arenadata
diff --git a/‎.gitignore‎
Lines changed: 3 additions & 0 deletions b/‎.gitignore‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎docker/kerberos-reconfig/Dockerfile.kdc‎
Lines changed: 17 additions & 0 deletions b/‎docker/kerberos-reconfig/Dockerfile.kdc‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎docker/kerberos-reconfig/Dockerfile.zk‎
Lines changed: 21 additions & 0 deletions b/‎docker/kerberos-reconfig/Dockerfile.zk‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎docker/kerberos-reconfig/README.md‎
Lines changed: 37 additions & 0 deletions b/‎docker/kerberos-reconfig/README.md‎
Lines changed: 37 additions & 0 deletions
diff --git a/‎docker/kerberos-reconfig/docker-compose.yml‎
Lines changed: 202 additions & 0 deletions b/‎docker/kerberos-reconfig/docker-compose.yml‎
Lines changed: 202 additions & 0 deletions
diff --git a/‎docker/kerberos-reconfig/kdc/init-kdc.sh‎
Lines changed: 22 additions & 0 deletions b/‎docker/kerberos-reconfig/kdc/init-kdc.sh‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎docker/kerberos-reconfig/kdc/kadm5.acl‎
Lines changed: 1 addition & 0 deletions b/‎docker/kerberos-reconfig/kdc/kadm5.acl‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎docker/kerberos-reconfig/kdc/kdc.conf‎
Lines changed: 14 additions & 0 deletions b/‎docker/kerberos-reconfig/kdc/kdc.conf‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎docker/kerberos-reconfig/kdc/krb5.conf‎
Lines changed: 18 additions & 0 deletions b/‎docker/kerberos-reconfig/kdc/krb5.conf‎
Lines changed: 18 additions & 0 deletions
@@ -101,3 +101,6 @@ zookeeper-client/zookeeper-client-c/generated/
 
 # Python
 *.py[cod]
+
+# docker
+/docker/kerberos-reconfig/zookeeper.tgz
@@ -0,0 +1,17 @@
+FROM debian:bookworm-slim
+
+RUN apt-get update \
+    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+        krb5-kdc krb5-admin-server krb5-user \
+    && rm -rf /var/lib/apt/lists/*
+
+COPY docker/kerberos-reconfig/kdc/krb5.conf /etc/krb5.conf
+COPY docker/kerberos-reconfig/kdc/kdc.conf /etc/krb5kdc/kdc.conf
+COPY docker/kerberos-reconfig/kdc/kadm5.acl /etc/krb5kdc/kadm5.acl
+COPY docker/kerberos-reconfig/kdc/init-kdc.sh /usr/local/bin/init-kdc.sh
+
+RUN chmod +x /usr/local/bin/init-kdc.sh
+
+EXPOSE 88/udp 88/tcp 749/tcp
+
+ENTRYPOINT ["/usr/local/bin/init-kdc.sh"]
@@ -0,0 +1,21 @@
+FROM eclipse-temurin:11-jre
+
+WORKDIR /opt
+
+COPY docker/kerberos-reconfig/zookeeper.tgz /tmp/zookeeper.tgz
+RUN mkdir -p /opt/zookeeper \
+    && tar -xzf /tmp/zookeeper.tgz -C /opt \
+    && rm /tmp/zookeeper.tgz \
+    && ZK_DIR=$(find /opt -maxdepth 1 -type d -name "apache-zookeeper-*") \
+    && mv "$ZK_DIR" /opt/zookeeper
+
+COPY docker/kerberos-reconfig/zk/jaas.conf.template /conf/jaas.conf.template
+COPY docker/kerberos-reconfig/zk/zk-entrypoint.sh /usr/local/bin/zk-entrypoint.sh
+
+RUN chmod +x /usr/local/bin/zk-entrypoint.sh
+
+ENV ZOO_CONF_DIR=/conf
+
+EXPOSE 2181 2888 3888
+
+ENTRYPOINT ["/usr/local/bin/zk-entrypoint.sh"]
@@ -0,0 +1,37 @@
+# Kerberos quorum SASL reconfig (Docker)
+
+## Prereqs
+
+Build a ZooKeeper binary tarball from this repo, then copy it to:
+
+`docker/kerberos-reconfig/zookeeper.tgz`
+
+Example build:
+
+```bash
+mvn clean package -DskipTests
+cp zookeeper-assembly/target/apache-zookeeper-3.8.4-bin.tar.gz \
+  docker/kerberos-reconfig/zookeeper.tgz
+```
+
+## Build images
+
+```bash
+docker compose -f docker/kerberos-reconfig/docker-compose.yml build
+```
+
+## One-shot scripts
+
+3 → 5 → 3 (authz allowlist refresh checks):
+
+```bash
+bash docker/kerberos-reconfig/oneshot-3-5-3.sh
+```
+
+3 → 1 → 3 (allowlist stress):
+
+```bash
+bash docker/kerberos-reconfig/oneshot-3-1-3.sh
+```
+
+Each script tears down the compose stack at the end (`docker compose down -v`).
@@ -0,0 +1,202 @@
+services:
+  kdc:
+    build:
+      context: ../..
+      dockerfile: docker/kerberos-reconfig/Dockerfile.kdc
+    hostname: kdc
+    environment:
+      REALM: EXAMPLE.COM
+      ADMIN_PASS: adminpass
+      HOSTS: "host1 host2 host3 host4 host5"
+    volumes:
+      - keytabs:/keytabs
+      - kdc-data:/var/lib/krb5kdc
+      - ./kdc/krb5.conf:/etc/krb5.conf:ro
+      - ./kdc/kdc.conf:/etc/krb5kdc/kdc.conf:ro
+      - ./kdc/kadm5.acl:/etc/krb5kdc/kadm5.acl:ro
+    networks:
+      zknet:
+        aliases:
+          - kdc
+        ipv4_address: 172.28.0.10
+
+  zk1:
+    build:
+      context: ../..
+      dockerfile: docker/kerberos-reconfig/Dockerfile.zk
+    hostname: host1
+    environment:
+      MYID: "1"
+      CLIENT_PORT: "2181"
+      SUPER_DIGEST: "super:D/InIHSb7yEEbrWz8b9l71RjZJU="
+      SERVER_LIST: |
+        server.1=host1:2888:3888:participant
+        server.2=host2:2888:3888:participant
+        server.3=host3:2888:3888:participant
+    volumes:
+      - keytabs:/keytabs
+      - ./kdc/krb5.conf:/etc/krb5.conf:ro
+      - ./zk/jaas.conf.template:/conf/jaas.conf.template:ro
+      - ./zk/logback.xml:/opt/zookeeper/apache-zookeeper-3.8.4-bin/conf/logback.xml:ro
+    depends_on:
+      - kdc
+    extra_hosts:
+      - "kdc:172.28.0.10"
+      - "host1:172.28.0.11"
+      - "host2:172.28.0.12"
+      - "host3:172.28.0.13"
+      - "host4:172.28.0.14"
+      - "host5:172.28.0.15"
+    networks:
+      zknet:
+        aliases:
+          - host1
+        ipv4_address: 172.28.0.11
+
+  zk2:
+    build:
+      context: ../..
+      dockerfile: docker/kerberos-reconfig/Dockerfile.zk
+    hostname: host2
+    environment:
+      MYID: "2"
+      CLIENT_PORT: "2181"
+      SUPER_DIGEST: "super:D/InIHSb7yEEbrWz8b9l71RjZJU="
+      SERVER_LIST: |
+        server.1=host1:2888:3888:participant
+        server.2=host2:2888:3888:participant
+        server.3=host3:2888:3888:participant
+    volumes:
+      - keytabs:/keytabs
+      - ./kdc/krb5.conf:/etc/krb5.conf:ro
+      - ./zk/jaas.conf.template:/conf/jaas.conf.template:ro
+      - ./zk/logback.xml:/opt/zookeeper/apache-zookeeper-3.8.4-bin/conf/logback.xml:ro
+    depends_on:
+      - kdc
+    extra_hosts:
+      - "kdc:172.28.0.10"
+      - "host1:172.28.0.11"
+      - "host2:172.28.0.12"
+      - "host3:172.28.0.13"
+      - "host4:172.28.0.14"
+      - "host5:172.28.0.15"
+    networks:
+      zknet:
+        aliases:
+          - host2
+        ipv4_address: 172.28.0.12
+
+  zk3:
+    build:
+      context: ../..
+      dockerfile: docker/kerberos-reconfig/Dockerfile.zk
+    hostname: host3
+    environment:
+      MYID: "3"
+      CLIENT_PORT: "2181"
+      SUPER_DIGEST: "super:D/InIHSb7yEEbrWz8b9l71RjZJU="
+      SERVER_LIST: |
+        server.1=host1:2888:3888:participant
+        server.2=host2:2888:3888:participant
+        server.3=host3:2888:3888:participant
+    volumes:
+      - keytabs:/keytabs
+      - ./kdc/krb5.conf:/etc/krb5.conf:ro
+      - ./zk/jaas.conf.template:/conf/jaas.conf.template:ro
+      - ./zk/logback.xml:/opt/zookeeper/apache-zookeeper-3.8.4-bin/conf/logback.xml:ro
+    depends_on:
+      - kdc
+    extra_hosts:
+      - "kdc:172.28.0.10"
+      - "host1:172.28.0.11"
+      - "host2:172.28.0.12"
+      - "host3:172.28.0.13"
+      - "host4:172.28.0.14"
+      - "host5:172.28.0.15"
+    networks:
+      zknet:
+        aliases:
+          - host3
+        ipv4_address: 172.28.0.13
+
+  zk4:
+    build:
+      context: ../..
+      dockerfile: docker/kerberos-reconfig/Dockerfile.zk
+    hostname: host4
+    profiles: ["joiners"]
+    environment:
+      MYID: "4"
+      CLIENT_PORT: "2181"
+      SUPER_DIGEST: "super:D/InIHSb7yEEbrWz8b9l71RjZJU="
+      SERVER_LIST: |
+        server.1=host1:2888:3888:participant
+        server.2=host2:2888:3888:participant
+        server.3=host3:2888:3888:participant
+        server.4=host4:2888:3888:participant
+        server.5=host5:2888:3888:participant
+    volumes:
+      - keytabs:/keytabs
+      - ./kdc/krb5.conf:/etc/krb5.conf:ro
+      - ./zk/jaas.conf.template:/conf/jaas.conf.template:ro
+      - ./zk/logback.xml:/opt/zookeeper/apache-zookeeper-3.8.4-bin/conf/logback.xml:ro
+    depends_on:
+      - kdc
+    extra_hosts:
+      - "kdc:172.28.0.10"
+      - "host1:172.28.0.11"
+      - "host2:172.28.0.12"
+      - "host3:172.28.0.13"
+      - "host4:172.28.0.14"
+      - "host5:172.28.0.15"
+    networks:
+      zknet:
+        aliases:
+          - host4
+        ipv4_address: 172.28.0.14
+
+  zk5:
+    build:
+      context: ../..
+      dockerfile: docker/kerberos-reconfig/Dockerfile.zk
+    hostname: host5
+    profiles: ["joiners"]
+    environment:
+      MYID: "5"
+      CLIENT_PORT: "2181"
+      SUPER_DIGEST: "super:D/InIHSb7yEEbrWz8b9l71RjZJU="
+      SERVER_LIST: |
+        server.1=host1:2888:3888:participant
+        server.2=host2:2888:3888:participant
+        server.3=host3:2888:3888:participant
+        server.4=host4:2888:3888:participant
+        server.5=host5:2888:3888:participant
+    volumes:
+      - keytabs:/keytabs
+      - ./kdc/krb5.conf:/etc/krb5.conf:ro
+      - ./zk/jaas.conf.template:/conf/jaas.conf.template:ro
+      - ./zk/logback.xml:/opt/zookeeper/apache-zookeeper-3.8.4-bin/conf/logback.xml:ro
+    depends_on:
+      - kdc
+    extra_hosts:
+      - "kdc:172.28.0.10"
+      - "host1:172.28.0.11"
+      - "host2:172.28.0.12"
+      - "host3:172.28.0.13"
+      - "host4:172.28.0.14"
+      - "host5:172.28.0.15"
+    networks:
+      zknet:
+        aliases:
+          - host5
+        ipv4_address: 172.28.0.15
+
+volumes:
+  keytabs: {}
+  kdc-data: {}
+
+networks:
+  zknet:
+    ipam:
+      config:
+        - subnet: 172.28.0.0/16
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+REALM="${REALM:-EXAMPLE.COM}"
+ADMIN_PASS="${ADMIN_PASS:-adminpass}"
+HOSTS="${HOSTS:-host1 host2 host3 host4 host5}"
+READY_FILE="/keytabs/READY"
+
+if [ ! -f /var/lib/krb5kdc/principal ]; then
+  echo -e "${ADMIN_PASS}\n${ADMIN_PASS}" | krb5_newrealm
+  kadmin.local -q "addprinc -pw ${ADMIN_PASS} admin/admin@${REALM}"
+  for h in ${HOSTS}; do
+    kadmin.local -q "addprinc -randkey zkquorum/${h}@${REALM}"
+    kadmin.local -q "addprinc -randkey learner/${h}@${REALM}"
+    kadmin.local -q "ktadd -k /keytabs/${h}.keytab zkquorum/${h}@${REALM} learner/${h}@${REALM}"
+  done
+  chmod 600 /keytabs/*.keytab || true
+fi
+
+touch "${READY_FILE}"
+
+krb5kdc -n
@@ -0,0 +1 @@
+*/admin@EXAMPLE.COM *
@@ -0,0 +1,14 @@
+[kdcdefaults]
+ kdc_ports = 88
+ kdc_tcp_ports = 88
+
+[realms]
+ EXAMPLE.COM = {
+  database_name = /var/lib/krb5kdc/principal
+  admin_keytab = /etc/krb5kdc/kadm5.keytab
+  acl_file = /etc/krb5kdc/kadm5.acl
+  key_stash_file = /etc/krb5kdc/stash
+  max_life = 24h
+  max_renewable_life = 7d
+  default_principal_flags = +preauth
+ }
@@ -0,0 +1,18 @@
+[libdefaults]
+ default_realm = EXAMPLE.COM
+ dns_lookup_kdc = false
+ dns_lookup_realm = false
+ ticket_lifetime = 24h
+ renew_lifetime = 7d
+ forwardable = true
+ udp_preference_limit = 1
+
+[realms]
+ EXAMPLE.COM = {
+  kdc = kdc
+  admin_server = kdc
+ }
+
+[domain_realm]
+ .example.com = EXAMPLE.COM
+ example.com = EXAMPLE.COM