Enrico,

Is 3.6 going to be available soon? Within 1 month?

Thanks
Srikant Kalani

Sent from my iPhone

> On 30 Dec 2019, at 9:23 PM, Enrico Olivelli <eolive...@gmail.com> wrote:
> 
> If you try to use wrong credentials, corrupted keytab...you won't be able
> to read/write.
> Connection maybe is allowed
> 
> Enrico
> 
> On Mon, 30 Dec 2019, 14:19 Arpit Jain <jain.arp...@gmail.com> wrote:
> 
>> Just to confirm the settings I have in my environment:
>> 
>> 1. On ZK side, my JAAS file looks like this:
>> Server {
>>       com.sun.security.auth.module.Krb5LoginModule required
>>       useKeyTab=true
>>       keyTab="/conf/zoo1.keytab"
>>       storeKey=true
>>       useTicketCache=false
>>       principal="zookeeper/z...@example.com";
>> };
>> The principal "zookeeper/z...@example.com" has been
>> created in Kerberos server running locally. I am able to start ZK with this
>> principal and I can see ticket exchange between ZK and Kerberos for this
>> principal.
>> 
>> 2. On client (Curator) side, JAAS file looks like below. Principal
>> "zkcli...@example.com" is present in Kerberos server. The curator is able
>> to connect properly to ZK (with or without principal) even though SASL is
>> enabled. Maybe I should use ZK 3.6 as you pointed out to enforce
>> authentication.
>> Client {
>>       com.sun.security.auth.module.Krb5LoginModule required
>>       useKeyTab=true
>>       keyTab="/tmp/zkclient.keytab"
>>       storeKey=true
>>       useTicketCache=false
>>       principal="zkcli...@example.com";
>> };
>> 
>> Just want to make sure my settings are correct.
>> 
>> Thanks
>> 
>>> On Mon, Dec 30, 2019 at 12:47 PM Enrico Olivelli <eolive...@gmail.com>
>>> wrote:
>>> 
>>> Arpit,
>>> Up to 3.5.x you can leverage auth only in conjunction with ACLs.
>>> 
>>> I hope we are able to release 3.6.0 within a couple of weeks.
>>> 
>>> If you have time you can build from branch-3.6 and run the server enabling
>>> that feature that you are pointing to.
>>> It is a server side change only so you can use 3.5 in your application
>>> 
>>> 
>>> Enrico
>>> 
>>> On Mon, 30 Dec 2019, 13:23 shrikant kalani <shrikantkal...@gmail.com> wrote:
>>> 
>>>> Couple of things which you can check -
>>>> 1) if your Zookeeper server is not running with Zookeeper id then you
>>>> need to set zookeeper.sasl.client.username
>>>> 2) set java.security.auth.login.config
>>>> 
>>>> And I also faced the same issue that there is no strict enforcement to
>>>> allow only authenticated client. Unless someone is aware of the way I doubt
>>>> we may need to wait for 3.6
>>>> 
>>>> Thanks
>>>> Srikant
>>>> 
>>>> Sent from my iPhone
>>>> 
>>>>> On 30 Dec 2019, at 8:11 PM, Arpit Jain <jain.arp...@gmail.com> wrote:
>>>>> 
>>>>> Hi,
>>>>> 
>>>>> I have configured Zookeeper 3.5.5 to use SASL authentication using
>>>>> Kerberos. I am able to authenticate ZK with Kerberos server but I don't see
>>>>> any authentication happening between Zookeeper client (curator) and ZK
>>>>> server. I have put the following setting in zoo.cfg and followed this guide
>>>>> https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication
>>>>> .
>>>>> 
>>>>> authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
>>>>> requireClientAuthScheme=sasl
>>>>> 
>>>>> What additional setting I need to provide so that only authenticated
>>>>> clients (for which principals are present in Kerberos server) can connect
>>>>> to ZK server ?
>>>>> I also found this link
>>>>> https://github.com/apache/zookeeper/pull/118/commits which
>>>>> mentions that it will be strict only from ZK 3.6 onwards and currently ZK
>>>>> does not enforce it even if we have the configuration.
>>>>> 
>>>>> Thanks
>>>> 
>>> 
>> 
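
The thread's point that up to 3.5.x authentication only takes effect through ACLs, as an added example (not code from the thread or from the ZooKeeper or Curator projects): a Curator client that creates znodes with the creator-only ACL, then lists every znode it can read that is still open to `world:anyone`. The class name, the `localhost:2181` address and the `/app/config` path are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.List;
import org.apache.curator.framework.CuratorFramework;
import org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.curator.framework.api.ACLProvider;
import org.apache.curator.retry.ExponentialBackoffRetry;
import org.apache.curator.utils.ZKPaths;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.data.ACL;

public class SaslAclExample {  // hypothetical class name
    // Every znode this client creates is restricted to the creating session's
    // authenticated identity (the "auth" scheme). The server rejects the create
    // with InvalidACL if the session did not authenticate.
    static final ACLProvider CREATOR_ONLY = new ACLProvider() {
        @Override public List<ACL> getDefaultAcl() { return ZooDefs.Ids.CREATOR_ALL_ACL; }
        @Override public List<ACL> getAclForPath(String path) { return ZooDefs.Ids.CREATOR_ALL_ACL; }
    };

    // Walk the tree and print znodes whose ACL still includes world:anyone.
    // Subtrees this client is not allowed to read raise NoAuthException.
    static void reportWorldAccessible(CuratorFramework client, String path) throws Exception {
        for (ACL acl : client.getACL().forPath(path)) {
            if ("world".equals(acl.getId().getScheme())) {
                System.out.println("world-accessible: " + path + " perms=" + acl.getPerms());
            }
        }
        for (String child : client.getChildren().forPath(path)) {
            reportWorldAccessible(client, ZKPaths.makePath(path, child));
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumptions: placeholder server address and znode path; the JVM is started
        // with -Djava.security.auth.login.config=<client JAAS file> as in the thread.
        try (CuratorFramework client = CuratorFrameworkFactory.builder()
                .connectString("localhost:2181")
                .retryPolicy(new ExponentialBackoffRetry(1000, 3))
                .aclProvider(CREATOR_ONLY)
                .build()) {
            client.start();
            client.create().creatingParentsIfNeeded()
                  .forPath("/app/config", "v1".getBytes(StandardCharsets.UTF_8));
            reportWorldAccessible(client, "/");
        }
    }
}
```

Znodes created before the ACL provider was in place keep their old ACLs, so anything the report prints under an application path needs its ACL reset explicitly.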
