Details
-
Bug
-
Status: Open
-
Major
-
Resolution: Unresolved
-
3.4.13
-
None
-
None
Description
We're using Active Directory, and created service principals this way:
ktpass -princ ZOOKEEPER/host-1@TEST -mapuser zookeeper -mapOp add -Target TEST ktpass -princ ZOOKEEPER/host-2@TEST -mapuser zookeeper -mapOp add -Target TEST ktpass -princ ZOOKEEPER/host-3@TEST -mapuser zookeeper -mapOp add -Target TEST
Using this format, one is not able to do
kinit ZOOKEEPER/host-1@TEST
, but one is able to do
kinit zookeeper@TEST -S ZOOKEEPER/host-1@TEST
to obtain a service ticket.
In the Kafka project, it is fine for the JAAS file to have
principal="kafka@TEST"
, and automatically it seems it acquires the correct service ticket (I"m not sure how).
In zookeeper, things fail when a client tries to connect, due to this line:
https://github.com/apache/zookeeper/blob/master/zookeeper-server/src/main/java/org/apache/zookeeper/util/SecurityUtils.java#L170
It'd be great for Zookeeper server to have the same kind of mechanism as Kafka for accepting client connections. This would allow us to have
principal="zookeeper@TEST"
in JAAS. Otherwise, maybe support a JAAS new option so we can explicitly name the service ?
FYI - trying
principal="zookeeper/host-1@TEST"
does not work as due to how Active Directory works, it complains that the credentials cannot be found in the database (as we try to authenticate using the service name, not the user name)
I'm attaching some documentation I find relevant: https://serverfault.com/questions/682374/client-not-found-in-kerberos-database-while-getting-initial/683058#683058