Just to confirm the settings I have in my environment:
1. On ZK side, my JAAS file looks like this:
Server {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/conf/zoo1.keytab"
storeKey=true
useTicketCache=false
principal="zookeeper/z...@example.com";
};
The principal "*zookeeper/z...@example.com <z...@example.com>"* has been
created in Kerberos server running locally. I am able to start ZK with this
principal and I can see ticket exchange between ZK and Kerberos for this
principal.
2. On client (Curator) side, JAAS file looks like below. Principal
"*zkcli...@example.com
<zkcli...@example.com>"* is present in Kerberos server. The curator is able
to connect properly to ZK (with or without principal) even though SASL is
enabled. May be I should use ZK 3.6 as you pointed out to enforce
authentication.
Client {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="/tmp/zkclient.keytab"
storeKey=true
useTicketCache=false
principal="zkcli...@example.com";
};
Just want to make sure my settings are correct.
Thanks
On Mon, Dec 30, 2019 at 12:47 PM Enrico Olivelli <eolive...@gmail.com>
wrote:
> Arpit,
> Up to 3.5.x you can only leverage auth only in conjunction with ACLs.
>
> I hope we are able to release 3.6.0 within a couple of weeks.
>
> If you have time you can build from branch-3.6 and run the server enabling
> that feature tha you are pointing to.
> It is a server side change only so you can use 3.5 in your application
>
>
> Enrico
>
> Il lun 30 dic 2019, 13:23 shrikant kalani <shrikantkal...@gmail.com> ha
> scritto:
>
> > Couple of things which you can check -
> > 1) if your Zookeeper server is not running with Zookeeper I’d then you
> > need to set Zookeeper.sasl.client.username
> > 2) set java.security.auth.login.config
> >
> > And I also faced the same issue that there is no strict enforcement to
> > allow only authenticated client. Unless someone is aware of the way I
> doubt
> > we may need to wait for 3.6
> >
> > Thanks
> > Srikant
> >
> > Sent from my iPhone
> >
> > > On 30 Dec 2019, at 8:11 PM, Arpit Jain <jain.arp...@gmail.com> wrote:
> > >
> > > Hi,
> > >
> > > I have configured Zookeeper 3.5.5 to use SASL authentication using
> > > Kerberos. I am able to authenticate ZK with Kerberos server but I don't
> > see
> > > any authentication happening between Zookeeper client (curator) and ZK
> > > server. I have put the following setting in zoo.cfg and followed this
> > guide
> > >
> >
> https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication
> > > .
> > >
> > >
> >
> authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
> > > requireClientAuthScheme=sasl
> > >
> > > What additional setting I need to provide so that only authenticated
> > > clients (for which principals are present in Kerberos server) can
> connect
> > > to ZK server ?
> > > I also found this link
> > > https://github.com/apache/zookeeper/pull/118/commits which
> > > mentions that it will be strict only from ZK 3.6 onwards and currently
> ZK
> > > does not enforce it even if we have the configuration.
> > >
> > > Thanks
> >
>
