As the name says, "quorum.auth.kerberos.servicePrincipal" property is
specifically for Kerberos based quorum authentication and no need to set
anything if you are enabling digest-md5.
Like mentioned earlier, its default value is "zkquorum/localhost" and it
will never be used if you configure/enable digest-md5.
Thanks,
Rakesh
On Mon, Dec 16, 2019 at 7:14 PM rammohan ganapavarapu <
rammohanga...@gmail.com> wrote:
> "quorum.auth.kerberos.servicePrincipal" this one
>
> On Sun, Dec 15, 2019, 9:33 PM Rakesh Radhakrishnan <rake...@apache.org>
> wrote:
>
> > OK, got it.
> >
> > >>>> Even if i enable sasl but md5-diget what should be this property set
> > to,
> > Could you please name the specific property you are referring.
> >
> > Hope you are talking about "DIGEST-MD5" mechanism ? String[] mechs = {
> > "DIGEST-MD5" };
> >
> > Presently the execution flow is that, if there is
> > no subject.getPrincipals() in jaas config then it must not be GSSAPI and
> > fallback to check DIGEST-MD5 details in jaas config.
> > Whenever user want to enable DIGEST-MD5, they have to define the JAAS
> > configuration file with DIGEST-MD5 configs like below and there is no
> > default value for this mechanism.
> > QuorumServer {
> > org.apache.zookeeper.server.auth.DigestLoginModule required
> > user_test1="mypassword";
> > };
> >
> > QuorumLearner {
> > org.apache.zookeeper.server.auth.DigestLoginModule required
> > user_test2=" mypassword";
> > };
> >
> > Populate DIGEST-MD5 user -> password map for the "QuorumServer",
> > "QuorumLearner" section.
> > Usernames are distinguished from other options by prefixing the username
> > with a "user_" prefix.
> >
> > Hope its clear to you.
> >
> > Thanks,
> > Rakesh
> >
> > On Fri, Dec 13, 2019 at 9:45 PM rammohan ganapavarapu <
> > rammohanga...@gmail.com> wrote:
> >
> > > Hi Rakesh,
> > >
> > > Right now i am not enabling sasl but i am trying to define all default
> > > properties and should be able to use them once sasl is enabled with
> > > override values. So my question is for digest auth do we even need this
> > > property? i remember seeing i don't set that property it was using the
> > > default value "zkquorum/localhost".
> > >
> > > Thanks,
> > > Ram
> > >
> > > On Thu, Dec 12, 2019 at 11:06 PM Rakesh Radhakrishnan <
> > rake...@apache.org>
> > > wrote:
> > >
> > > > Hi Ram,
> > > >
> > > > ZooKeeper Quorum authentication support two schemes, Kerberos or
> > > > DIGEST-MD5. User has to configure either Kerb or digest configuration
> > > > values. Both together not required.
> > > >
> > > > I'd recommend you to go through Kerberos, digest simulation unit test
> > > cases
> > > > where we have valid and invalid scenarios. Hope this would get idea
> > about
> > > > the required configs.
> > > >
> > > >
> > > >
> > >
> >
> https://github.com/apache/zookeeper/blob/master/zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/auth/QuorumDigestAuthTest.java
> > > >
> > > >
> > >
> >
> https://github.com/apache/zookeeper/blob/master/zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/auth/QuorumKerberosHostBasedAuthTest.java
> > > >
> > > > Could you describe the issues that troubles you in setting up quorum
> > > auth,
> > > > if any.
> > > >
> > > > Thanks,
> > > > Rakesh
> > > >
> > > > On Fri, Dec 13, 2019 at 3:49 AM rammohan ganapavarapu <
> > > > rammohanga...@gmail.com> wrote:
> > > >
> > > > > Hi,
> > > > >
> > > > > Even if i enable sasl but md5-diget what should be this property
> set
> > > to,
> > > > > this property only take effect for kerberos or for both?
> > > > >
> > > > > Ram
> > > > >
> > > > > On Fri, Dec 6, 2019 at 7:55 AM rammohan ganapavarapu <
> > > > > rammohanga...@gmail.com> wrote:
> > > > >
> > > > > > Mate,
> > > > > >
> > > > > > Thank you, I did search source code found the same, I am trying
> to
> > > > create
> > > > > > a zoo conf with all default properties.
> > > > > >
> > > > > > Ram
> > > > > >
> > > > > > On Fri, Dec 6, 2019, 2:44 AM Mate Szalay-Beko
> > > > > <msza...@cloudera.com.invalid>
> > > > > > wrote:
> > > > > >
> > > > > >> Hi Ram,
> > > > > >>
> > > > > >> this parameter is needed to be defined when you want to enable
> > > secure
> > > > > >> authentication in the communication between ZooKeeper servers.
> In
> > > > > general,
> > > > > >> the 'principal' is a 'username' what you want your ZooKeeper
> > servers
> > > > to
> > > > > >> use
> > > > > >> when they talk with each other. Ideally you have a central
> Kereros
> > > > > service
> > > > > >> somewhere where this principal is already registered.
> > > > > >> A kerberos principal is usually in the form of
> > > > > >> "user_or_service_name/host@realm" (some more explanation:
> > > > > >> https://ssimo.org/blog/id_016.html)
> > > > > >>
> > > > > >> According to the source code, the default value of
> > > > > >> quorum.auth.kerberos.servicePrincipal is "zkquorum/localhost".
> > But I
> > > > > think
> > > > > >> if you don't enable the quorum SASL in ZooKeeper, then this
> > property
> > > > > will
> > > > > >> never be actually used.
> > > > > >>
> > > > > >> Please see this page about SASL in ZooKeeper:
> > > > > >>
> > > > >
> > >
> https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+and+SASL
> > > > > >>
> > > > > >> I also found a Cloudera blogpost on the topic:
> > > > > >>
> > > > > >>
> > > > >
> > > >
> > >
> >
> https://blog.cloudera.com/hardening-apache-zookeeper-security-sasl-quorum-peer-mutual-authentication-and-authorization/
> > > > > >>
> > > > > >> Cheers,
> > > > > >> Mate
> > > > > >>
> > > > > >>
> > > > > >> On Thu, Dec 5, 2019 at 11:50 PM rammohan ganapavarapu <
> > > > > >> rammohanga...@gmail.com> wrote:
> > > > > >>
> > > > > >> > Hi,
> > > > > >> >
> > > > > >> > What is the default value for this property, if i don't
> enable
> > > sasl
> > > > > >> and if
> > > > > >> > i don't define what will be the value?
> > > > > >> >
> > > > > >> > quorum.auth.kerberos.servicePrincipal
> > > > > >> >
> > > > > >> > Also what does this means "servicename/_HOST"
> > > > > >> >
> > > > > >> > Thanks,
> > > > > >> > Ram
> > > > > >> >
> > > > > >>
> > > > > >
> > > > >
> > > >
> > >
> >
>
