Hi All, FYI, I'm planning to delete our existing "https://cwiki.apache.org/ confluence/display/ZOOKEEPER/Zookeeper+and+SASL" web page by tomorrow (IST).
Then rename https://cwiki.apache.org/confluence/display/ZOOKEEPER/ ZooKeeper+and+SASL+authentication web page to "https://cwiki.apache.org/ confluence/display/ZOOKEEPER/Zookeeper+and+SASL" in place of the deleted page. Please let me know if you have any comments. Thanks! Regards, Rakesh On Tue, Dec 20, 2016 at 6:03 PM, Rakesh Radhakrishnan <rake...@apache.org> wrote: > Like I mentioned at the beginning of this mail thread, presently I've > maintained this original page as a history. How about deleting this old > page now and rename the newly added "https://cwiki.apache.org/ > confluence/display/ZOOKEEPER/ZooKeeper+and+SASL+authentication" in place > of the old page? I think, that will help the existing webpages to continue > referring to a valid cwiki ZK sasl page. Otw those links becomes stale. > > I could see many blogs, wiki already have a reference link to our existing > "https://cwiki.apache.org/confluence/display/ZOOKEEPER/Zookeeper+and+SASL" > page. > > Following are few blogs/sites which has a reference to the ZK SASL page:- > https://cwiki.apache.org/confluence/display/KAFKA/KIP- > 38%3A+ZooKeeper+Authentication > http://blog.intelligencecomputing.io/security/12409/repost- > zookeeper-and-sasl > > Thanks, > Rakesh > > > On Tue, Dec 20, 2016 at 7:02 AM, Patrick Hunt <ph...@apache.org> wrote: > >> LGTM. Those changes are very helpful, thanks Rakesh! >> >> Patrick >> >> On Mon, Dec 19, 2016 at 12:04 PM, Rakesh Radhakrishnan < >> rake...@apache.org> >> wrote: >> >> > Thanks a lot Patrick Hunt for the review comments. Please take another >> look >> > at the wiki page when you get a chance. >> > >> > I've updated the wiki page addressing these,. >> > >> > 1) ===> DONE. Added JCE encryption part. >> > 2) ===> DONE. Corrected case. >> > 3) ===> DONE. Included version. >> > 4) ===> DONE. Corrected numbering format. >> > 5) ===> DONE. Added an example case to understand the tuning mechanism. >> > 6) ===> DONE. I've removed this part because it can be discussed >> separately >> > and added if someone has a use case. >> > 7) ===> DONE. Rephrased upgrade feature section >> > >> > Thanks, >> > Rakesh >> > >> > On Wed, Dec 14, 2016 at 9:03 AM, Patrick Hunt <ph...@apache.org> wrote: >> > >> > > Nice job Rakesh, some comments: >> > > >> > > 1) the appendix is a great idea, should be useful for many people. One >> > > thing I noticed >> > > "There is no additional dependencies needed to use SASL with Java >> since >> > it >> > > is part of the the Java Standard Edition." - you might want to >> > mention/link >> > > the JCE? The JVM doesn't come with very modern encryption - some of >> the >> > > distros use more strong encryption out of the box with kerberos. I've >> run >> > > into this a number of times (need to also install JCE). >> > > >> > > 2) consistently use "ZooKeeper" rather than "Zookeeper". Only noticed >> > this >> > > in a few places... >> > > >> > > 3) on client-server it would be good to mention when it was added >> > (3.4.0+), >> > > similar to what you did with 1045. >> > > >> > > 4) on "ZooKeeper SASL configurations" the numbering of the bullets >> starts >> > > at 2.1. and finishes at 2.4. I suspect the formatting didn't copy over >> > > quite right? >> > > >> > > 5) similar formatting issue for "# Defaulting to >> > > 20quorum.cnxn.threads.size=20" >> > > >> > > Can we give any insight into how this value should be set? i.e. why >> is 20 >> > > the default and when should it be raised/lowered? >> > > >> > > 6) can the doc shed any light on why we are recommending >> > > "javax.security.auth.useSubjectCredsOnly=false" ? I'm not familiar >> with >> > > this myself. >> > > >> > > 7) "This feature is supported in 3.4 branch" is ambiguous - perhaps >> > > rephrase. What "feature" are you referring to, 1045 or to rolling >> > upgrade? >> > > Also the ref to 3.4 itself is ambiguous - perhaps change to 3.4.10+? >> > > >> > > These are some minor nits, overall impressive effort -- thanks again >> > > Rakesh! >> > > >> > > Patrick >> > > >> > > >> > > >> > > On Tue, Dec 13, 2016 at 6:56 PM, Rakesh Radhakrishnan < >> > rake...@apache.org> >> > > wrote: >> > > >> > > > Hi All, >> > > > >> > > > I've incorporated ZK-1045 feature details into the Apache ZooKeeper >> > > project >> > > > cwiki. Since "ZooKeeper and SASL" section is quite large I've >> splitted >> > > > ZooKeeper client-server and server-server sections into sub-pages. >> > Please >> > > > read the following page, >> > > > >> > > > https://cwiki.apache.org/confluence/display/ZOOKEEPER/ >> > > ZooKeeper+and+SASL+ >> > > > authentication >> > > > >> > > > *ZooKeeper and SASL authentication* >> > > > >> > > > - Client-Server mutual authentication >> > > > - Server-Server mutual authentication >> > > > - Appendix: Kerberos, GSSAPI, SASL, and JAAS >> > > > >> > > > I have reused the content from the "Client-Server" and "Appendix" >> > > sections >> > > > from the existing page >> > > > https://cwiki.apache.org/confluence/display/ZOOKEEPER/ >> > Zookeeper+and+SASL >> > > > Presently I've maintained this original page as a history, probably >> we >> > > need >> > > > to delete this page after everyone agrees on the changes. >> > > > >> > > > Appreciate your feedback, thanks! >> > > > >> > > > Regards, >> > > > Rakesh >> > > > >> > > >> > >> > >