I would like to relay a working example of a patched 3.4.9 ZK cluster
running on one host (without containers). I can confirm mutual SASL auth
among the quorum is required and enforced because when instances were
slightly misconfigured with incorrect principal strings they couldn't
participate in the quorum.
1. Assign extra loopback addresses. Example below is what you need to do
for FreeBSD:
$ sudo ifconfig lo0 127.0.1.1 netmask 255.255.255.0 alias
$ sudo ifconfig lo0 127.0.2.1 netmask 255.255.255.0 alias
$ sudo ifconfig lo0 127.0.3.1 netmask 255.255.255.0 alias
2. Create Kerberos principals. Example below is for Heimdal, MIT will be
similar:
$ sudo kadmin -l
> add --random-key zookeeper
> add --random-key zookeeper/127.0.1.1
> add --random-key zookeeper/127.0.2.1
> add --random-key zookeeper/127.0.3.1
> ext_keytab --keytab /var/tmp/test/zookeeper.keytab zookeeper
> ext_keytab --keytab /var/tmp/test/zookeeper.keytab zookeeper/127.0.1.1
> ext_keytab --keytab /var/tmp/test/zookeeper.keytab zookeeper/127.0.2.1
> ext_keytab --keytab /var/tmp/test/zookeeper.keytab zookeeper/127.0.3.1
> exit
3. Patch ZK with 1045, build a tarball, then unpack it into three install
directories. Mine are /var/tmp/test/{1,2,3}.
4. Initialize 'myid' files:
$ mkdir /var/tmp/test/1/data
$ echo 1 > /var/tmp/test/1/data/myid
$ mkdir /var/tmp/test/2/data
$ echo 2 > /var/tmp/test/2/data/myid
$ mkdir /var/tmp/test/3/data
$ echo 3 > /var/tmp/test/3/data/myid
5. Create configuration files for each instance. Below are examples for
instance 1. You will need to make substitutions for your Kerberos realm
(mine is LOCAL), and for instances 2 and 3 change the path to the JAAS
configuration file, path to data directory, and bind address for
clientPortAddress as appropriate.
conf/java.env:
export
JVMFLAGS="-Djava.security.auth.login.config=/var/tmp/test/1/conf/jaas.conf
-Djavax.security.auth.useSubjectCredsOnly=false"
conf/jaas.conf:
QuorumServer {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/var/tmp/test/zookeeper.keytab"
storeKey=true
useTicketCache=false
debug=false
principal="zookeeper/127.0.1.1@LOCAL";
};
QuorumLearner {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/var/tmp/test/zookeeper.keytab"
storeKey=true
useTicketCache=false
debug=false
principal="zookeeper/127.0.1.1@LOCAL";
};
conf/zoo.cfg:
tickTime=2000
initLimit=10
syncLimit=5
dataDir=/var/tmp/test/zk/1/data
clientPort=2181
clientPortAddress=127.0.1.1
quorum.auth.enableSasl=true
quorum.auth.learnerRequireSasl=true
quorum.auth.serverRequireSasl=true
quorum.auth.learner.loginContext=QuorumLearner
quorum.auth.server.loginContext=QuorumServer
quorum.auth.kerberos.servicePrincipal=zookeeper/_HOST
server.1=127.0.1.1:2888:3888
server.2=127.0.2.1:2888:3888
server.3=127.0.3.1:2888:3888
5. Launch the three instances in the foreground in separate terminals.
Example for instance 1:
$ cd /var/tmp/test/1
$ bash ./bin/zkServer.sh start-foreground
Having done all this, I can see successful authentication and bootstrap of
a quorum.
This example shares a keytab. No need to do that if you'd like to be
pedantic. Clone the keytab file into the separate conf directories and
update the jaas.conf files.
I like how Hadoop programmatically builds the JAAS context from its
configuration such that the JAAS configuration file and definition of
system property pointing to same are not needed. Would be nice if ZK could
optionally do the same, that would be one fewer config file to get
precisely right.
Any suggestions on some kind of hammer test to apply now ?
On Fri, Oct 21, 2016 at 7:34 AM, Flavio Junqueira <[email protected]> wrote:
> Michael Han posted an update to the test plan to the jira and I want to
> call the attention of the community to it. It is a big change that we need
> to be extra careful about because it is supposed to go to the 3.4 branch.
> It'd be great to have more folks in the community involved with the
> testing. If you have cycles and interest, please help with testing.
>
> -Flavio
--
Best regards,
- Andy
Problems worthy of attack prove their worth by hitting back. - Piet Hein
(via Tom White)
