[
https://issues.apache.org/jira/browse/BOOKKEEPER-391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15601175#comment-15601175
]
Enrico Olivelli edited comment on BOOKKEEPER-391 at 10/24/16 7:01 AM:
----------------------------------------------------------------------
My idea is to support SASL auth as ZooKeeper does,
using a JAAS configuration file like this for simple MD5 login (using the same
class as ZooKeeper, which is the de facto standard in the Hadoop ecosystem)
{code}
Bookie {
org.apache.zookeeper.server.auth.DigestLoginModule required
user_user1="testpwd";
user_user2="testpwd";
};
BookKeeper {
org.apache.zookeeper.server.auth.DigestLoginModule required
username="user1"
password="testpwd";
};
{code}
and for Kerberos you have only to use the standard JDK Kerberos JAAS module
{code}
Bookie {
com.sun.security.auth.module.Krb5LoginModule required debug=true
useKeyTab=true
keyTab=/path/to/server.keytab
storeKey=true
useTicketCache=false
principal=bookkeeper/HOSTNAME@REALM;
};
BookKeeper {
com.sun.security.auth.module.Krb5LoginModule required debug=true
useKeyTab=true
keyTab=/path/to/client.keytab
storeKey=true
useTicketCache=false
principal=username/HOSTNAME@REALM;
};
{code}
Following the conventions, the "Bookie" principal needs to be
bookkeeper/HOSTNAME@REALM (for instance in ZooKeeper it has to be
zookeeper/HOSTNAME@REALM and for Kafka it is kafka/HOSTNAME@REALM) as the
'username' reflects the 'protocol'.
Maybe we are going to perform only authentication and so we do not care about
dealing with principal manipulations, like removing HOSTNAME and REALM, as it
is possible in ZooKeeper.
Beware that, as Bookies are 'clients' for inter-bookie communications, the client
section (BookKeeper) is to be configured on bookies too.
In this implementation there is no support for rolling upgrades in order to
switch from an auth-type to another one, but maybe this is another issue.
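As an added example (not code from BookKeeper or from this comment), a small Python checker for JAAS files of the shape shown above: it parses the Bookie/BookKeeper sections, confirms that a bookie carries both sections, and checks that the Bookie Kerberos principal follows the protocol/HOSTNAME@REALM convention and logs in from a keytab. The embedded sample file and the function names are constructed for illustration; the keytab paths, HOSTNAME and REALM are placeholders.

```python
import re

# Constructed sample modelled on the Kerberos JAAS file in the comment above;
# keytab paths, HOSTNAME and REALM are placeholders, not real values.
SAMPLE_JAAS = """
Bookie {
  com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true
  keyTab=/path/to/server.keytab storeKey=true useTicketCache=false
  principal=bookkeeper/HOSTNAME@REALM;
};
BookKeeper {
  com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true
  keyTab=/path/to/client.keytab principal=username/HOSTNAME@REALM;
};
"""
ENTRY_RE = re.compile(r"(\w+)\s*\{(.*?)\};", re.S)
PRINCIPAL_RE = re.compile(r"^([^/@]+)/([^/@]+)@([^/@]+)$")

def parse_jaas(text):
    """Parse single-module JAAS sections into {name: {module, flag, options}}
    (enough for files like the one above; no spaces inside quoted values)."""
    sections = {}
    for name, body in ENTRY_RE.findall(text):
        module, flag, *opts = body.replace(";", " ").split()
        options = {k: v.strip('"') for k, _, v in (t.partition("=") for t in opts)}
        sections[name] = {"module": module, "flag": flag, "options": options}
    return sections

def split_principal(principal):
    """Split 'primary/instance@REALM'; None if the shape is wrong."""
    m = PRINCIPAL_RE.match(principal)
    return m.groups() if m else None

def check_config(sections, on_bookie, protocol="bookkeeper"):
    """Return findings for a parsed JAAS file; an empty list means it passes."""
    findings = []
    # A bookie is also a client for inter-bookie traffic, so it needs both sections.
    needed = ("Bookie", "BookKeeper") if on_bookie else ("BookKeeper",)
    findings += [f"missing {s} section" for s in needed if s not in sections]
    server = sections.get("Bookie")
    if server and server["module"].endswith("Krb5LoginModule"):
        opts = server["options"]
        parts = split_principal(opts.get("principal", ""))
        if parts is None:
            findings.append("Bookie principal is not primary/instance@REALM")
        elif parts[0] != protocol:
            findings.append(f"Bookie principal primary {parts[0]!r} != {protocol!r}")
        if opts.get("useKeyTab") != "true" or "keyTab" not in opts:
            findings.append("Bookie should log in from a keytab, not a ticket cache")
    return findings
```

The same parser also reads the DigestLoginModule file, since its `user_user1="testpwd";` options follow the same name=value form.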
> Support Kerberos authentication of bookkeeper
> ---------------------------------------------
>
> Key: BOOKKEEPER-391
> URL: https://issues.apache.org/jira/browse/BOOKKEEPER-391
> Project: Bookkeeper
> Issue Type: New Feature
> Components: bookkeeper-client, bookkeeper-server
> Reporter: Rakesh R
> Assignee: Rakesh R
>
> This JIRA is to discuss the authentication mechanism of bookie clients and server.
> Assume ZK provides fully secured communication channel using Kerberos based
> authentication and authorization model. We could also manage and renew users
> authenticated to BK via Kerberos. There is currently no configuration or
> hooks for the Bookie process to obtain Kerberos credentials.
> Today an unauthenticated bookie client can easily establish connection with
> the bookkeeper server.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)