Hi,

Thanks for the pointers. I was playing a bit with the code and I see no
easy way to improve this. The limitation looks to be in
com.sun.security.sasl.gsskerb.GssKrb5Server: it needs to have a
specific principal.
It is an interesting feature to use * for the principal, but it looks like
it can't be used with the SASL server.
I have to make a decision at deployment time about which principal to use. It is not
the end of the world, fortunately.
I am now looking for the same thing in Kafka, and it has a similar problem
with the * principal.

Anyway, thanks for taking the time and help.

Regards,
Botond

On Wed, Feb 7, 2018 at 6:03 PM, Martin Gainty <mgai...@hotmail.com> wrote:

> MG> I agree. DIGEST-MD5 (and not Kerberos) seems to be the default
> authentication for ZooKeeper:
>
> SaslServer saslServer = Sasl.createSaslServer("DIGEST-MD5", "zookeeper", "zk-sasl-md5", null, login.callbackHandler)
>
> MG> To ask a dumb question: where is DIGEST-MD5.conf located in the ZooKeeper
> binary distro?
> MG> Or is it sufficient to supply the DIGEST-MD5.conf parameters in jaas.conf?
>
> ________________________________
> From: Andor Molnar <an...@cloudera.com>
> Sent: Wednesday, February 7, 2018 10:29 AM
> To: user@zookeeper.apache.org
> Subject: Re: SASL jaas.conf principal="*" problem
>
> Hi Botond,
>
> I believe the guy who originally implemented this (Rakesh) can give some
> color to your question, but until then you could dig into the original Jira:
> https://issues.apache.org/jira/browse/ZOOKEEPER-1045
> for more information.
>
> Other than that, if you believe that you can either fix the issue or
> implement it in a better way, your contribution will be highly
> appreciated, and it would be very kind of you to open a new Jira and a new pull
> request on GitHub.
>
> We can discuss further details there.
>
> Thanks,
> Andor
>
>
>
>
>
> On Mon, Feb 5, 2018 at 7:21 PM, Botond Hejj <botond.h...@morganstanley.com> wrote:
>
> > Hi,
> >
> > Java 8 introduced the possibility to use * for the principal in treadmill,
> > which is great and would allow us to run treadmill behind multiple
> > interfaces, and SASL would pick the right keytab.
> >
> > Unfortunately this doesn't work in ZooKeeper. I have dived into the code a
> > bit, and what I have found is that ZooKeeper is using DIGEST-MD5 in that case
> > even though I don't use the DigestLoginModule. The reason for that is line
> > 251 here:
> > https://github.com/apache/zookeeper/blob/master/src/java/main/org/apache/zookeeper/util/SecurityUtils.java
> >
> > It falls back to Digest if the principal list is empty, which is the case
> > when * is specified.
> > Why is that, and why is the login type not checked?
> > Anyway, this can only be fixed in a non-backward-compatible way, or with a
> > flag in a backward-compatible way.
> >
> > I could prepare a patch.
> > I would just like to understand the reason behind the implementation. Is
> > there any particular reason why this fallback is there? What would the
> > implication be if I removed that? If I understand the reason, maybe I could
> > patch it without breaking backward compatibility.
> >
> > There is also a comment: TODO: use 'authMech=' value in zoo.cfg.
> >
> > Is there any jira or patch for that?
> >
> > Regards,
> > Botond Hejj
> > Morgan Stanley | Technology
> > Lechner Odon fasor 8 | Floor 07
> > Budapest, 1095
> > Phone: +36 1 881-3962
> > botond.h...@morganstanley.com
> >
>



-- 
Botond Hejj
Morgan Stanley | Technology
Lechner Odon fasor 8 | Floor 07
Budapest, 1095
Phone: +36 1 881-3962
botond.h...@morganstanley.com
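Editor's note, added to this archived thread and not code from ZooKeeper or from any participant: the behaviour Botond describes (the server picks GSSAPI only when the login Subject carries a principal, and otherwise silently falls back to DIGEST-MD5, which is exactly what an empty principal set from principal="*" triggers) is a mechanism downgrade decided by data rather than by configuration. The stand-alone Java class below reproduces that inference on hand-built Subjects (no KDC or keytab needed) and contrasts it with a hypothetical explicit, fail-closed selection of the kind the "TODO: use 'authMech=' value in zoo.cfg" comment points at. The method names, the `authMech` parameter and the constructed principals are this example's assumptions, not ZooKeeper's API.

```java
import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;

/**
 * Illustration only (not org.apache.zookeeper.util.SecurityUtils): two ways to
 * choose the server-side SASL mechanism.
 *
 *  - inferMechanism: derive it from the login Subject. With an empty principal
 *    set (which the thread reports for principal="*") this quietly selects
 *    DIGEST-MD5 even though the JAAS section uses Krb5LoginModule.
 *  - requireMechanism: the operator names the mechanism explicitly and the
 *    Subject is checked against it; a mismatch fails instead of downgrading.
 */
public class SaslMechanismSelection {

    /** Mirrors the fallback described in the thread: no principals -> DIGEST-MD5. */
    static String inferMechanism(Subject subject) {
        Set<Principal> principals = subject.getPrincipals();
        return principals.isEmpty() ? "DIGEST-MD5" : "GSSAPI";
    }

    /**
     * Hypothetical explicit form. 'authMech' stands in for a configuration
     * value (the thread mentions only a TODO for one in zoo.cfg); this is an
     * assumption of the example, not a ZooKeeper setting.
     */
    static String requireMechanism(String authMech, Subject subject) {
        switch (authMech) {
            case "GSSAPI":
                // GssKrb5Server needs a concrete Kerberos identity; refuse to
                // start rather than silently serve a weaker mechanism.
                boolean hasKerberosPrincipal =
                    !subject.getPrincipals(KerberosPrincipal.class).isEmpty();
                if (!hasKerberosPrincipal) {
                    throw new IllegalStateException(
                        "GSSAPI configured but the login Subject has no Kerberos principal;"
                        + " refusing to fall back to DIGEST-MD5");
                }
                return "GSSAPI";
            case "DIGEST-MD5":
                return "DIGEST-MD5";
            default:
                throw new IllegalArgumentException("Unsupported SASL mechanism: " + authMech);
        }
    }

    public static void main(String[] args) {
        // Constructed Subjects standing in for what a Krb5LoginModule login
        // would produce; no real Kerberos login is performed here.
        Subject explicitPrincipal = new Subject();
        explicitPrincipal.getPrincipals().add(
            new KerberosPrincipal("zookeeper/zk1.example.com@EXAMPLE.COM")); // assumed name

        // With principal="*" the resulting Subject has no principal (per the thread).
        Subject wildcardPrincipal = new Subject();

        System.out.println("explicit principal -> " + inferMechanism(explicitPrincipal));
        System.out.println("principal=\"*\"     -> " + inferMechanism(wildcardPrincipal));

        try {
            requireMechanism("GSSAPI", wildcardPrincipal);
        } catch (IllegalStateException e) {
            System.out.println("fail-closed: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac SaslMechanismSelection.java && java SaslMechanismSelection`; the first Subject resolves to GSSAPI, the empty one to DIGEST-MD5 under inference, and the explicit form throws instead of downgrading. The point for a deployment review is that a Kerberos-only quorum should not be able to end up speaking DIGEST-MD5 because of a keytab-selection feature in the login module; whichever principal is chosen, verify the negotiated mechanism on the wire rather than trusting the JAAS section alone.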