Are we going to release client authentication enforcement in 3.6? I can’t remember a patch which implements it.
Andor

> On 2019. Dec 30., at 15:17, Enrico Olivelli <[email protected]> wrote:
>
> On Mon, 30 Dec 2019, 14:55 shrikant kalani <[email protected]> wrote:
>
>> Enrico,
>>
>> Is 3.6 going to be available soon? Within 1 month?
>
> I can't make promises.
> It is up to the community.
> I can say we are actively preparing the release.
> You will see, hopefully next week, a VOTE email thread on the [email protected] mailing list.
>
> If you try it and report that it is working for you, this will be a good contribution to the community.
>
> Cheers
> Enrico
>
>> Thanks
>> Srikant Kalani
>>
>> Sent from my iPhone
>>
>>> On 30 Dec 2019, at 9:23 PM, Enrico Olivelli <[email protected]> wrote:
>>>
>>> If you try to use wrong credentials, corrupted keytab... you won't be able to read/write.
>>> Connection maybe is allowed.
>>>
>>> Enrico
>>>
>>> On Mon, 30 Dec 2019, 14:19 Arpit Jain <[email protected]> wrote:
>>>
>>>> Just to confirm the settings I have in my environment:
>>>>
>>>> 1. On ZK side, my JAAS file looks like this:
>>>>
>>>>     Server {
>>>>       com.sun.security.auth.module.Krb5LoginModule required
>>>>       useKeyTab=true
>>>>       keyTab="/conf/zoo1.keytab"
>>>>       storeKey=true
>>>>       useTicketCache=false
>>>>       principal="zookeeper/[email protected]";
>>>>     };
>>>>
>>>> The principal "zookeeper/[email protected]" has been created in the Kerberos server running locally. I am able to start ZK with this principal and I can see ticket exchange between ZK and Kerberos for this principal.
>>>>
>>>> 2. On client (Curator) side, the JAAS file looks like below. Principal "[email protected]" is present in the Kerberos server. The Curator is able to connect properly to ZK (with or without principal) even though SASL is enabled. Maybe I should use ZK 3.6 as you pointed out to enforce authentication.
>>>>
>>>>     Client {
>>>>       com.sun.security.auth.module.Krb5LoginModule required
>>>>       useKeyTab=true
>>>>       keyTab="/tmp/zkclient.keytab"
>>>>       storeKey=true
>>>>       useTicketCache=false
>>>>       principal="[email protected]";
>>>>     };
>>>>
>>>> Just want to make sure my settings are correct.
>>>>
>>>> Thanks
>>>>
>>>>> On Mon, Dec 30, 2019 at 12:47 PM Enrico Olivelli <[email protected]> wrote:
>>>>>
>>>>> Arpit,
>>>>> Up to 3.5.x you can only leverage auth in conjunction with ACLs.
>>>>>
>>>>> I hope we are able to release 3.6.0 within a couple of weeks.
>>>>>
>>>>> If you have time you can build from branch-3.6 and run the server enabling that feature that you are pointing to.
>>>>> It is a server side change only so you can use 3.5 in your application.
>>>>>
>>>>> Enrico
>>>>>
>>>>> On Mon, 30 Dec 2019, 13:23 shrikant kalani <[email protected]> wrote:
>>>>>
>>>>>> Couple of things which you can check -
>>>>>> 1) if your Zookeeper server is not running with the Zookeeper id then you need to set zookeeper.sasl.client.username
>>>>>> 2) set java.security.auth.login.config
>>>>>>
>>>>>> And I also faced the same issue that there is no strict enforcement to allow only authenticated clients. Unless someone is aware of the way, I doubt; we may need to wait for 3.6.
>>>>>>
>>>>>> Thanks
>>>>>> Srikant
>>>>>>
>>>>>> Sent from my iPhone
>>>>>>
>>>>>>> On 30 Dec 2019, at 8:11 PM, Arpit Jain <[email protected]> wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I have configured Zookeeper 3.5.5 to use SASL authentication using Kerberos. I am able to authenticate ZK with the Kerberos server but I don't see any authentication happening between the Zookeeper client (Curator) and the ZK server. I have put the following setting in zoo.cfg and followed this guide:
>>>>>>> https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication
>>>>>>>
>>>>>>>     authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
>>>>>>>     requireClientAuthScheme=sasl
>>>>>>>
>>>>>>> What additional setting do I need to provide so that only authenticated clients (for which principals are present in the Kerberos server) can connect to the ZK server?
>>>>>>> I also found this link https://github.com/apache/zookeeper/pull/118/commits which mentions that it will be strict only from ZK 3.6 onwards and currently ZK does not enforce it even if we have the configuration.
>>>>>>>
>>>>>>> Thanks
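Enrico's point that on 3.5.x SASL authentication only bites "in conjunction with ACLs" is what the thread leaves unillustrated: the server still accepts an unauthenticated session, so the data has to be protected per znode. The following is an added example, not code from the thread or from the ZooKeeper/Curator projects. It shows a Curator client that installs an ACLProvider granting access only to the `sasl` scheme identity, so that a client which connected without (or with a bad) Kerberos login can open a session but cannot read or write the protected nodes. The connect string, the znode path and the principal `zkclient@EXAMPLE.REALM` are placeholders for the thread's redacted values; the JAAS `Client {...}` section from the thread is assumed to be supplied via `-Djava.security.auth.login.config`.

```java
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.List;

import org.apache.curator.framework.CuratorFramework;
import org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.curator.framework.api.ACLProvider;
import org.apache.curator.retry.ExponentialBackoffRetry;
import org.apache.zookeeper.CreateMode;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;

/**
 * Added example: restrict znodes to a SASL-authenticated principal so that
 * an unauthenticated session (which ZooKeeper 3.5.x still admits) gets
 * NoAuth on read/write instead of plain access.
 */
public class SaslOnlyAclExample {

    // Placeholder: the Kerberos principal from the client keytab, exactly as
    // the server sees it after authentication (host/realm may be stripped
    // if the server is configured to do so; check the server's view first).
    static final String CLIENT_PRINCIPAL = "zkclient@EXAMPLE.REALM";

    // Only the named, SASL-authenticated principal gets any permission.
    // There is deliberately no "world:anyone" entry.
    static final List<ACL> SASL_ONLY = Collections.singletonList(
            new ACL(ZooDefs.Perms.ALL, new Id("sasl", CLIENT_PRINCIPAL)));

    /** ACLProvider that applies SASL_ONLY to every node Curator creates. */
    static ACLProvider saslOnlyProvider() {
        return new ACLProvider() {
            @Override
            public List<ACL> getDefaultAcl() {
                return SASL_ONLY;
            }

            @Override
            public List<ACL> getAclForPath(String path) {
                // Same policy for parents created by creatingParentsIfNeeded().
                return SASL_ONLY;
            }
        };
    }

    public static void main(String[] args) throws Exception {
        // Placeholder connect string; the JAAS config is picked up from
        // -Djava.security.auth.login.config=<path to jaas.conf>.
        CuratorFramework client = CuratorFrameworkFactory.builder()
                .connectString("localhost:2181")
                .retryPolicy(new ExponentialBackoffRetry(1000, 3))
                .aclProvider(saslOnlyProvider())
                .build();
        client.start();
        client.blockUntilConnected();

        String path = "/secure/app-config"; // placeholder path
        if (client.checkExists().forPath(path) == null) {
            // Parents and the leaf are all created with the sasl-only ACL.
            client.create()
                  .creatingParentsIfNeeded()
                  .withMode(CreateMode.PERSISTENT)
                  .forPath(path, "initial".getBytes(StandardCharsets.UTF_8));
        }

        // Verify what the server actually stored; expect a single sasl entry.
        List<ACL> stored = client.getACL().forPath(path);
        System.out.println("ACL on " + path + ": " + stored);

        client.close();
    }
}
```

Run this once with the keytab-backed JAAS config in place, then start the same program without `java.security.auth.login.config`: the session still connects (matching "Connection maybe is allowed"), but `getData()`/`setData()` on the node fail with `NoAuthException`, which is the 3.5.x-era enforcement the thread is asking about. The server-side switch that refuses unauthenticated sessions outright arrived with 3.6 as the `zookeeper.sessionRequireClientSASLAuth` Java system property; the per-node ACL above remains worthwhile even then, since it limits which authenticated principal may touch which subtree.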
