[ https://issues.apache.org/jira/browse/BOOKKEEPER-391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15637217#comment-15637217 ]

Rakesh R commented on BOOKKEEPER-391:
-------------------------------------

Thanks [~eolivelli] for the explanation. 
{quote} About the principal format, Rakesh R do you think that we should 
perform any validation on principals ? 
IMHO From the bookie side both regular clients and other bookies are seen as 
generic clients and so there is no way to validate the principal and tell that 
the client MUST be another bookie (I'm thinking about ZOOKEEPER-1045)
{quote}
It would be good to make the Kerb principal name consistent with other Apache 
projects like Hadoop, HBase and ZooKeeper. AFAIK, all of these support host-based 
principal names like {{servicename/_h...@realm.com}}. Also, I'd prefer to 
keep the BookKeeperClient and BookieAuditor (client used for inter-bookie 
communications) sections separate in the {{jaas.config}}. If an admin wants, 
they are free to configure the same Kerb principal for both of them so that they 
can avoid creating multiple client Kerb principals. I just named it 
{{BookieAuditor}}; please feel free to choose a better name.

Below is a sample *jaas.config* file and its sections:
{code}
BookieServer {
  // principal entries
};

BookieAuditor {
  // principal entries
};

BookKeeperClient {
  // principal entries
};
{code}

If required, you can refer to the 
[ZooKeeperSaslClient|https://github.com/apache/zookeeper/blob/master/src/java/main/org/apache/zookeeper/client/ZooKeeperSaslClient.java#L63]
 and 
[ZooKeeperSaslServer|https://github.com/apache/zookeeper/blob/master/src/java/main/org/apache/zookeeper/server/ZooKeeperSaslServer.java#L47]
 classes to understand the ZooKeeper implementation.
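As an added illustration of the layout discussed in this comment (example code written for this page, not BookKeeper or ZooKeeper code), the following Python parses a JAAS login configuration into its sections and checks two things an operator would want verified before deploying: that the three proposed sections ({{BookieServer}}, {{BookieAuditor}}, {{BookKeeperClient}}) are present with a {{Krb5LoginModule}} entry, and that each configured {{principal}} has the host-based {{service/host@REALM}} shape. The keytab paths, hostnames, realm and user name in the sample configs are constructed values; the {{Krb5LoginModule}} option names are the JDK's. Whether regular clients must also use host-based principals is a policy decision; the check simply enforces the convention the comment proposes.

```python
"""Parse a JAAS config and validate host-based Kerberos principals.

Added example for the BOOKKEEPER-391 discussion; not project code.
Sample configs below are constructed, not taken from any deployment.
"""
import re

# Minimal JAAS grammar handled here:  Name { ModuleClass flag key=value ...; };
# Nested braces and ';' inside quoted values are not supported.
SECTION_RE = re.compile(r"(\w+)\s*\{(.*?)\}\s*;", re.S)
ENTRY_RE = re.compile(
    r"(\S+)\s+(required|requisite|sufficient|optional)\s*(.*?);", re.S | re.I)
OPTION_RE = re.compile(r'(\w+)\s*=\s*("([^"]*)"|(\S+))')
# Host-based principal: service/host@REALM (the Hadoop/HBase/ZooKeeper form).
PRINCIPAL_RE = re.compile(r"^([A-Za-z0-9._-]+)/([A-Za-z0-9._-]+)@([A-Za-z0-9.-]+)$")

EXPECTED_SECTIONS = ("BookieServer", "BookieAuditor", "BookKeeperClient")
KRB5_MODULE = "com.sun.security.auth.module.Krb5LoginModule"


def strip_comments(text):
    """Drop '//' line comments (JAAS files use C++-style comments)."""
    return re.sub(r"//[^\n]*", "", text)


def parse_jaas(text):
    """Return {section: [{"module": cls, "flag": flag, "options": {k: v}}]}."""
    sections = {}
    for name, body in SECTION_RE.findall(strip_comments(text)):
        entries = []
        for module, flag, opts in ENTRY_RE.findall(body):
            # OPTION_RE groups: key, whole value, quoted content, bare value
            options = {k: (quoted or bare) for k, _, quoted, bare in OPTION_RE.findall(opts)}
            entries.append({"module": module, "flag": flag.lower(), "options": options})
        sections[name] = entries
    return sections


def check_principal(principal):
    """Return {"service", "host", "realm"} for a host-based principal, else None."""
    m = PRINCIPAL_RE.match(principal)
    if not m:
        return None
    service, host, realm = m.groups()
    return {"service": service, "host": host, "realm": realm}


def validate_config(text):
    """Return a list of problems; an empty list means the config is acceptable."""
    cfg = parse_jaas(text)
    problems = []
    for name in EXPECTED_SECTIONS:
        if name not in cfg:
            problems.append(f"missing section {name}")
            continue
        krb = [e for e in cfg[name] if e["module"] == KRB5_MODULE]
        if not krb:
            problems.append(f"{name}: no Krb5LoginModule entry")
            continue
        for entry in krb:
            opts = entry["options"]
            principal = opts.get("principal")
            if principal is None:
                problems.append(f"{name}: principal option missing")
            elif check_principal(principal) is None:
                problems.append(f"{name}: principal {principal!r} is not service/host@REALM")
            if opts.get("useKeyTab", "false").lower() == "true" and "keyTab" not in opts:
                problems.append(f"{name}: useKeyTab=true but no keyTab path")
    return problems


# Constructed sample: all three sections use a host-based principal.
SAMPLE_JAAS_OK = """
BookieServer {
  com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true storeKey=true
    keyTab="/etc/security/keytabs/bookie.keytab"
    principal="bookkeeper/bookie1.example.com@EXAMPLE.COM";
};
BookieAuditor {
  com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/etc/security/keytabs/bookie.keytab"
    principal="bookkeeper/bookie1.example.com@EXAMPLE.COM";
};
BookKeeperClient {
  com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/etc/security/keytabs/client.keytab"
    principal="bkclient/app1.example.com@EXAMPLE.COM";
};
"""

# Constructed sample with two defects: auditor has no keytab, client uses a
# plain user principal instead of service/host@REALM.
SAMPLE_JAAS_BAD = SAMPLE_JAAS_OK.replace(
    '    keyTab="/etc/security/keytabs/bookie.keytab"\n    principal="bookkeeper/bookie1.example.com@EXAMPLE.COM";\n};\nBookKeeperClient',
    '    principal="bookkeeper/bookie1.example.com@EXAMPLE.COM";\n};\nBookKeeperClient',
).replace('principal="bkclient/app1.example.com@EXAMPLE.COM"', 'principal="alice@EXAMPLE.COM"')

if __name__ == "__main__":
    for label, cfg in (("ok", SAMPLE_JAAS_OK), ("bad", SAMPLE_JAAS_BAD)):
        print(label, validate_config(cfg) or "no problems")
```

Running the module prints no problems for the first sample and two findings for the second (the auditor section's missing keytab and the client's non-host-based principal). The parser is deliberately small; a production check would load the file through {{javax.security.auth.login.Configuration}} on the JVM instead of re-parsing the syntax.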

> Support Kerberos authentication of bookkeeper
> ---------------------------------------------
>
>                 Key: BOOKKEEPER-391
>                 URL: https://issues.apache.org/jira/browse/BOOKKEEPER-391
>             Project: Bookkeeper
>          Issue Type: New Feature
>          Components: bookkeeper-client, bookkeeper-server
>            Reporter: Rakesh R
>            Assignee: Enrico Olivelli
>
> This JIRA to discuss authentication mechanism of bookie clients and server. 
> Assume ZK provides fully secured communication channel using Kerberos based 
> authentication and authorization model. We could also manage and renew users 
> authenticated to BK via Kerberos. There is currently no configuration or 
> hooks for the Bookie process to obtain Kerberos credentials.
> Today an unauthenticated bookie client can easily establish connection with 
> the bookkeeper server. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
