Re: Zookeeper client fails during SASL authentication

2020-06-11 Thread Arpit Jain
Hi,

I tried it a few months ago and managed to do it. I am not an expert on this
either, but I managed to do the SASL authentication between ZK and the client.
I ran the Kerberos server using this image:
https://hub.docker.com/r/gcavalcante8808/krb5-server/.

Thanks

On Thu, Jun 11, 2020 at 9:12 AM Szalay-Bekő Máté 
wrote:

> Hello Aparajita,
>
> After a quick glance on your configs and logs, I haven't found any problem
> with your zookeeper configs. I am not sure if you know this page, using
> these steps worked for me to setup a kerberized zookeeper:
> https://github.com/ekoontz/zookeeper/wiki
> I guess you are also familiar with our wiki:
>
> https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication
>
> Based on your logs the problem is here:
> 2020-06-10 17:09:27,007 - WARN  [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:ZooKeeperServer@969] - Client failed to SASL authenticate: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)]
>
> This is a Kerberos / JAAS related issue, I don't think it is ZooKeeper
> related. A few things you might wish to check:
> - make sure you have "Java Cryptography Extension (JCE) Unlimited Strength
> Jurisdiction Policy Files" installed (I think you need them for AES256?)
> and your Java security configs are OK
> - run "klist -e -k /etc/krb5.keytab" to see what encryption types you have
> in the keytab
> - check if you have full export support in JCE with "java KeyLengthDetector"
> - maybe you can try different encryption types in the Kerberos configs /
> during keytab generation
> - try a different Java version (the latest JDK patches have some
> known Kerberos backward-incompatibilities)
>
> Unfortunately I am not a kerberos expert, so I don't know much about these
> issues, I just used google to find some hints :)
> Maybe someone else in the community with deeper kerberos knowledge can help
> you more.
>
> Kind regards,
> Mate
>
> On Thu, Jun 11, 2020 at 9:47 AM Aparajita Singh 
> wrote:
>
> > gentle reminder
> > (unquoting the previous email)
> >
> > --
> >
> > Hi,
> >
> > I am trying to migrate an unauthenticated zookeeper cluster to a kerberos
> > authenticated one. For the time being SSL is disabled. I have configured
> > the server and client as described below, but when SASL is enabled I am
> > unable to retrieve data using the zookeeper shell client from the zookeeper
> > server. Could I get some help in understanding why this is failing?
> >
> >
> > *server.log snippet*
> > 2020-06-10 17:09:01,263 - INFO  [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxnFactory@197] - Accepted socket connection from /127.0.0.1:44994
> > 2020-06-10 17:09:01,264 - INFO  [NIOServerCxn.Factory:0.0.0.0/0.0.0.0:2181:NIOServerCnxn@827] - Processing mntr command from /127.0.0.1:44994
> > 2020-06-10 17:09:01,265 - INFO  [Thread-5:NIOServerCnxn@1007] - Closed socket connection for client /127.0.0.1:44994 (no session established for client)
> > 2020-06-10 17:09:26,647 - INFO  [main:Environment@100] - Client environment:zookeeper.version=3.4.6-169--1, built on 02/10/2016 05:49 GMT
> > 2020-06-10 17:09:26,649 - INFO  [main:Environment@100] - Client environment:host.name=stage-kdc-zk-ivy
> > 2020-06-10 17:09:26,649 - INFO  [main:Environment@100] - Client environment:java.version=1.8.0_172
> > 2020-06-10 17:09:26,651 - INFO  [main:Environment@100] - Client environment:java.vendor=Oracle Corporation
> > 2020-06-10 17:09:26,651 - INFO  [main:Environment@100] - Client environment:java.home=/usr/lib/jvm/oracle-java8-jdk-amd64/jre
> > 2020-06-10 17:09:26,651 - INFO  [main:Environment@100] - Client
> >
> 

Znodes not cleaning up

2020-01-20 Thread Arpit Jain
Hi,

The znodes (with the world auth scheme) that my application creates were
getting cleaned up by ZK when my application stopped, and I could see the
message below in the ZK console.

2020-01-19 22:00:56,397 [myid:1] - INFO  [ContainerManagerTask:ContainerManager@119] - Attempting to delete candidate container:/myapp

However, after putting the SASL scheme on these znodes, they are not getting
cleaned up even after my application dies.
Is this the expected behaviour if we apply an auth scheme other than "world"?

Thanks


Re: Zookeeper and curator SASL authentication

2020-01-15 Thread Arpit Jain
I managed to create an ACL with the authenticated client principal using the
lines of code below in the client:

curator.create().creatingParentContainersIfNeeded()
       .withACL(ZooDefs.Ids.CREATOR_ALL_ACL).forPath("/mynode");


ZooDefs.Ids.CREATOR_ALL_ACL gives permissions to the client that is
authenticated.

To test this, I logged in using zkCli.sh on the ZK server and ran getAcl
/mynode; I was able to browse the znodes and could see that the node has all
(CDRWA) permissions for the authenticated user. If I log in with an
unauthenticated principal, I am not able to see the znode tree even though I
manage to connect to the ZK server.

On Wed, Jan 15, 2020 at 12:19 PM Enrico Olivelli - Diennea <
enrico.olive...@diennea.com> wrote:

> Yes, they are system properties
>
> You can take this guide (about Kafka) as example
>
> https://docs.confluent.io/current/kafka/authentication_sasl/authentication_sasl_gssapi.html
>
>
>
> On 15/01/20, 13:17 "Arpit Jain" wrote:
>
> I have not passed those parameters. Is this something I need to set in
> Zookeeper (zoo.cfg) ?
>
> On Wed, Jan 15, 2020 at 12:12 PM Enrico Olivelli - Diennea <
> enrico.olive...@diennea.com> wrote:
>
> > Usually with SASL auth you are using:
> > kerberos.removeHostFromPrincipal=true
> > kerberos.removeRealmFromPrincipal=true
> >
> > Is this the case for you?
> >
> > Enrico
> >
> > On 15/01/20, 13:01 "Arpit Jain" wrote:
> >
> > I have asked on the Curator mailing list as well but did not get much help.
> > I am able to set an ACL with the sasl scheme by using the zkCli.sh client on
> > the Zookeeper server. The idea is to use Curator to set the ACLs so that
> > only my client application can access its znodes.
> >
> >
> > On Wed, Jan 15, 2020 at 9:21 AM Szalay-Bekő Máté <
> > szalay.beko.m...@gmail.com>
> > wrote:
> >
> > > I am not sure what is wrong with the code... I am not familiar with
> > > Curator. I can try to google / reproduce this and see what is wrong, but it
> > > will take a while for me. So first I would ask the others, maybe there is
> > > someone who knows both ZooKeeper SASL and Curator and can help you more in
> > > this mailing list. If no one replies, then I will try to set up a dummy
> > > project with Curator to test this.
> > >
> > > Did you also ask around the Curator mailing list maybe? Would it help if I
> > > send you code about setting the ACLs using plain ZooKeeper (and no Curator)?
> > >
> > > On Tue, Jan 14, 2020 at 2:48 PM Arpit Jain <jain.arp...@gmail.com> wrote:
> > >
> > >> Thanks for the clarification.
> > >> I am able to authenticate the client with Zookeeper. However, when I
> > >> started to set ACLs with the same client, I get error messages. This is
> > >> how I am creating the curator client for setting ACLs:
> > >>
> > >> CuratorFrameworkFactory.Builder builder = CuratorFrameworkFactory.builder()
> > >>         .connectString(coordinatorHosts).retryPolicy(retryPolicy)
> > >>         .connectionTimeoutMs(coordinatorConnectionTimeout)
> > >>         .sessionTimeoutMs(coordinatorSessionTimeout);
> > >>
> > >> final CuratorFramework curatorFramework = builder
> > >>         .authorization("sasl", "zkclient/z...@example.com".getBytes())
> > >>         .aclProvider(new ACLProvider() {
> > >>             @Override
> > >>             public List<ACL> getDefaultAcl() {
> > >>                 return ZooDefs.Ids.CREATOR_ALL_ACL;
> > >>             }
> > >>
> > >>             @Override
> > >>             public List<ACL> getAclForPath(String path) {
> > >&g

Re: Zookeeper and curator SASL authentication

2020-01-15 Thread Arpit Jain
I have asked on the Curator mailing list as well but did not get much help. I
am able to set an ACL with the sasl scheme by using the zkCli.sh client on the
Zookeeper server. The idea is to use Curator to set the ACLs so that only my
client application can access its znodes.


On Wed, Jan 15, 2020 at 9:21 AM Szalay-Bekő Máté 
wrote:

> I am not sure what is wrong with the code... I am not familiar with
> Curator. I can try to google / reproduce this and see what is wrong, but it
> will take a while for me. So first I would ask the others, maybe there is
> someone who knows both ZooKeeper SASL and Curator and can help you more in
> this mailing list. If no one replies, then I will try to set up a dummy
> project with Curator to test this.
>
> Did you also ask around the Curator mailing list maybe? Would it help if I
> send you code about setting the ACLs using plain ZooKeeper (and no Curator)?
>
> On Tue, Jan 14, 2020 at 2:48 PM Arpit Jain  wrote:
>
>> Thanks for the clarification.
>> I am able to authenticate the client with Zookeeper. However, when I started
>> to set ACLs with the same client, I get error messages. This is how I am
>> creating the curator client for setting ACLs:
>>
>> CuratorFrameworkFactory.Builder builder = CuratorFrameworkFactory.builder()
>>         .connectString(coordinatorHosts).retryPolicy(retryPolicy)
>>         .connectionTimeoutMs(coordinatorConnectionTimeout)
>>         .sessionTimeoutMs(coordinatorSessionTimeout);
>>
>> final CuratorFramework curatorFramework = builder
>>         .authorization("sasl", "zkclient/z...@example.com".getBytes())
>>         .aclProvider(new ACLProvider() {
>>             @Override
>>             public List<ACL> getDefaultAcl() {
>>                 return ZooDefs.Ids.CREATOR_ALL_ACL;
>>             }
>>
>>             @Override
>>             public List<ACL> getAclForPath(String path) {
>>                 return ZooDefs.Ids.CREATOR_ALL_ACL;
>>             }
>>         }).build();
>>
>>
>> I see the logs below on the Zookeeper node:
>>
>> 2020-01-14 13:27:53,174 [myid:1] - INFO  [NIOWorkerThread-3:SaslServerCallbackHandler@120] - Successfully authenticated client: authenticationID=zkclient/z...@example.com;  authorizationID=zkclient/z...@example.com.
>> 2020-01-14 13:27:53,175 [myid:1] - INFO  [NIOWorkerThread-3:SaslServerCallbackHandler@136] - Setting authorizedID: zkclient/z...@example.com
>> 2020-01-14 13:27:53,175 [myid:1] - INFO  [NIOWorkerThread-3:ZooKeeperServer@1170] - adding SASL authorization for authorizationID: zkclient/z...@example.com
>> 2020-01-14 13:27:53,182 [myid:1] - INFO  [NIOWorkerThread-7:ZooKeeperServer@1095] - got auth packet /172.30.0.6:36658
>> 2020-01-14 13:27:53,183 [myid:1] - WARN  [NIOWorkerThread-7:ZooKeeperServer@1123] - Authentication failed for scheme: sasl
>>
>> Is this not the correct way to do it?
>>
>>
>>
>> On Tue, Jan 14, 2020 at 11:52 AM Szalay-Bekő Máté <
>> szalay.beko.m...@gmail.com> wrote:
>>
>>> The system property name is a bit misleading... this parameter actually
>>> specifies the username used in the ZooKeeper server principal.
>>> (in your case the server principal is: zookeeper/z...@example.com)
>>> AFAIK the ZooKeeper client (after authenticating as zkclient/z...@example.com
>>> in Kerberos based on the jaas.conf file) needs to know the ZooKeeper server
>>> principal in order to ask for a specific token from kerberos which can be
>>> read by the ZooKeeper server.
>>>
>>> In 3.5.5 (or 3.5.6) you can use the zookeeper.sasl.client.username
>>> parameter (plus some other parameters) to configure how the server
>>> principal will be determined by the client.
>>> See:
>>> https://github.com/apache/zookeeper/blob/c11b7e26bc554b8523dc929761dd28808913f091/zookeeper-server/src/main/java/org/apache/zookeeper/SaslServerPrincipal.java#L48
>>>
>>> In future releases (3.5.7, 3.6, ...) you can also use
>>> the zookeeper.server.principal parameter (a much better name I think) to
>>> use a fixed server principal name in the client.
>>> See:
>>> https://github.com/apache/zookeeper/blob/1c5d135d74f16275876c024401dc2de92909b20a/zookeeper-server/src/main/java/org/apache/zookeeper/SaslServerPrincipal.java#L50
>>>
>>> On Mon, Jan 13, 2020 at 6:03 PM Arpit Jain 
>>> wrote:
>>>
>>>> D

Zookeeper ACL creation using SASL Kerberos authorization

2020-01-14 Thread Arpit Jain
ZK version 3.5.6
Curator version: 4.2.0

I am able to authenticate the client principal on the ZK server but it fails
while setting the ACL.
Logs on Zookeeper server side:

2020-01-14 15:05:27,177 [myid:1] - INFO  [NIOWorkerThread-2:SaslServerCallbackHandler@120] - Successfully authenticated client: authenticationID=zkcli...@example.com;  authorizationID=zkcli...@example.com.
2020-01-14 15:05:27,178 [myid:1] - INFO  [NIOWorkerThread-2:SaslServerCallbackHandler@136] - Setting authorizedID: zkcli...@example.com
2020-01-14 15:05:27,178 [myid:1] - INFO  [NIOWorkerThread-2:ZooKeeperServer@1170] - adding SASL authorization for authorizationID: zkcli...@example.com
2020-01-14 15:05:27,179 [myid:1] - INFO  [NIOWorkerThread-4:ZooKeeperServer@1095] - got auth packet /172.30.0.6:33830
2020-01-14 15:05:27,180 [myid:1] - WARN  [NIOWorkerThread-4:ZooKeeperServer@1123] - Authentication failed for scheme: sasl

Logs on client side:

2020-01-14 15:05:27.183+ [L: ERROR] [O: E.c.q.l.c.Logger] [I: ] [U: ] [S: ] [P: platform1] [T: main-EventThread] Authentication failed
2020-01-14 15:05:27.184+ [L: ERROR] [O: o.a.c.ConnectionState] [I: ] [U: ] [S: ] [P: platform1] [T: main-EventThread] Authentication failed
2020-01-14 15:05:27.298+ [L: ERROR] [O: E.c.q.l.c.Logger] [I: ] [U: SuperUser] [S: ] [P: platform1] [T: main] Failed starting CuratorFramework client: KeeperErrorCode = AuthFailed for /MyNode
2020-01-14 15:05:27.303+ [L: ERROR] [O: c.t.s.c.ZookeeperHelper] [I: ] [U: SuperUser] [S: ] [P: platform1] [T: main] Failed starting CuratorFramework client: KeeperErrorCode = AuthFailed for /MyNode
org.apache.zookeeper.KeeperException$AuthFailedException: KeeperErrorCode = AuthFailed for /MyNode

This is how I am creating the client:

CuratorFrameworkFactory.Builder builder = CuratorFrameworkFactory.builder()
        .connectString(coordinatorHosts).retryPolicy(retryPolicy)
        .connectionTimeoutMs(coordinatorConnectionTimeout)
        .sessionTimeoutMs(coordinatorSessionTimeout);

final CuratorFramework curatorFramework = builder
        .authorization("sasl", "zkcli...@example.com".getBytes())
        .aclProvider(new ACLProvider() {
            @Override
            public List<ACL> getDefaultAcl() {
                return ZooDefs.Ids.CREATOR_ALL_ACL;
            }

            @Override
            public List<ACL> getAclForPath(String path) {
                return ZooDefs.Ids.CREATOR_ALL_ACL;
            }
        }).build();

curatorFramework.start();

curatorFramework.create().withMode(CreateMode.CONTAINER).forPath("/MyNode");


I believe I am successfully authenticated, but something is wrong with
creating the ACL.


Thanks


Re: Zookeeper and curator SASL authentication

2020-01-14 Thread Arpit Jain
Thanks for the clarification.
I am able to authenticate the client with Zookeeper. However, when I started to
set ACLs with the same client, I get error messages. This is how I am
creating the curator client for setting ACLs:

CuratorFrameworkFactory.Builder builder = CuratorFrameworkFactory.builder()
        .connectString(coordinatorHosts).retryPolicy(retryPolicy)
        .connectionTimeoutMs(coordinatorConnectionTimeout)
        .sessionTimeoutMs(coordinatorSessionTimeout);

final CuratorFramework curatorFramework = builder
        .authorization("sasl", "zkclient/z...@example.com".getBytes())
        .aclProvider(new ACLProvider() {
            @Override
            public List<ACL> getDefaultAcl() {
                return ZooDefs.Ids.CREATOR_ALL_ACL;
            }

            @Override
            public List<ACL> getAclForPath(String path) {
                return ZooDefs.Ids.CREATOR_ALL_ACL;
            }
        }).build();


I see the logs below on the Zookeeper node:

2020-01-14 13:27:53,174 [myid:1] - INFO  [NIOWorkerThread-3:SaslServerCallbackHandler@120] - Successfully authenticated client: authenticationID=zkclient/z...@example.com;  authorizationID=zkclient/z...@example.com.
2020-01-14 13:27:53,175 [myid:1] - INFO  [NIOWorkerThread-3:SaslServerCallbackHandler@136] - Setting authorizedID: zkclient/z...@example.com
2020-01-14 13:27:53,175 [myid:1] - INFO  [NIOWorkerThread-3:ZooKeeperServer@1170] - adding SASL authorization for authorizationID: zkclient/z...@example.com
2020-01-14 13:27:53,182 [myid:1] - INFO  [NIOWorkerThread-7:ZooKeeperServer@1095] - got auth packet /172.30.0.6:36658
2020-01-14 13:27:53,183 [myid:1] - WARN  [NIOWorkerThread-7:ZooKeeperServer@1123] - Authentication failed for scheme: sasl

Is this not the correct way to do it?



On Tue, Jan 14, 2020 at 11:52 AM Szalay-Bekő Máté <
szalay.beko.m...@gmail.com> wrote:

> The system property name is a bit misleading... this parameter actually
> specifies the username used in the ZooKeeper server principal. (in your
> case the server principal is: zookeeper/z...@example.com)
> AFAIK the ZooKeeper client (after authenticating as zkclient/z...@example.com
> in Kerberos based on the jaas.conf file) needs to know the ZooKeeper server
> principal in order to ask for a specific token from kerberos which can be
> read by the ZooKeeper server.
>
> In 3.5.5 (or 3.5.6) you can use the zookeeper.sasl.client.username
> parameter (plus some other parameters) to configure how the server
> principal will be determined by the client.
> See:
> https://github.com/apache/zookeeper/blob/c11b7e26bc554b8523dc929761dd28808913f091/zookeeper-server/src/main/java/org/apache/zookeeper/SaslServerPrincipal.java#L48
>
> In future releases (3.5.7, 3.6, ...) you can also use
> the zookeeper.server.principal parameter (a much better name I think) to
> use a fixed server principal name in the client.
> See:
> https://github.com/apache/zookeeper/blob/1c5d135d74f16275876c024401dc2de92909b20a/zookeeper-server/src/main/java/org/apache/zookeeper/SaslServerPrincipal.java#L50
>
> On Mon, Jan 13, 2020 at 6:03 PM Arpit Jain  wrote:
>
>> Does this user name always have to be "Zookeeper"
>> (-Dzookeeper.sasl.client.username=zookeeper)?
>> And the client principal name is different from this username. Correct me
>> if I am wrong?
>>
>> On Mon, Jan 13, 2020 at 4:58 PM Arpit Jain  wrote:
>>
>>> Thank you so much!
>>> It worked finally. I had to change
>>> -Dzookeeper.sasl.client.username=zookeeper parameter.
>>>
>>> On Mon, Jan 13, 2020 at 4:40 PM Szalay-Bekő Máté <
>>> szalay.beko.m...@gmail.com> wrote:
>>>
>>>> You are using 3.5.5 or 3.5.6, right?
>>>> I think you need to specify: -Dzookeeper.sasl.client.username=zookeeper
>>>> can you give it a try? If it doesn't work then I can take a deeper look
>>>> (also we can enable some debug logging)
>>>>
>>>> On Mon, Jan 13, 2020 at 5:31 PM Arpit Jain 
>>>> wrote:
>>>>
>>>>> Hi
>>>>>
>>>>> I have Kerberos, Zookeeper and my application (using curator) running
>>>>> in 3 docker containers with ZK SASL authentication enabled. The ZK can
>>>>> login to Kerberos and starts successfully.
>>>>>
>>>>> The ZK server principal is zookeeper/z...@example.com
>>>>> The client principal is : zkclient/z...@example.com
>>>>>
>>>>> While starting my application, I am seeing failure while obtaining
>>>>> TGS.
>>>>> See the log at Kerberos side:
>>>>> 

Re: Authorisation in Zookeeper

2020-01-11 Thread Arpit Jain
Which authorization scheme is used for this kind of authorization using
Unix user ids?

Thanks

On Sat, Jan 11, 2020, 1:05 PM Enrico Olivelli  wrote:

> On Sat 11 Jan 2020 at 09:31 shrikant kalani <
> shrikantkal...@gmail.com> wrote:
>
> >
> > My system account means a client process running with unix user id.
> >
> > I want user A to have full access while all other users should only read
> > data from znodes.
> >
>
> Yes ACLs are your way to go
>
> Enrico
>
>
> >
> > Thanks
> > Srikant Kalani
> > Sent from my iPhone
> >
> > > On 11 Jan 2020, at 2:20 PM, Enrico Olivelli 
> wrote:
> > >
> > > Srikant
> > >
> > > On Sat 11 Jan 2020, 03:48 shrikant kalani wrote:
> > >
> > >> Hi Zookeeper Users
> > >>
> > >> I have implemented TLS authentication in my cluster. Right now the
> > >> authentication is done based on host name (X509).
> > >>
> > >> Now I want to implement authorisation based on user id. I'd like only my
> > >> system account to be able to read and write data to znodes.
> > >>
> > >
> > > Can you define 'my system account'?
> > > Is your goal that only authenticated users are able to access data?
> > >
> > >
> > > Enrico
> > >
> > >>
> > >> How can I do that? Are ACLs the only solution?
> > >>
> > >> Thanks
> > >> Srikant Kalani
> > >>
> > >> Sent from my iPhone
> >
>


Re: Zookeeper and curator SASL authentication

2020-01-09 Thread Arpit Jain
The solution is to pass JAAS file
with  -Djava.security.auth.login.config=/path/to/jaas.conf. Using
System.setProperty does not work for me.

On Thu, Jan 9, 2020 at 3:49 PM Szalay-Bekő Máté 
wrote:

> I also faced this exception not long ago. I think it is an edge case, most
> probably you have something else, but still... maybe it helps:
>
> I tried to write a unit test which dynamically generated multiple
> jaas.conf files. Then I was setting the
> java.security.auth.login.config system property to the config file I needed
> in the given testcase, and when I tried to establish a ZooKeeper connection
> in the unit test, I also got the same exception that you got.
>
> The problem was that the security configuration file I referred to in the
> java.security.auth.login.config system property was read only once, then
> stored in memory, and it did not get reloaded even if the file (or its path
> in the system property) changed. Maybe the best in this case is to specify
> separate JAAS config sections for each test and use a single jaas.conf file
> per JVM.
>
> Mate
>
> On Thu, Jan 9, 2020 at 2:56 PM Damien Diederen 
> wrote:
>
>>
>> Hi Arpit,
>>
>> > I am trying to do SASL authentication between ZK and curator. […]
>>
>> Okay.
>>
>> > I am also setting -Dzookeeper.sasl.clientconfig="Client" system
>> > variable.
>>
>> Looking at my deployments, I am specifying the location of the
>> configuration file using another system property:
>>
>> -Djava.security.auth.login.config=/path/to/jaas.conf
>>
>> > SASL configuration failed: javax.security.auth.login.LoginException: No
>> > JAAS configuration section named 'Client' was found in specified JAAS
>> > configuration file: '//jaas.conf'.
>>
>> It looks like your "JAAS config key" is explicitly set to a bogus value
>> (via the aforementioned system property or some other config file):
>>
>> //jaas.conf
>>
>> HTH, -D
>>
>


Zookeeper and curator SASL authentication

2020-01-09 Thread Arpit Jain
Hi,

I am trying to do SASL authentication between ZK and curator. Principal for
curator is added in Kerberos server. While starting up curator, I see below
message in logs even though JAAS file has "Client" section. I am also
setting -Dzookeeper.sasl.clientconfig="Client" system variable.

2020-01-06 11:38:06.443+ [L: WARN] [O: o.a.z.ClientCnxn] [I: ] [U: ] [S: ] [P: platform] [T: localhost-startStop-1-SendThread(localhost:2181)] SASL configuration failed: javax.security.auth.login.LoginException: No JAAS configuration section named 'Client' was found in specified JAAS configuration file: '//jaas.conf'. Will continue connection to Zookeeper server without SASL authentication, if Zookeeper server allows it.

I am using Curator version 4.2.0 and ZK version 3.5.6.

JAAS file looks like this:

Client {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   keyTab="//zkclient.keytab"
   storeKey=true
   useTicketCache=false
   principal="zkclient";
};

I am asking here as someone might have seen this issue and can help me proceed.

Thanks
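
An added example, not code from any post in these threads, that ties the ACL creation attempts in the 2020-01-14 and 2020-01-15 messages above to the JAAS section error in this one: it checks that the JAAS section named by zookeeper.sasl.clientconfig exists before connecting, builds the Curator client with CREATOR_ALL_ACL, and verifies that the znode it creates ends up with sasl-scheme entries only. The class name, connect string, znode path and JAAS file path are assumptions.

```java
import java.util.List;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import org.apache.curator.framework.CuratorFramework;
import org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.curator.framework.api.ACLProvider;
import org.apache.curator.retry.ExponentialBackoffRetry;
import org.apache.zookeeper.CreateMode;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.data.ACL;

/*
 * Run with the JAAS settings as JVM flags (the thread reports that
 * System.setProperty is not reliable, since the login Configuration is
 * read once and cached). Host, znode path, keytab and realm are placeholders:
 *   java -Djava.security.auth.login.config=/etc/zk/client-jaas.conf \
 *        -Dzookeeper.sasl.clientconfig=Client \
 *        -Dzookeeper.sasl.client.username=zookeeper \
 *        SaslAclDemo zk1.example.com:2181 /myapp
 */
public class SaslAclDemo {
    // Creator-only ACL: the identity that authenticated at session setup gets
    // CDRWA, nobody else. Over SASL the entry is stored as sasl:<principal>.
    static final ACLProvider CREATOR_ONLY = new ACLProvider() {
        @Override public List<ACL> getDefaultAcl() { return ZooDefs.Ids.CREATOR_ALL_ACL; }
        @Override public List<ACL> getAclForPath(String path) { return ZooDefs.Ids.CREATOR_ALL_ACL; }
    };

    // Fails before connecting with the root cause behind the ClientCnxn WARN
    // "No JAAS configuration section named ..."; returns the section's principal.
    static String requireJaasSection(String section) {
        AppConfigurationEntry[] entries =
                Configuration.getConfiguration().getAppConfigurationEntry(section);
        if (entries == null || entries.length == 0) {
            throw new IllegalStateException("No JAAS section '" + section + "' in "
                    + System.getProperty("java.security.auth.login.config"));
        }
        Object principal = entries[0].getOptions().get("principal");
        if (principal == null) {
            throw new IllegalStateException("JAAS section '" + section + "' sets no principal");
        }
        return principal.toString();
    }

    // True only if every ACL entry is a sasl-scheme entry with full perms (CDRWA).
    static boolean isSaslCreatorOnly(List<ACL> acls) {
        if (acls == null || acls.isEmpty()) return false;
        for (ACL acl : acls) {
            if (!"sasl".equals(acl.getId().getScheme())) return false;
            if (acl.getPerms() != ZooDefs.Perms.ALL) return false;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        String connectString = args.length > 0 ? args[0] : "localhost:2181";
        String path = args.length > 1 ? args[1] : "/myapp";
        String section = System.getProperty("zookeeper.sasl.clientconfig", "Client");
        System.out.println("JAAS section " + section + " logs in as " + requireJaasSection(section));
        // No builder.authorization("sasl", ...) here: SASL credentials are negotiated
        // from the JAAS login during session setup, not sent as an auth packet.
        CuratorFramework client = CuratorFrameworkFactory.builder()
                .connectString(connectString)
                .retryPolicy(new ExponentialBackoffRetry(1000, 3))
                .aclProvider(CREATOR_ONLY)
                .build();
        client.start();
        try {
            client.blockUntilConnected();
            if (client.checkExists().forPath(path) == null) {
                // Fails with InvalidACL if the session is not SASL-authenticated.
                client.create().creatingParentContainersIfNeeded()
                        .withMode(CreateMode.PERSISTENT).forPath(path, new byte[0]);
            }
            List<ACL> acls = client.getACL().forPath(path);
            System.out.println(path + " ACLs: " + acls);
            if (!isSaslCreatorOnly(acls)) {
                throw new IllegalStateException(path + " is not restricted to the SASL creator");
            }
        } finally {
            client.close();
        }
    }
}
```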


Re: Zookeeper server and client authentication

2019-12-30 Thread Arpit Jain
Just to confirm the settings I have in my environment:

1. On ZK side, my JAAS file looks like this:
Server {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   keyTab="/conf/zoo1.keytab"
   storeKey=true
   useTicketCache=false
   principal="zookeeper/z...@example.com";
};
The principal "zookeeper/z...@example.com" has been created in the Kerberos
server running locally. I am able to start ZK with this principal and I can
see the ticket exchange between ZK and Kerberos for this principal.

2. On client (Curator) side, the JAAS file looks like below. The principal
"zkcli...@example.com" is present in the Kerberos server. The curator is able
to connect properly to ZK (with or without the principal) even though SASL is
enabled. Maybe I should use ZK 3.6 as you pointed out to enforce
authentication.
Client {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   keyTab="/tmp/zkclient.keytab"
   storeKey=true
   useTicketCache=false
   principal="zkcli...@example.com";
};

Just want to make sure my settings are correct.

Thanks

On Mon, Dec 30, 2019 at 12:47 PM Enrico Olivelli 
wrote:

> Arpit,
> Up to 3.5.x you can only leverage auth only in conjunction with ACLs.
>
> I hope we are able to release 3.6.0 within a couple of weeks.
>
> If you have time you can build from branch-3.6 and run the server enabling
> that feature that you are pointing to.
> It is a server side change only so you can use 3.5 in your application
>
>
> Enrico
>
> On Mon 30 Dec 2019, 13:23 shrikant kalani wrote:
>
> > Couple of things which you can check -
> > 1) if your Zookeeper server is not running with the Zookeeper id then you
> > need to set zookeeper.sasl.client.username
> > 2) set java.security.auth.login.config
> >
> > And I also faced the same issue that there is no strict enforcement to
> > allow only authenticated clients. Unless someone is aware of the way I doubt
> > we may need to wait for 3.6
> >
> > Thanks
> > Srikant
> >
> > Sent from my iPhone
> >
> > > On 30 Dec 2019, at 8:11 PM, Arpit Jain  wrote:
> > >
> > > Hi,
> > >
> > > I have configured Zookeeper 3.5.5 to use SASL authentication using
> > > Kerberos. I am able to authenticate ZK with the Kerberos server but I don't
> > > see any authentication happening between the Zookeeper client (curator) and
> > > the ZK server. I have put the following settings in zoo.cfg and followed
> > > this guide:
> > > https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication
> > >
> > > authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
> > > requireClientAuthScheme=sasl
> > >
> > > What additional setting do I need to provide so that only authenticated
> > > clients (for which principals are present in the Kerberos server) can
> > > connect to the ZK server?
> > > I also found this link
> > > https://github.com/apache/zookeeper/pull/118/commits which
> > > mentions that it will be strict only from ZK 3.6 onwards and currently ZK
> > > does not enforce it even if we have the configuration.
> > >
> > > Thanks
> >
>


Zookeeper server and client authentication

2019-12-30 Thread Arpit Jain
Hi,

I have configured Zookeeper 3.5.5 to use SASL authentication using
Kerberos. I am able to authenticate ZK with the Kerberos server but I don't see
any authentication happening between the Zookeeper client (curator) and the ZK
server. I have put the following settings in zoo.cfg and followed this guide:
https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication

authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
requireClientAuthScheme=sasl

What additional setting do I need to provide so that only authenticated
clients (for which principals are present in the Kerberos server) can connect
to the ZK server?
I also found this link
https://github.com/apache/zookeeper/pull/118/commits which
mentions that it will be strict only from ZK 3.6 onwards and currently ZK
does not enforce it even if we have the configuration.

Thanks