[jira] [Commented] (ZOOKEEPER-1045) Support Quorum Peer mutual authentication via SASL

Wed, 07 Sep 2016 15:05:41 -0700 

    [ 
https://issues.apache.org/jira/browse/ZOOKEEPER-1045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15471930#comment-15471930
 ] 

Michael Han commented on ZOOKEEPER-1045:
----------------------------------------

bq. This is kind of a side comment on this topic, but please make sure you 
support the case where all the ZK hosts run as the same Kerberos principal. You 
don't have to support only that case, of course, but it's definitely how I 
would be deploying ZK when using Kerb auth.

Recently I find out a feature of KDC that it will treat repeated attempts to 
log in with the same Kerberos principal within a short period of time as replay 
attacks and will reject such login requests. Since we plan to support shared 
Kerberos credential, we might hit this issue. Not sure how likely we will get 
shot but it would be good to have some retry with backup code in login if we 
don't have now in case this happen.

> Support Quorum Peer mutual authentication via SASL
> --------------------------------------------------
>
>                 Key: ZOOKEEPER-1045
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-1045
>             Project: ZooKeeper
>          Issue Type: New Feature
>          Components: server
>            Reporter: Eugene Koontz
>            Assignee: Rakesh R
>            Priority: Critical
>             Fix For: 3.4.10, 3.5.3
>
>         Attachments: 0001-ZOOKEEPER-1045-br-3-4.patch, 
> 1045_failing_phunt.tar.gz, HOST_RESOLVER-ZK-1045.patch, 
> TEST-org.apache.zookeeper.server.quorum.auth.QuorumAuthUpgradeTest.txt, 
> ZK-1045-test-case-failure-logs.zip, ZOOKEEPER-1045-00.patch, 
> ZOOKEEPER-1045-Rolling Upgrade Design Proposal.pdf, 
> ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch, 
> ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch, 
> ZOOKEEPER-1045-br-3-4.patch, ZOOKEEPER-1045-br-3-4.patch, 
> ZOOKEEPER-1045TestValidationDesign.pdf
>
>
> ZOOKEEPER-938 addresses mutual authentication between clients and servers. 
> This bug, on the other hand, is for authentication among quorum peers. 
> Hopefully much of the work done on SASL integration with Zookeeper for 
> ZOOKEEPER-938 can be used as a foundation for this enhancement.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to