Posted to dev@zookeeper.apache.org by "Himanshu Vashishtha (JIRA)" <ji...@apache.org> on 2012/05/20 08:14:40 UTC

[jira] [Created] (ZOOKEEPER-1469) Adding Cross-Realm support for secure Zookeeper

Himanshu Vashishtha created ZOOKEEPER-1469:
----------------------------------------------

             Summary: Adding Cross-Realm support for secure Zookeeper
                 Key: ZOOKEEPER-1469
                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1469
             Project: ZooKeeper
          Issue Type: Bug
          Components: c client, server
    Affects Versions: 3.4.3
            Reporter: Himanshu Vashishtha


There is a use case where one needs to support cross realm authentication for a zookeeper cluster. One use case is HBase Replication: HBase supports replicating data to multiple slave clusters, where the latter might be running in different realms. With current zookeeper security, the region servers of the master HBase cluster are not able to query the zookeeper quorum members of the slave cluster. This jira is about adding such Xrealm support.


--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Resolved] (ZOOKEEPER-1469) Adding Cross-Realm support for secure Zookeeper

Posted by "Himanshu Vashishtha (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/ZOOKEEPER-1469?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Himanshu Vashishtha resolved ZOOKEEPER-1469.
--------------------------------------------

    Resolution: Fixed

I enabled the cross realm hbase replication after adding rules for zookeeper and hadoop. 
So, the steps are:
* Add tgt principals for cross realm: add principals krbtgt/FIRST.COM@SECOND.COM and krbtgt/SECOND.COM@FIRST.COM, in both the realms.
* Add rules in the slave zookeeper quorum to let it create the short names based on the incoming principal, using the system property: -Dzookeeper.security.auth_to_local=RULE:[2:\$1@\$0](.*@\\QFIRST.COM\\E$)s/@\\QFIRST.COM\\E$//DEFAULT
* Add rules in the core-site.xml of the slave cluster hadoop setup:
{code}
<property>
  <name>hadoop.security.auth_to_local</name>
  <value>
    RULE:[2:$1@$0](.*@\QFIRST.COM\E$)s/@\QFIRST.COM\E$//
    DEFAULT
  </value>
</property>
{code}

The above rules are for principals which have both service and instance in them (service/instance@REALM).

Regarding -requires_preauth, it's documented in the MIT docs. But when I used that, I was getting errors to do the same for the zookeeper and hadoop principals too. So I went ahead with the default ones (which require pre_auth). Closing out this jira now.

Thanks to Eugene and Patrick. 

[jira] [Updated] (ZOOKEEPER-1469) Adding Cross-Realm support for secure Zookeeper client authentication

Posted by "Eugene Koontz (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/ZOOKEEPER-1469?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Eugene Koontz updated ZOOKEEPER-1469:
-------------------------------------

    Summary: Adding Cross-Realm support for secure Zookeeper client authentication  (was: Adding Cross-Realm support for secure Zookeeper)

[jira] [Commented] (ZOOKEEPER-1469) Adding Cross-Realm support for secure Zookeeper

Posted by "Himanshu Vashishtha (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/ZOOKEEPER-1469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13280624#comment-13280624 ] 

Himanshu Vashishtha commented on ZOOKEEPER-1469:
------------------------------------------------

The exception is:

{code}
2012-05-21 16:35:11,283 [myid:] - ERROR [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:SaslServerCallbackHandler@137] - Failed to set name based on Kerberos authentication rules.org.apache.zookeeper.server.auth.KerberosName$NoMatchingRule: No rules applied to hbase/c0319.hal.cloudera.com@CLOUDERA.COM
{code}

[jira] [Updated] (ZOOKEEPER-1469) Adding Cross-Realm support for secure Zookeeper

Posted by "Jeff Hammerbacher (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/ZOOKEEPER-1469?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jeff Hammerbacher updated ZOOKEEPER-1469:
-----------------------------------------

    Issue Type: Improvement  (was: Bug)

[jira] [Commented] (ZOOKEEPER-1469) Adding Cross-Realm support for secure Zookeeper

Posted by "Patrick Hunt (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/ZOOKEEPER-1469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13280463#comment-13280463 ] 

Patrick Hunt commented on ZOOKEEPER-1469:
-----------------------------------------

ZooKeeper supports rule specification for short name mapping similar to Hadoop via "zookeeper.security.auth_to_local" - I'm wondering if we could take advantage of that here?

[jira] [Commented] (ZOOKEEPER-1469) Adding Cross-Realm support for secure Zookeeper

Posted by "Eugene Koontz (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/ZOOKEEPER-1469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13280637#comment-13280637 ] 

Eugene Koontz commented on ZOOKEEPER-1469:
------------------------------------------

Thanks Himanshu - can you try setting zookeeper.security.auth_to_local to [2:$1] - see : https://ccp.cloudera.com/display/CDHDOC/Appendix+C+-+Configuring+the+Mapping+from+Kerberos+Principals+to+Short+Names

-Eugene

[jira] [Commented] (ZOOKEEPER-1469) Adding Cross-Realm support for secure Zookeeper

Posted by "Himanshu Vashishtha (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/ZOOKEEPER-1469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13280663#comment-13280663 ] 

Himanshu Vashishtha commented on ZOOKEEPER-1469:
------------------------------------------------

Thanks Eugene.
Adding a rule for that realm worked, and I am able to connect a Regionserver of a slave cluster (which means the request 'ls /hbase/rs' was served successfully).

@Eugene: It will be good to know the repercussions of setting the -requires_preauth attribute on the zookeeper principal. Without this change, I was getting a NO PREAUTH error in the kerberos logs.

[jira] [Commented] (ZOOKEEPER-1469) Adding Cross-Realm support for secure Zookeeper

Posted by "Eugene Koontz (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/ZOOKEEPER-1469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13280581#comment-13280581 ] 

Eugene Koontz commented on ZOOKEEPER-1469:
------------------------------------------

Hi Himanshu, I'm adding a patch to this JIRA to print out the exception that was thrown in your log statement above; could you try applying this patch and let me know what additional information is shown in your testing scenario?

Thanks, Eugene

[jira] [Updated] (ZOOKEEPER-1469) Adding Cross-Realm support for secure Zookeeper client authentication

Posted by "Mahadev konar (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/ZOOKEEPER-1469?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mahadev konar updated ZOOKEEPER-1469:
-------------------------------------

    Fix Version/s:     (was: 3.4.4)

Moving it out of 3.4 release. 

[jira] [Reopened] (ZOOKEEPER-1469) Adding Cross-Realm support for secure Zookeeper

Posted by "Patrick Hunt (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/ZOOKEEPER-1469?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Patrick Hunt reopened ZOOKEEPER-1469:
-------------------------------------

      Assignee: Eugene Koontz

We should document this. Eugene can you do this? thx.

[jira] [Commented] (ZOOKEEPER-1469) Adding Cross-Realm support for secure Zookeeper

Posted by "Patrick Hunt (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/ZOOKEEPER-1469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13286134#comment-13286134 ] 

Patrick Hunt commented on ZOOKEEPER-1469:
-----------------------------------------

Yes, seems like updating the cwiki with a new section would work.

[jira] [Commented] (ZOOKEEPER-1469) Adding Cross-Realm support for secure Zookeeper

Posted by "Eugene Koontz (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/ZOOKEEPER-1469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13286120#comment-13286120 ] 

Eugene Koontz commented on ZOOKEEPER-1469:
------------------------------------------

No problem to document this (this would be in the cwiki, I assume, like https://cwiki.apache.org/ZOOKEEPER/zookeeper-and-sasl.html). 

Thanks Himanshu for the writeup of your working configuration!

[jira] [Commented] (ZOOKEEPER-1469) Adding Cross-Realm support for secure Zookeeper client authentication

Posted by "Mahadev konar (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/ZOOKEEPER-1469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13451641#comment-13451641 ] 

Mahadev konar commented on ZOOKEEPER-1469:
------------------------------------------

Eugene, 
 Looks like you forgot to add to the wiki. Can you please do that? We can go ahead and close this jira then.

thanks

[jira] [Commented] (ZOOKEEPER-1469) Adding Cross-Realm support for secure Zookeeper

Posted by "Himanshu Vashishtha (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/ZOOKEEPER-1469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13279676#comment-13279676 ] 

Himanshu Vashishtha commented on ZOOKEEPER-1469:
------------------------------------------------

Let's say we have two REALMs: ABC.COM, and XYZ.COM. To enable Xrealm authentication, I added principals krbtgt/ABC.COM@XYZ.COM and krbtgt/XYZ.COM@ABC.COM with -require_preauth attribute, on both the clusters. Apart from that, I needed to modify the zookeeper principal to have -require_preauth attribute as it was giving a NO PREAUTH error:
{code}
May 19 14:36:46 c1230.hal.cloudera.com krb5kdc[21238](info): TGS_REQ (5 etypes {3 1 23 16 17}) 172.29.81.100: NO PREAUTH: authtime 0,  hbase/c0318.hal.cloudera.com@CLOUDERA.COM for zookeeper/c1230.hal.cloudera.com@HAL.CLOUDERA.COM, Generic error (see e-text)
{code}

I wonder whether this is the right approach, safe or unsafe? Please note that for the HBase replication use case there can be a many-to-many relation: one cluster replicating data to multiple clusters and vice versa.

After enabling Xrealm, I get the following exception:
{code}
2012-05-19 22:47:26,529 [myid:] - ERROR [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:SaslServerCallbackHandler@137] - Failed to set name based on Kerberos authentication rules.
{code}

This is because of the difference in the realm of client and server, and the RULE is set to DEFAULT: In the SaslServerCallbackHandler->handleAuthorizeCallback, kerberosName.getShortName() throws an IOException.
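The failure described here, and the rule set that fixed it in the resolution comment above, can be walked through with an added example (not code from the ticket or from the ZooKeeper project) that re-implements the auth_to_local rule evaluation in Python. Realm names are the ticket's FIRST.COM/SECOND.COM; host names are constructed, and the rule text is the unescaped core-site.xml form. It shows why DEFAULT alone throws NoMatchingRule for a principal from the other realm, that the realm-scoped rule admits only FIRST.COM, and that the plain [2:$1] rule suggested earlier in the thread maps a principal from any realm the KDC trusts.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

class NoMatchingRule(Exception):
    """No auth_to_local rule produced a short name (KerberosName$NoMatchingRule)."""

# Rule grammar shared by hadoop.security.auth_to_local and zookeeper.security.auth_to_local:
#   DEFAULT  |  RULE:[<n>:<format>](<regex>)s/<pattern>/<replacement>/g   (regex and sed optional)
_RULE_RE = re.compile(
    r"^\s*(?:(DEFAULT)|RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?)\s*")
_JAVA_QUOTE_RE = re.compile(r"\\Q(.*?)\\E")

def java_regex_to_python(pattern: str) -> str:
    """Java's \\Q...\\E literal quoting (used in the ticket's rule) is unknown to Python's re."""
    return _JAVA_QUOTE_RE.sub(lambda m: re.escape(m.group(1)), pattern)

def _compile(pattern: Optional[str]) -> Optional[re.Pattern]:
    return re.compile(java_regex_to_python(pattern)) if pattern is not None else None

@dataclass
class Rule:
    is_default: bool
    num_components: int = 0
    fmt: str = ""
    match: Optional[re.Pattern] = None
    sed_from: Optional[re.Pattern] = None
    sed_to: str = ""
    sed_global: bool = False

    def apply(self, components: List[str], realm: str, local_realm: str) -> Optional[str]:
        """Short name this rule yields for the principal, or None if the rule does not apply."""
        if self.is_default:
            # DEFAULT only knows the server's own realm: a foreign-realm principal falls through,
            # which is the "No rules applied to ..." failure seen in the ticket.
            return components[0] if realm == local_realm else None
        if len(components) != self.num_components:
            return None
        name = self.fmt  # $0 is the realm, $1..$n the principal components (service, instance)
        for i, part in enumerate([realm] + components):
            name = name.replace("$%d" % i, part)
        if self.match is not None and not self.match.fullmatch(name):
            return None
        if self.sed_from is not None:
            name = self.sed_from.sub(self.sed_to, name, count=0 if self.sed_global else 1)
        return name

def parse_rules(text: str) -> List[Rule]:
    """Parse a whitespace-separated rule list such as the core-site.xml value in the ticket."""
    rules, rest = [], text
    while rest.strip():
        m = _RULE_RE.match(rest)
        if not m:
            raise ValueError("Invalid auth_to_local rule near: " + rest.strip())
        if m.group(1):
            rules.append(Rule(is_default=True))
        else:
            rules.append(Rule(False, int(m.group(2)), m.group(3), _compile(m.group(4)),
                              _compile(m.group(5)), m.group(6) or "", m.group(7) == "g"))
        rest = rest[m.end():]
    return rules

def short_name(principal: str, rules: List[Rule], local_realm: str) -> str:
    """The mapping SaslServerCallbackHandler requests via KerberosName.getShortName()."""
    name, realm = principal.rsplit("@", 1) if "@" in principal else (principal, "")
    components = name.split("/")
    for rule in rules:
        result = rule.apply(components, realm, local_realm)
        if result is not None:
            return result
    raise NoMatchingRule("No rules applied to " + principal)

# Constructed scenario: the slave quorum runs in SECOND.COM and must admit HBase region
# servers from FIRST.COM. Host names are made up; the rule text is the one from the ticket.
LOCAL_REALM = "SECOND.COM"
DEFAULT_ONLY = "DEFAULT"        # what the failing setup effectively had
XREALM_RULES = r"""
RULE:[2:$1@$0](.*@\QFIRST.COM\E$)s/@\QFIRST.COM\E$//
DEFAULT
"""
REALM_AGNOSTIC = "RULE:[2:$1]"  # the first suggestion in the thread: no realm check at all

def try_map(principal: str, rules_text: str, local_realm: str = LOCAL_REALM) -> str:
    try:
        return short_name(principal, parse_rules(rules_text), local_realm)
    except NoMatchingRule as exc:
        return "ERROR: " + str(exc)

if __name__ == "__main__":
    foreign, other = "hbase/rs1.first.example@FIRST.COM", "hbase/rs9.third.example@THIRD.COM"
    print("DEFAULT only, FIRST.COM :", try_map(foreign, DEFAULT_ONLY))  # the logged failure
    print("xrealm rule,  FIRST.COM :", try_map(foreign, XREALM_RULES))  # hbase
    print("xrealm rule,  THIRD.COM :", try_map(other, XREALM_RULES))    # still rejected here
    print("[2:$1],       THIRD.COM :", try_map(other, REALM_AGNOSTIC))  # hbase from any realm
```

The difference between the last two lines is the point for the slave quorum: with the realm-scoped rule, auth_to_local acts as a second filter on top of the krbtgt trust, while [2:$1] accepts whatever the KDC cross-realm trust lets through.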

[jira] [Updated] (ZOOKEEPER-1469) Adding Cross-Realm support for secure Zookeeper

Posted by "Eugene Koontz (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/ZOOKEEPER-1469?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Eugene Koontz updated ZOOKEEPER-1469:
-------------------------------------

    Attachment: SaslServerCallBackHandlerException.patch

print exception thrown from kerberosName.getShortName().

[jira] [Updated] (ZOOKEEPER-1469) Adding Cross-Realm support for secure Zookeeper

Posted by "Patrick Hunt (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/ZOOKEEPER-1469?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Patrick Hunt updated ZOOKEEPER-1469:
------------------------------------

      Component/s:     (was: server)
                       (was: c client)
                   documentation
    Fix Version/s: 3.5.0
                   3.4.4

[jira] [Commented] (ZOOKEEPER-1469) Adding Cross-Realm support for secure Zookeeper

Posted by "Eugene Koontz (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/ZOOKEEPER-1469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13280672#comment-13280672 ] 

Eugene Koontz commented on ZOOKEEPER-1469:
------------------------------------------

With regard to -requires_preauth, I need to study it further and try to reproduce your secure HBase replication setup. We should document within the HBase docs what you've accomplished - perhaps an HBase JIRA is warranted similar to https://issues.apache.org/jira/browse/HBASE-4960.

[jira] [Commented] (ZOOKEEPER-1469) Adding Cross-Realm support for secure Zookeeper

Posted by "Andrew Purtell (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/ZOOKEEPER-1469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13279818#comment-13279818 ] 

Andrew Purtell commented on ZOOKEEPER-1469:
-------------------------------------------

I think this issue should be an improvement, not a bug. The proposal extends current functionality to handle additional use cases not scoped for the initial work. 

[jira] [Commented] (ZOOKEEPER-1469) Adding Cross-Realm support for secure Zookeeper

Posted by "Eugene Koontz (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/ZOOKEEPER-1469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13280666#comment-13280666 ] 

Eugene Koontz commented on ZOOKEEPER-1469:
------------------------------------------

Hey, great to hear that! Patrick deserves the credit for suggesting setting auth_to_local. :) 

What shall we do with this JIRA now?

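The auth_to_local setting that Eugene credits to Patrick in the comment above is what lets a service in one realm accept a principal issued by another realm and turn it into a local short name. The block below is an added example, not code from the ZooKeeper or HBase projects or from anyone in this thread: a small Python evaluator modelled on the Hadoop hadoop.security.auth_to_local rule language (RULE:[n:string](regexp)s/pattern/replacement/g and DEFAULT), which is assumed to be the auth_to_local the thread has in mind for the HBase side. The realm names FIRST.COM and SECOND.COM follow the krbtgt example earlier in the thread; the principals and rule sets are constructed. It also shows the check a reviewer of such a rule wants: a regexp like (.*@SECOND\.COM) hands every service principal of the remote realm a local identity, so the rule should name exactly the cross-realm principal being admitted.

```python
import re

# Added example: a minimal evaluator for Hadoop-style auth_to_local rules.
# Assumption: the rule language is that of hadoop.security.auth_to_local.
# Java-style $n backreferences in the replacement are translated to Python \n
# so rules can be written the way they appear in Hadoop configs.
#
#   RULE:[n:string](regexp)s/pattern/replacement/g
#   DEFAULT
#
# n           number of components the principal must have (user@R is 1, svc/host@R is 2)
# string      template in which $0 is the realm and $1..$n are the components
# regexp      must match the whole formatted string for the rule to fire
# s/.../.../  sed-style substitution that yields the local short name

DEFAULT_REALM = "FIRST.COM"   # constructed: the realm of the cluster doing the mapping

_RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]+)\](?:\(([^)]+)\))?(?:s/([^/]+)/([^/]*)/(g)?)?$"
)


class NoMatchingRule(Exception):
    """No rule produced a simple (no '@', no '/') local name."""


def parse_principal(principal):
    """Split 'svc/host@REALM' into (['svc', 'host'], 'REALM')."""
    if "@" in principal:
        name, realm = principal.rsplit("@", 1)
    else:
        name, realm = principal, DEFAULT_REALM   # no realm given: treat as local
    return name.split("/"), realm


def parse_rule(rule):
    """Return None for DEFAULT, else (n, template, regexp, sed_from, sed_to, global)."""
    if rule == "DEFAULT":
        return None
    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError("malformed auth_to_local rule: %r" % rule)
    n, template, regexp, sed_from, sed_to, g = m.groups()
    return int(n), template, regexp, sed_from, sed_to, g == "g"


def apply_rule(parsed, components, realm, default_realm):
    """Apply one parsed rule; return the short name, or None if the rule does not fire."""
    if parsed is None:                          # DEFAULT: local realm only, first component
        return components[0] if realm == default_realm else None
    n, template, regexp, sed_from, sed_to, glob = parsed
    if len(components) != n:                    # wrong component count: rule is skipped
        return None
    params = [realm] + components

    def expand(m):
        idx = int(m.group(1))
        if idx >= len(params):
            raise ValueError("rule uses $%d but principal has only %d components" % (idx, n))
        return params[idx]

    formatted = re.sub(r"\$(\d)", expand, template)
    if regexp is not None and re.fullmatch(regexp, formatted) is None:
        return None
    if sed_from is None:
        return formatted
    replacement = re.sub(r"\$(\d)", r"\\\1", sed_to)   # Java $1 -> Python \1
    return re.sub(sed_from, replacement, formatted, count=0 if glob else 1)


def map_principal(principal, rules, default_realm=DEFAULT_REALM):
    """Map a Kerberos principal to a local short name using the first rule that fires."""
    components, realm = parse_principal(principal)
    for rule in rules:
        short = apply_rule(parse_rule(rule), components, realm, default_realm)
        if short is not None:
            if "@" in short or "/" in short:
                raise NoMatchingRule("non-simple name %r produced for %r" % (short, principal))
            return short
    raise NoMatchingRule("no auth_to_local rule matched %r" % principal)


def try_map(principal, rules, default_realm=DEFAULT_REALM):
    """map_principal that returns None instead of raising, for tabulating results."""
    try:
        return map_principal(principal, rules, default_realm)
    except NoMatchingRule:
        return None


# Constructed rule sets. TIGHT admits only the HBase service principal of the
# replication peer's realm; LOOSE admits every two-component principal from
# SECOND.COM, so a compromised peer KDC could present hdfs/..., zookeeper/... too.
TIGHT_RULES = [r"RULE:[2:$1@$0](hbase@SECOND\.COM)s/@.*//", "DEFAULT"]
LOOSE_RULES = [r"RULE:[2:$1@$0](.*@SECOND\.COM)s/@.*//", "DEFAULT"]

SAMPLE_PRINCIPALS = [                           # constructed, not from the thread
    "hbase/rs1.second.com@SECOND.COM",          # the replication peer we want to admit
    "hdfs/nn1.second.com@SECOND.COM",           # a remote service we do not want to admit
    "zookeeper/zk1.first.com@FIRST.COM",        # a local service, handled by DEFAULT
    "alice@SECOND.COM",                         # one-component remote user
]

if __name__ == "__main__":
    for p in SAMPLE_PRINCIPALS:
        print("%-36s tight=%-10s loose=%s" % (p, try_map(p, TIGHT_RULES), try_map(p, LOOSE_RULES)))
```

Run stand-alone it prints one row per constructed principal under each rule set: with TIGHT_RULES only hbase/... from SECOND.COM and the local FIRST.COM service map to a name, while LOOSE_RULES also maps hdfs/... from the peer realm to the local user hdfs. The cross-realm trust established by the krbtgt principals means you are trusting the peer KDC for whatever the regexp admits, so keep the regexp as narrow as the first rule set. Note that this models the Hadoop/HBase side; the ZooKeeper 3.4 server's own SASL callback handler strips host and realm through the kerberos.removeHostFromPrincipal and kerberos.removeRealmFromPrincipal properties rather than through this rule language.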