Hi Ram,

ZooKeeper Quorum authentication supports two schemes, Kerberos or DIGEST-MD5. The user has to configure either the Kerb or the digest configuration values. Both together are not required.

I'd recommend you go through the Kerberos and digest simulation unit test cases, where we have valid and invalid scenarios. Hope this gives you an idea of the required configs.

https://github.com/apache/zookeeper/blob/master/zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/auth/QuorumDigestAuthTest.java
https://github.com/apache/zookeeper/blob/master/zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/auth/QuorumKerberosHostBasedAuthTest.java

Could you describe the issues that trouble you in setting up quorum auth, if any?

Thanks,
Rakesh

On Fri, Dec 13, 2019 at 3:49 AM rammohan ganapavarapu <[email protected]> wrote:

> Hi,
>
> Even if I enable sasl but md5-digest, what should this property be set to?
> Does this property only take effect for kerberos or for both?
>
> Ram
>
> On Fri, Dec 6, 2019 at 7:55 AM rammohan ganapavarapu <[email protected]> wrote:
>
> > Mate,
> >
> > Thank you, I did search the source code and found the same. I am trying to
> > create a zoo conf with all default properties.
> >
> > Ram
> >
> > On Fri, Dec 6, 2019, 2:44 AM Mate Szalay-Beko <[email protected]> wrote:
> >
> >> Hi Ram,
> >>
> >> this parameter needs to be defined when you want to enable secure
> >> authentication in the communication between ZooKeeper servers. In general,
> >> the 'principal' is a 'username' that you want your ZooKeeper servers to use
> >> when they talk with each other. Ideally you have a central Kerberos service
> >> somewhere where this principal is already registered.
> >> A kerberos principal is usually in the form of
> >> "user_or_service_name/host@realm" (some more explanation:
> >> https://ssimo.org/blog/id_016.html)
> >>
> >> According to the source code, the default value of
> >> quorum.auth.kerberos.servicePrincipal is "zkquorum/localhost". But I think
> >> if you don't enable the quorum SASL in ZooKeeper, then this property will
> >> never be actually used.
> >>
> >> Please see this page about SASL in ZooKeeper:
> >> https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+and+SASL
> >>
> >> I also found a Cloudera blogpost on the topic:
> >>
> >> https://blog.cloudera.com/hardening-apache-zookeeper-security-sasl-quorum-peer-mutual-authentication-and-authorization/
> >>
> >> Cheers,
> >> Mate
> >>
> >>
> >> On Thu, Dec 5, 2019 at 11:50 PM rammohan ganapavarapu <[email protected]> wrote:
> >>
> >> > Hi,
> >> >
> >> > What is the default value for this property? If I don't enable sasl
> >> > and if I don't define it, what will be the value?
> >> >
> >> > quorum.auth.kerberos.servicePrincipal
> >> >
> >> > Also, what does this mean: "servicename/_HOST"
> >> >
> >> > Thanks,
> >> > Ram
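
An added example, not part of the thread and not ZooKeeper's own code: a small zoo.cfg check that resolves the quorum service principal per peer, using the default "zkquorum/localhost" and the "name/host@realm" form quoted above. The sample config, hostnames and function names are constructed, and the treatment of _HOST (replaced by the peer's lower-cased hostname from its server.N line) is an assumption about how the placeholder is expanded.

```python
import re

DEFAULT_PRINCIPAL = "zkquorum/localhost"  # default value reported in the thread

# Constructed sample zoo.cfg (hostnames are made up).
SAMPLE_CFG = """\
tickTime=2000
quorum.auth.enableSasl=true
quorum.auth.kerberos.servicePrincipal=zkquorum/_HOST
server.1=ZK1.example.com:2888:3888
server.2=zk2.example.com:2888:3888
"""

def parse_cfg(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def split_principal(principal):
    """Split 'name/host@realm' into (name, host, realm); host and realm may be None."""
    m = re.fullmatch(r"([^/@]+)(?:/([^/@]+))?(?:@(.+))?", principal)
    if not m:
        raise ValueError(f"not a Kerberos principal: {principal!r}")
    return m.groups()

def quorum_principals(props):
    """Return {server_id: principal used for that peer}; {} when quorum SASL is off."""
    if props.get("quorum.auth.enableSasl", "false").lower() != "true":
        return {}  # without quorum SASL the property is never consulted
    configured = props.get("quorum.auth.kerberos.servicePrincipal", DEFAULT_PRINCIPAL)
    name, host, realm = split_principal(configured)
    result = {}
    for key, value in props.items():
        if key.startswith("server."):
            peer_host = value.split(":", 1)[0]
            # Assumption: _HOST stands for the peer's hostname, lower-cased.
            h = peer_host.lower() if host == "_HOST" else host
            result[key[len("server."):]] = (
                name + (f"/{h}" if h else "") + (f"@{realm}" if realm else ""))
    return result

if __name__ == "__main__":
    for sid, principal in quorum_principals(parse_cfg(SAMPLE_CFG)).items():
        print(sid, principal)
```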
