[ https://issues.apache.org/jira/browse/BOOKKEEPER-391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15601175#comment-15601175 ]

Enrico Olivelli commented on BOOKKEEPER-391:
--------------------------------------------

My idea is to support SASL auth as ZooKeeper does,
using a JAAS configuration file like this for simple MD5 login (using the same 
class as ZooKeeper, which is the de facto standard in the Hadoop ecosystem)

{code}
// server side: one user_NAME="password" option per allowed client
Bookie {
       org.apache.zookeeper.server.auth.DigestLoginModule required
       user_user1="testpwd";
       user_user2="testpwd";
};

// client side: the credentials this process presents to bookies
BookKeeper {
       org.apache.zookeeper.server.auth.DigestLoginModule required
       username="user1"
       password="testpwd";
};
{code}

and for Kerberos you only have to use the standard JDK Kerberos JAAS module

{code}
// server side: the bookie authenticates with its own keytab, no ticket cache
Bookie {
       com.sun.security.auth.module.Krb5LoginModule required debug=true
       useKeyTab=true
       keyTab="/path/to/server.keytab"
       storeKey=true
       useTicketCache=false
       principal="bookkeeper/HOSTNAME@REALM";
};

// client side: same module, the client's own keytab and principal
BookKeeper {
       com.sun.security.auth.module.Krb5LoginModule required debug=true
       useKeyTab=true
       keyTab="/path/to/client.keytab"
       storeKey=true
       useTicketCache=false
       principal="username/HOSTNAME@REALM";
};
{code}

Following the conventions, the "Bookie" principal needs to be 
bookkeeper/HOSTNAME@REALM (for instance in ZooKeeper it has to be 
zookeeper/HOSTNAME@REALM and for Kafka it is kafka/HOSTNAME@REALM), as the 
'username' reflects the 'protocol'.

Maybe we are going to perform only authentication, and so we do not care about 
dealing with principal manipulations, like removing HOSTNAME and REALM, as is 
possible in ZooKeeper.

Beware that, as bookies are 'clients' for inter-bookie communication, the client 
section (BookKeeper) has to be configured on bookies too.

> Support Kerberos authentication of bookkeeper
> ---------------------------------------------
>
>                 Key: BOOKKEEPER-391
>                 URL: https://issues.apache.org/jira/browse/BOOKKEEPER-391
>             Project: Bookkeeper
>          Issue Type: New Feature
>          Components: bookkeeper-client, bookkeeper-server
>            Reporter: Rakesh R
>            Assignee: Rakesh R
>
> This JIRA is to discuss the authentication mechanism of bookie clients and server. 
> Assume ZK provides a fully secured communication channel using a Kerberos-based 
> authentication and authorization model. We could also manage and renew users 
> authenticated to BK via Kerberos. There are currently no configuration or 
> hooks for the Bookie process to obtain Kerberos credentials.
> Today an unauthenticated bookie client can easily establish a connection with 
> the bookkeeper server. 
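The following is an added example, not code from the JIRA comment, from BookKeeper or from ZooKeeper. It parses the JAAS file format shown in the comment (entry { module flag key=value ...; };, with "..." quoted values and // and /* */ comments), checks the conventions the comment describes (a Bookie section whose Kerberos principal is bookkeeper/HOSTNAME@REALM, plus a BookKeeper client section present on bookies too), and shows the host/realm stripping of a principal that ZooKeeper can perform. The section names, module class names and principal form come from the comment; the sample file, the check names and the principal_to_user helper are this example's own constructions.

```python
# Added example, not part of the JIRA comment or of BookKeeper/ZooKeeper.
# Section names and module classes are taken from the comment above; the
# sample file, check functions and principal_to_user() are assumptions of
# this example, modelled on the conventions the comment describes.
import re

KRB5 = "com.sun.security.auth.module.Krb5LoginModule"
DIGEST = "org.apache.zookeeper.server.auth.DigestLoginModule"
FLAGS = {"required", "requisite", "sufficient", "optional"}

# Constructed sample: a bookie's JAAS file with a Kerberos server entry and a
# digest client entry (the client entry is needed on bookies as well).
SAMPLE_JAAS = """
// server side: the principal primary must equal the protocol name
Bookie {
       com.sun.security.auth.module.Krb5LoginModule required debug=true
       useKeyTab=true
       keyTab="/etc/security/keytabs/bookie.keytab"
       useTicketCache=false
       principal="bookkeeper/bk1.example.com@EXAMPLE.COM";
};
/* client side, used for inter-bookie traffic and by regular clients */
BookKeeper {
       org.apache.zookeeper.server.auth.DigestLoginModule required
       username="user1"
       password="testpwd";
};
"""

_TOKEN = re.compile(r'"([^"]*)"|([^\s{};=]+)|([{};=])')


def tokenize(text):
    """Yield JAAS tokens; strips // and /* */ comments, unquotes "..." values."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    text = re.sub(r"//[^\n]*", " ", text)
    for m in _TOKEN.finditer(text):
        quoted, word, punct = m.groups()
        yield quoted if quoted is not None else (word or punct)


def parse_jaas(text):
    """Parse 'Name { module flag key=value ...; ... };' entries into
    {name: [{"module": str, "flag": str, "options": {key: value}}, ...]}."""
    toks = list(tokenize(text))

    def tok(i):
        if i >= len(toks):
            raise ValueError("unexpected end of JAAS config")
        return toks[i]

    entries, i = {}, 0
    while i < len(toks):
        name = tok(i)
        if tok(i + 1) != "{":
            raise ValueError("expected '{' after entry %r" % name)
        i, modules = i + 2, []
        while tok(i) != "}":
            module, flag = tok(i), tok(i + 1).lower()  # flag is case-insensitive
            if flag not in FLAGS:
                raise ValueError("bad control flag %r in entry %s" % (flag, name))
            i, opts = i + 2, {}
            while tok(i) != ";":
                if tok(i + 1) != "=":
                    raise ValueError("expected '=' after option %r" % tok(i))
                opts[tok(i)] = tok(i + 2)
                i += 3
            i += 1  # consume the ';' ending this module line
            modules.append({"module": module, "flag": flag, "options": opts})
        if tok(i + 1) != ";":
            raise ValueError("expected ';' after closing '}' of %s" % name)
        i += 2
        entries[name] = modules
    return entries


def principal_to_user(principal, remove_host=True, remove_realm=True):
    """Map primary/host@REALM to a user name, modelled on ZooKeeper's
    removeHostFromPrincipal / removeRealmFromPrincipal behaviour."""
    name, _, realm = principal.partition("@")
    primary, _, _host = name.partition("/")
    user = primary if remove_host else name
    return user + "@" + realm if (realm and not remove_realm) else user


def check_bookie_config(entries, service="bookkeeper"):
    """Return a list of convention violations for a bookie's JAAS file
    (checks are this example's own, derived from the comment above)."""
    problems = []
    for section in ("Bookie", "BookKeeper"):
        if section not in entries:
            problems.append("missing %s section (bookies are clients too)" % section)
    for mod in entries.get("Bookie", []):
        opts = mod["options"]
        if mod["module"] == KRB5:
            p = opts.get("principal", "")
            m = re.fullmatch(r"([^/@]+)/([^/@]+)@([^/@]+)", p)
            if not m or m.group(1) != service:
                problems.append("Bookie principal %r is not %s/HOSTNAME@REALM" % (p, service))
            if opts.get("useKeyTab") != "true" or "keyTab" not in opts:
                problems.append("Bookie Krb5LoginModule needs useKeyTab=true and a keyTab")
        elif mod["module"] == DIGEST and not any(k.startswith("user_") for k in opts):
            problems.append("Bookie DigestLoginModule entry defines no user_NAME=password")
    for mod in entries.get("BookKeeper", []):
        if mod["module"] == DIGEST and not {"username", "password"} <= set(mod["options"]):
            problems.append("BookKeeper DigestLoginModule entry needs username and password")
    return problems
```

Running check_bookie_config(parse_jaas(SAMPLE_JAAS)) on the sample returns no problems; dropping the BookKeeper section, or pointing the Bookie principal at zookeeper/HOSTNAME@REALM, each yields a reported violation. principal_to_user shows what the "username" becomes if host and realm are stripped the way the comment mentions for ZooKeeper.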



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)