[ https://issues.apache.org/jira/browse/BOOKKEEPER-391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15601175#comment-15601175 ]
Enrico Olivelli commented on BOOKKEEPER-391:
--------------------------------------------

My idea is to support SASL auth as ZooKeeper does, using a JAAS configuration file like this for simple MD5 login (using the same class as ZooKeeper, which is the de facto standard in the Hadoop ecosystem)

{code}
// server side: the users a bookie accepts, one user_<name>="password" entry each
Bookie {
  org.apache.zookeeper.server.auth.DigestLoginModule required
    user_user1="testpwd"
    user_user2="testpwd";
};
// client side: the credentials a BookKeeper client presents
BookKeeper {
  org.apache.zookeeper.server.auth.DigestLoginModule required
    username="user1"
    password="testpwd";
};
{code}

and for Kerberos you have only to use the standard JDK Kerberos JAAS module

{code}
// server side: the bookie's service principal, keyed from its keytab
Bookie {
  com.sun.security.auth.module.Krb5LoginModule required
    debug=true
    useKeyTab=true
    keyTab="/path/to/server.keytab"
    storeKey=true
    useTicketCache=false
    principal="bookkeeper/HOSTNAME@REALM";
};
// client side: the principal a BookKeeper client authenticates as
BookKeeper {
  com.sun.security.auth.module.Krb5LoginModule required
    debug=true
    useKeyTab=true
    keyTab="/path/to/client.keytab"
    storeKey=true
    useTicketCache=false
    principal="username/HOSTNAME@REALM";
};
{code}

Following the conventions the "Bookie" principal needs to be bookkeeper/HOSTNAME@REALM (for instance in ZooKeeper it has to be zookeeper/HOSTNAME@REALM and for Kafka it is kafka/HOSTNAME@REALM), as the 'username' reflects the 'protocol'.

Maybe we are going to perform only authentication and so we do not care about dealing with principal manipulations, like removing HOSTNAME and REALM, as it is possible in ZooKeeper.

Beware that as bookies are 'clients' for inter-bookie communications the client section (BookKeeper) is to be configured on bookies too.

> Support Kerberos authentication of bookkeeper
> ---------------------------------------------
>
>                 Key: BOOKKEEPER-391
>                 URL: https://issues.apache.org/jira/browse/BOOKKEEPER-391
>             Project: Bookkeeper
>          Issue Type: New Feature
>          Components: bookkeeper-client, bookkeeper-server
>            Reporter: Rakesh R
>            Assignee: Rakesh R
>
> This JIRA is to discuss the authentication mechanism of bookie clients and server.
> Assume ZK provides a fully secured communication channel using a Kerberos based
> authentication and authorization model. We could also manage and renew users
> authenticated to BK via Kerberos. There is currently no configuration or
> hooks for the Bookie process to obtain Kerberos credentials.
> Today an unauthenticated bookie client can easily establish a connection with
> the bookkeeper server.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
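As an added example (not code from the BookKeeper project, from ZooKeeper, or from the comment above), the following Python linter parses a JAAS configuration file with the Bookie/BookKeeper layout sketched in the comment and checks the conventions the comment states: a bookie needs both sections because it is also a client for inter-bookie traffic, the Bookie Kerberos principal follows the bookkeeper/HOSTNAME@REALM pattern, and a DigestLoginModule client must name a user the Bookie section actually accepts. The section names come from the comment; the check rules are one reading of its conventions, and the sample configurations are constructed here.

```python
"""Linter for the Bookie / BookKeeper JAAS sections sketched in the comment.
Added example, not BookKeeper's or ZooKeeper's code. It parses the JAAS
config-file grammar (Name { ModuleClass flag key=value ...; };) and checks
the comment's conventions; the sample configs below are constructed."""
import re
from collections import namedtuple

DIGEST = "org.apache.zookeeper.server.auth.DigestLoginModule"
KRB5 = "com.sun.security.auth.module.Krb5LoginModule"
FLAGS = {"required", "requisite", "sufficient", "optional"}
_TOKEN = re.compile(r'"([^"]*)"|([^\s{};="]+)|([{};=])')  # quoted | bare word | punctuation
Entry = namedtuple("Entry", "module flag options")


def tokenize(text):
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)  # strip /* */ and // comments
    text = re.sub(r"//[^\n]*", " ", text)
    return [m.group(1) if m.group(1) is not None else (m.group(2) or m.group(3))
            for m in _TOKEN.finditer(text)]


def parse_jaas(text):
    """Return {section_name: [Entry, ...]}; raise ValueError on malformed syntax."""
    toks = tokenize(text)
    def at(i):
        if i >= len(toks):
            raise ValueError("unexpected end of JAAS config")
        return toks[i]
    sections, i = {}, 0
    while i < len(toks):
        name = at(i)
        if at(i + 1) != "{":
            raise ValueError(f"expected '{{' after section {name!r}")
        i, entries = i + 2, []
        while at(i) != "}":
            module, flag = at(i), at(i + 1)
            if flag not in FLAGS:
                raise ValueError(f"{name}: bad control flag {flag!r} after {module}")
            i, opts = i + 2, {}
            while at(i) != ";":  # each login-module entry ends with ';'
                if at(i + 1) != "=":
                    raise ValueError(f"{name}/{module}: option {at(i)!r} has no '='")
                opts[at(i)] = at(i + 2)
                i += 3
            entries.append(Entry(module, flag, opts))
            i += 1
        if at(i + 1) != ";":  # and the section itself closes with '};'
            raise ValueError(f"section {name!r} not terminated with ';'")
        sections[name] = entries
        i += 2
    return sections


def check_bookie_config(sections, is_bookie=True):
    """Return the list of convention violations (an empty list means OK)."""
    problems = []
    server, client = sections.get("Bookie", []), sections.get("BookKeeper")
    if is_bookie and not server:
        problems.append("Bookie section missing: nothing to authenticate clients against")
    if client is None:
        problems.append("BookKeeper section missing: bookies are clients for inter-bookie traffic too")
    accepted = {}  # user -> password, from the server-side user_<name> entries
    for e in server:
        if e.module == DIGEST:
            accepted.update({k[5:]: v for k, v in e.options.items() if k.startswith("user_")})
        elif e.module == KRB5:
            p = e.options.get("principal", "")
            if not re.fullmatch(r"bookkeeper/[^/@]+@[^/@]+", p):
                problems.append(f"Bookie/Krb5: principal {p!r} should be bookkeeper/HOSTNAME@REALM")
    if any(e.module == DIGEST for e in server) and not accepted:
        problems.append("Bookie/Digest: no user_<name>=password entries")
    for e in client or []:
        if e.module == DIGEST:
            u, pw = e.options.get("username"), e.options.get("password")
            if u is None or pw is None:
                problems.append("BookKeeper/Digest: username and password are both required")
            elif server and accepted.get(u) != pw:
                problems.append(f"BookKeeper/Digest: user {u!r} is not accepted by the Bookie section")
    return problems


def lint(text, is_bookie=True):
    try:
        return check_bookie_config(parse_jaas(text), is_bookie)
    except ValueError as err:
        return [f"syntax: {err}"]


# Constructed samples: the comment's Digest layout, and a broken bookie config that
# uses a client-style principal and has no BookKeeper section.
DIGEST_CONF = """
Bookie { org.apache.zookeeper.server.auth.DigestLoginModule required
         user_user1="testpwd" user_user2="testpwd"; };
BookKeeper { org.apache.zookeeper.server.auth.DigestLoginModule required
             username="user1" password="testpwd"; };
"""
BAD_KRB5_CONF = """
Bookie { com.sun.security.auth.module.Krb5LoginModule required
         useKeyTab=true keyTab="/path/to/server.keytab" storeKey=true
         principal="user1/HOSTNAME@REALM"; };
"""

if __name__ == "__main__":
    for label, conf in (("digest", DIGEST_CONF), ("bad krb5", BAD_KRB5_CONF)):
        print(label, "->", lint(conf) or "OK")
```

Run with `python jaas_lint.py`; pass `is_bookie=False` when checking a pure client's file, where only the BookKeeper section is expected. The parser insists on the `;` after every login-module entry and after each `};`, which is exactly the detail the comment's hand-written fragments leave out.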