Hi Abe,

We are trying to understand the difference between setting requireClientAuthScheme=sasl and requireClientAuthScheme=all.

When a client does not have a valid Kerberos ticket, the behaviour is the same for either of the above settings, whereas we'd have expected the client to not be able to connect when requireClientAuthScheme=sasl. To restrict such connections, should we also set zookeeper.allowSaslFailedClients=false?

Regards
Shirsha

-----Original Message-----
From: Abraham Fine [mailto:[email protected]]
Sent: Friday, March 9, 2018 12:31 AM
To: [email protected]
Subject: Re: SASL for Client connections

Hi Harish-

Currently there is no way to restrict ALL incoming client connections when using SASL. In ZooKeeper, SASL works on a node by node basis.

Thanks,
Abe

On Thu, Mar 8, 2018, at 03:58, Harish kumar wrote:
> Hi,
>
> I have enabled SASL on my ZooKeeper, with the below configuration.
>
> *requireClientAuthScheme=sasl*
> *authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider*
>
> But still I see that I am able to connect to ZooKeeper even without a
> valid Kerberos ticket.
> Is there a way to restrict all client connections only with a valid
> Kerberos ticket?
>
> ZooKeeper Version - 3.4.8
>
>
> Thanks,
> Harish
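
The reply above says SASL applies node by node; with the standard ZooKeeper Java client that means putting a `sasl`-scheme ACL on each znode to be protected. The following is an added example, not part of the thread or the ZooKeeper project's own code: run it as `protect` with a client JAAS file to lock a znode to one identity, then as `probe` without one to see that the session still connects but the read is refused. The connect string, path and principal are assumed values, and the ACL id must match the principal name as the server records it.

```java
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.List;
import java.util.concurrent.CountDownLatch;
import org.apache.zookeeper.CreateMode;
import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.Watcher.Event.KeeperState;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.ZooKeeper;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;

public class SaslAclExample {
    // Assumed values for illustration only; replace with your own.
    static final String CONNECT = "zk1.example.com:2181";
    static final String PATH = "/secure-app";
    static final String PRINCIPAL = "appuser@EXAMPLE.COM";

    static ZooKeeper connect() throws Exception {
        CountDownLatch connected = new CountDownLatch(1);
        ZooKeeper zk = new ZooKeeper(CONNECT, 15000, event -> {
            if (event.getState() == KeeperState.SyncConnected) connected.countDown();
        });
        connected.await();  // an unauthenticated session reaches this state too
        return zk;
    }

    public static void main(String[] args) throws Exception {
        ZooKeeper zk = connect();
        try {
            if (args.length > 0 && args[0].equals("protect")) {
                // Run with -Djava.security.auth.login.config=<client JAAS file>.
                // Only the SASL identity PRINCIPAL gets any permission on PATH.
                List<ACL> acl = Collections.singletonList(
                        new ACL(ZooDefs.Perms.ALL, new Id("sasl", PRINCIPAL)));
                try {
                    zk.create(PATH, "secret".getBytes(StandardCharsets.UTF_8),
                            acl, CreateMode.PERSISTENT);
                } catch (KeeperException.NodeExistsException e) {
                    zk.setACL(PATH, acl, -1);  // -1 matches any ACL version
                }
                System.out.println("Restricted " + PATH + " to sasl:" + PRINCIPAL);
            } else {
                // "probe": run without a JAAS file or Kerberos ticket.
                try {
                    zk.getData(PATH, false, null);
                    System.out.println("UNEXPECTED: read allowed, check the ACL");
                } catch (KeeperException.NoAuthException e) {
                    System.out.println("Connected, but read of " + PATH + " denied");
                }
            }
        } finally {
            zk.close();
        }
    }
}
```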
