Posted to dev@zookeeper.apache.org by "Himanshu Vashishtha (JIRA)" <ji...@apache.org> on 2012/05/20 08:26:40 UTC

[jira] [Commented] (ZOOKEEPER-1469) Adding Cross-Realm support for secure Zookeeper

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-1469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13279676#comment-13279676 ] 

Himanshu Vashishtha commented on ZOOKEEPER-1469:
------------------------------------------------

Let's say we have two REALMs: ABC.COM, and XYZ.COM. To enable Xrealm authentication, I added principals krbtgt/ABC.COM@XYZ.COM and krbtgt/XYZ.COM@ABC.COM with the -require_preauth attribute, on both the clusters. Apart from that, I needed to modify the zookeeper principal to have the -require_preauth attribute as it was giving a NO PREAUTH error:
{code}
May 19 14:36:46 c1230.hal.cloudera.com krb5kdc[21238](info): TGS_REQ (5 etypes {3 1 23 16 17}) 172.29.81.100: NO PREAUTH: authtime 0,  hbase/c0318.hal.cloudera.com@CLOUDERA.COM for zookeeper/c1230.hal.cloudera.com@HAL.CLOUDERA.COM, Generic error (see e-text)
{code}

I wonder whether this is the right approach, safe or unsafe? Please note that for the HBase replication use case, there can be many-to-many relations... one cluster replicating data to multiple clusters and vice versa.

After enabling Xrealm, I get the following exception:
{code}
2012-05-19 22:47:26,529 [myid:] - ERROR [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:SaslServerCallbackHandler@137] - Failed to set name based on Kerberos authentication rules.
{code}

This is because of the difference in the realm of client and server, and the RULE is set to DEFAULT: in SaslServerCallbackHandler->handleAuthorizeCallback, kerberosName.getShortName() throws an IOException.
                
> Adding Cross-Realm support for secure Zookeeper
> -----------------------------------------------
>
>                 Key: ZOOKEEPER-1469
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1469
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: c client, server
>    Affects Versions: 3.4.3
>            Reporter: Himanshu Vashishtha
>
> There is a use case where one needs to support cross realm authentication for a zookeeper cluster. One use case is HBase Replication: HBase supports replicating data to multiple slave clusters, where the latter might be running in different realms. With current zookeeper security, the region servers of the master HBase cluster are not able to query the zookeeper quorum members of the slave cluster. This jira is about adding such Xrealm support.

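The failure described in the comment comes from how the Hadoop-style KerberosName rules behave: the DEFAULT rule only maps principals whose realm equals the server's own default realm, so a client from another realm matches no rule and getShortName() throws. The following is an added, simplified Python re-implementation of that rule evaluation (it is not ZooKeeper's or Hadoop's code); the default realm and the two principals are taken from the log lines above, while the cross-realm RULE string and the function names are constructed for this illustration.

```python
import re
from typing import List

# Constructed assumption: the ZooKeeper server's realm, taken from the KDC log in the comment.
DEFAULT_REALM = "HAL.CLOUDERA.COM"

# Hadoop-style rule: RULE:[n:format](match-regex)s/pattern/replacement/[g]
RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?$")


class NoMatchingRule(Exception):
    """Mirrors the IOException KerberosName.getShortName() raises when no rule applies."""


def split_principal(principal: str):
    """'service/host@REALM' -> (['service', 'host'], 'REALM')."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name:
        raise ValueError(f"principal without realm: {principal}")
    return name.split("/"), realm


def apply_rules(principal: str, rules: List[str], default_realm: str = DEFAULT_REALM) -> str:
    components, realm = split_principal(principal)
    for rule in rules:
        rule = rule.strip()
        if rule == "DEFAULT":
            # DEFAULT only maps principals from the server's own realm: a client
            # authenticating from another realm falls through to the next rule.
            if realm == default_realm:
                return components[0]
            continue
        m = RULE_RE.match(rule)
        if not m:
            raise ValueError(f"malformed rule: {rule}")
        ncomp, fmt, match_re, sed_pat, sed_rep, sed_g = m.groups()
        if int(ncomp) != len(components):
            continue
        # $0 is the realm, $1..$n are the principal components.
        params = [realm] + components
        candidate = re.sub(r"\$(\d)", lambda mm: params[int(mm.group(1))], fmt)
        if match_re is not None and not re.fullmatch(match_re, candidate):
            continue
        if sed_pat is not None:
            candidate = re.sub(sed_pat, sed_rep, candidate, count=0 if sed_g else 1)
        return candidate
    raise NoMatchingRule(f"No rules applied to {principal}")


# Constructed rule set: explicitly admit 2-component principals from CLOUDERA.COM, then DEFAULT.
CROSS_REALM_RULES = [r"RULE:[2:$1@$0](.*@CLOUDERA\.COM)s/@.*//", "DEFAULT"]
```

With `["DEFAULT"]` alone the HBase principal from the other realm raises NoMatchingRule (the "Failed to set name" condition); with CROSS_REALM_RULES it maps to the short name "hbase" while the server's own principal still maps via DEFAULT.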