Take a look at https://issues.apache.org/jira/browse/ZOOKEEPER-1634

Enrico

On Mon, 6 Jan 2020, 13:52 Andor Molnar <an...@apache.org> wrote:

> Are we going to release client authentication enforcement in 3.6?
> I can't remember a patch which implements it.
>
> Andor
>
>
> > On 2019. Dec 30., at 15:17, Enrico Olivelli <eolive...@gmail.com> wrote:
> >
> > On Mon, 30 Dec 2019, 14:55 shrikant kalani <shrikantkal...@gmail.com> wrote:
> >
> >> Enrico,
> >>
> >> Is 3.6 going to be available soon? Within 1 month?
> >>
> >
> > I can't make promises.
> > It is up to the community.
> > I can say we are actively preparing the release.
> > You will see, hopefully next week, a VOTE email thread on the
> > d...@zookeeper.apache.org mailing list.
> >
> > If you try it and report that it is working for you, this will be a good
> > contribution to the community.
> >
> > Cheers
> > Enrico
> >
> >>
> >> Thanks
> >> Srikant Kalani
> >>
> >> Sent from my iPhone
> >>
> >>> On 30 Dec 2019, at 9:23 PM, Enrico Olivelli <eolive...@gmail.com> wrote:
> >>>
> >>> If you try to use wrong credentials, a corrupted keytab... you won't be
> >>> able to read/write.
> >>> The connection maybe is allowed.
> >>>
> >>> Enrico
> >>>
> >>> On Mon, 30 Dec 2019, 14:19 Arpit Jain <jain.arp...@gmail.com> wrote:
> >>>
> >>>> Just to confirm the settings I have in my environment:
> >>>>
> >>>> 1. On the ZK side, my JAAS file looks like this:
> >>>>
> >>>> Server {
> >>>>   com.sun.security.auth.module.Krb5LoginModule required
> >>>>   useKeyTab=true
> >>>>   keyTab="/conf/zoo1.keytab"
> >>>>   storeKey=true
> >>>>   useTicketCache=false
> >>>>   principal="zookeeper/z...@example.com";
> >>>> };
> >>>>
> >>>> The principal "zookeeper/z...@example.com" has been created in the
> >>>> Kerberos server running locally. I am able to start ZK with this
> >>>> principal and I can see the ticket exchange between ZK and Kerberos for
> >>>> this principal.
> >>>>
> >>>> 2. On the client (Curator) side, the JAAS file looks like below. The
> >>>> principal "zkcli...@example.com" is present in the Kerberos server. The
> >>>> Curator client is able to connect properly to ZK (with or without the
> >>>> principal) even though SASL is enabled. Maybe I should use ZK 3.6 as you
> >>>> pointed out to enforce authentication.
> >>>>
> >>>> Client {
> >>>>   com.sun.security.auth.module.Krb5LoginModule required
> >>>>   useKeyTab=true
> >>>>   keyTab="/tmp/zkclient.keytab"
> >>>>   storeKey=true
> >>>>   useTicketCache=false
> >>>>   principal="zkcli...@example.com";
> >>>> };
> >>>>
> >>>> I just want to make sure my settings are correct.
> >>>>
> >>>> Thanks
> >>>>
> >>>>> On Mon, Dec 30, 2019 at 12:47 PM Enrico Olivelli <eolive...@gmail.com> wrote:
> >>>>>
> >>>>> Arpit,
> >>>>> Up to 3.5.x you can only leverage auth in conjunction with ACLs.
> >>>>>
> >>>>> I hope we are able to release 3.6.0 within a couple of weeks.
> >>>>>
> >>>>> If you have time you can build from branch-3.6 and run the server
> >>>>> enabling that feature that you are pointing to.
> >>>>> It is a server-side change only, so you can use 3.5 in your application.
> >>>>>
> >>>>> Enrico
> >>>>>
> >>>>> On Mon, 30 Dec 2019, 13:23 shrikant kalani <shrikantkal...@gmail.com> wrote:
> >>>>>
> >>>>>> A couple of things which you can check:
> >>>>>> 1) if your Zookeeper server is not running with the Zookeeper id, then
> >>>>>>    you need to set Zookeeper.sasl.client.username
> >>>>>> 2) set java.security.auth.login.config
> >>>>>>
> >>>>>> And I also faced the same issue that there is no strict enforcement to
> >>>>>> allow only authenticated clients. Unless someone is aware of the way, I
> >>>>>> doubt it; we may need to wait for 3.6.
> >>>>>>
> >>>>>> Thanks
> >>>>>> Srikant
> >>>>>>
> >>>>>> Sent from my iPhone
> >>>>>>
> >>>>>>> On 30 Dec 2019, at 8:11 PM, Arpit Jain <jain.arp...@gmail.com> wrote:
> >>>>>>>
> >>>>>>> Hi,
> >>>>>>>
> >>>>>>> I have configured Zookeeper 3.5.5 to use SASL authentication using
> >>>>>>> Kerberos. I am able to authenticate ZK with the Kerberos server, but I
> >>>>>>> don't see any authentication happening between the Zookeeper client
> >>>>>>> (Curator) and the ZK server. I have put the following settings in
> >>>>>>> zoo.cfg and followed this guide:
> >>>>>>> https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication
> >>>>>>>
> >>>>>>> authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
> >>>>>>> requireClientAuthScheme=sasl
> >>>>>>>
> >>>>>>> What additional setting do I need to provide so that only
> >>>>>>> authenticated clients (for which principals are present in the
> >>>>>>> Kerberos server) can connect to the ZK server?
> >>>>>>> I also found this link
> >>>>>>> https://github.com/apache/zookeeper/pull/118/commits which
> >>>>>>> mentions that it will be strict only from ZK 3.6 onwards and currently
> >>>>>>> ZK does not enforce it even if we have the configuration.
> >>>>>>>
> >>>>>>> Thanks
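The practical consequence of the thread above, for anyone on 3.5.x: a SASL/Kerberos-enabled server still accepts a session from a client that never authenticates, and `requireClientAuthScheme=sasl` does not change that. What does keep data away from such a session is an ACL whose only entry uses the `sasl` scheme, so that the authenticated principal is the only identity with any permission. The program below is an added example written for this thread; it is not code from any of the participants or from the ZooKeeper project. It assumes a reachable 3.5.x server configured as in Arpit's zoo.cfg, that the JVM is started with `-Djava.security.auth.login.config=<client JAAS file>` so the `Client` section is available, and a connect string (`localhost:2181`), node path (`/secure-config`) and client principal (`zkclient@EXAMPLE.COM`) that are placeholders for the deployment's own values. It opens one SASL-authenticated session, creates a node that only that principal may touch, then opens a second session with SASL switched off and shows that the read is refused with `NoAuth` even though the connection itself was accepted.

```java
import org.apache.zookeeper.CreateMode;
import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.Watcher;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.ZooKeeper;
import org.apache.zookeeper.client.ZKClientConfig;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;

import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.List;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;

// Added example for this thread, not ZooKeeper project code.
// Run with: java -Djava.security.auth.login.config=/path/to/client-jaas.conf SaslAclDemo
public class SaslAclDemo {
    static final String CONNECT = "localhost:2181";           // assumption
    static final String PATH = "/secure-config";              // assumption
    // Assumption. The "sasl" ACL id must equal the principal as the server sees it
    // after authentication: the full Kerberos principal (with realm) unless the server
    // runs with zookeeper.kerberos.removeRealmFromPrincipal / removeHostFromPrincipal.
    static final String PRINCIPAL = "zkclient@EXAMPLE.COM";

    // Opens a session and waits until it is connected. With sasl=true the client
    // performs the Kerberos handshake (JAAS "Client" section) before sending any
    // request; with sasl=false it connects as an anonymous session, which a 3.5.x
    // server accepts.
    static ZooKeeper connect(boolean sasl) throws Exception {
        ZKClientConfig conf = new ZKClientConfig();
        conf.setProperty(ZKClientConfig.ENABLE_CLIENT_SASL_KEY, Boolean.toString(sasl));
        CountDownLatch connected = new CountDownLatch(1);
        ZooKeeper zk = new ZooKeeper(CONNECT, 30_000, event -> {
            if (event.getState() == Watcher.Event.KeeperState.SyncConnected) {
                connected.countDown();
            }
        }, false, conf);
        if (!connected.await(30, TimeUnit.SECONDS)) {
            zk.close();
            throw new IllegalStateException("no connection to " + CONNECT);
        }
        return zk;
    }

    // ACL with a single entry: all permissions for one SASL identity, nothing for
    // world:anyone. This is what actually restricts access on 3.5.x.
    static List<ACL> ownerOnly(String principal) {
        return Collections.singletonList(new ACL(ZooDefs.Perms.ALL, new Id("sasl", principal)));
    }

    public static void main(String[] args) throws Exception {
        ZooKeeper authed = connect(true);
        try {
            if (authed.exists(PATH, false) == null) {
                authed.create(PATH, "secret".getBytes(StandardCharsets.UTF_8),
                        ownerOnly(PRINCIPAL), CreateMode.PERSISTENT);
            }
            byte[] data = authed.getData(PATH, false, null);
            System.out.println("authenticated read: " + new String(data, StandardCharsets.UTF_8));
        } finally {
            authed.close();
        }

        // Second session: connection is established, but the read is denied.
        ZooKeeper anon = connect(false);
        try {
            anon.getData(PATH, false, null);
            System.out.println("UNEXPECTED: unauthenticated session could read " + PATH);
        } catch (KeeperException.NoAuthException e) {
            System.out.println("unauthenticated read of " + PATH + " refused with NoAuth, as intended");
        } finally {
            anon.close();
        }
    }
}
```

Two caveats follow from the design. First, the ACL protects only the nodes it is set on: the anonymous session above still holds a valid session and can list or create children under any node whose ACL allows `world:anyone`, including the root, whose default ACL is open, so every node that matters needs a `sasl`-only ACL, not just the leaves. Second, the server-side enforcement tracked in ZOOKEEPER-1634 (the `sessionRequireClientSASLAuth` setting in 3.6.0) closes that gap at session establishment, which is why the thread points to 3.6 rather than to more configuration on 3.5.5.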