Re: ZooKeeper cwiki - Updated ZooKeeper and SASL auth 1045 work
Rakesh, send me your cwiki ID and I'll add the proper permissions for you.

Patrick

On Tue, Jan 17, 2017 at 5:58 PM, Rakesh Radhakrishnan wrote:

> Hi PMCs,
>
> I don't have permission to delete cwiki page. Presently, I have renamed our
> old sasl page to
> "https://cwiki.apache.org/confluence/display/ZOOKEEPER/Zookeeper+and+SASL-Backup".
> Could you please delete this page from ZooKeeper project cwiki pages. Thanks!
>
> Thanks,
> Rakesh
Re: ZooKeeper cwiki - Updated ZooKeeper and SASL auth 1045 work
Hi PMCs,

I don't have permission to delete cwiki page. Presently, I have renamed our old sasl page to "https://cwiki.apache.org/confluence/display/ZOOKEEPER/Zookeeper+and+SASL-Backup". Could you please delete this page from ZooKeeper project cwiki pages. Thanks!

Thanks,
Rakesh

On Mon, Jan 16, 2017 at 10:31 PM, Rakesh Radhakrishnan wrote:

> Hi All,
>
> FYI, I'm planning to delete our existing
> "https://cwiki.apache.org/confluence/display/ZOOKEEPER/Zookeeper+and+SASL"
> web page by tomorrow (IST).
>
> Then rename
> https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+and+SASL+authentication
> web page to
> "https://cwiki.apache.org/confluence/display/ZOOKEEPER/Zookeeper+and+SASL"
> in place of the deleted page.
>
> Please let me know if you have any comments. Thanks!
>
> Regards,
> Rakesh
Re: ZooKeeper cwiki - Updated ZooKeeper and SASL auth 1045 work
Hi All,

FYI, I'm planning to delete our existing "https://cwiki.apache.org/confluence/display/ZOOKEEPER/Zookeeper+and+SASL" web page by tomorrow (IST).

Then rename https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+and+SASL+authentication web page to "https://cwiki.apache.org/confluence/display/ZOOKEEPER/Zookeeper+and+SASL" in place of the deleted page.

Please let me know if you have any comments. Thanks!

Regards,
Rakesh

On Tue, Dec 20, 2016 at 6:03 PM, Rakesh Radhakrishnan wrote:

> Like I mentioned at the beginning of this mail thread, presently I've
> maintained this original page as a history. How about deleting this old
> page now and rename the newly added
> "https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+and+SASL+authentication"
> in place of the old page? I think that will help the existing webpages to
> continue referring to a valid cwiki ZK sasl page. Otherwise those links
> become stale.
>
> I could see many blogs, wiki already have a reference link to our existing
> "https://cwiki.apache.org/confluence/display/ZOOKEEPER/Zookeeper+and+SASL"
> page.
>
> Following are a few blogs/sites which have a reference to the ZK SASL page:-
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-38%3A+ZooKeeper+Authentication
> http://blog.intelligencecomputing.io/security/12409/repost-zookeeper-and-sasl
>
> Thanks,
> Rakesh
Re: ZooKeeper cwiki - Updated ZooKeeper and SASL auth 1045 work
Like I mentioned at the beginning of this mail thread, presently I've maintained this original page as a history. How about deleting this old page now and rename the newly added "https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+and+SASL+authentication" in place of the old page? I think that will help the existing webpages to continue referring to a valid cwiki ZK sasl page. Otherwise those links become stale.

I could see many blogs, wiki already have a reference link to our existing "https://cwiki.apache.org/confluence/display/ZOOKEEPER/Zookeeper+and+SASL" page.

Following are a few blogs/sites which have a reference to the ZK SASL page:-
https://cwiki.apache.org/confluence/display/KAFKA/KIP-38%3A+ZooKeeper+Authentication
http://blog.intelligencecomputing.io/security/12409/repost-zookeeper-and-sasl

Thanks,
Rakesh

On Tue, Dec 20, 2016 at 7:02 AM, Patrick Hunt wrote:

> LGTM. Those changes are very helpful, thanks Rakesh!
>
> Patrick
Re: ZooKeeper cwiki - Updated ZooKeeper and SASL auth 1045 work
LGTM. Those changes are very helpful, thanks Rakesh!

Patrick

On Mon, Dec 19, 2016 at 12:04 PM, Rakesh Radhakrishnan wrote:

> Thanks a lot Patrick Hunt for the review comments. Please take another look
> at the wiki page when you get a chance.
>
> I've updated the wiki page addressing these.
>
> 1) ===> DONE. Added JCE encryption part.
> 2) ===> DONE. Corrected case.
> 3) ===> DONE. Included version.
> 4) ===> DONE. Corrected numbering format.
> 5) ===> DONE. Added an example case to understand the tuning mechanism.
> 6) ===> DONE. I've removed this part because it can be discussed separately
> and added if someone has a use case.
> 7) ===> DONE. Rephrased upgrade feature section
>
> Thanks,
> Rakesh
Re: ZooKeeper cwiki - Updated ZooKeeper and SASL auth 1045 work
Thanks a lot Patrick Hunt for the review comments. Please take another look at the wiki page when you get a chance.

I've updated the wiki page addressing these.

1) ===> DONE. Added JCE encryption part.
2) ===> DONE. Corrected case.
3) ===> DONE. Included version.
4) ===> DONE. Corrected numbering format.
5) ===> DONE. Added an example case to understand the tuning mechanism.
6) ===> DONE. I've removed this part because it can be discussed separately and added if someone has a use case.
7) ===> DONE. Rephrased upgrade feature section

Thanks,
Rakesh

On Wed, Dec 14, 2016 at 9:03 AM, Patrick Hunt wrote:

> Nice job Rakesh, some comments:
>
> 1) the appendix is a great idea, should be useful for many people. One
> thing I noticed
> "There is no additional dependencies needed to use SASL with Java since it
> is part of the the Java Standard Edition." - you might want to mention/link
> the JCE? The JVM doesn't come with very modern encryption - some of the
> distros use more strong encryption out of the box with kerberos. I've run
> into this a number of times (need to also install JCE).
>
> 2) consistently use "ZooKeeper" rather than "Zookeeper". Only noticed this
> in a few places...
>
> 3) on client-server it would be good to mention when it was added (3.4.0+),
> similar to what you did with 1045.
>
> 4) on "ZooKeeper SASL configurations" the numbering of the bullets starts
> at 2.1. and finishes at 2.4. I suspect the formatting didn't copy over
> quite right?
>
> 5) similar formatting issue for "# Defaulting to
> 20quorum.cnxn.threads.size=20"
>
> Can we give any insight into how this value should be set? i.e. why is 20
> the default and when should it be raised/lowered?
>
> 6) can the doc shed any light on why we are recommending
> "javax.security.auth.useSubjectCredsOnly=false" ? I'm not familiar with
> this myself.
>
> 7) "This feature is supported in 3.4 branch" is ambiguous - perhaps
> rephrase. What "feature" are you referring to, 1045 or to rolling upgrade?
> Also the ref to 3.4 itself is ambiguous - perhaps change to 3.4.10+?
>
> These are some minor nits, overall impressive effort -- thanks again
> Rakesh!
>
> Patrick
Re: ZooKeeper cwiki - Updated ZooKeeper and SASL auth 1045 work
Nice job Rakesh, some comments:

1) the appendix is a great idea, should be useful for many people. One thing I noticed "There is no additional dependencies needed to use SASL with Java since it is part of the the Java Standard Edition." - you might want to mention/link the JCE? The JVM doesn't come with very modern encryption - some of the distros use more strong encryption out of the box with kerberos. I've run into this a number of times (need to also install JCE).

2) consistently use "ZooKeeper" rather than "Zookeeper". Only noticed this in a few places...

3) on client-server it would be good to mention when it was added (3.4.0+), similar to what you did with 1045.

4) on "ZooKeeper SASL configurations" the numbering of the bullets starts at 2.1. and finishes at 2.4. I suspect the formatting didn't copy over quite right?

5) similar formatting issue for "# Defaulting to 20quorum.cnxn.threads.size=20"

Can we give any insight into how this value should be set? i.e. why is 20 the default and when should it be raised/lowered?

6) can the doc shed any light on why we are recommending "javax.security.auth.useSubjectCredsOnly=false" ? I'm not familiar with this myself.

7) "This feature is supported in 3.4 branch" is ambiguous - perhaps rephrase. What "feature" are you referring to, 1045 or to rolling upgrade? Also the ref to 3.4 itself is ambiguous - perhaps change to 3.4.10+?

These are some minor nits, overall impressive effort -- thanks again Rakesh!

Patrick

On Tue, Dec 13, 2016 at 6:56 PM, Rakesh Radhakrishnan wrote:

> Hi All,
>
> I've incorporated ZK-1045 feature details into the Apache ZooKeeper project
> cwiki. Since "ZooKeeper and SASL" section is quite large I've split
> ZooKeeper client-server and server-server sections into sub-pages. Please
> read the following page,
>
> https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+and+SASL+authentication
>
> *ZooKeeper and SASL authentication*
>
> - Client-Server mutual authentication
> - Server-Server mutual authentication
> - Appendix: Kerberos, GSSAPI, SASL, and JAAS
>
> I have reused the content from the "Client-Server" and "Appendix" sections
> from the existing page
> https://cwiki.apache.org/confluence/display/ZOOKEEPER/Zookeeper+and+SASL
> Presently I've maintained this original page as a history, probably we need
> to delete this page after everyone agrees on the changes.
>
> Appreciate your feedback, thanks!
>
> Regards,
> Rakesh
ZooKeeper cwiki - Updated ZooKeeper and SASL auth 1045 work
Hi All,

I've incorporated ZK-1045 feature details into the Apache ZooKeeper project cwiki. Since "ZooKeeper and SASL" section is quite large I've split ZooKeeper client-server and server-server sections into sub-pages. Please read the following page,

https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+and+SASL+authentication

*ZooKeeper and SASL authentication*

- Client-Server mutual authentication
- Server-Server mutual authentication
- Appendix: Kerberos, GSSAPI, SASL, and JAAS

I have reused the content from the "Client-Server" and "Appendix" sections from the existing page https://cwiki.apache.org/confluence/display/ZOOKEEPER/Zookeeper+and+SASL

Presently I've maintained this original page as a history, probably we need to delete this page after everyone agrees on the changes.

Appreciate your feedback, thanks!

Regards,
Rakesh