OK, got it.
>>>> Even if i enable sasl but md5-diget what should be this property set
to,
Could you please name the specific property you are referring.
Hope you are talking about "DIGEST-MD5" mechanism ? String[] mechs = {
"DIGEST-MD5" };
Presently the execution flow is that, if there is
no subject.getPrincipals() in jaas config then it must not be GSSAPI and
fallback to check DIGEST-MD5 details in jaas config.
Whenever user want to enable DIGEST-MD5, they have to define the JAAS
configuration file with DIGEST-MD5 configs like below and there is no
default value for this mechanism.
QuorumServer {
org.apache.zookeeper.server.auth.DigestLoginModule required
user_test1="mypassword";
};
QuorumLearner {
org.apache.zookeeper.server.auth.DigestLoginModule required
user_test2=" mypassword";
};
Populate DIGEST-MD5 user -> password map for the "QuorumServer",
"QuorumLearner" section.
Usernames are distinguished from other options by prefixing the username
with a "user_" prefix.
Hope its clear to you.
Thanks,
Rakesh
On Fri, Dec 13, 2019 at 9:45 PM rammohan ganapavarapu <
rammohanga...@gmail.com> wrote:
> Hi Rakesh,
>
> Right now i am not enabling sasl but i am trying to define all default
> properties and should be able to use them once sasl is enabled with
> override values. So my question is for digest auth do we even need this
> property? i remember seeing i don't set that property it was using the
> default value "zkquorum/localhost".
>
> Thanks,
> Ram
>
> On Thu, Dec 12, 2019 at 11:06 PM Rakesh Radhakrishnan <rake...@apache.org>
> wrote:
>
> > Hi Ram,
> >
> > ZooKeeper Quorum authentication support two schemes, Kerberos or
> > DIGEST-MD5. User has to configure either Kerb or digest configuration
> > values. Both together not required.
> >
> > I'd recommend you to go through Kerberos, digest simulation unit test
> cases
> > where we have valid and invalid scenarios. Hope this would get idea about
> > the required configs.
> >
> >
> >
> https://github.com/apache/zookeeper/blob/master/zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/auth/QuorumDigestAuthTest.java
> >
> >
> https://github.com/apache/zookeeper/blob/master/zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/auth/QuorumKerberosHostBasedAuthTest.java
> >
> > Could you describe the issues that troubles you in setting up quorum
> auth,
> > if any.
> >
> > Thanks,
> > Rakesh
> >
> > On Fri, Dec 13, 2019 at 3:49 AM rammohan ganapavarapu <
> > rammohanga...@gmail.com> wrote:
> >
> > > Hi,
> > >
> > > Even if i enable sasl but md5-diget what should be this property set
> to,
> > > this property only take effect for kerberos or for both?
> > >
> > > Ram
> > >
> > > On Fri, Dec 6, 2019 at 7:55 AM rammohan ganapavarapu <
> > > rammohanga...@gmail.com> wrote:
> > >
> > > > Mate,
> > > >
> > > > Thank you, I did search source code found the same, I am trying to
> > create
> > > > a zoo conf with all default properties.
> > > >
> > > > Ram
> > > >
> > > > On Fri, Dec 6, 2019, 2:44 AM Mate Szalay-Beko
> > > <msza...@cloudera.com.invalid>
> > > > wrote:
> > > >
> > > >> Hi Ram,
> > > >>
> > > >> this parameter is needed to be defined when you want to enable
> secure
> > > >> authentication in the communication between ZooKeeper servers. In
> > > general,
> > > >> the 'principal' is a 'username' what you want your ZooKeeper servers
> > to
> > > >> use
> > > >> when they talk with each other. Ideally you have a central Kereros
> > > service
> > > >> somewhere where this principal is already registered.
> > > >> A kerberos principal is usually in the form of
> > > >> "user_or_service_name/host@realm" (some more explanation:
> > > >> https://ssimo.org/blog/id_016.html)
> > > >>
> > > >> According to the source code, the default value of
> > > >> quorum.auth.kerberos.servicePrincipal is "zkquorum/localhost". But I
> > > think
> > > >> if you don't enable the quorum SASL in ZooKeeper, then this property
> > > will
> > > >> never be actually used.
> > > >>
> > > >> Please see this page about SASL in ZooKeeper:
> > > >>
> > >
> https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+and+SASL
> > > >>
> > > >> I also found a Cloudera blogpost on the topic:
> > > >>
> > > >>
> > >
> >
> https://blog.cloudera.com/hardening-apache-zookeeper-security-sasl-quorum-peer-mutual-authentication-and-authorization/
> > > >>
> > > >> Cheers,
> > > >> Mate
> > > >>
> > > >>
> > > >> On Thu, Dec 5, 2019 at 11:50 PM rammohan ganapavarapu <
> > > >> rammohanga...@gmail.com> wrote:
> > > >>
> > > >> > Hi,
> > > >> >
> > > >> > What is the default value for this property, if i don't enable
> sasl
> > > >> and if
> > > >> > i don't define what will be the value?
> > > >> >
> > > >> > quorum.auth.kerberos.servicePrincipal
> > > >> >
> > > >> > Also what does this means "servicename/_HOST"
> > > >> >
> > > >> > Thanks,
> > > >> > Ram
> > > >> >
> > > >>
> > > >
> > >
> >
>
