LiJie2023 created ZOOKEEPER-4740:
------------------------------------

             Summary: I want to use kerberos for Zookeeper, but my authentication has been unsuccessful
                 Key: ZOOKEEPER-4740
                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4740
             Project: ZooKeeper
          Issue Type: Wish
          Components: kerberos
    Affects Versions: 3.5.9
            Reporter: LiJie2023
         Attachments: image-2023-09-01-16-37-20-848.png

zookeeper_jaas.conf
{code:java}
Server {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  storeKey=true
  useTicketCache=false
  keyTab="/opt/test2.keytab"
  principal="test2/bigdata.hadoop.master01";
};
Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/opt/test2.keytab"
  principal="test2/bigdata.hadoop.master01"
  useTicketCache=false
  debug=true;
};
{code}

[root@bigdata conf]# cat java.env
{code:java}
export JVMFLAGS="-Djava.security.auth.login.config=/usr/lib/zookeeper/conf/zookeeper_jaas.conf"
{code}

/etc/krb5.conf
{code:java}
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 EXAMPLE.COM = {
  kdc = bigdata.hadoop.master01
  admin_server = bigdata.hadoop.master01
 }

[domain_realm]
 .bigdata.hadoop.master01 = EXAMPLE.COM
 bigdata.hadoop.master01 = EXAMPLE.COM
{code}

!image-2023-09-01-16-37-20-848.png!
When I use a client connection:
{code:java}
zookeeper-client -server localhost:12181
{code}

{code}
Connecting to localhost:12181
2023-09-01 16:38:05,528 - INFO [main:Environment@109] - Client environment:zookeeper.version=3.5.9-83df9301aa5c2a5d284a9940177808c01bc35cef, built on 10/25/2022 23:07 GMT
2023-09-01 16:38:05,530 - INFO [main:Environment@109] - Client environment:host.name=bigdata.hadoop.master01
2023-09-01 16:38:05,530 - INFO [main:Environment@109] - Client environment:java.version=1.8.0_351
2023-09-01 16:38:05,532 - INFO [main:Environment@109] - Client environment:java.vendor=Oracle Corporation
2023-09-01 16:38:05,532 - INFO [main:Environment@109] - Client environment:java.home=/usr/java/jdk1.8.0_351-amd64/jre
2023-09-01 16:38:05,532 - INFO [main:Environment@109] - Client environment:java.class.path=/usr/lib/zookeeper/bin/../zookeeper-server/target/classes:/usr/lib/zookeeper/bin/../build/classes:/usr/lib/zookeeper/bin/../zookeeper-server/target/lib/*.jar:/usr/lib/zookeeper/bin/../build/lib/*.jar:/usr/lib/zookeeper/bin/../lib/zookeeper-jute-3.5.9.jar:/usr/lib/zookeeper/bin/../lib/zookeeper-3.5.9.jar:/usr/lib/zookeeper/bin/../lib/slf4j-log4j12-1.7.25.jar:/usr/lib/zookeeper/bin/../lib/slf4j-api-1.7.25.jar:/usr/lib/zookeeper/bin/../lib/netty-transport-native-unix-common-4.1.50.Final.jar:/usr/lib/zookeeper/bin/../lib/netty-transport-native-epoll-4.1.50.Final.jar:/usr/lib/zookeeper/bin/../lib/netty-transport-4.1.50.Final.jar:/usr/lib/zookeeper/bin/../lib/netty-resolver-4.1.50.Final.jar:/usr/lib/zookeeper/bin/../lib/netty-handler-4.1.50.Final.jar:/usr/lib/zookeeper/bin/../lib/netty-common-4.1.50.Final.jar:/usr/lib/zookeeper/bin/../lib/netty-codec-4.1.50.Final.jar:/usr/lib/zookeeper/bin/../lib/netty-buffer-4.1.50.Final.jar:/usr/lib/zookeeper/bin/../lib/log4j-1.2.17.jar:/usr/lib/zookeeper/bin/../lib/json-simple-1.1.1.jar:/usr/lib/zookeeper/bin/../lib/jline-2.14.6.jar:/usr/lib/zookeeper/bin/../lib/jetty-util-ajax-9.4.35.v20201120.jar:/usr/lib/zookeeper/bin/../lib/jetty-util-9.4.35.v20201120.jar:/usr/lib/zookeeper/bin/../lib/jetty-servlet-9.4.35.v20201120.jar:/usr/lib/zookeeper/bin/../lib/jetty-server-9.4.35.v20201120.jar:/usr/lib/zookeeper/bin/../lib/jetty-security-9.4.35.v20201120.jar:/usr/lib/zookeeper/bin/../lib/jetty-io-9.4.35.v20201120.jar:/usr/lib/zookeeper/bin/../lib/jetty-http-9.4.35.v20201120.jar:/usr/lib/zookeeper/bin/../lib/javax.servlet-api-3.1.0.jar:/usr/lib/zookeeper/bin/../lib/jackson-databind-2.10.5.1.jar:/usr/lib/zookeeper/bin/../lib/jackson-core-2.10.5.jar:/usr/lib/zookeeper/bin/../lib/jackson-annotations-2.10.5.jar:/usr/lib/zookeeper/bin/../lib/commons-cli-1.2.jar:/usr/lib/zookeeper/bin/../lib/audience-annotations-0.5.0.jar:/usr/lib/zookeeper/bin/../zookeeper-jute.jar:/usr/lib/zookeeper/bin/../zookeeper-jute-3.5.9.jar:/usr/lib/zookeeper/bin/../zookeeper-3.5.9.jar:/usr/lib/zookeeper/bin/../zookeeper-server/src/main/resources/lib/*.jar:/etc/zookeeper/conf::/etc/zookeeper/conf:/usr/lib/zookeeper/zookeeper-3.5.9.jar:/usr/lib/zookeeper/zookeeper-jute-3.5.9.jar:/usr/lib/zookeeper/zookeeper-jute.jar:/usr/lib/zookeeper/zookeeper.jar:/usr/lib/zookeeper/lib/audience-annotations-0.5.0.jar:/usr/lib/zookeeper/lib/commons-cli-1.2.jar:/usr/lib/zookeeper/lib/jackson-annotations-2.10.5.jar:/usr/lib/zookeeper/lib/jackson-core-2.10.5.jar:/usr/lib/zookeeper/lib/jackson-databind-2.10.5.1.jar:/usr/lib/zookeeper/lib/javax.servlet-api-3.1.0.jar:/usr/lib/zookeeper/lib/jetty-http-9.4.35.v20201120.jar:/usr/lib/zookeeper/lib/jetty-io-9.4.35.v20201120.jar:/usr/lib/zookeeper/lib/jetty-security-9.4.35.v20201120.jar:/usr/lib/zookeeper/lib/jetty-server-9.4.35.v20201120.jar:/usr/lib/zookeeper/lib/jetty-servlet-9.4.35.v20201120.jar:/usr/lib/zookeeper/lib/jetty-util-9.4.35.v20201120.jar:/usr/lib/zookeeper/lib/jetty-util-ajax-9.4.35.v20201120.jar:/usr/lib/zookeeper/lib/jline-2.14.6.jar:/usr/lib/zookeeper/lib/json-simple-1.1.1.jar:/usr/lib/zookeeper/lib/log4j-1.2.17.jar:/usr/lib/zookeeper/lib/netty-buffer-4.1.50.Final.jar:/usr/lib/zookeeper/lib/netty-codec-4.1.50.Final.jar:/usr/lib/zookeeper/lib/netty-common-4.1.50.Final.jar:/usr/lib/zookeeper/lib/netty-handler-4.1.50.Final.jar:/usr/lib/zookeeper/lib/netty-resolver-4.1.50.Final.jar:/usr/lib/zookeeper/lib/netty-transport-4.1.50.Final.jar:/usr/lib/zookeeper/lib/netty-transport-native-epoll-4.1.50.Final.jar:/usr/lib/zookeeper/lib/netty-transport-native-unix-common-4.1.50.Final.jar:/usr/lib/zookeeper/lib/slf4j-api-1.7.25.jar:/usr/lib/zookeeper/lib/slf4j-log4j12-1.7.25.jar:/usr/lib/zookeeper/lib/zookeeper-3.5.9.jar:/usr/lib/zookeeper/lib/zookeeper-jute-3.5.9.jar:/usr/share/zookeeper/*
2023-09-01 16:38:05,533 - INFO [main:Environment@109] - Client environment:java.library.path=/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
2023-09-01 16:38:05,533 - INFO [main:Environment@109] - Client environment:java.io.tmpdir=/tmp
2023-09-01 16:38:05,533 - INFO [main:Environment@109] - Client environment:java.compiler=<NA>
2023-09-01 16:38:05,533 - INFO [main:Environment@109] - Client environment:os.name=Linux
2023-09-01 16:38:05,533 - INFO [main:Environment@109] - Client environment:os.arch=amd64
2023-09-01 16:38:05,533 - INFO [main:Environment@109] - Client environment:os.version=3.10.0-862.el7.x86_64
2023-09-01 16:38:05,534 - INFO [main:Environment@109] - Client environment:user.name=root
2023-09-01 16:38:05,534 - INFO [main:Environment@109] - Client environment:user.home=/root
2023-09-01 16:38:05,534 - INFO [main:Environment@109] - Client environment:user.dir=/etc/zookeeper/conf.dist
2023-09-01 16:38:05,534 - INFO [main:Environment@109] - Client environment:os.memory.free=236MB
2023-09-01 16:38:05,536 - INFO [main:Environment@109] - Client environment:os.memory.max=245MB
2023-09-01 16:38:05,536 - INFO [main:Environment@109] - Client environment:os.memory.total=245MB
2023-09-01 16:38:05,539 - INFO [main:ZooKeeper@868] - Initiating client connection, connectString=localhost:12181 sessionTimeout=30000 watcher=org.apache.zookeeper.ZooKeeperMain$MyWatcher@1c655221
2023-09-01 16:38:05,544 - INFO [main:X509Util@79] - Setting -D jdk.tls.rejectClientInitiatedRenegotiation=true to disable client-initiated TLS renegotiation
2023-09-01 16:38:05,550 - INFO [main:ClientCnxnSocket@237] - jute.maxbuffer value is 4194304 Bytes
2023-09-01 16:38:05,557 - INFO [main:ClientCnxn@1653] - zookeeper.request.timeout value is 0. feature enabled=
Welcome to ZooKeeper!
JLine support is enabled
Debug is true storeKey false useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is /opt/test2.keytab refreshKrb5Config is false principal is test2/bigdata.hadoop.master01 tryFirstPass is false useFirstPass is false storePass is false clearPass is false
[zk: localhost:12181(CONNECTING) 0] principal is test2/bigdata.hadoop.maste...@example.com
Will use keytab
Commit Succeeded
2023-09-01 16:38:05,843 - INFO [main-SendThread(localhost:12181):Login@302] - Client successfully logged in.
2023-09-01 16:38:05,845 - INFO [Thread-1:Login$1@135] - TGT refresh thread started.
2023-09-01 16:38:05,848 - INFO [main-SendThread(localhost:12181):SecurityUtils$1@128] - Client will use GSSAPI as SASL mechanism.
2023-09-01 16:38:05,848 - INFO [Thread-1:Login@320] - TGT valid starting at: Fri Sep 01 16:38:05 CST 2023
2023-09-01 16:38:05,848 - INFO [Thread-1:Login@321] - TGT expires: Sun Feb 07 14:28:15 CST 2106
2023-09-01 16:38:05,849 - INFO [Thread-1:Login$1@193] - TGT refresh sleeping until: Mon Mar 17 14:49:28 CST 2092
2023-09-01 16:38:05,857 - INFO [main-SendThread(localhost:12181):ClientCnxn$SendThread@1112] - Opening socket connection to server localhost/127.0.0.1:12181. Will attempt to SASL-authenticate using Login Context section 'Client'
2023-09-01 16:38:05,861 - INFO [main-SendThread(localhost:12181):ClientCnxn$SendThread@959] - Socket connection established, initiating session, client: /127.0.0.1:33722, server: localhost/127.0.0.1:12181
2023-09-01 16:38:05,870 - INFO [main-SendThread(localhost:12181):ClientCnxn$SendThread@1394] - Session establishment complete on server localhost/127.0.0.1:12181, sessionid = 0x100001d3c2d0004, negotiated timeout = 30000

WATCHER::

WatchedEvent state:SyncConnected type:None path:null
2023-09-01 16:38:05,882 - ERROR [main-SendThread(localhost:12181):ZooKeeperSaslClient@341] - An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Ticket expired (32) - PROCESS_TGS)]) occurred when evaluating Zookeeper Quorum Member's received SASL token. Zookeeper Client will go to AUTH_FAILED state.
2023-09-01 16:38:05,882 - ERROR [main-SendThread(localhost:12181):ClientCnxn$SendThread@1151] - SASL authentication with Zookeeper Quorum member failed: javax.security.sasl.SaslException: An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Ticket expired (32) - PROCESS_TGS)]) occurred when evaluating Zookeeper Quorum Member's received SASL token. Zookeeper Client will go to AUTH_FAILED state. [Caused by java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Ticket expired (32) - PROCESS_TGS)]]

WATCHER::

WatchedEvent state:AuthFailed type:None path:null
2023-09-01 16:38:05,883 - INFO [main-EventThread:ClientCnxn$EventThread@524] - EventThread shut down for session: 0x100001d3c2d0004
{code}

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
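The client log above contains three facts worth cross-checking before touching the JAAS or krb5 configuration: the mechanism-level cause the GSS layer reports ("Ticket expired (32) - PROCESS_TGS"), the TGT validity window printed by ZooKeeper's Login thread (start 2023-09-01, expiry 2106-02-07), and the `ticket_lifetime = 24h` in the posted krb5.conf. A TGT window of roughly 82 years cannot have been issued under a 24h lifetime, and 2106-02-07 06:28:15 UTC is exactly 2^32 - 1 seconds after the Unix epoch (14:28:15 if the log's CST is UTC+8), which is the largest value a 32-bit unsigned time field can hold. The script below is an added example, not code from the report or from ZooKeeper: it parses a constructed subset of the log lines above and flags those inconsistencies so the clock and ticket-time agreement between client, KDC and server can be checked first. The UTC+8 offset and the 24h lifetime are assumptions taken from the log's zone abbreviation and the posted config.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: a subset of the client log lines quoted in the report,
# trimmed to the entries that matter for the SASL/GSSAPI handshake.
SAMPLE_LOG = """\
2023-09-01 16:38:05,843 - INFO [main-SendThread(localhost:12181):Login@302] - Client successfully logged in.
2023-09-01 16:38:05,848 - INFO [main-SendThread(localhost:12181):SecurityUtils$1@128] - Client will use GSSAPI as SASL mechanism.
2023-09-01 16:38:05,848 - INFO [Thread-1:Login@320] - TGT valid starting at: Fri Sep 01 16:38:05 CST 2023
2023-09-01 16:38:05,848 - INFO [Thread-1:Login@321] - TGT expires: Sun Feb 07 14:28:15 CST 2106
2023-09-01 16:38:05,882 - ERROR [main-SendThread(localhost:12181):ZooKeeperSaslClient@341] - An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Ticket expired (32) - PROCESS_TGS)]) occurred when evaluating Zookeeper Quorum Member's received SASL token. Zookeeper Client will go to AUTH_FAILED state.
"""

# ticket_lifetime from the [libdefaults] section of the posted /etc/krb5.conf
CONFIGURED_TICKET_LIFETIME = "24h"
# Assumption: the log's "CST" is UTC+8; adjust if the host is in another zone.
ASSUMED_UTC_OFFSET_HOURS = 8

TGT_RE = re.compile(r"TGT (valid starting at|expires):\s+(.+?)\s*$")
GSS_RE = re.compile(r"Mechanism level: (.*?)\)\]")
DURATION_RE = re.compile(r"^(\d+)([smhd])$")
JAVA_DATE_FMT = "%a %b %d %H:%M:%S %Y"
TIME_T_32_MAX = 2**32 - 1  # 2106-02-07 06:28:15 UTC


def parse_java_date(text: str) -> datetime:
    """Parse a java.util.Date.toString() value; the zone token (e.g. 'CST')
    is dropped so parsing does not depend on the local tz database."""
    parts = text.split()
    if len(parts) != 6:
        raise ValueError(f"unexpected date format: {text!r}")
    del parts[4]
    return datetime.strptime(" ".join(parts), JAVA_DATE_FMT)


def parse_duration(value: str) -> timedelta:
    """Parse krb5.conf duration shorthand such as '24h' or '7d'."""
    m = DURATION_RE.match(value.strip())
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    unit_name = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}[m.group(2)]
    return timedelta(**{unit_name: int(m.group(1))})


def extract_tgt_window(log: str):
    """Return (start, expires) as printed by ZooKeeper's Login thread, or None."""
    found = {}
    for line in log.splitlines():
        m = TGT_RE.search(line)
        if m:
            found[m.group(1)] = parse_java_date(m.group(2))
    return found.get("valid starting at"), found.get("expires")


def extract_gss_causes(log: str) -> list:
    """Collect the 'Mechanism level' text of every GSSException, in order of
    first appearance without duplicates."""
    causes = []
    for line in log.splitlines():
        for cause in GSS_RE.findall(line):
            if cause not in causes:
                causes.append(cause)
    return causes


def tgt_lifetime_exceeds_config(start: datetime, expires: datetime,
                                configured: str,
                                slack: timedelta = timedelta(minutes=5)) -> bool:
    """True when the TGT window is longer than krb5.conf allows, i.e. the
    client's idea of time and the KDC-issued ticket do not agree."""
    return (expires - start) > parse_duration(configured) + slack


def is_time_t_32_max(local_dt: datetime, utc_offset_hours: int) -> bool:
    """True if local_dt is 2**32 - 1 seconds after the Unix epoch, the largest
    value an unsigned 32-bit time field can represent."""
    utc_dt = local_dt - timedelta(hours=utc_offset_hours)
    return int((utc_dt - datetime(1970, 1, 1)).total_seconds()) == TIME_T_32_MAX


def diagnose(log: str, configured_lifetime: str, utc_offset_hours: int) -> dict:
    """Summarise what the log says about the Kerberos side of the handshake."""
    start, expires = extract_tgt_window(log)
    causes = extract_gss_causes(log)
    have_window = start is not None and expires is not None
    return {
        "sasl_failed": bool(causes),
        "gss_causes": causes,
        "tgt_lifetime_exceeds_config": have_window and
            tgt_lifetime_exceeds_config(start, expires, configured_lifetime),
        "tgt_expiry_is_time_t_max": expires is not None and
            is_time_t_32_max(expires, utc_offset_hours),
    }


if __name__ == "__main__":
    report = diagnose(SAMPLE_LOG, CONFIGURED_TICKET_LIFETIME, ASSUMED_UTC_OFFSET_HOURS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the sample, all three flags come back true: the SASL step failed with a ticket-expiry cause, the TGT window is far longer than the configured 24h, and the expiry sits exactly on the 32-bit epoch limit. Any one of those is a reason to compare `date` on the client, the KDC and the ZooKeeper server and to inspect the actual ticket times before changing the JAAS configuration.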