Take a look at
https://issues.apache.org/jira/browse/ZOOKEEPER-1634

Enrico

On Mon, 6 Jan 2020, 13:52 Andor Molnar <an...@apache.org> wrote:

> Are we going to release client authentication enforcement in 3.6?
> I can’t remember a patch which implements it.
>
> Andor
>
>
>
>
> > On 2019. Dec 30., at 15:17, Enrico Olivelli <eolive...@gmail.com> wrote:
> >
> > On Mon, 30 Dec 2019, 14:55 shrikant kalani <shrikantkal...@gmail.com> wrote:
> >
> >> Enrico,
> >>
> >> Is 3.6 going to be available soon? Within 1 month?
> >>
> >
> > I can't make promises.
> > It is up to the community.
> > I can say we are actively preparing the release.
> > You will see, hopefully next week, a VOTE email thread on
> > d...@zookeeper.apache.org mailing list.
> >
> > If you try it and report that it is working for you, this will be a good
> > contribution to the community
> >
> > Cheers
> > Enrico
> >
> >>
> >> Thanks
> >> Srikant Kalani
> >>
> >> Sent from my iPhone
> >>
> >>> On 30 Dec 2019, at 9:23 PM, Enrico Olivelli <eolive...@gmail.com> wrote:
> >>>
> >>> If you try to use wrong credentials, corrupted keytab... you won't be able
> >>> to read/write.
> >>> Maybe the connection is allowed.
> >>>
> >>> Enrico
> >>>
> >>> On Mon, 30 Dec 2019, 14:19 Arpit Jain <jain.arp...@gmail.com> wrote:
> >>>
> >>>> Just to confirm the settings I have in my environment:
> >>>>
> >>>> 1. On ZK side, my JAAS file looks like this:
> >>>> Server {
> >>>>      com.sun.security.auth.module.Krb5LoginModule required
> >>>>      useKeyTab=true
> >>>>      keyTab="/conf/zoo1.keytab"
> >>>>      storeKey=true
> >>>>      useTicketCache=false
> >>>>      principal="zookeeper/z...@example.com";
> >>>> };
> >>>> The principal "zookeeper/z...@example.com" has been created in the
> >>>> Kerberos server running locally. I am able to start ZK with this
> >>>> principal and I can see ticket exchange between ZK and Kerberos for this
> >>>> principal.
> >>>>
> >>>> 2. On client (Curator) side, JAAS file looks like below. Principal
> >>>> "zkcli...@example.com" is present in Kerberos server. The curator is
> >>>> able to connect properly to ZK (with or without principal) even though
> >>>> SASL is enabled. Maybe I should use ZK 3.6 as you pointed out to enforce
> >>>> authentication.
> >>>> Client {
> >>>>      com.sun.security.auth.module.Krb5LoginModule required
> >>>>      useKeyTab=true
> >>>>      keyTab="/tmp/zkclient.keytab"
> >>>>      storeKey=true
> >>>>      useTicketCache=false
> >>>>      principal="zkcli...@example.com";
> >>>> };
> >>>>
> >>>> Just want to make sure my settings are correct.
> >>>>
> >>>> Thanks
> >>>>
> >>>>> On Mon, Dec 30, 2019 at 12:47 PM Enrico Olivelli <eolive...@gmail.com> wrote:
> >>>>>
> >>>>> Arpit,
> >>>>> Up to 3.5.x you can leverage auth only in conjunction with ACLs.
> >>>>>
> >>>>> I hope we are able to release 3.6.0 within a couple of weeks.
> >>>>>
> >>>>> If you have time you can build from branch-3.6 and run the server
> >>>>> enabling that feature that you are pointing to.
> >>>>> It is a server side change only so you can use 3.5 in your application
> >>>>>
> >>>>>
> >>>>> Enrico
> >>>>>
> >>>>> On Mon, 30 Dec 2019, 13:23 shrikant kalani <shrikantkal...@gmail.com> wrote:
> >>>>>
> >>>>>> Couple of things which you can check -
> >>>>>> 1) if your Zookeeper server is not running with Zookeeper id then you
> >>>>>> need to set zookeeper.sasl.client.username
> >>>>>> 2) set java.security.auth.login.config
> >>>>>>
> >>>>>> And I also faced the same issue that there is no strict enforcement to
> >>>>>> allow only authenticated client. Unless someone is aware of the way I
> >>>>>> doubt we may need to wait for 3.6
> >>>>>>
> >>>>>> Thanks
> >>>>>> Srikant
> >>>>>>
> >>>>>> Sent from my iPhone
> >>>>>>
> >>>>>>> On 30 Dec 2019, at 8:11 PM, Arpit Jain <jain.arp...@gmail.com> wrote:
> >>>>>>>
> >>>>>>> Hi,
> >>>>>>>
> >>>>>>> I have configured Zookeeper 3.5.5 to use SASL authentication using
> >>>>>>> Kerberos. I am able to authenticate ZK with Kerberos server but I don't
> >>>>>>> see any authentication happening between Zookeeper client (curator) and
> >>>>>>> ZK server. I have put the following setting in zoo.cfg and followed this
> >>>>>>> guide
> >>>>>>> https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication
> >>>>>>> .
> >>>>>>>
> >>>>>>> authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
> >>>>>>> requireClientAuthScheme=sasl
> >>>>>>>
> >>>>>>> What additional setting do I need to provide so that only authenticated
> >>>>>>> clients (for which principals are present in Kerberos server) can connect
> >>>>>>> to ZK server?
> >>>>>>> I also found this link
> >>>>>>> https://github.com/apache/zookeeper/pull/118/commits which
> >>>>>>> mentions that it will be strict only from ZK 3.6 onwards and currently ZK
> >>>>>>> does not enforce it even if we have the configuration.
> >>>>>>>
> >>>>>>> Thanks
> >>>>>>
> >>>>>
> >>>>
> >>
>
>
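
The thread's point that, up to 3.5.x, SASL authentication only restricts access in conjunction with ACLs, shown as an added example that is not part of the original messages: a Curator client that creates a znode readable and writable only by one SASL identity, then reads the ACL back to confirm the node is not world-accessible. The JAAS file path, connect string, principal and znode path are placeholders assumed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.List;
import org.apache.curator.framework.CuratorFramework;
import org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.curator.framework.api.ACLProvider;
import org.apache.curator.retry.ExponentialBackoffRetry;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;

public class SaslAclExample {
    // Placeholders (assumptions, not values taken from the thread).
    static final String JAAS_FILE = "/path/to/client-jaas.conf";
    static final String CONNECT = "zk.example.internal:2181";
    static final String PRINCIPAL = "app-client@EXAMPLE.COM";
    static final String PATH = "/app-config-example";

    public static void main(String[] args) throws Exception {
        // JAAS file holding a "Client" section like the one quoted in the thread.
        System.setProperty("java.security.auth.login.config", JAAS_FILE);

        // Grant all permissions to one SASL identity and nothing to world:anyone.
        final List<ACL> acl = Collections.singletonList(
                new ACL(ZooDefs.Perms.ALL, new Id("sasl", PRINCIPAL)));
        ACLProvider provider = new ACLProvider() {
            @Override public List<ACL> getDefaultAcl() { return acl; }
            @Override public List<ACL> getAclForPath(String path) { return acl; }
        };

        try (CuratorFramework client = CuratorFrameworkFactory.builder()
                .connectString(CONNECT)
                .retryPolicy(new ExponentialBackoffRetry(1000, 3))
                .aclProvider(provider)
                .build()) {
            client.start();
            client.create().forPath(PATH, "v1".getBytes(StandardCharsets.UTF_8));

            // Read the ACL back and fail if the node is open to the world scheme.
            List<ACL> stored = client.getACL().forPath(PATH);
            for (ACL entry : stored) {
                if ("world".equals(entry.getId().getScheme())) {
                    throw new IllegalStateException(PATH + " is open to world:anyone");
                }
            }
            System.out.println("ACL on " + PATH + ": " + stored);
        }
    }
}
```

A client that connects without a valid SASL login can still open a session on 3.5.x, but reads and writes on this znode are rejected because no ACL entry matches it.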
