As the name says, the "quorum.auth.kerberos.servicePrincipal" property is specifically for Kerberos-based quorum authentication, and there is no need to set anything if you are enabling DIGEST-MD5.
Like mentioned earlier, its default value is "zkquorum/localhost" and it will never be used if you configure/enable DIGEST-MD5.

Thanks,
Rakesh

On Mon, Dec 16, 2019 at 7:14 PM rammohan ganapavarapu <rammohanga...@gmail.com> wrote:
> "quorum.auth.kerberos.servicePrincipal" this one
>
> On Sun, Dec 15, 2019, 9:33 PM Rakesh Radhakrishnan <rake...@apache.org> wrote:
>
>> OK, got it.
>>
>>>>>> Even if I enable SASL but MD5-digest, what should this property be set to,
>> Could you please name the specific property you are referring to.
>>
>> Hope you are talking about the "DIGEST-MD5" mechanism? String[] mechs = { "DIGEST-MD5" };
>>
>> Presently the execution flow is that, if there is no subject.getPrincipals() in the JAAS config then it must not be GSSAPI, and it falls back to checking the DIGEST-MD5 details in the JAAS config.
>> Whenever a user wants to enable DIGEST-MD5, they have to define the JAAS configuration file with DIGEST-MD5 configs like below, and there is no default value for this mechanism.
>>
>> QuorumServer {
>>     org.apache.zookeeper.server.auth.DigestLoginModule required
>>     user_test1="mypassword";
>> };
>>
>> QuorumLearner {
>>     org.apache.zookeeper.server.auth.DigestLoginModule required
>>     user_test2="mypassword";
>> };
>>
>> Populate the DIGEST-MD5 user -> password map for the "QuorumServer" and "QuorumLearner" sections.
>> Usernames are distinguished from other options by prefixing the username with a "user_" prefix.
>>
>> Hope it's clear to you.
>>
>> Thanks,
>> Rakesh
>>
>> On Fri, Dec 13, 2019 at 9:45 PM rammohan ganapavarapu <rammohanga...@gmail.com> wrote:
>>
>>> Hi Rakesh,
>>>
>>> Right now I am not enabling SASL, but I am trying to define all default properties and should be able to use them once SASL is enabled with override values. So my question is, for digest auth do we even need this property?
>>> I remember seeing that when I don't set that property it was using the default value "zkquorum/localhost".
>>>
>>> Thanks,
>>> Ram
>>>
>>> On Thu, Dec 12, 2019 at 11:06 PM Rakesh Radhakrishnan <rake...@apache.org> wrote:
>>>
>>>> Hi Ram,
>>>>
>>>> ZooKeeper quorum authentication supports two schemes, Kerberos or DIGEST-MD5. The user has to configure either the Kerberos or the digest configuration values. Both together are not required.
>>>>
>>>> I'd recommend you to go through the Kerberos and digest simulation unit test cases, where we have valid and invalid scenarios. Hope this would give an idea about the required configs.
>>>>
>>>> https://github.com/apache/zookeeper/blob/master/zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/auth/QuorumDigestAuthTest.java
>>>> https://github.com/apache/zookeeper/blob/master/zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/auth/QuorumKerberosHostBasedAuthTest.java
>>>>
>>>> Could you describe the issues that trouble you in setting up quorum auth, if any.
>>>>
>>>> Thanks,
>>>> Rakesh
>>>>
>>>> On Fri, Dec 13, 2019 at 3:49 AM rammohan ganapavarapu <rammohanga...@gmail.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Even if I enable SASL but MD5-digest, what should this property be set to? Does this property only take effect for Kerberos, or for both?
>>>>>
>>>>> Ram
>>>>>
>>>>> On Fri, Dec 6, 2019 at 7:55 AM rammohan ganapavarapu <rammohanga...@gmail.com> wrote:
>>>>>
>>>>>> Mate,
>>>>>>
>>>>>> Thank you, I did search the source code and found the same. I am trying to create a zoo conf with all default properties.
>>>>>>
>>>>>> Ram
>>>>>>
>>>>>> On Fri, Dec 6, 2019, 2:44 AM Mate Szalay-Beko <msza...@cloudera.com.invalid> wrote:
>>>>>>
>>>>>>> Hi Ram,
>>>>>>>
>>>>>>> this parameter needs to be defined when you want to enable secure authentication in the communication between ZooKeeper servers. In general, the 'principal' is a 'username' that you want your ZooKeeper servers to use when they talk with each other. Ideally you have a central Kerberos service somewhere where this principal is already registered.
>>>>>>> A Kerberos principal is usually in the form of "user_or_service_name/host@realm" (some more explanation: https://ssimo.org/blog/id_016.html)
>>>>>>>
>>>>>>> According to the source code, the default value of quorum.auth.kerberos.servicePrincipal is "zkquorum/localhost". But I think if you don't enable the quorum SASL in ZooKeeper, then this property will never be actually used.
>>>>>>>
>>>>>>> Please see this page about SASL in ZooKeeper:
>>>>>>> https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+and+SASL
>>>>>>>
>>>>>>> I also found a Cloudera blogpost on the topic:
>>>>>>> https://blog.cloudera.com/hardening-apache-zookeeper-security-sasl-quorum-peer-mutual-authentication-and-authorization/
>>>>>>>
>>>>>>> Cheers,
>>>>>>> Mate
>>>>>>>
>>>>>>> On Thu, Dec 5, 2019 at 11:50 PM rammohan ganapavarapu <rammohanga...@gmail.com> wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> What is the default value for this property if I don't enable SASL, and if I don't define it, what will be the value?
>>>>>>>>
>>>>>>>> quorum.auth.kerberos.servicePrincipal
>>>>>>>>
>>>>>>>> Also, what does this mean: "servicename/_HOST"
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Ram
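As an added illustration (not code from this thread or from ZooKeeper itself), a small Python parser for JAAS files in the shape quoted above: it builds the `user_<name>` -> password map the way the thread describes, applies the "no principal means not GSSAPI, fall back to DIGEST-MD5" rule, and flags two of the mistakes discussed (a DIGEST-MD5 QuorumServer section with no user entries, and mixing the Kerberos and digest schemes). The section names and module class come from the thread; the `principal` option of the JDK's Krb5LoginModule and the checks themselves are this example's own assumptions.

```python
import re

# Constructed sample in the shape of the JAAS snippet quoted in the thread
# (placeholder credentials, not real ones).
SAMPLE_JAAS = """
QuorumServer {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    user_test1="mypassword";
};
QuorumLearner {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    user_test2="mypassword";
};
"""

SECTION_RE = re.compile(r"(\w+)\s*\{(.*?)\};", re.S)   # Name { ... };
OPTION_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')       # key="value"


def parse_jaas(text):
    """Return {section_name: (login_module_class, {option: value})}."""
    sections = {}
    for name, body in SECTION_RE.findall(text):
        tokens = body.split()                     # first token is the module class
        module = tokens[0] if tokens else ""
        sections[name] = (module, dict(OPTION_RE.findall(body)))
    return sections


def digest_user_map(options):
    """Thread's convention: user_<name>="<password>" entries form the user map."""
    return {k[len("user_"):]: v for k, v in options.items() if k.startswith("user_")}


def mechanism_for(module, options):
    """Thread's rule: a Kerberos principal means GSSAPI, otherwise DIGEST-MD5."""
    if module.endswith("Krb5LoginModule") and "principal" in options:  # assumed option name
        return "GSSAPI"
    return "DIGEST-MD5"


def check_quorum_jaas(text):
    """Return a list of problems; an empty list means the file is consistent."""
    problems, mechs = [], set()
    sections = parse_jaas(text)
    for name in ("QuorumServer", "QuorumLearner"):
        if name not in sections:
            problems.append("missing section " + name)
            continue
        module, options = sections[name]
        mechs.add(mechanism_for(module, options))
        # The server side verifies learners against its user map, so it must not be empty.
        if name == "QuorumServer" and mechanism_for(module, options) == "DIGEST-MD5" \
                and not digest_user_map(options):
            problems.append("QuorumServer: DIGEST-MD5 section has no user_<name> entries")
    if len(mechs) > 1:                            # both schemes together are not required
        problems.append("sections mix Kerberos and DIGEST-MD5")
    return problems
```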