LiJie2023 created ZOOKEEPER-4740:
------------------------------------
Summary: I want to use kerberos for Zookeeper, but my authentication has been unsuccessful
Key: ZOOKEEPER-4740
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4740
Project: ZooKeeper
Issue Type: Wish
Components: kerberos
Affects Versions: 3.5.9
Reporter: LiJie2023
Attachments: image-2023-09-01-16-37-20-848.png

zookeeper_jaas.conf
{code:java}
Server {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  storeKey=true
  useTicketCache=false
  keyTab="/opt/test2.keytab"
  principal="test2/bigdata.hadoop.master01";
};

Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/opt/test2.keytab"
  principal="test2/bigdata.hadoop.master01"
  useTicketCache=false
  debug=true;
};
{code}
[root@bigdata conf]# cat java.env
{code:java}
export JVMFLAGS="-Djava.security.auth.login.config=/usr/lib/zookeeper/conf/zookeeper_jaas.conf"
{code}
/etc/krb5.conf
{code:java}
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 EXAMPLE.COM = {
  kdc = bigdata.hadoop.master01
  admin_server = bigdata.hadoop.master01
 }

[domain_realm]
 .bigdata.hadoop.master01 = EXAMPLE.COM
 bigdata.hadoop.master01 = EXAMPLE.COM
{code}
!image-2023-09-01-16-37-20-848.png!
When I use a client connection:
{code:java}
zookeeper-client -server localhost:12181 {code}
{code}
Connecting to localhost:12181
2023-09-01 16:38:05,528 - INFO [main:Environment@109] - Client environment:zookeeper.version=3.5.9-83df9301aa5c2a5d284a9940177808c01bc35cef, built on 10/25/2022 23:07 GMT
2023-09-01 16:38:05,530 - INFO [main:Environment@109] - Client environment:host.name=bigdata.hadoop.master01
2023-09-01 16:38:05,530 - INFO [main:Environment@109] - Client environment:java.version=1.8.0_351
2023-09-01 16:38:05,532 - INFO [main:Environment@109] - Client environment:java.vendor=Oracle Corporation
2023-09-01 16:38:05,532 - INFO [main:Environment@109] - Client environment:java.home=/usr/java/jdk1.8.0_351-amd64/jre
2023-09-01 16:38:05,532 - INFO [main:Environment@109] - Client environment:java.class.path=/usr/lib/zookeeper/bin/../zookeeper-server/target/classes:/usr/lib/zookeeper/bin/../build/classes:/usr/lib/zookeeper/bin/../zookeeper-server/target/lib/*.jar:/usr/lib/zookeeper/bin/../build/lib/*.jar:/usr/lib/zookeeper/bin/../lib/zookeeper-jute-3.5.9.jar:/usr/lib/zookeeper/bin/../lib/zookeeper-3.5.9.jar:/usr/lib/zookeeper/bin/../lib/slf4j-log4j12-1.7.25.jar:/usr/lib/zookeeper/bin/../lib/slf4j-api-1.7.25.jar:/usr/lib/zookeeper/bin/../lib/netty-transport-native-unix-common-4.1.50.Final.jar:/usr/lib/zookeeper/bin/../lib/netty-transport-native-epoll-4.1.50.Final.jar:/usr/lib/zookeeper/bin/../lib/netty-transport-4.1.50.Final.jar:/usr/lib/zookeeper/bin/../lib/netty-resolver-4.1.50.Final.jar:/usr/lib/zookeeper/bin/../lib/netty-handler-4.1.50.Final.jar:/usr/lib/zookeeper/bin/../lib/netty-common-4.1.50.Final.jar:/usr/lib/zookeeper/bin/../lib/netty-codec-4.1.50.Final.jar:/usr/lib/zookeeper/bin/../lib/netty-buffer-4.1.50.Final.jar:/usr/lib/zookeeper/bin/../lib/log4j-1.2.17.jar:/usr/lib/zookeeper/bin/../lib/json-simple-1.1.1.jar:/usr/lib/zookeeper/bin/../lib/jline-2.14.6.jar:/usr/lib/zookeeper/bin/../lib/jetty-util-ajax-9.4.35.v20201120.jar:/usr/lib/zookeeper/bin/../lib/jetty-util-9.4.35.v20201120.jar:/usr/lib/zookeeper/bin/../lib/jetty-servlet-9.4.35.v20201120.jar:/usr/lib/zookeeper/bin/../lib/jetty-server-9.4.35.v20201120.jar:/usr/lib/zookeeper/bin/../lib/jetty-security-9.4.35.v20201120.jar:/usr/lib/zookeeper/bin/../lib/jetty-io-9.4.35.v20201120.jar:/usr/lib/zookeeper/bin/../lib/jetty-http-9.4.35.v20201120.jar:/usr/lib/zookeeper/bin/../lib/javax.servlet-api-3.1.0.jar:/usr/lib/zookeeper/bin/../lib/jackson-databind-2.10.5.1.jar:/usr/lib/zookeeper/bin/../lib/jackson-core-2.10.5.jar:/usr/lib/zookeeper/bin/../lib/jackson-annotations-2.10.5.jar:/usr/lib/zookeeper/bin/../lib/commons-cli-1.2.jar:/usr/lib/zookeeper/bin/../lib/audience-annotations-0.5.0.jar:/usr/lib/zookeeper/bin/../zookeeper-jute.jar:/usr/lib/zookeeper/bin/../zookeeper-jute-3.5.9.jar:/usr/lib/zookeeper/bin/../zookeeper-3.5.9.jar:/usr/lib/zookeeper/bin/../zookeeper-server/src/main/resources/lib/*.jar:/etc/zookeeper/conf::/etc/zookeeper/conf:/usr/lib/zookeeper/zookeeper-3.5.9.jar:/usr/lib/zookeeper/zookeeper-jute-3.5.9.jar:/usr/lib/zookeeper/zookeeper-jute.jar:/usr/lib/zookeeper/zookeeper.jar:/usr/lib/zookeeper/lib/audience-annotations-0.5.0.jar:/usr/lib/zookeeper/lib/commons-cli-1.2.jar:/usr/lib/zookeeper/lib/jackson-annotations-2.10.5.jar:/usr/lib/zookeeper/lib/jackson-core-2.10.5.jar:/usr/lib/zookeeper/lib/jackson-databind-2.10.5.1.jar:/usr/lib/zookeeper/lib/javax.servlet-api-3.1.0.jar:/usr/lib/zookeeper/lib/jetty-http-9.4.35.v20201120.jar:/usr/lib/zookeeper/lib/jetty-io-9.4.35.v20201120.jar:/usr/lib/zookeeper/lib/jetty-security-9.4.35.v20201120.jar:/usr/lib/zookeeper/lib/jetty-server-9.4.35.v20201120.jar:/usr/lib/zookeeper/lib/jetty-servlet-9.4.35.v20201120.jar:/usr/lib/zookeeper/lib/jetty-util-9.4.35.v20201120.jar:/usr/lib/zookeeper/lib/jetty-util-ajax-9.4.35.v20201120.jar:/usr/lib/zookeeper/lib/jline-2.14.6.jar:/usr/lib/zookeeper/lib/json-simple-1.1.1.jar:/usr/lib/zookeeper/lib/log4j-1.2.17.jar:/usr/lib/zookeeper/lib/netty-buffer-4.1.50.Final.jar:/usr/lib/zookeeper/lib/netty-codec-4.1.50.Final.jar:/usr/lib/zookeeper/lib/netty-common-4.1.50.Final.jar:/usr/lib/zookeeper/lib/netty-handler-4.1.50.Final.jar:/usr/lib/zookeeper/lib/netty-resolver-4.1.50.Final.jar:/usr/lib/zookeeper/lib/netty-transport-4.1.50.Final.jar:/usr/lib/zookeeper/lib/netty-transport-native-epoll-4.1.50.Final.jar:/usr/lib/zookeeper/lib/netty-transport-native-unix-common-4.1.50.Final.jar:/usr/lib/zookeeper/lib/slf4j-api-1.7.25.jar:/usr/lib/zookeeper/lib/slf4j-log4j12-1.7.25.jar:/usr/lib/zookeeper/lib/zookeeper-3.5.9.jar:/usr/lib/zookeeper/lib/zookeeper-jute-3.5.9.jar:/usr/share/zookeeper/*
2023-09-01 16:38:05,533 - INFO [main:Environment@109] - Client environment:java.library.path=/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
2023-09-01 16:38:05,533 - INFO [main:Environment@109] - Client environment:java.io.tmpdir=/tmp
2023-09-01 16:38:05,533 - INFO [main:Environment@109] - Client environment:java.compiler=<NA>
2023-09-01 16:38:05,533 - INFO [main:Environment@109] - Client environment:os.name=Linux
2023-09-01 16:38:05,533 - INFO [main:Environment@109] - Client environment:os.arch=amd64
2023-09-01 16:38:05,533 - INFO [main:Environment@109] - Client environment:os.version=3.10.0-862.el7.x86_64
2023-09-01 16:38:05,534 - INFO [main:Environment@109] - Client environment:user.name=root
2023-09-01 16:38:05,534 - INFO [main:Environment@109] - Client environment:user.home=/root
2023-09-01 16:38:05,534 - INFO [main:Environment@109] - Client environment:user.dir=/etc/zookeeper/conf.dist
2023-09-01 16:38:05,534 - INFO [main:Environment@109] - Client environment:os.memory.free=236MB
2023-09-01 16:38:05,536 - INFO [main:Environment@109] - Client environment:os.memory.max=245MB
2023-09-01 16:38:05,536 - INFO [main:Environment@109] - Client environment:os.memory.total=245MB
2023-09-01 16:38:05,539 - INFO [main:ZooKeeper@868] - Initiating client connection, connectString=localhost:12181 sessionTimeout=30000 watcher=org.apache.zookeeper.ZooKeeperMain$MyWatcher@1c655221
2023-09-01 16:38:05,544 - INFO [main:X509Util@79] - Setting -D jdk.tls.rejectClientInitiatedRenegotiation=true to disable client-initiated TLS renegotiation
2023-09-01 16:38:05,550 - INFO [main:ClientCnxnSocket@237] - jute.maxbuffer value is 4194304 Bytes
2023-09-01 16:38:05,557 - INFO [main:ClientCnxn@1653] - zookeeper.request.timeout value is 0. feature enabled=
Welcome to ZooKeeper!
JLine support is enabled
Debug is true storeKey false useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is /opt/test2.keytab refreshKrb5Config is false principal is test2/bigdata.hadoop.master01 tryFirstPass is false useFirstPass is false storePass is false clearPass is false
[zk: localhost:12181(CONNECTING) 0] principal is test2/[email protected]
Will use keytab
Commit Succeeded
2023-09-01 16:38:05,843 - INFO [main-SendThread(localhost:12181):Login@302] - Client successfully logged in.
2023-09-01 16:38:05,845 - INFO [Thread-1:Login$1@135] - TGT refresh thread started.
2023-09-01 16:38:05,848 - INFO [main-SendThread(localhost:12181):SecurityUtils$1@128] - Client will use GSSAPI as SASL mechanism.
2023-09-01 16:38:05,848 - INFO [Thread-1:Login@320] - TGT valid starting at:        Fri Sep 01 16:38:05 CST 2023
2023-09-01 16:38:05,848 - INFO [Thread-1:Login@321] - TGT expires:                  Sun Feb 07 14:28:15 CST 2106
2023-09-01 16:38:05,849 - INFO [Thread-1:Login$1@193] - TGT refresh sleeping until: Mon Mar 17 14:49:28 CST 2092
2023-09-01 16:38:05,857 - INFO [main-SendThread(localhost:12181):ClientCnxn$SendThread@1112] - Opening socket connection to server localhost/127.0.0.1:12181. Will attempt to SASL-authenticate using Login Context section 'Client'
2023-09-01 16:38:05,861 - INFO [main-SendThread(localhost:12181):ClientCnxn$SendThread@959] - Socket connection established, initiating session, client: /127.0.0.1:33722, server: localhost/127.0.0.1:12181
2023-09-01 16:38:05,870 - INFO [main-SendThread(localhost:12181):ClientCnxn$SendThread@1394] - Session establishment complete on server localhost/127.0.0.1:12181, sessionid = 0x100001d3c2d0004, negotiated timeout = 30000

WATCHER::

WatchedEvent state:SyncConnected type:None path:null
2023-09-01 16:38:05,882 - ERROR [main-SendThread(localhost:12181):ZooKeeperSaslClient@341] - An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Ticket expired (32) - PROCESS_TGS)]) occurred when evaluating Zookeeper Quorum Member's received SASL token. Zookeeper Client will go to AUTH_FAILED state.
2023-09-01 16:38:05,882 - ERROR [main-SendThread(localhost:12181):ClientCnxn$SendThread@1151] - SASL authentication with Zookeeper Quorum member failed: javax.security.sasl.SaslException: An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Ticket expired (32) - PROCESS_TGS)]) occurred when evaluating Zookeeper Quorum Member's received SASL token. Zookeeper Client will go to AUTH_FAILED state. [Caused by java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Ticket expired (32) - PROCESS_TGS)]]

WATCHER::

WatchedEvent state:AuthFailed type:None path:null
2023-09-01 16:38:05,883 - INFO [main-EventThread:ClientCnxn$EventThread@524] - EventThread shut down for session: 0x100001d3c2d0004
{code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
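The log above has two facts worth pulling out mechanically before guessing at the JAAS or krb5.conf setup: the keytab login (the AS exchange) succeeds, and the failure comes from the TGS exchange with Kerberos error 32, which RFC 4120 defines as KRB_AP_ERR_TKT_EXPIRED. The reported TGT end time, Sun Feb 07 14:28:15 CST 2106, is exactly the largest unsigned 32-bit Unix timestamp (2106-02-07 06:28:15 UTC) when CST is read as UTC+8, so the KDC did not grant the 24h ticket_lifetime configured in krb5.conf. The script below is an added triage example and not part of the issue or of ZooKeeper; it parses client log records of the kind shown, extracts those facts and prints the checks a practitioner would run next. The mapping of the zone abbreviation "CST" to UTC+8, the constructed sample records, and the findings heuristics are assumptions of the example, not conclusions from the issue.

```python
"""Triage a ZooKeeper client log for the Kerberos failure pattern in this
issue: the keytab login (AS exchange) succeeds, then the TGS exchange fails
with "Ticket expired (32)".  Added example, not ZooKeeper project code."""
import re
from datetime import datetime, timedelta, timezone

# RFC 4120 error code 32 is KRB_AP_ERR_TKT_EXPIRED ("Ticket expired").
KRB_AP_ERR_TKT_EXPIRED = 32

# Largest unsigned 32-bit Unix timestamp: 2106-02-07 06:28:15 UTC.
UINT32_MAX_TS = datetime.fromtimestamp(2**32 - 1, tz=timezone.utc)

# java.util.Date.toString() prints zone abbreviations, which are ambiguous.
# Assumption: the reporter's "CST" is China Standard Time (UTC+8).
ZONE_OFFSETS = {"CST": 8, "UTC": 0, "GMT": 0}

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
JAVA_DATE_RE = re.compile(
    r"[A-Z][a-z]{2} (?P<mon>[A-Z][a-z]{2}) (?P<day>\d{2}) "
    r"(?P<h>\d{2}):(?P<mi>\d{2}):(?P<s>\d{2}) (?P<zone>[A-Z]{3,4}) (?P<year>\d{4})")
GSS_ERR_RE = re.compile(
    r"Mechanism level: (?P<msg>[^(]+?) \((?P<code>\d+)\) - (?P<stage>\w+)")


def parse_java_date(text):
    """Parse a java.util.Date string such as 'Fri Sep 01 16:38:05 CST 2023'
    into a timezone-aware datetime, or return None if none is present."""
    m = JAVA_DATE_RE.search(text)
    if not m:
        return None
    tz = timezone(timedelta(hours=ZONE_OFFSETS[m["zone"]]))
    return datetime(int(m["year"]), MONTHS[m["mon"]], int(m["day"]),
                    int(m["h"]), int(m["mi"]), int(m["s"]), tzinfo=tz)


def analyze(lines):
    """Extract login state, TGT window and first GSS error, then derive findings."""
    r = {"login_ok": False, "tgt_start": None, "tgt_expiry": None,
         "krb_error": None, "findings": []}
    for line in lines:
        if "Client successfully logged in" in line:
            r["login_ok"] = True
        elif "TGT valid starting at:" in line:
            r["tgt_start"] = parse_java_date(line)
        elif "TGT expires:" in line:
            r["tgt_expiry"] = parse_java_date(line)
        elif r["krb_error"] is None:
            m = GSS_ERR_RE.search(line)
            if m:
                r["krb_error"] = (int(m["code"]), m["msg"].strip(), m["stage"])

    # Heuristic findings (assumptions of this example, not a diagnosis of the issue).
    if not r["login_ok"]:
        r["findings"].append(
            "keytab login never succeeded: check keyTab path, principal and "
            "encryption types with 'kinit -kt <keytab> <principal>'")
    if r["tgt_expiry"] is not None and r["tgt_expiry"] >= UINT32_MAX_TS:
        r["findings"].append(
            "TGT end time is the 32-bit unsigned timestamp limit "
            "(2106-02-07 06:28:15 UTC), not the 24h ticket_lifetime from "
            "krb5.conf: inspect the KDC clock and the principal's maximum "
            "ticket life ('kadmin.local getprinc <principal>')")
    if (r["login_ok"] and r["krb_error"] is not None
            and r["krb_error"][0] == KRB_AP_ERR_TKT_EXPIRED):
        r["findings"].append(
            "AS exchange succeeded but the KDC rejected the TGS request as "
            "expired (stage %s): compare the clocks of client, ZooKeeper "
            "server and KDC, and verify the TGT with 'klist' on the client"
            % r["krb_error"][2])
    return r


# Constructed sample, abridged from the log in this issue (one record per line).
SAMPLE_LOG = [
    "2023-09-01 16:38:05,843 - INFO [main-SendThread(localhost:12181):Login@302] - Client successfully logged in.",
    "2023-09-01 16:38:05,848 - INFO [Thread-1:Login@320] - TGT valid starting at: Fri Sep 01 16:38:05 CST 2023",
    "2023-09-01 16:38:05,848 - INFO [Thread-1:Login@321] - TGT expires: Sun Feb 07 14:28:15 CST 2106",
    "2023-09-01 16:38:05,882 - ERROR [main-SendThread(localhost:12181):ZooKeeperSaslClient@341] - An error: "
    "(java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed "
    "[Caused by GSSException: No valid credentials provided (Mechanism level: Ticket expired (32) - PROCESS_TGS)]) "
    "occurred when evaluating Zookeeper Quorum Member's received SASL token. Zookeeper Client will go to AUTH_FAILED state.",
]

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG
    for finding in analyze(lines)["findings"]:
        print("-", finding)
```

Run it with the path to a zookeeper-client log as the only argument, or with no argument to use the embedded sample. The script only reads the client-side record; the matching KDC log (krb5kdc.log in the krb5.conf above) is where the TGS rejection and the end time the KDC actually issued will be visible.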