[jira] [Commented] (ZOOKEEPER-3482) SASL (Kerberos) Authentication with SSL for clients and Quorum

Tue, 17 Dec 2019 07:21:51 -0800 


    [ 
https://issues.apache.org/jira/browse/ZOOKEEPER-3482?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16998314#comment-16998314
 ] 

Mate Szalay-Beko commented on ZOOKEEPER-3482:
---------------------------------------------

So AFAICS the expected behaviour would be:
1) be able to use SSL without actual authentication (no keystore in client 
side, only truststore)
2) use Kerberos authentication on top of the SSL session

Actually for issue 1 there is an undocumented feature I just found in the code. 
But maybe it was trivial for everyone else but me :) 
https://github.com/apache/zookeeper/blob/48e5eaadffd8e23d2f47fe3eb0d0437b172dcd39/zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java#L116

It looks like setting {{zookeeper.ssl.clientAuth}} and 
{{zookeeper.ssl.quorum.clientAuth}} to {{none}} in the server config should 
solve issue 1.

But still it is a question for me if the same configuration parameter would 
enable to use SASL on top of SSL. I guess not...

I am happy to work on this ticket after the Holidays. But if someone would like 
to start it before, feel free (and please assign the ticket to herself/himself 
avoiding double-work).

> SASL (Kerberos) Authentication with SSL for clients and Quorum
> --------------------------------------------------------------
>
>                 Key: ZOOKEEPER-3482
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3482
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: server
>    Affects Versions: 3.5.5
>            Reporter: Jörn Franke
>            Priority: Major
>
> It seems that Kerberos authentication does not work for encrypted connections 
> of clients and quorum. It seems that only X509 Authentication works.
> What I would have expected:
> ClientSecurePort is defined
> A keystore and truststore are deployed on the ZooKeeper servers
> Only a truststore is deployed with the client (to validate the CA of the 
> server certificate)
> Client can authenticate with SASL (Kerberos)
> Similarly, it should work for the Quorum SSL connection.
> Is there a way to configure this in ZooKeeper?
>  
> Note: Kerberos Authentication for SSL encrypted connection should be used 
> instead of X509 authentication for this case and not in addition. However, if 
> it only works in 3.5.5 in addition then I would be interested and willing to 
> test it.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to