Posted to user@zookeeper.apache.org by rammohan ganapavarapu <ra...@gmail.com> on 2019/12/05 22:49:47 UTC

default value for quorum.auth.kerberos.servicePrincipal

Hi,

What is the default value for this property? If I don't enable SASL and if
I don't define it, what will the value be?

quorum.auth.kerberos.servicePrincipal

Also, what does "servicename/_HOST" mean?

Thanks,
Ram

Re: default value for quorum.auth.kerberos.servicePrincipal

Posted by rammohan ganapavarapu <ra...@gmail.com>.
OK, thank you!

On Tue, Dec 17, 2019 at 7:32 PM Rakesh Radhakrishnan <ra...@apache.org>
wrote:

> As the name says, "quorum.auth.kerberos.servicePrincipal" property is
> specifically for Kerberos based quorum authentication and no need to set
> anything if you are enabling digest-md5.
>
> Like mentioned earlier, its default value is "zkquorum/localhost" and it
> will never be used if you configure/enable digest-md5.
>
> Thanks,
> Rakesh

Re: default value for quorum.auth.kerberos.servicePrincipal

Posted by Rakesh Radhakrishnan <ra...@apache.org>.
As the name says, the "quorum.auth.kerberos.servicePrincipal" property is
specifically for Kerberos-based quorum authentication and there is no need to set
anything if you are enabling digest-md5.

As mentioned earlier, its default value is "zkquorum/localhost" and it
will never be used if you configure/enable digest-md5.

Thanks,
Rakesh

On Mon, Dec 16, 2019 at 7:14 PM rammohan ganapavarapu <
rammohanganap@gmail.com> wrote:

> "quorum.auth.kerberos.servicePrincipal" this one

Re: default value for quorum.auth.kerberos.servicePrincipal

Posted by rammohan ganapavarapu <ra...@gmail.com>.
"quorum.auth.kerberos.servicePrincipal" this one

On Sun, Dec 15, 2019, 9:33 PM Rakesh Radhakrishnan <ra...@apache.org>
wrote:

> OK, got it.
>
> >>>> Even if i enable sasl but md5-diget what should be this property set
> to,
> Could you please name the specific property you are referring.
>
> Hope you are talking about "DIGEST-MD5" mechanism ? String[] mechs = {
> "DIGEST-MD5" };
>
> Presently the execution flow is that, if there is
> no subject.getPrincipals() in jaas config then it must not be GSSAPI and
> fallback to check DIGEST-MD5 details in jaas config.
> Whenever user want to enable DIGEST-MD5, they have to define the JAAS
> configuration file with DIGEST-MD5 configs like below and there is no
> default value for this mechanism.
>      QuorumServer {
>        org.apache.zookeeper.server.auth.DigestLoginModule required
>        user_test1="mypassword";
>      };
>
>     QuorumLearner {
>        org.apache.zookeeper.server.auth.DigestLoginModule required
>        user_test2=" mypassword";
>      };
>
> Populate DIGEST-MD5 user -> password map for the "QuorumServer",
> "QuorumLearner" section.
> Usernames are distinguished from other options by prefixing the username
> with a "user_" prefix.
>
> Hope its clear to you.
>
> Thanks,
> Rakesh

Re: default value for quorum.auth.kerberos.servicePrincipal

Posted by Rakesh Radhakrishnan <ra...@apache.org>.
OK, got it.

> Even if I enable sasl but md5-digest what should be this property set to,

Could you please name the specific property you are referring to?

Hope you are talking about the "DIGEST-MD5" mechanism? String[] mechs = {
"DIGEST-MD5" };

Presently the execution flow is that, if there is
no subject.getPrincipals() in jaas config then it must not be GSSAPI and
it falls back to check DIGEST-MD5 details in jaas config.
Whenever a user wants to enable DIGEST-MD5, they have to define the JAAS
configuration file with DIGEST-MD5 configs like below and there is no
default value for this mechanism.

     QuorumServer {
       org.apache.zookeeper.server.auth.DigestLoginModule required
       user_test1="mypassword";
     };

     QuorumLearner {
       org.apache.zookeeper.server.auth.DigestLoginModule required
       user_test2=" mypassword";
     };

Populate DIGEST-MD5 user -> password map for the "QuorumServer",
"QuorumLearner" section.
Usernames are distinguished from other options by prefixing the username
with a "user_" prefix.

Hope it's clear to you.

Thanks,
Rakesh

On Fri, Dec 13, 2019 at 9:45 PM rammohan ganapavarapu <
rammohanganap@gmail.com> wrote:

> Hi Rakesh,
>
> Right now i am not enabling sasl but i am trying to define all default
> properties and should be able to use them once sasl is enabled with
> override values. So my question is for digest auth do we even need this
> property? i remember seeing i don't set that property it was using the
> default value "zkquorum/localhost".
>
> Thanks,
> Ram
>
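
Added example, not part of the thread and not ZooKeeper code: a small Python check over a zoo.cfg and a JAAS file that reports when quorum.auth.kerberos.servicePrincipal is actually in play, following the rules given in the message above. The sample configs are constructed; inferring the mechanism from the login module class name is a simplification of the runtime check, and the learner username/password options are assumed to follow ZooKeeper's documented digest setup.

```python
import re

DEFAULT_PRINCIPAL = "zkquorum/localhost"  # default value quoted in the thread
SECTION_RE = re.compile(r"(\w+)\s*\{(.*?)\}\s*;", re.S)
OPTION_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def parse_properties(text):
    """Parse zoo.cfg style key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def parse_jaas(text):
    """Return {section: {"module": class name, "options": quoted options}}."""
    sections = {}
    for name, body in SECTION_RE.findall(text):
        tokens = body.split()
        sections[name] = {"module": tokens[0] if tokens else "",
                          "options": dict(OPTION_RE.findall(body))}
    return sections


def mechanism(section):
    """Simplification: infer the SASL mechanism from the login module class."""
    if section is None:
        return None
    if section["module"].endswith("Krb5LoginModule"):
        return "GSSAPI"
    if section["module"].endswith("DigestLoginModule"):
        return "DIGEST-MD5"
    return "UNKNOWN"


def lint(zoo_cfg, jaas):
    """Return (code, message) findings for a quorum-auth configuration."""
    props, sections = parse_properties(zoo_cfg), parse_jaas(jaas)
    principal = props.get("quorum.auth.kerberos.servicePrincipal")
    effective = principal or DEFAULT_PRINCIPAL
    if props.get("quorum.auth.enableSasl", "false").lower() != "true":
        return [("sasl-disabled", f"quorum SASL is off; {effective!r} is never used")]
    findings = []
    server_ctx = props.get("quorum.auth.server.saslLoginContext", "QuorumServer")
    learner_ctx = props.get("quorum.auth.learner.saslLoginContext", "QuorumLearner")
    server, learner = sections.get(server_ctx), sections.get(learner_ctx)
    for ctx, section in ((server_ctx, server), (learner_ctx, learner)):
        if section is None:
            findings.append(("missing-section", f"no JAAS section named {ctx}"))
    mechs = {mechanism(server), mechanism(learner)} - {None}
    if len(mechs) > 1:
        findings.append(("mixed-mechanisms", f"sections disagree: {sorted(mechs)}"))
    if "GSSAPI" in mechs and effective == DEFAULT_PRINCIPAL:
        findings.append(("kerberos-default-principal",
                         "Kerberos is in use but servicePrincipal is still the default"))
    if server and learner and mechs == {"DIGEST-MD5"}:
        if principal is not None:
            findings.append(("principal-unused",
                             "servicePrincipal is set but DIGEST-MD5 never reads it"))
        # Server side: user_<name>="<password>" entries form the user -> password map.
        users = {k[len("user_"):]: v for k, v in server["options"].items()
                 if k.startswith("user_")}
        name = learner["options"].get("username")
        if name is None:
            findings.append(("learner-no-username", "learner section has no username"))
        elif users.get(name) != learner["options"].get("password"):
            findings.append(("digest-mismatch",
                             f"learner credentials for {name!r} do not match the server map"))
    return findings


def codes(findings):
    return [code for code, _ in findings]


# Constructed sample inputs (not taken from a real deployment).
CFG_OFF = "tickTime=2000\ndataDir=/var/lib/zookeeper\n"
CFG_DIGEST = ("quorum.auth.enableSasl=true\n"
              "quorum.auth.kerberos.servicePrincipal=zkquorum/localhost\n")
CFG_KRB = "quorum.auth.enableSasl=true\n"
DIGEST = "org.apache.zookeeper.server.auth.DigestLoginModule required"
JAAS_DIGEST_OK = (f'QuorumServer {{ {DIGEST} user_test="mypassword"; }};\n'
                  f'QuorumLearner {{ {DIGEST} username="test" password="mypassword"; }};\n')
# Same as above, but with a stray leading space inside the learner password.
JAAS_DIGEST_BAD = JAAS_DIGEST_OK.replace('password="mypassword"', 'password=" mypassword"')
KRB = ('com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true '
       'keyTab="/path/to/zkquorum.keytab" principal="zkquorum/zk1.example.com@EXAMPLE.COM"')
JAAS_KRB = f"QuorumServer {{ {KRB}; }};\nQuorumLearner {{ {KRB}; }};\n"

if __name__ == "__main__":
    for cfg, jaas in ((CFG_OFF, JAAS_DIGEST_OK), (CFG_DIGEST, JAAS_DIGEST_BAD),
                      (CFG_KRB, JAAS_KRB)):
        print(lint(cfg, jaas))
```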

Re: default value for quorum.auth.kerberos.servicePrincipal

Posted by rammohan ganapavarapu <ra...@gmail.com>.
Hi Rakesh,

Right now I am not enabling sasl but I am trying to define all default
properties and should be able to use them once sasl is enabled with
override values. So my question is, for digest auth do we even need this
property? I remember seeing that if I don't set that property it was using the
default value "zkquorum/localhost".

Thanks,
Ram

On Thu, Dec 12, 2019 at 11:06 PM Rakesh Radhakrishnan <ra...@apache.org>
wrote:

> Hi Ram,
>
> ZooKeeper Quorum authentication support two schemes, Kerberos or
> DIGEST-MD5. User has to configure either Kerb or digest configuration
> values. Both together not required.
>
> I'd recommend you to go through Kerberos, digest simulation unit test cases
> where we have valid and invalid scenarios. Hope this would get idea about
> the required configs.
>
>
> https://github.com/apache/zookeeper/blob/master/zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/auth/QuorumDigestAuthTest.java
>
> https://github.com/apache/zookeeper/blob/master/zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/auth/QuorumKerberosHostBasedAuthTest.java
>
> Could you describe the issues that troubles you in setting up quorum auth,
> if any.
>
> Thanks,
> Rakesh

Re: default value for quorum.auth.kerberos.servicePrincipal

Posted by Rakesh Radhakrishnan <ra...@apache.org>.
Hi Ram,

ZooKeeper Quorum authentication supports two schemes, Kerberos or
DIGEST-MD5. The user has to configure either Kerb or digest configuration
values. Both together are not required.

I'd recommend you go through the Kerberos and digest simulation unit test cases,
where we have valid and invalid scenarios. Hope this would give you an idea about
the required configs.

https://github.com/apache/zookeeper/blob/master/zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/auth/QuorumDigestAuthTest.java
https://github.com/apache/zookeeper/blob/master/zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/auth/QuorumKerberosHostBasedAuthTest.java

Could you describe the issues that trouble you in setting up quorum auth,
if any?

Thanks,
Rakesh

On Fri, Dec 13, 2019 at 3:49 AM rammohan ganapavarapu <
rammohanganap@gmail.com> wrote:

> Hi,
>
> Even if i enable sasl but md5-diget what should be this property set to,
> this property only take effect for kerberos or for both?
>
> Ram

Re: default value for quorum.auth.kerberos.servicePrincipal

Posted by rammohan ganapavarapu <ra...@gmail.com>.
Hi,

Even if I enable sasl but md5-digest, what should this property be set to?
Does this property only take effect for kerberos or for both?

Ram

On Fri, Dec 6, 2019 at 7:55 AM rammohan ganapavarapu <
rammohanganap@gmail.com> wrote:

> Mate,
>
> Thank you, I did search source code found the same, I am trying to create
> a zoo conf with all default properties.
>
> Ram
>
> On Fri, Dec 6, 2019, 2:44 AM Mate Szalay-Beko <ms...@cloudera.com.invalid>
> wrote:
>
>> Hi Ram,
>>
>> This parameter is needed to be defined when you want to enable secure
>> authentication in the communication between ZooKeeper servers. In general,
>> the 'principal' is a 'username' that you want your ZooKeeper servers to use
>> when they talk with each other. Ideally you have a central Kerberos service
>> somewhere where this principal is already registered.
>> A Kerberos principal is usually in the form of
>> "user_or_service_name/host@realm" (some more explanation:
>> https://ssimo.org/blog/id_016.html)
>>
>> According to the source code, the default value of
>> quorum.auth.kerberos.servicePrincipal is "zkquorum/localhost". But I think
>> if you don't enable the quorum SASL in ZooKeeper, then this property will
>> never be actually used.
>>
>> Please see this page about SASL in ZooKeeper:
>> https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+and+SASL
>>
>> I also found a Cloudera blogpost on the topic:
>>
>> https://blog.cloudera.com/hardening-apache-zookeeper-security-sasl-quorum-peer-mutual-authentication-and-authorization/
>>
>> Cheers,
>> Mate
>>
>>
>> On Thu, Dec 5, 2019 at 11:50 PM rammohan ganapavarapu <
>> rammohanganap@gmail.com> wrote:
>>
>> > Hi,
>> >
>> > What is the default value for this property, if I don't enable sasl
>> > and if I don't define what will be the value?
>> >
>> > quorum.auth.kerberos.servicePrincipal
>> >
>> > Also what does this mean "servicename/_HOST"
>> >
>> > Thanks,
>> > Ram
>> >
>>
>

Re: default value for quorum.auth.kerberos.servicePrincipal

Posted by rammohan ganapavarapu <ra...@gmail.com>.
Mate,

Thank you, I did search the source code and found the same. I am trying to
create a zoo conf with all default properties.

Ram

On Fri, Dec 6, 2019, 2:44 AM Mate Szalay-Beko <ms...@cloudera.com.invalid>
wrote:

> Hi Ram,
>
> This parameter is needed to be defined when you want to enable secure
> authentication in the communication between ZooKeeper servers. In general,
> the 'principal' is a 'username' that you want your ZooKeeper servers to use
> when they talk with each other. Ideally you have a central Kerberos service
> somewhere where this principal is already registered.
> A Kerberos principal is usually in the form of
> "user_or_service_name/host@realm" (some more explanation:
> https://ssimo.org/blog/id_016.html)
>
> According to the source code, the default value of
> quorum.auth.kerberos.servicePrincipal is "zkquorum/localhost". But I think
> if you don't enable the quorum SASL in ZooKeeper, then this property will
> never be actually used.
>
> Please see this page about SASL in ZooKeeper:
> https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+and+SASL
>
> I also found a Cloudera blogpost on the topic:
>
> https://blog.cloudera.com/hardening-apache-zookeeper-security-sasl-quorum-peer-mutual-authentication-and-authorization/
>
> Cheers,
> Mate
>
>
> On Thu, Dec 5, 2019 at 11:50 PM rammohan ganapavarapu <
> rammohanganap@gmail.com> wrote:
>
> > Hi,
> >
> > What is the default value for this property, if I don't enable sasl and
> > if I don't define what will be the value?
> >
> > quorum.auth.kerberos.servicePrincipal
> >
> > Also what does this mean "servicename/_HOST"
> >
> > Thanks,
> > Ram
> >
>

Re: default value for quorum.auth.kerberos.servicePrincipal

Posted by Mate Szalay-Beko <ms...@cloudera.com.INVALID>.
Hi Ram,

This parameter is needed to be defined when you want to enable secure
authentication in the communication between ZooKeeper servers. In general,
the 'principal' is a 'username' that you want your ZooKeeper servers to use
when they talk with each other. Ideally you have a central Kerberos service
somewhere where this principal is already registered.
A Kerberos principal is usually in the form of
"user_or_service_name/host@realm" (some more explanation:
https://ssimo.org/blog/id_016.html)

According to the source code, the default value of
quorum.auth.kerberos.servicePrincipal is "zkquorum/localhost". But I think
if you don't enable the quorum SASL in ZooKeeper, then this property will
never be actually used.

Please see this page about SASL in ZooKeeper:
https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+and+SASL

I also found a Cloudera blogpost on the topic:
https://blog.cloudera.com/hardening-apache-zookeeper-security-sasl-quorum-peer-mutual-authentication-and-authorization/

Cheers,
Mate


On Thu, Dec 5, 2019 at 11:50 PM rammohan ganapavarapu <
rammohanganap@gmail.com> wrote:

> Hi,
>
> What is the default value for this property, if I don't enable sasl and if
> I don't define what will be the value?
>
> quorum.auth.kerberos.servicePrincipal
>
> Also what does this mean "servicename/_HOST"
>
> Thanks,
> Ram
>
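
Added example (not part of the thread and not ZooKeeper's own code): a small zoo.cfg check that shows when quorum.auth.kerberos.servicePrincipal is actually used, what it resolves to per peer, and which settings leave quorum SASL unenforced. It assumes "_HOST" is replaced with the hostname from each server.N line and that the Kerberos-versus-DIGEST-MD5 choice (made in the JAAS file) is passed in as the hypothetical `kerberos` argument; the sample config and hostnames are constructed.

```python
import re

# Default value as stated in the thread; property names are ZooKeeper's quorum SASL keys.
DEFAULT_PRINCIPAL = "zkquorum/localhost"

# Constructed sample zoo.cfg (hostnames are made up).
SAMPLE_CFG = """
server.1=zk1.example.com:2888:3888
server.2=zk2.example.com:2888:3888
quorum.auth.enableSasl=true
quorum.auth.learnerRequireSasl=true
quorum.auth.serverRequireSasl=true
quorum.auth.kerberos.servicePrincipal=zkquorum/_HOST
"""

def parse_cfg(text):
    """Parse zoo.cfg-style key=value lines, skipping blanks and # comments."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def is_true(cfg, key):
    return cfg.get(key, "false").lower() == "true"

def effective_principals(cfg, kerberos=True):
    """Map each peer host to the principal used for it; {} when the property is unused."""
    if not (is_true(cfg, "quorum.auth.enableSasl") and kerberos):
        return {}  # SASL off, or DIGEST-MD5 chosen in JAAS: property is ignored
    template = cfg.get("quorum.auth.kerberos.servicePrincipal", DEFAULT_PRINCIPAL)
    hosts = [v.split(":")[0] for k, v in cfg.items() if re.fullmatch(r"server\.\d+", k)]
    # Assumption: _HOST expands to the hostname from each server.N entry.
    return {h: template.replace("_HOST", h) for h in hosts}

def findings(cfg, kerberos=True):
    """List configuration problems to fix before relying on quorum authentication."""
    out = []
    for host, principal in effective_principals(cfg, kerberos).items():
        instance = principal.partition("/")[2].split("@")[0]
        if instance != host:
            out.append(f"{host}: principal {principal} does not name this peer")
    if is_true(cfg, "quorum.auth.enableSasl"):
        for flag in ("quorum.auth.learnerRequireSasl", "quorum.auth.serverRequireSasl"):
            if not is_true(cfg, flag):
                out.append(f"{flag} is not true: SASL is not enforced on that side")
    return out

if __name__ == "__main__":
    cfg = parse_cfg(SAMPLE_CFG)
    print(effective_principals(cfg), findings(cfg))
```

Leaving the property unset while enabling Kerberos quorum SASL on a multi-host ensemble yields "zkquorum/localhost" for every peer, which the check reports per host.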