Small followup/clarification. If a client needs to connect to two separate, Kerberos-authenticated ZK ensembles, it should be possible since the client side Kerberos ticket is generated as [email protected] and does not indicate which ZK ensemble it is for?
Thanks,
Irfan.

On Sat, Jan 30, 2016 at 10:22 AM, Irfan Hamid <[email protected]> wrote:

> Thanks Flavio. That's good news, and I'm especially grateful for that
> second link, which inexplicably eluded me during my searches for this topic.
>
> Regards,
> Irfan.
>
> On Fri, Jan 29, 2016 at 9:10 PM, Flavio Junqueira <[email protected]> wrote:
>
>> Hi Irfan,
>>
>> Your description sounds right to me. I'd add that you can check that your
>> client watcher is getting a SaslConnected event.
>>
>> There is some more information here in the case you haven't seen this page:
>>
>> https://cwiki.apache.org/confluence/display/ZOOKEEPER/Zookeeper+and+SASL
>>
>> -Flavio
>>
>> > On 29 Jan 2016, at 14:51, Irfan Hamid <[email protected]> wrote:
>> >
>> > Hi,
>> >
>> > We're trying to set up ZooKeeper with Kerberos authentication in our setup.
>> > The documentation about setting this up is a bit complicated. The steps for
>> > the ZooKeeper quorum servers are quite clear:
>> >
>> > *ZooKeeper quorum servers*
>> > 1. Create zookeeper service principals as described here
>> > <http://www.cloudera.com/documentation/archive/cdh/4-x/4-2-0/CDH4-Security-Guide/cdh4sg_topic_11_1.html>.
>> > I am creating them as zookeeper/[email protected]
>> > 2. Copy the keytab files created in (1) to the respective ZooKeeper quorum
>> > servers and place them in the ZooKeeper conf directory
>> > 3. Add the configs indicated to the zoo.cfg file
>> > 4. Add a jaas.conf file (and point to it as part of the JVM params) as
>> > indicated
>> >
>> > *ZooKeeper client side*
>> > This part is throwing me for a loop. We are using the basic ZooKeeper API
>> > (not Curator) in our client side code and creating connections using the
>> > vanilla new ZooKeeper(cxnString, ...) constructor. The only documentation
>> > on how to set this up I could find is here
>> > <http://www.cloudera.com/documentation/archive/cdh/4-x/4-3-0/CDH4-Security-Guide/cdh4sg_topic_11_2.html>.
>> > I was wondering if the linked steps would work for my use-case or if these
>> > are for a specific Cloudera ZooKeeper client tool?
>> >
>> > 1. Create zookeeper client principals using [email protected] (the client's
>> > FQDN isn't needed here?)
>> > 2. Copy the keytab file to the machine running our client app
>> > 3. Make the necessary modifications to jaas.conf
>> > 4. Run our client app with the JVM param pointing to the jaas.conf file
>> > from (2)
>> >
>> > Is my understanding correct or are these steps only for the Cloudera client
>> > shell?
>> >
>> > Regards,
>> > Irfan.
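As an added example (not code from this thread or from the ZooKeeper project), one way to act on Flavio's advice about watching for the SASL event with the plain ZooKeeper API: open the session, and hand it to the application only after the watcher has reported that SASL authentication completed, otherwise close it. The class name, keytab path, principal and connect string are placeholders; the JAAS section name "Client" is the ZooKeeper client's default login context, and the delivered watcher state is KeeperState.SaslAuthenticated.

```java
import org.apache.zookeeper.WatchedEvent;
import org.apache.zookeeper.Watcher;
import org.apache.zookeeper.Watcher.Event.KeeperState;
import org.apache.zookeeper.ZooKeeper;

import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicReference;

/**
 * Opens a session and treats it as usable only after the client watcher has
 * seen SaslAuthenticated. Assumes the JVM was started with
 *   -Djava.security.auth.login.config=/path/to/jaas.conf
 * and that jaas.conf has a "Client" section (the client's default login
 * context name), e.g. (placeholder values):
 *   Client {
 *     com.sun.security.auth.module.Krb5LoginModule required
 *     useKeyTab=true keyTab="/path/to/client.keytab"
 *     storeKey=true useTicketCache=false
 *     principal="client@EXAMPLE.REALM";
 *   };
 */
public class SaslCheckedClient {
    public static ZooKeeper connectAuthenticated(String cxnString, int timeoutMs)
            throws Exception {
        CountDownLatch done = new CountDownLatch(1);
        AtomicReference<KeeperState> outcome = new AtomicReference<>();

        Watcher watcher = (WatchedEvent event) -> {
            KeeperState s = event.getState();
            // SaslAuthenticated: the SASL/GSSAPI handshake finished on this session.
            // AuthFailed: the server rejected the client's credentials.
            if (s == KeeperState.SaslAuthenticated || s == KeeperState.AuthFailed) {
                outcome.compareAndSet(null, s);
                done.countDown();
            }
        };

        ZooKeeper zk = new ZooKeeper(cxnString, timeoutMs, watcher);
        boolean seen = done.await(timeoutMs, TimeUnit.MILLISECONDS);
        if (!seen || outcome.get() != KeeperState.SaslAuthenticated) {
            // Fail closed: never fall through to an unauthenticated session
            // (e.g. SASL silently disabled or a missing/incorrect jaas.conf).
            zk.close();
            throw new IllegalStateException("SASL authentication not confirmed: "
                    + (seen ? outcome.get() : "timed out"));
        }
        return zk;
    }
}
```

Calling `connectAuthenticated("zk1.example.com:2181", 10000)` (placeholder connect string) either returns an authenticated session or throws, so application code never runs against an unauthenticated one.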
