zookeeper 3.4 sasl questions
Botond Hejj 2012-02-20, 13:00
Hi zookeeper users,
We currently use zookeeper with our custom patch to add kerberos authentication. You can find the jira that I've created for that here: https://issues.apache.org/jira/browse/ZOOKEEPER-896

I was glad to hear that support for kerberos authentication was added to zookeeper 3.4 with sasl, and now I finally could allocate some time to test how this implementation fits in our environment. What I noticed is that a couple of configuration bits are hard coded and thus couldn't work for us. Namely:

- server/client logincontext. I see that client logincontext is now configurable in 3.4.3. The same would be good for server.
- server principal on client side. This is set constantly to "zookeeper" and can't be changed. We run different zookeeper ensembles with different principals, so this should be set separately for each zookeeper connection for us. This could be implemented in different ways. Maybe the principal can be a ZooKeeper constructor argument, or we can pass this with the connection string like: principal@foo1:1223,foo2:1223,foo3:1223. The advantage of the latter method is that it doesn't require changing the existing code.
- requirement to have a sasl config file. We usually set the kerberos config in code based on the environment where the code is running and we don't use a config file. This is not a big problem actually. We can use an empty conf file and set up the config in code.

After changing these hardcoded values we could use zookeeper sasl/kerberos authentication in java, but we use zookeeper from c/perl/python/.Net as well and sasl is not implemented in those languages. Are there any plans to integrate the sasl authentication mechanism to other client languages as well?

Regards,
Botond Hejj
Morgan Stanley | Technology
Lechner Odon fasor 8 | Floor 07
Budapest, 1095
Phone: +36 1 881-3962
[EMAIL PROTECTED]