore are deployed on the ZooKeeper servers
> - Only a truststore is deployed with the client (to validate the CA of the
>   server certificate)
> - Client can authenticate with SASL (Kerberos)
> Similarly, it should work for the Quorum SSL connection.
> Is there a way to configure this in ZooKeeper?
>
> Note: Kerberos Authentication for SSL encrypted connection should be used
> instead of X509 authentication for this case and not in addition. However, if
> it only works in 3.5.5 in addition then I would be interested and willing to
> test it.