Posted to user@zookeeper.apache.org by Irfan Hamid <ih...@salesforce.com> on 2016/01/29 23:51:01 UTC

Kerberos authentication setup question

Hi,

We're trying to set up ZooKeeper with Kerberos authentication in our setup.
The documentation about setting this up is a bit complicated. The steps for
the ZooKeeper quorum servers are quite clear:

*ZooKeeper quorum servers*
1. Create zookeeper service principals as described here
<http://www.cloudera.com/documentation/archive/cdh/4-x/4-2-0/CDH4-Security-Guide/cdh4sg_topic_11_1.html>.
I am creating them as zookeeper/fqdn.of.my.zk.quorum.server@MYREAL.COM
2. Copy the keytab files created in (1) to the respective ZooKeeper quorum
servers and place them in the ZooKeeper conf directory
3. Add the configs indicated to the zoo.cfg file
4. Add a jaas.conf file (and point to it as part of the JVM params) as
indicated

*ZooKeeper client side*
This part is throwing me for a loop. We are using the basic ZooKeeper API
(not Curator) in our client side code and creating connections using the
vanilla new ZooKeeper(cxnString, ...) constructor. The only documentation
on how to set this up I could find is here
<http://www.cloudera.com/documentation/archive/cdh/4-x/4-3-0/CDH4-Security-Guide/cdh4sg_topic_11_2.html>.
I was wondering if the linked steps would work for my use-case or if these
are for a specific Cloudera ZooKeeper client tool?

1. Create zookeeper client principals using zkcli@MYREAL.COM (the client's
FQDN isn't needed here?)
2. Copy the keytab file to the machine running our client app
3. Make the necessary modifications to jaas.conf
4. Run our client app with the JVM param pointing to the jaas.conf file
from (2)

Is my understanding correct or are these steps only for the Cloudera client
shell?

Regards,
Irfan.

Re: Kerberos authentication setup question

Posted by Irfan Hamid <ih...@salesforce.com>.
Small follow-up/clarification. If a client needs to connect to two separate,
Kerberos-authenticated ZK ensembles, it should be possible since the client
side Kerberos ticket is generated as zkcli@MYREALM.COM and does not
indicate which ZK ensemble it is for?

Thanks,
Irfan.

On Sat, Jan 30, 2016 at 10:22 AM, Irfan Hamid <ih...@salesforce.com> wrote:

Re: Kerberos authentication setup question

Posted by Irfan Hamid <ih...@salesforce.com>.
Thanks Flavio. That's good news, and I'm especially grateful for that
second link, which inexplicably eluded me during my searches for this topic.

Regards,
Irfan.

On Fri, Jan 29, 2016 at 9:10 PM, Flavio Junqueira <fp...@apache.org> wrote:

Re: Kerberos authentication setup question

Posted by Flavio Junqueira <fp...@apache.org>.
Hi Irfan,

Your description sounds right to me. I'd add that you can check that your client watcher is getting a SaslConnected event.

There is some more information here in case you haven't seen this page:

https://cwiki.apache.org/confluence/display/ZOOKEEPER/Zookeeper+and+SASL

-Flavio
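An added example (not code from this thread or from the ZooKeeper project) of the client side that Irfan describes and the check Flavio suggests: a jaas.conf for the zkcli principal, loaded through -Djava.security.auth.login.config, and a plain ZooKeeper-API client that only hands back a session once the watcher has seen the SASL authentication state (the KeeperState constant is SaslAuthenticated). The same JVM login context serves any number of ensembles, so the helper is simply called once per connect string; the paths, hostnames and realm below are placeholders.

```java
// jaas.conf (placeholder paths and realm), handed to the JVM with
//   -Djava.security.auth.login.config=/etc/zookeeper/client-jaas.conf
// "Client" is the section name the ZooKeeper client looks up by default.
// Client {
//   com.sun.security.auth.module.Krb5LoginModule required
//   useKeyTab=true
//   keyTab="/etc/zookeeper/zkcli.keytab"
//   storeKey=true
//   useTicketCache=false
//   principal="zkcli@MYREALM.COM";
// };

import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;
import org.apache.zookeeper.WatchedEvent;
import org.apache.zookeeper.Watcher;
import org.apache.zookeeper.Watcher.Event.KeeperState;
import org.apache.zookeeper.ZooKeeper;

public class SaslClientCheck {
    // Opens a session and hands it back only once SASL authentication succeeded.
    static ZooKeeper connectAuthenticated(String connectString, int timeoutMs)
            throws Exception {
        CountDownLatch authenticated = new CountDownLatch(1);
        CountDownLatch authFailed = new CountDownLatch(1);
        Watcher watcher = new Watcher() {
            @Override
            public void process(WatchedEvent event) {
                KeeperState state = event.getState();
                // SyncConnected arrives before the SASL handshake finishes, so it
                // is not proof of authentication; only SaslAuthenticated is.
                if (state == KeeperState.SaslAuthenticated) authenticated.countDown();
                else if (state == KeeperState.AuthFailed) authFailed.countDown();
            }
        };
        ZooKeeper zk = new ZooKeeper(connectString, timeoutMs, watcher);
        boolean ok = authenticated.await(timeoutMs, TimeUnit.MILLISECONDS);
        if (!ok || authFailed.getCount() == 0) {
            zk.close();
            throw new IllegalStateException("not SASL-authenticated to " + connectString);
        }
        return zk;
    }

    public static void main(String[] args) throws Exception {
        // One zkcli principal, two independent ensembles (placeholder hosts).
        ZooKeeper a = connectAuthenticated("zk1.ensemble-a.example:2181", 15000);
        ZooKeeper b = connectAuthenticated("zk1.ensemble-b.example:2181", 15000);
        a.close(); b.close();
    }
}
```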