Hi,

Thanks for the pointers. I was playing a bit with the code and I see no easy way to improve this. The limitation looks to be in the com.sun.security.sasl.gsskerb.GssKrb5Server: it needs to have a specific principal. It is an interesting feature to use * for the principal, but it looks like it can't be used with the SASL server. I have to make a decision on deployment which principal to use. It is not the end of the world, fortunately. I am now looking for the same thing in Kafka and it has a similar problem with the * principal.
Anyway, thanks for taking the time and help.

Regards,
Botond

On Wed, Feb 7, 2018 at 6:03 PM, Martin Gainty <mgai...@hotmail.com> wrote:

> MG> I agree.. DIGEST-MD5 (and not Kerberos) seems to be the default
> authentication for zookeeper
>
>     SaslServer saslServer = Sasl.createSaslServer("DIGEST-MD5", "zookeeper", "zk-sasl-md5", null, login.callbackHandler)
>
> MG> to ask a dumb question.. where is DIGEST-MD5.conf located in the zookeeper binary distro?
> MG> or is it sufficient to supply DIGEST-MD5.conf parameters in jaas.conf?
>
> ________________________________
> From: Andor Molnar <an...@cloudera.com>
> Sent: Wednesday, February 7, 2018 10:29 AM
> To: user@zookeeper.apache.org
> Subject: Re: SASL jaas.conf principal="*" problem
>
> Hi Botond,
>
> I believe the guy who originally implemented this (Rakesh) can give some
> color to your question, but until then you could dig the original Jira:
> https://issues.apache.org/jira/browse/ZOOKEEPER-1045
> ([ZOOKEEPER-1045] Support Quorum Peer mutual authentication. ZOOKEEPER-938 addresses
> mutual authentication between clients and servers; this bug, on the other hand, is for
> authentication among quorum peers.)
> for more information.
>
> Other than that, if you believe that you can either fix the issue or
> implement it in a better way, your contribution will be highly
> appreciated and it would be very kind of you to open a new Jira and a new pull
> request on GitHub.
>
> We can discuss further details there.
>
> Thanks,
> Andor
>
> On Mon, Feb 5, 2018 at 7:21 PM, Botond Hejj <botond.h...@morganstanley.com> wrote:
>
>> Hi,
>>
>> Java 8 introduced the possibility to use * for the principal in treadmill,
>> which is great and would allow us to run treadmill behind multiple
>> interfaces and SASL would pick the right keytab.
>>
>> Unfortunately this doesn't work in ZooKeeper. I have dived in the code a bit
>> and what I have found is that ZooKeeper is using DIGEST-MD5 in that case
>> even though I don't use the DigestLoginModule. The reason for that is line
>> 251 here:
>> https://github.com/apache/zookeeper/blob/master/src/java/main/org/apache/zookeeper/util/SecurityUtils.java
>>
>> It falls back to Digest if the principal list is empty, which is the case
>> when * is specified.
>> Why is that, and why is the login type not checked?
>> Anyway, this can only be fixed in a non-backward-compatible way or with a
>> flag in a backward-compatible way.
>>
>> I could prepare a patch.
>> I would just like to understand the reason behind the implementation. Is
>> there any particular reason why this fallback is there? What would the
>> implication be if I remove that? If I understand the reason maybe I could
>> patch it without breaking backward compatibility.
>>
>> There is also a comment: TODO: use 'authMech=' value in zoo.cfg.
>>
>> Is there any Jira or patch for that?
>>
>> Regards,
>> Botond Hejj
>> Morgan Stanley | Technology
>> Lechner Odon fasor 8 | Floor 07
>> Budapest, 1095
>> Phone: +36 1 881-3962
>> botond.h...@morganstanley.com

--
Botond Hejj
Morgan Stanley | Technology
Lechner Odon fasor 8 | Floor 07
Budapest, 1095
Phone: +36 1 881-3962
botond.h...@morganstanley.com
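The thread turns on one decision point: the server picks GSSAPI only when the JAAS Subject carries a principal, and otherwise silently drops to DIGEST-MD5, which is what makes a Kerberos `principal="*"` configuration look like a Digest one. The sketch below is an added illustration written for this thread, not ZooKeeper's `SecurityUtils` or any Kafka code; the class name `SaslMechanismSelector`, the `configuredMech` parameter (standing in for the `authMech=` setting mentioned in the TODO) and the `login.callbackHandler` usage are assumptions. It shows the original fallback beside a selection that checks what the login module actually produced and honours an explicit override, so an operator is told about the mismatch instead of getting an unintended mechanism. As Botond found, choosing GSSAPI still requires a concrete service principal and host name when the `SaslServer` is created; the selector only stops the fallback from hiding that.

```java
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KeyTab;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;

/** Added example for the mailing-list thread; not the project's own code. */
public final class SaslMechanismSelector {

    private SaslMechanismSelector() {}

    /**
     * The behaviour described in the thread: mechanism follows the size of
     * the principal set, so an unbound Kerberos login (principal="*") with
     * no KerberosPrincipal in the Subject is treated as DIGEST-MD5.
     */
    public static String legacyChoice(Subject subject) {
        return subject.getPrincipals().isEmpty() ? "DIGEST-MD5" : "GSSAPI";
    }

    /**
     * Backward-compatible alternative: an explicit setting (hypothetical
     * authMech= value) wins; otherwise inspect the Subject's credentials
     * rather than only its principal count. With JDK 8 and principal="*",
     * Krb5LoginModule leaves an unbound KeyTab in the private credentials
     * and no KerberosPrincipal, so that case is recognised as Kerberos.
     * Returns null when the Subject shows no Kerberos material at all.
     */
    public static String choose(Subject subject, String configuredMech) {
        if (configuredMech != null && !configuredMech.isEmpty()) {
            return configuredMech;
        }
        Set<KerberosPrincipal> kerbPrincipals = subject.getPrincipals(KerberosPrincipal.class);
        if (!kerbPrincipals.isEmpty()) {
            return "GSSAPI";                 // bound login, same as legacy behaviour
        }
        for (KeyTab kt : subject.getPrivateCredentials(KeyTab.class)) {
            if (!kt.isBound()) {
                return "GSSAPI";             // principal="*": Kerberos, not Digest
            }
        }
        // No Kerberos material: only now is DIGEST-MD5 a sensible default,
        // and only if the legacy rule would have picked it too.
        return subject.getPrincipals().isEmpty() ? "DIGEST-MD5" : null;
    }

    /**
     * Creates the server for the chosen mechanism. For GSSAPI the caller
     * must pass the concrete service host name (the "zookeeper/host@REALM"
     * identity the acceptor will use); the unbound keytab alone is not enough
     * for the JDK's GSSAPI SaslServer, which is the limitation the thread ends on.
     */
    public static SaslServer create(Subject subject, String configuredMech, String protocol,
                                    String serviceHostName, CallbackHandler cb)
            throws SaslException {
        String mech = choose(subject, configuredMech);
        if (mech == null) {
            throw new SaslException("JAAS Subject has no usable SASL credentials; "
                    + "set an explicit mechanism or fix the login module configuration");
        }
        if ("GSSAPI".equals(mech) && (serviceHostName == null || serviceHostName.isEmpty())) {
            throw new SaslException("GSSAPI selected but no service host name given; "
                    + "principal=\"*\" does not supply one");
        }
        Map<String, ?> props = null;        // no mechanism-specific properties in this sketch
        return Sasl.createSaslServer(mech, protocol, serviceHostName, props, cb);
    }
}
```

With a `Subject` produced by a `Krb5LoginModule` login, `choose(subject, null)` returns "GSSAPI" for both a bound principal and a `principal="*"` keytab, while `legacyChoice(subject)` returns "DIGEST-MD5" for the latter; the difference is exactly the silent fallback discussed above. Any deployment that relies on the override should log the chosen mechanism at startup so that a jaas.conf mistake is visible in the server log rather than discovered from failed client logins.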