This is an automated email from the ASF dual-hosted git repository.
andor pushed a commit to branch branch-3.9
in repository https://gitbox.apache.org/repos/asf/zookeeper.git
The following commit(s) were added to refs/heads/branch-3.9 by this push:
new 555d08d53 ZOOKEEPER-4889: Fallback to DIGEST-MD5 auth mech should be
disabled in Fips mode (#2213)
555d08d53 is described below
commit 555d08d53fd8b4db8a06265e2b63187385029c92
Author: Andor Molnár <[email protected]>
AuthorDate: Mon Nov 25 00:28:26 2024 -0600
ZOOKEEPER-4889: Fallback to DIGEST-MD5 auth mech should be disabled in Fips
mode (#2213)
(cherry picked from commit fe64596e8d58839b98366861a628a3e1d16a7014)
Signed-off-by: Andor Molnar <[email protected]>
---
.../zookeeper/client/ZooKeeperSaslClient.java | 2 +-
.../java/org/apache/zookeeper/common/X509Util.java | 7 ++--
.../server/auth/X509AuthenticationProvider.java | 2 +-
.../server/quorum/auth/SaslQuorumAuthLearner.java | 1 +
.../org/apache/zookeeper/util/SecurityUtils.java | 8 ++++
.../java/org/apache/zookeeper/SaslAuthTest.java | 4 +-
.../ZookeeperServerClusterMutualAuthTest.java | 4 ++
.../server/quorum/auth/DigestSecurityTestcase.java | 44 ++++++++++++++++++++++
.../server/quorum/auth/QuorumAuthUpgradeTest.java | 2 +-
.../server/quorum/auth/QuorumDigestAuthTest.java | 2 +-
.../test/SaslAuthDesignatedClientTest.java | 2 +-
.../test/SaslAuthDesignatedServerTest.java | 2 +-
.../zookeeper/test/SaslAuthDigestTestBase.java | 44 ++++++++++++++++++++++
.../test/SaslAuthFailDesignatedClientTest.java | 2 +-
.../apache/zookeeper/test/SaslAuthFailTest.java | 2 +-
.../test/SaslAuthMissingClientConfigTest.java | 2 +-
.../test/SaslAuthRequiredFailNoSASLTest.java | 2 +-
.../test/SaslAuthRequiredFailWrongSASLTest.java | 2 +-
.../test/SaslAuthRequiredMultiClientTest.java | 2 +-
.../zookeeper/test/SaslAuthRequiredTest.java | 2 +-
.../zookeeper/test/SaslDigestAuthOverSSLTest.java | 2 +-
.../apache/zookeeper/test/SaslSuperUserTest.java | 2 +-
22 files changed, 122 insertions(+), 20 deletions(-)
diff --git
a/zookeeper-server/src/main/java/org/apache/zookeeper/client/ZooKeeperSaslClient.java
b/zookeeper-server/src/main/java/org/apache/zookeeper/client/ZooKeeperSaslClient.java
index f86c41db7..4ec85625d 100644
---
a/zookeeper-server/src/main/java/org/apache/zookeeper/client/ZooKeeperSaslClient.java
+++
b/zookeeper-server/src/main/java/org/apache/zookeeper/client/ZooKeeperSaslClient.java
@@ -250,7 +250,7 @@ public class ZooKeeperSaslClient {
l.startThreadIfNeeded();
}
}
- return SecurityUtils.createSaslClient(loginRef.get().getSubject(),
+ return SecurityUtils.createSaslClient(clientConfig,
loginRef.get().getSubject(),
servicePrincipal, "zookeeper", "zk-sasl-md5", LOG, "Client");
} catch (LoginException e) {
// We throw LoginExceptions...
diff --git
a/zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java
b/zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java
index dfb3f1191..17818207e 100644
--- a/zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java
+++ b/zookeeper-server/src/main/java/org/apache/zookeeper/common/X509Util.java
@@ -73,7 +73,8 @@ public abstract class X509Util implements Closeable,
AutoCloseable {
private static final Logger LOG = LoggerFactory.getLogger(X509Util.class);
private static final String REJECT_CLIENT_RENEGOTIATION_PROPERTY =
"jdk.tls.rejectClientInitiatedRenegotiation";
- private static final String FIPS_MODE_PROPERTY = "zookeeper.fips-mode";
+ public static final String FIPS_MODE_PROPERTY = "zookeeper.fips-mode";
+ private static final boolean FIPS_MODE_DEFAULT = true;
public static final String TLS_1_1 = "TLSv1.1";
public static final String TLS_1_2 = "TLSv1.2";
public static final String TLS_1_3 = "TLSv1.3";
@@ -301,8 +302,8 @@ public abstract class X509Util implements Closeable,
AutoCloseable {
return FIPS_MODE_PROPERTY;
}
- public boolean getFipsMode(ZKConfig config) {
- return config.getBoolean(FIPS_MODE_PROPERTY, true);
+ public static boolean getFipsMode(ZKConfig config) {
+ return config.getBoolean(FIPS_MODE_PROPERTY, FIPS_MODE_DEFAULT);
}
public boolean isServerHostnameVerificationEnabled(ZKConfig config) {
diff --git
a/zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/X509AuthenticationProvider.java
b/zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/X509AuthenticationProvider.java
index 26c083c3c..4ea925320 100644
---
a/zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/X509AuthenticationProvider.java
+++
b/zookeeper-server/src/main/java/org/apache/zookeeper/server/auth/X509AuthenticationProvider.java
@@ -106,7 +106,7 @@ public class X509AuthenticationProvider implements
AuthenticationProvider {
x509Util.getSslTruststorePasswdProperty(),
x509Util.getSslTruststorePasswdPathProperty());
String trustStoreTypeProp =
config.getProperty(x509Util.getSslTruststoreTypeProperty());
- boolean fipsMode = x509Util.getFipsMode(config);
+ boolean fipsMode = X509Util.getFipsMode(config);
if (trustStoreLocation.isEmpty()) {
LOG.warn("Truststore not specified for client connection");
diff --git
a/zookeeper-server/src/main/java/org/apache/zookeeper/server/quorum/auth/SaslQuorumAuthLearner.java
b/zookeeper-server/src/main/java/org/apache/zookeeper/server/quorum/auth/SaslQuorumAuthLearner.java
index 0b5ac551d..3151a5756 100644
---
a/zookeeper-server/src/main/java/org/apache/zookeeper/server/quorum/auth/SaslQuorumAuthLearner.java
+++
b/zookeeper-server/src/main/java/org/apache/zookeeper/server/quorum/auth/SaslQuorumAuthLearner.java
@@ -94,6 +94,7 @@ public class SaslQuorumAuthLearner implements
QuorumAuthLearner {
DataInputStream din = new DataInputStream(sock.getInputStream());
byte[] responseToken = new byte[0];
sc = SecurityUtils.createSaslClient(
+ new ZKConfig(),
learnerLogin.getSubject(),
principalConfig,
QuorumAuth.QUORUM_SERVER_PROTOCOL_NAME,
diff --git
a/zookeeper-server/src/main/java/org/apache/zookeeper/util/SecurityUtils.java
b/zookeeper-server/src/main/java/org/apache/zookeeper/util/SecurityUtils.java
index 6ac3fff2a..5c44f2116 100644
---
a/zookeeper-server/src/main/java/org/apache/zookeeper/util/SecurityUtils.java
+++
b/zookeeper-server/src/main/java/org/apache/zookeeper/util/SecurityUtils.java
@@ -28,6 +28,8 @@ import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import org.apache.zookeeper.SaslClientCallbackHandler;
+import org.apache.zookeeper.common.X509Util;
+import org.apache.zookeeper.common.ZKConfig;
import org.apache.zookeeper.server.auth.KerberosName;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
@@ -55,6 +57,7 @@ public final class SecurityUtils {
* @throws SaslException
*/
public static SaslClient createSaslClient(
+ ZKConfig config,
final Subject subject,
final String servicePrincipal,
final String protocol,
@@ -67,6 +70,11 @@ public final class SecurityUtils {
if (subject.getPrincipals().isEmpty()) {
// no principals: must not be GSSAPI: use DIGEST-MD5 mechanism
// instead.
+ // FIPS-mode: don't try DIGEST-MD5, just return error
+ if (X509Util.getFipsMode(config)) {
+ LOG.warn("{} will not use DIGEST-MD5 as SASL mechanism,
because FIPS mode is enabled.", entity);
+ return null;
+ }
LOG.info("{} will use DIGEST-MD5 as SASL mechanism.", entity);
String[] mechs = {"DIGEST-MD5"};
String username = (String)
(subject.getPublicCredentials().toArray()[0]);
diff --git
a/zookeeper-server/src/test/java/org/apache/zookeeper/SaslAuthTest.java
b/zookeeper-server/src/test/java/org/apache/zookeeper/SaslAuthTest.java
index 8e713e37c..fe9b41dc6 100644
--- a/zookeeper-server/src/test/java/org/apache/zookeeper/SaslAuthTest.java
+++ b/zookeeper-server/src/test/java/org/apache/zookeeper/SaslAuthTest.java
@@ -39,12 +39,12 @@ import org.apache.zookeeper.ZooDefs.Ids;
import org.apache.zookeeper.client.ZooKeeperSaslClient;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;
-import org.apache.zookeeper.test.ClientBase;
+import org.apache.zookeeper.test.SaslAuthDigestTestBase;
import org.junit.jupiter.api.AfterAll;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.Test;
-public class SaslAuthTest extends ClientBase {
+public class SaslAuthTest extends SaslAuthDigestTestBase {
@BeforeAll
public static void init() {
diff --git
a/zookeeper-server/src/test/java/org/apache/zookeeper/server/embedded/ZookeeperServerClusterMutualAuthTest.java
b/zookeeper-server/src/test/java/org/apache/zookeeper/server/embedded/ZookeeperServerClusterMutualAuthTest.java
index 1022c25c1..a66e476ce 100644
---
a/zookeeper-server/src/test/java/org/apache/zookeeper/server/embedded/ZookeeperServerClusterMutualAuthTest.java
+++
b/zookeeper-server/src/test/java/org/apache/zookeeper/server/embedded/ZookeeperServerClusterMutualAuthTest.java
@@ -26,6 +26,7 @@ import java.nio.file.Path;
import java.util.Properties;
import javax.security.auth.login.Configuration;
import org.apache.zookeeper.PortAssignment;
+import org.apache.zookeeper.common.X509Util;
import org.apache.zookeeper.test.ClientBase;
import org.junit.jupiter.api.AfterAll;
import org.junit.jupiter.api.BeforeAll;
@@ -39,6 +40,8 @@ public class ZookeeperServerClusterMutualAuthTest {
@BeforeAll
public static void setUpEnvironment() {
+ // Need to disable Fips-mode, because we use DIGEST-MD5 mech for Sasl
+ System.setProperty(X509Util.FIPS_MODE_PROPERTY, "false");
System.setProperty("java.security.auth.login.config", new
File("src/test/resources/embedded/test_jaas_server_auth.conf")
.getAbsolutePath());
Configuration.getConfiguration().refresh();
@@ -52,6 +55,7 @@ public class ZookeeperServerClusterMutualAuthTest {
System.clearProperty("zookeeper.4lw.commands.whitelist");
System.clearProperty("java.security.auth.login.config");
Configuration.getConfiguration().refresh();
+ System.clearProperty(X509Util.FIPS_MODE_PROPERTY);
}
@TempDir
diff --git
a/zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/auth/DigestSecurityTestcase.java
b/zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/auth/DigestSecurityTestcase.java
new file mode 100644
index 000000000..a3a206be4
--- /dev/null
+++
b/zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/auth/DigestSecurityTestcase.java
@@ -0,0 +1,44 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.zookeeper.server.quorum.auth;
+
+import org.apache.zookeeper.common.X509Util;
+import org.apache.zookeeper.test.SaslAuthDigestTestBase;
+import org.junit.jupiter.api.AfterAll;
+import org.junit.jupiter.api.BeforeAll;
+
+/**
+ * Created for test cases which use Digest Auth mech for SASL.
+ * Primary reason is that we have to disable FIPS mode, otherwise DIGEST-MD5
cannot be used.
+ *
+ * @see SaslAuthDigestTestBase
+ */
+public class DigestSecurityTestcase extends QuorumAuthTestBase {
+
+ @BeforeAll
+ public static void setUpClass() throws Exception {
+ // Need to disable Fips-mode, because we use DIGEST-MD5 mech for Sasl
+ System.setProperty(X509Util.FIPS_MODE_PROPERTY, "false");
+ }
+
+ @AfterAll
+ public static void tearDownClass() throws Exception {
+ System.clearProperty(X509Util.FIPS_MODE_PROPERTY);
+ }
+}
diff --git
a/zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/auth/QuorumAuthUpgradeTest.java
b/zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/auth/QuorumAuthUpgradeTest.java
index fb03f23d6..aed0c9fe9 100644
---
a/zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/auth/QuorumAuthUpgradeTest.java
+++
b/zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/auth/QuorumAuthUpgradeTest.java
@@ -52,7 +52,7 @@ import org.junit.jupiter.api.Timeout;
* quorum.auth.enableSasl=true, quorum.auth.learnerRequireSasl=true and
quorum.auth.serverRequireSasl=true
* Now, all the servers are fully upgraded and running in secured mode.
*/
-public class QuorumAuthUpgradeTest extends QuorumAuthTestBase {
+public class QuorumAuthUpgradeTest extends DigestSecurityTestcase {
static {
String jaasEntries = "QuorumServer {\n"
diff --git
a/zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/auth/QuorumDigestAuthTest.java
b/zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/auth/QuorumDigestAuthTest.java
index c70c5c9c3..ecc27772e 100644
---
a/zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/auth/QuorumDigestAuthTest.java
+++
b/zookeeper-server/src/test/java/org/apache/zookeeper/server/quorum/auth/QuorumDigestAuthTest.java
@@ -39,7 +39,7 @@ import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.Timeout;
-public class QuorumDigestAuthTest extends QuorumAuthTestBase {
+public class QuorumDigestAuthTest extends DigestSecurityTestcase {
static {
String jaasEntries = "QuorumServer {\n"
diff --git
a/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthDesignatedClientTest.java
b/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthDesignatedClientTest.java
index e5cd89d43..57c57d0b0 100644
---
a/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthDesignatedClientTest.java
+++
b/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthDesignatedClientTest.java
@@ -40,7 +40,7 @@ import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;
import org.junit.jupiter.api.Test;
-public class SaslAuthDesignatedClientTest extends ClientBase {
+public class SaslAuthDesignatedClientTest extends SaslAuthDigestTestBase {
static {
System.setProperty("zookeeper.authProvider.1",
"org.apache.zookeeper.server.auth.SASLAuthenticationProvider");
diff --git
a/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthDesignatedServerTest.java
b/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthDesignatedServerTest.java
index c534b6ff6..8b85e13bb 100644
---
a/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthDesignatedServerTest.java
+++
b/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthDesignatedServerTest.java
@@ -33,7 +33,7 @@ import org.apache.zookeeper.ZooKeeper;
import org.apache.zookeeper.server.ZooKeeperSaslServer;
import org.junit.jupiter.api.Test;
-public class SaslAuthDesignatedServerTest extends ClientBase {
+public class SaslAuthDesignatedServerTest extends SaslAuthDigestTestBase {
public static int AUTHENTICATION_TIMEOUT = 30000;
diff --git
a/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthDigestTestBase.java
b/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthDigestTestBase.java
new file mode 100644
index 000000000..2e3b4a2ba
--- /dev/null
+++
b/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthDigestTestBase.java
@@ -0,0 +1,44 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.zookeeper.test;
+
+import org.apache.zookeeper.common.X509Util;
+import org.junit.jupiter.api.AfterAll;
+import org.junit.jupiter.api.BeforeAll;
+
+/**
+ * Created as a base class for Digest Auth based SASL authentication tests.
+ * We need to disable Fips mode, otherwise DIGEST-MD5 cannot be used.
+ *
+ * @see org.apache.zookeeper.server.quorum.auth.DigestSecurityTestcase
+ */
+public class SaslAuthDigestTestBase extends ClientBase {
+
+ @BeforeAll
+ public static void beforeClass() throws Exception {
+ // Need to disable Fips-mode, because we use DIGEST-MD5 mech for Sasl
+ System.setProperty(X509Util.FIPS_MODE_PROPERTY, "false");
+ }
+
+ @AfterAll
+ public static void afterClass() throws Exception {
+ System.clearProperty(X509Util.FIPS_MODE_PROPERTY);
+ }
+
+}
diff --git
a/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthFailDesignatedClientTest.java
b/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthFailDesignatedClientTest.java
index 84579a909..0d2c32a3a 100644
---
a/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthFailDesignatedClientTest.java
+++
b/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthFailDesignatedClientTest.java
@@ -30,7 +30,7 @@ import org.apache.zookeeper.ZooDefs.Ids;
import org.apache.zookeeper.client.ZKClientConfig;
import org.junit.jupiter.api.Test;
-public class SaslAuthFailDesignatedClientTest extends ClientBase {
+public class SaslAuthFailDesignatedClientTest extends SaslAuthDigestTestBase {
static {
System.setProperty("zookeeper.authProvider.1",
"org.apache.zookeeper.server.auth.SASLAuthenticationProvider");
diff --git
a/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthFailTest.java
b/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthFailTest.java
index 93204b4eb..2384cd612 100644
---
a/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthFailTest.java
+++
b/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthFailTest.java
@@ -30,7 +30,7 @@ import org.apache.zookeeper.ZooDefs.Ids;
import org.apache.zookeeper.ZooKeeper;
import org.junit.jupiter.api.Test;
-public class SaslAuthFailTest extends ClientBase {
+public class SaslAuthFailTest extends SaslAuthDigestTestBase {
static {
System.setProperty("zookeeper.authProvider.1",
"org.apache.zookeeper.server.auth.SASLAuthenticationProvider");
diff --git
a/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthMissingClientConfigTest.java
b/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthMissingClientConfigTest.java
index aa9445253..1bfd0ab34 100644
---
a/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthMissingClientConfigTest.java
+++
b/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthMissingClientConfigTest.java
@@ -29,7 +29,7 @@ import org.apache.zookeeper.ZooKeeper;
import org.apache.zookeeper.client.ZKClientConfig;
import org.junit.jupiter.api.Test;
-public class SaslAuthMissingClientConfigTest extends ClientBase {
+public class SaslAuthMissingClientConfigTest extends SaslAuthDigestTestBase {
static {
System.setProperty("zookeeper.authProvider.1",
"org.apache.zookeeper.server.auth.SASLAuthenticationProvider");
diff --git
a/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthRequiredFailNoSASLTest.java
b/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthRequiredFailNoSASLTest.java
index f5b99b90d..2d8c48c06 100644
---
a/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthRequiredFailNoSASLTest.java
+++
b/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthRequiredFailNoSASLTest.java
@@ -28,7 +28,7 @@ import org.junit.jupiter.api.AfterAll;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.Test;
-public class SaslAuthRequiredFailNoSASLTest extends ClientBase {
+public class SaslAuthRequiredFailNoSASLTest extends SaslAuthDigestTestBase {
@BeforeAll
public static void setup() {
diff --git
a/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthRequiredFailWrongSASLTest.java
b/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthRequiredFailWrongSASLTest.java
index 4d119a013..670706df2 100644
---
a/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthRequiredFailWrongSASLTest.java
+++
b/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthRequiredFailWrongSASLTest.java
@@ -28,7 +28,7 @@ import org.junit.jupiter.api.AfterAll;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.Test;
-public class SaslAuthRequiredFailWrongSASLTest extends ClientBase {
+public class SaslAuthRequiredFailWrongSASLTest extends SaslAuthDigestTestBase {
@BeforeAll
public static void setUpBeforeClass() {
diff --git
a/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthRequiredMultiClientTest.java
b/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthRequiredMultiClientTest.java
index 9757eacca..f21d63455 100644
---
a/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthRequiredMultiClientTest.java
+++
b/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthRequiredMultiClientTest.java
@@ -29,7 +29,7 @@ import org.junit.jupiter.api.AfterAll;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.Test;
-public class SaslAuthRequiredMultiClientTest extends ClientBase {
+public class SaslAuthRequiredMultiClientTest extends SaslAuthDigestTestBase {
@BeforeAll
public static void setUpBeforeClass() {
diff --git
a/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthRequiredTest.java
b/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthRequiredTest.java
index 8333eb05b..657e7fe15 100644
---
a/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthRequiredTest.java
+++
b/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslAuthRequiredTest.java
@@ -27,7 +27,7 @@ import org.junit.jupiter.api.AfterAll;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.Test;
-public class SaslAuthRequiredTest extends ClientBase {
+public class SaslAuthRequiredTest extends SaslAuthDigestTestBase {
@BeforeAll
public static void setUpBeforeClass() {
diff --git
a/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslDigestAuthOverSSLTest.java
b/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslDigestAuthOverSSLTest.java
index a21e4a5a1..9f675e609 100644
---
a/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslDigestAuthOverSSLTest.java
+++
b/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslDigestAuthOverSSLTest.java
@@ -41,7 +41,7 @@ import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
-public class SaslDigestAuthOverSSLTest extends ClientBase {
+public class SaslDigestAuthOverSSLTest extends SaslAuthDigestTestBase {
private ClientX509Util clientX509Util;
private File saslConfFile;
diff --git
a/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslSuperUserTest.java
b/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslSuperUserTest.java
index 8676fbe14..6bab78a77 100644
---
a/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslSuperUserTest.java
+++
b/zookeeper-server/src/test/java/org/apache/zookeeper/test/SaslSuperUserTest.java
@@ -39,7 +39,7 @@ import org.junit.jupiter.api.AfterAll;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.Test;
-public class SaslSuperUserTest extends ClientBase {
+public class SaslSuperUserTest extends SaslAuthDigestTestBase {
private static Id otherSaslUser = new Id("sasl", "joe");
private static Id otherDigestUser;
