[ https://issues.apache.org/jira/browse/ZOOKEEPER-3482?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16998314#comment-16998314 ]
Mate Szalay-Beko commented on ZOOKEEPER-3482: --------------------------------------------- So AFAICS the expected behaviour would be: 1) be able to use SSL without actual authentication (no keystore in client side, only truststore) 2) use Kerberos authentication on top of the SSL session Actually for issue 1 there is an undocumented feature I just found in the code. But maybe it was trivial for everyone else but me :) https://github.com/apache/zookeeper/blob/48e5eaadffd8e23d2f47fe3eb0d0437b172dcd39/zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java#L116 It looks like setting {{zookeeper.ssl.clientAuth}} and {{zookeeper.ssl.quorum.clientAuth}} to {{none}} in the server config should solve issue 1. But still it is a question for me if the same configuration parameter would enable to use SASL on top of SSL. I guess not... I am happy to work on this ticket after the Holidays. But if someone would like to start it before, feel free (and please assign the ticket to herself/himself avoiding double-work). > SASL (Kerberos) Authentication with SSL for clients and Quorum > -------------------------------------------------------------- > > Key: ZOOKEEPER-3482 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3482 > Project: ZooKeeper > Issue Type: Bug > Components: server > Affects Versions: 3.5.5 > Reporter: Jörn Franke > Priority: Major > > It seems that Kerberos authentication does not work for encrypted connections > of clients and quorum. It seems that only X509 Authentication works. > What I would have expected: > ClientSecurePort is defined > A keystore and truststore are deployed on the ZooKeeper servers > Only a truststore is deployed with the client (to validate the CA of the > server certificate) > Client can authenticate with SASL (Kerberos) > Similarly, it should work for the Quorum SSL connection. > Is there a way to configure this in ZooKeeper? > > Note: Kerberos Authentication for SSL encrypted connection should be used > instead of X509 authentication for this case and not in addition. However, if > it only works in 3.5.5 in addition then I would be interested and willing to > test it. -- This message was sent by Atlassian Jira (v8.3.4#803005)