SASL Digest-MD5 for the ZK Quorum
thibaud.coueffe committed Mar 30, 2023
1 parent 7b4443b commit 1dd84c3
Showing 4 changed files with 37 additions and 0 deletions.
6 changes: 6 additions & 0 deletions manifests/init.pp
Expand Up @@ -136,6 +136,12 @@
Boolean $use_ticket_cache = $zookeeper::params::use_ticket_cache,
Boolean $remove_host_principal = $zookeeper::params::remove_host_principal,
Boolean $remove_realm_principal = $zookeeper::params::remove_realm_principal,
# Quorum SASL /!\ Only works with ZK 3.4.10 or more recent; disabled by default /!\
Boolean $quorum_auth_enable_sasl = $zookeeper::quorum_auth_enable_sasl,
Boolean $quorum_auth_learner_require_sasl = $zookeeper::quorum_auth_learner_require_sasl,
Boolean $quorum_auth_server_require_sasl = $zookeeper::quorum_auth_server_require_sasl,
String $quorum_sasl_user = $zookeeper::quorum_sasl_user,
String $quorum_sasl_password = $zookeeper::quorum_sasl_password,
# four letter words whitelist
Array[String] $whitelist_4lw = $zookeeper::params::whitelist_4lw,
# Metrics Providers
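Review bot: The five new parameters take their defaults from `$zookeeper::quorum_…` while every neighbouring parameter (`$use_ticket_cache`, `$remove_host_principal`, `$whitelist_4lw`) reads `$zookeeper::params::…`, and the params.pp hunk of this same commit defines the values in that params class; inside class `zookeeper` the name `$zookeeper::quorum_auth_enable_sasl` is the very parameter being declared, so the default most likely resolves to undef and the `Boolean` type then rejects it. The two credential parameters are also typed `String` while their params.pp default is `undef`, which `String` does not admit, so a catalog that leaves quorum SASL disabled would fail; `Optional[String]` matches the intended default. Suggested lines: `Boolean $quorum_auth_enable_sasl = $zookeeper::params::quorum_auth_enable_sasl,` (likewise for the two `require` flags), `Optional[String] $quorum_sasl_user = $zookeeper::params::quorum_sasl_user,` and `Optional[String] $quorum_sasl_password = $zookeeper::params::quorum_sasl_password,`; wrapping the password in `Sensitive` would additionally keep it out of catalog diffs and reports, but the templates would then need to unwrap it. The class header and the rest of the parameter list start outside the hunk.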
7 changes: 7 additions & 0 deletions manifests/params.pp
Expand Up @@ -210,6 +210,13 @@
# whitelist of Four Letter Words commands, see https://zookeeper.apache.org/doc/r3.4.12/zookeeperAdmin.html#sc_zkCommands
$whitelist_4lw = []

# quorum SASL
$quorum_auth_enable_sasl = false
$quorum_auth_learner_require_sasl = false
$quorum_auth_server_require_sasl = false
$quorum_sasl_user = undef
$quorum_sasl_password = undef

# Metrics Providers
$metrics_provider_classname = undef
$metrics_provider_http_port = 7000
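Review bot: Documentation only: the `# quorum SASL` comment should record that the three flags are meant to be enabled in stages, because the ZooKeeper admin guide, as I read it, recommends turning on `learnerRequireSasl` and `serverRequireSasl` only after every quorum member already runs with `enableSasl`, otherwise a mixed quorum cannot form; the false-by-default ordering here is right, the reason is just not written down. Suggested comment: `# quorum SASL: enable on every member first, then set the require flags (see ZooKeeper admin guide, quorum.auth.*)`. The enclosing params class starts and ends outside the hunk.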
14 changes: 14 additions & 0 deletions templates/conf/jaas.conf.erb
Expand Up @@ -13,3 +13,17 @@ Server {
<% end %>;
<% end -%>
};

<% if scope.lookupvar("zookeeper::quorum_auth_enable_sasl") -%>
<%# Only tested with Digest-MD5 authentication scheme but it can also work with Kerberos -%>
QuorumServer {
org.apache.zookeeper.server.auth.DigestLoginModule required
user_<%= scope.lookupvar("zookeeper::quorum_sasl_user") %>="<%= scope.lookupvar("zookeeper::quorum_sasl_password") %>";
};

QuorumLearner {
org.apache.zookeeper.server.auth.DigestLoginModule required
username="<%= scope.lookupvar("zookeeper::quorum_sasl_user") %>"
password="<%= scope.lookupvar("zookeeper::quorum_sasl_password") %>";
};
<% end -%>
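Review bot: With `quorum_auth_enable_sasl` true but `quorum_sasl_user`/`quorum_sasl_password` left at their params.pp default of undef, the `QuorumServer`/`QuorumLearner` stanzas render as `user_="";` and `username="" password=""`, so a misconfigured node silently ships a JAAS file with an empty credential instead of failing the catalog. The template also interpolates the password verbatim, so a value containing `"` or `\` breaks the stanza or truncates the credential — nothing in the hunk escapes it. I would resolve both values once at the top of the block, abort the catalog when either is unset using the same `[nil, :undefined, :undef]` test that zoo.cfg.erb already uses, and backslash-escape the two characters the JAAS quoted-string parser treats specially. Separately, Digest-MD5 authenticates peers but does not encrypt quorum traffic, and the shared secret sits in clear text in this file, so the file resource that writes jaas.conf (outside this hunk) should keep a restrictive mode.
```erb
<% if scope.lookupvar("zookeeper::quorum_auth_enable_sasl") -%>
<%
  quorum_user = scope.lookupvar("zookeeper::quorum_sasl_user")
  quorum_pass = scope.lookupvar("zookeeper::quorum_sasl_password")
  if [nil, :undefined, :undef, ""].include?(quorum_user) || [nil, :undefined, :undef, ""].include?(quorum_pass)
    raise Puppet::ParseError, "zookeeper: quorum_sasl_user and quorum_sasl_password must be set when quorum_auth_enable_sasl is true"
  end
  # JAAS quoted strings use backslash escapes; protect the delimiter and the escape char.
  quorum_pass = quorum_pass.gsub(/(["\\])/, '\\\\\1')
-%>
QuorumServer {
  org.apache.zookeeper.server.auth.DigestLoginModule required
  user_<%= quorum_user %>="<%= quorum_pass %>";
};
<%# … unchanged: QuorumLearner stanza, substituting quorum_user / quorum_pass for the two lookups … -%>
<% end -%>
```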
10 changes: 10 additions & 0 deletions templates/conf/zoo.cfg.erb
Expand Up @@ -142,6 +142,16 @@ kerberos.removeRealmFromPrincipal=true
<% end -%>
<% end -%>

<% if scope.lookupvar("zookeeper::quorum_auth_enable_sasl") -%>
quorum.auth.enableSasl=true
<% end -%>
<% if scope.lookupvar("zookeeper::quorum_auth_learner_require_sasl") -%>
quorum.auth.learnerRequireSasl=true
<% end -%>
<% if scope.lookupvar("zookeeper::quorum_auth_server_require_sasl") -%>
quorum.auth.serverRequireSasl=true
<% end -%>

<% if scope.lookupvar("zookeeper::ssl") -%>
# Supported since 3.5.1
<% if ! [nil, :undefined, :undef].include?(scope.lookupvar("zookeeper::secure_client_port")) -%>
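Review bot: `quorum.auth.learnerRequireSasl=true` and `quorum.auth.serverRequireSasl=true` are emitted regardless of `quorum_auth_enable_sasl`, so setting either require flag while SASL is disabled produces a zoo.cfg that, if memory serves of QuorumPeerConfig, ZooKeeper refuses at startup with an IllegalArgumentException for a require flag without enableSasl — the manifest lets that combination through. Tying the two conditions to the enable flag keeps the rendered file consistent with the parameters: `<% if scope.lookupvar("zookeeper::quorum_auth_enable_sasl") && scope.lookupvar("zookeeper::quorum_auth_learner_require_sasl") -%>` and the same for the server flag, or nest both checks inside the `enableSasl` block. A comment above the block such as `# Quorum peer authentication (ZK >= 3.4.10); enable on all members before setting the require flags` would also help, since the `/!\` warning currently lives only in init.pp.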
