You are viewing a plain text version of this content. The canonical link for it is here.

Posted to user@zookeeper.apache.org by Irfan Hamid <ih...@salesforce.com> on 2015/09/10 18:17:03 UTC

Kerberos auth support on the client

Hi,

Here at Salesforce we're trying to roll out ZK to production for
coordinating our search service. One of our requirements is to use Kerberos
auth for ZK <---> client communication. While it seems that on the ZK
server side enabling Kerb auth is straightforward with config options as
given here
<http://www.cloudera.com/content/cloudera/en/documentation/cdh4/v4-2-2/CDH4-Security-Guide/cdh4sg_topic_11_1.html>
by
setting up a JAAS config file with a "Server" section. OTOH I haven't been
able to find anything other than this
<https://ambari.apache.org/1.2.5/installing-hadoop-using-ambari/content/ambari-kerb-2-3-2-2.html>
for the client side, which indicates that having a "Client" section in the
JAAS config might be enough.

Looking at the code I see that the ClientCnxn class does have a switch in
startConnect() that uses ZooKeeperSaslClient. My question is, is setting
the JAAS conf file sufficient to use the ZK client library to connect to a
Kerberised ZK ensemble or is specific code also needed. In the case of the
latter, could someone point me to, e.g., HBase code that does this
authenticated connection?

TIA,
Irfan.