Enrico, Is 3.6 going to be available soon? Within 1 month?

Thanks
Srikant Kalani

Sent from my iPhone

> On 30 Dec 2019, at 9:23 PM, Enrico Olivelli <eolive...@gmail.com> wrote:
>
> If you try to use wrong credentials, a corrupted keytab... you won't be able
> to read/write.
> Connection maybe is allowed
>
> Enrico
>
> On Mon 30 Dec 2019, 14:19 Arpit Jain <jain.arp...@gmail.com> wrote:
>
>> Just to confirm the settings I have in my environment:
>>
>> 1. On the ZK side, my JAAS file looks like this:
>>
>>     Server {
>>       com.sun.security.auth.module.Krb5LoginModule required
>>       useKeyTab=true
>>       keyTab="/conf/zoo1.keytab"
>>       storeKey=true
>>       useTicketCache=false
>>       principal="zookeeper/z...@example.com";
>>     };
>>
>> The principal "zookeeper/z...@example.com" has been created in the Kerberos
>> server running locally. I am able to start ZK with this principal and I can
>> see the ticket exchange between ZK and Kerberos for this principal.
>>
>> 2. On the client (Curator) side, the JAAS file looks like below. The principal
>> "zkcli...@example.com" is present in the Kerberos server. Curator is able to
>> connect properly to ZK (with or without the principal) even though SASL is
>> enabled. Maybe I should use ZK 3.6 as you pointed out to enforce
>> authentication.
>>
>>     Client {
>>       com.sun.security.auth.module.Krb5LoginModule required
>>       useKeyTab=true
>>       keyTab="/tmp/zkclient.keytab"
>>       storeKey=true
>>       useTicketCache=false
>>       principal="zkcli...@example.com";
>>     };
>>
>> Just want to make sure my settings are correct.
>>
>> Thanks
>>
>>> On Mon, Dec 30, 2019 at 12:47 PM Enrico Olivelli <eolive...@gmail.com> wrote:
>>>
>>> Arpit,
>>> Up to 3.5.x you can only leverage auth in conjunction with ACLs.
>>>
>>> I hope we are able to release 3.6.0 within a couple of weeks.
>>>
>>> If you have time you can build from branch-3.6 and run the server enabling
>>> that feature that you are pointing to.
>>> It is a server side change only so you can use 3.5 in your application.
>>>
>>> Enrico
>>>
>>> On Mon 30 Dec 2019, 13:23 shrikant kalani <shrikantkal...@gmail.com> wrote:
>>>
>>>> Couple of things which you can check -
>>>> 1) if your Zookeeper server is not running with the Zookeeper id then you
>>>> need to set zookeeper.sasl.client.username
>>>> 2) set java.security.auth.login.config
>>>>
>>>> And I also faced the same issue that there is no strict enforcement to
>>>> allow only authenticated clients. Unless someone is aware of the way, I
>>>> doubt we may need to wait for 3.6
>>>>
>>>> Thanks
>>>> Srikant
>>>>
>>>> Sent from my iPhone
>>>>
>>>>> On 30 Dec 2019, at 8:11 PM, Arpit Jain <jain.arp...@gmail.com> wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> I have configured Zookeeper 3.5.5 to use SASL authentication using
>>>>> Kerberos. I am able to authenticate ZK with the Kerberos server but I
>>>>> don't see any authentication happening between the Zookeeper client
>>>>> (Curator) and the ZK server. I have put the following settings in zoo.cfg
>>>>> and followed this guide:
>>>>> https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication
>>>>>
>>>>>     authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
>>>>>     requireClientAuthScheme=sasl
>>>>>
>>>>> What additional setting do I need to provide so that only authenticated
>>>>> clients (for which principals are present in the Kerberos server) can
>>>>> connect to the ZK server?
>>>>> I also found this link
>>>>> https://github.com/apache/zookeeper/pull/118/commits which
>>>>> mentions that it will be strict only from ZK 3.6 onwards and currently ZK
>>>>> does not enforce it even if we have the configuration.
>>>>>
>>>>> Thanks
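A configuration check written for this thread (an added example, not code from the list or from the ZooKeeper project): it parses a zoo.cfg and a server JAAS file shaped like the ones quoted above and reports the settings that would still let unauthenticated clients connect, including the 3.5.x enforcement gap Enrico describes. The sample inputs, hostname, realm and keytab path are constructed placeholders.

```python
import re

# Constructed sample inputs mirroring the settings quoted in the thread
# (hostname, realm and keytab path are placeholders, not the poster's values).
ZOO_CFG = """\
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
requireClientAuthScheme=sasl
"""
SERVER_JAAS = """\
Server {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/conf/zoo1.keytab"
  storeKey=true
  useTicketCache=false
  principal="zookeeper/zk1@EXAMPLE.COM";
};
"""

def parse_zoo_cfg(text):
    # key=value lines; blank lines and '#' comments are skipped
    pairs = (l.split("=", 1) for l in text.splitlines()
             if l.strip() and not l.lstrip().startswith("#") and "=" in l)
    return {k.strip(): v.strip() for k, v in pairs}

def parse_jaas(text):
    # {section: {option: value}} for each 'Name { ... };' block;
    # the login-module line carries no '=' so it is not an option
    return {name: dict(re.findall(r'(\w+)\s*=\s*"?([^"\s;]+)"?', body))
            for name, body in re.findall(r"(\w+)\s*\{(.*?)\};", text, re.S)}

def audit(zoo_cfg, server_jaas, version):
    """Settings that would still let unauthenticated clients in."""
    findings, cfg = [], parse_zoo_cfg(zoo_cfg)
    if not any(k.startswith("authProvider.") and v.endswith(".SASLAuthenticationProvider")
               for k, v in cfg.items()):
        findings.append("no SASLAuthenticationProvider registered via authProvider.N")
    if cfg.get("requireClientAuthScheme") != "sasl":
        findings.append("requireClientAuthScheme is not set to sasl")
    srv = parse_jaas(server_jaas).get("Server", {})
    if srv.get("useKeyTab") != "true" or not srv.get("keyTab") or not srv.get("principal"):
        findings.append("Server JAAS section needs useKeyTab=true, keyTab and principal")
    if srv.get("principal", "").split("/")[0].split("@")[0] != "zookeeper":
        findings.append("server principal is not 'zookeeper': "
                        "clients must set zookeeper.sasl.client.username")
    if tuple(int(p) for p in version.split(".")[:2]) < (3, 6):
        findings.append(f"ZooKeeper {version}: requireClientAuthScheme is not enforced "
                        "before 3.6; protect znodes with sasl-scheme ACLs instead")
    return findings
```

Run `audit(ZOO_CFG, SERVER_JAAS, "3.5.5")` against the configuration from the thread and the only finding is the version gap: the settings are correct, but on 3.5.x they do not block unauthenticated sessions without ACLs.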