[ https://issues.apache.org/jira/browse/ZOOKEEPER-1045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15357990#comment-15357990 ]

Michael Han commented on ZOOKEEPER-1045:
----------------------------------------

Hey [~rakeshr], 
I've validated that server-to-server Kerberos SASL auth is working when servers 
share the same credentials (same service principal name + same fully qualified 
domain name [I was using the DNS name of my KDC/Kadmin server] + same keytabs) 
deployed on all nodes. 

For the cases where each server has a distinct Kerberos credential, it's not 
working yet. The error is consistent ('GSS initiate failed', with various 
categories of errors depending on my combination of configurations). I am not 
sure if it is a misconfiguration or a bug. I'll try to figure it out. I think 
it would be helpful if we could provide a reference configuration for the use 
case where each server has a different credential, because this information is 
currently not available in either the readme or the test code (which all use 
shared credentials). This info could initially be put in the cwiki, and 
ultimately we might want to bring it back into the xdoc.

Also, during the setup of the cluster and the validation process I found some 
issues, so I left my comments in Review Board. One thing worth addressing is to 
log the exception (and maybe the call stack as well) when GSS fails to 
initialize; I found that very useful for debugging my setup.

My next plan is:
# Validate rolling upgrade (with shared credentials).
# Figure out why non-shared credentials are not working and add more unit tests 
to cover this use case.
# Submit the test coverage doc.

> Support Quorum Peer mutual authentication via SASL
> --------------------------------------------------
>
>                 Key: ZOOKEEPER-1045
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1045
>             Project: ZooKeeper
>          Issue Type: New Feature
>          Components: server
>            Reporter: Eugene Koontz
>            Assignee: Rakesh R
>            Priority: Critical
>             Fix For: 3.4.9, 3.5.3
>
>         Attachments: 0001-ZOOKEEPER-1045-br-3-4.patch, 
> 1045_failing_phunt.tar.gz, ZK-1045-test-case-failure-logs.zip, 
> ZOOKEEPER-1045-00.patch, ZOOKEEPER-1045-Rolling Upgrade Design Proposal.pdf, 
> ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch, 
> ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch, 
> ZOOKEEPER-1045-br-3-4.patch
>
>
> ZOOKEEPER-938 addresses mutual authentication between clients and servers. 
> This bug, on the other hand, is for authentication among quorum peers. 
> Hopefully much of the work done on SASL integration with Zookeeper for 
> ZOOKEEPER-938 can be used as a foundation for this enhancement.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)