If you try to use wrong credentials, a corrupted keytab... you won't be able to read/write. The connection may be allowed.

Enrico

On Mon 30 Dec 2019, 14:19 Arpit Jain <[email protected]> wrote:

> Just to confirm the settings I have in my environment:
>
> 1. On ZK side, my JAAS file looks like this:
>
> Server {
>   com.sun.security.auth.module.Krb5LoginModule required
>   useKeyTab=true
>   keyTab="/conf/zoo1.keytab"
>   storeKey=true
>   useTicketCache=false
>   principal="zookeeper/[email protected]";
> };
>
> The principal "zookeeper/[email protected]" has been created in Kerberos server running locally. I am able to start ZK with this principal and I can see ticket exchange between ZK and Kerberos for this principal.
>
> 2. On client (Curator) side, JAAS file looks like below. Principal "[email protected]" is present in Kerberos server. The curator is able to connect properly to ZK (with or without principal) even though SASL is enabled. Maybe I should use ZK 3.6 as you pointed out to enforce authentication.
>
> Client {
>   com.sun.security.auth.module.Krb5LoginModule required
>   useKeyTab=true
>   keyTab="/tmp/zkclient.keytab"
>   storeKey=true
>   useTicketCache=false
>   principal="[email protected]";
> };
>
> Just want to make sure my settings are correct.
>
> Thanks
>
> On Mon, Dec 30, 2019 at 12:47 PM Enrico Olivelli <[email protected]> wrote:
>
> > Arpit,
> > Up to 3.5.x you can only leverage auth in conjunction with ACLs.
> >
> > I hope we are able to release 3.6.0 within a couple of weeks.
> >
> > If you have time you can build from branch-3.6 and run the server enabling that feature that you are pointing to.
> > It is a server side change only so you can use 3.5 in your application
> >
> > Enrico
> >
> > On Mon 30 Dec 2019, 13:23 shrikant kalani <[email protected]> wrote:
> >
> > > Couple of things which you can check -
> > > 1) if your Zookeeper server is not running with Zookeeper id then you need to set Zookeeper.sasl.client.username
> > > 2) set java.security.auth.login.config
> > >
> > > And I also faced the same issue that there is no strict enforcement to allow only authenticated client. Unless someone is aware of the way I doubt we may need to wait for 3.6
> > >
> > > Thanks
> > > Srikant
> > >
> > > Sent from my iPhone
> > >
> > > > On 30 Dec 2019, at 8:11 PM, Arpit Jain <[email protected]> wrote:
> > > >
> > > > Hi,
> > > >
> > > > I have configured Zookeeper 3.5.5 to use SASL authentication using Kerberos. I am able to authenticate ZK with Kerberos server but I don't see any authentication happening between Zookeeper client (curator) and ZK server. I have put the following setting in zoo.cfg and followed this guide
> > > > https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication .
> > > >
> > > > authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
> > > > requireClientAuthScheme=sasl
> > > >
> > > > What additional setting do I need to provide so that only authenticated clients (for which principals are present in Kerberos server) can connect to ZK server?
> > > > I also found this link https://github.com/apache/zookeeper/pull/118/commits which mentions that it will be strict only from ZK 3.6 onwards and currently ZK does not enforce it even if we have the configuration.
> > > >
> > > > Thanks
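Enrico's point is that on 3.5.x a SASL-authenticated session is only enforced through ACLs: an unauthenticated client can still open a session, but it cannot read or write znodes whose ACL names the `sasl` scheme. The following Curator client is an added example, not code from the thread or from the ZooKeeper/Curator projects; the connect string, JAAS file path and the principal `zkclient@EXAMPLE.COM` are placeholders you must replace with your own.

```java
import java.util.Collections;
import java.util.List;
import org.apache.curator.framework.CuratorFramework;
import org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.curator.framework.api.ACLProvider;
import org.apache.curator.retry.ExponentialBackoffRetry;
import org.apache.zookeeper.CreateMode;
import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;

public class SaslAclDemo {
    // Placeholder principal. It must match the identity the server assigns after SASL
    // auth: by default the full Kerberos principal, unless the server runs with
    // kerberos.removeHostFromPrincipal / kerberos.removeRealmFromPrincipal set.
    static final String CLIENT_PRINCIPAL = "zkclient@EXAMPLE.COM";

    // Every znode this client creates is readable/writable only by the authenticated
    // principal; the "world" scheme gets no permission at all.
    static final ACLProvider SASL_ONLY = new ACLProvider() {
        @Override public List<ACL> getDefaultAcl() {
            return Collections.singletonList(
                new ACL(ZooDefs.Perms.ALL, new Id("sasl", CLIENT_PRINCIPAL)));
        }
        @Override public List<ACL> getAclForPath(String path) { return getDefaultAcl(); }
    };

    public static void main(String[] args) throws Exception {
        // JAAS file containing the "Client" section shown in the thread (placeholder path).
        System.setProperty("java.security.auth.login.config", "/tmp/zkclient-jaas.conf");
        // Must equal the primary of the server principal ("zookeeper" in the thread).
        System.setProperty("zookeeper.sasl.client.username", "zookeeper");
        CuratorFramework client = CuratorFrameworkFactory.builder()
            .connectString("zk1.example.com:2181")           // placeholder
            .retryPolicy(new ExponentialBackoffRetry(1000, 3))
            .aclProvider(SASL_ONLY)
            .build();
        client.start();
        try {
            client.create().creatingParentsIfNeeded().withMode(CreateMode.PERSISTENT)
                  .forPath("/secure/config", "v1".getBytes("UTF-8"));
            // A session that did not complete SASL (no JAAS file, bad keytab) still connects,
            // but reading or writing /secure/config then fails with NoAuthException.
        } catch (KeeperException.NoAuthException e) {
            System.err.println("not authenticated as " + CLIENT_PRINCIPAL + ": " + e.getMessage());
        } finally {
            client.close();
        }
    }
}
```

To verify the enforcement, run the same program a second time without `java.security.auth.login.config` set and confirm the `getData` on `/secure/config` (or the create) raises `NoAuthException` rather than succeeding.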
