Thanks, great stuff! I’ve already forgotten about it. So, this is the approach of enforcing clients to authenticate during connection. I reckon another one which would let clients postpone authentication with the ‘addAuth’ command: https://issues.apache.org/jira/browse/ZOOKEEPER-2462
But that’s still open. Not a problem though, 3.6.0 is already super cool with this.

Andor

> On 2020. Jan 6., at 16:09, Enrico Olivelli <[email protected]> wrote:
>
> Take a look at
> https://issues.apache.org/jira/browse/ZOOKEEPER-1634
>
> Enrico
>
> On Mon, 6 Jan 2020 at 13:52, Andor Molnar <[email protected]> wrote:
>
>> Are we going to release client authentication enforcement in 3.6?
>> I can’t remember a patch which implements it.
>>
>> Andor
>>
>>> On 2019. Dec 30., at 15:17, Enrico Olivelli <[email protected]> wrote:
>>>
>>> On Mon, 30 Dec 2019 at 14:55, shrikant kalani <[email protected]> wrote:
>>>
>>>> Enrico,
>>>>
>>>> Is 3.6 going to be available soon? Within 1 month?
>>>
>>> I can't make promises.
>>> It is up to the community.
>>> I can say we are actively preparing the release.
>>> You will see, hopefully next week, a VOTE email thread on the
>>> [email protected] mailing list.
>>>
>>> If you try it and report that it is working for you, this will be a good
>>> contribution to the community.
>>>
>>> Cheers
>>> Enrico
>>>
>>>> Thanks
>>>> Srikant Kalani
>>>>
>>>> Sent from my iPhone
>>>>
>>>>> On 30 Dec 2019, at 9:23 PM, Enrico Olivelli <[email protected]> wrote:
>>>>>
>>>>> If you try to use wrong credentials, corrupted keytab...you won't be able
>>>>> to read/write.
>>>>> Connection maybe is allowed
>>>>>
>>>>> Enrico
>>>>>
>>>>> On Mon, 30 Dec 2019 at 14:19, Arpit Jain <[email protected]> wrote:
>>>>>
>>>>>> Just to confirm the settings I have in my environment:
>>>>>>
>>>>>> 1. On ZK side, my JAAS file looks like this:
>>>>>>
>>>>>> Server {
>>>>>>   com.sun.security.auth.module.Krb5LoginModule required
>>>>>>   useKeyTab=true
>>>>>>   keyTab="/conf/zoo1.keytab"
>>>>>>   storeKey=true
>>>>>>   useTicketCache=false
>>>>>>   principal="zookeeper/[email protected]";
>>>>>> };
>>>>>>
>>>>>> The principal "zookeeper/[email protected]" has been created in the
>>>>>> Kerberos server running locally. I am able to start ZK with this
>>>>>> principal and I can see ticket exchange between ZK and Kerberos for this
>>>>>> principal.
>>>>>>
>>>>>> 2. On client (Curator) side, JAAS file looks like below. Principal
>>>>>> "[email protected]" is present in the Kerberos server. The curator is
>>>>>> able to connect properly to ZK (with or without principal) even though
>>>>>> SASL is enabled. Maybe I should use ZK 3.6 as you pointed out to enforce
>>>>>> authentication.
>>>>>>
>>>>>> Client {
>>>>>>   com.sun.security.auth.module.Krb5LoginModule required
>>>>>>   useKeyTab=true
>>>>>>   keyTab="/tmp/zkclient.keytab"
>>>>>>   storeKey=true
>>>>>>   useTicketCache=false
>>>>>>   principal="[email protected]";
>>>>>> };
>>>>>>
>>>>>> Just want to make sure my settings are correct.
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>>> On Mon, Dec 30, 2019 at 12:47 PM Enrico Olivelli <[email protected]> wrote:
>>>>>>>
>>>>>>> Arpit,
>>>>>>> Up to 3.5.x you can leverage auth only in conjunction with ACLs.
>>>>>>>
>>>>>>> I hope we are able to release 3.6.0 within a couple of weeks.
>>>>>>>
>>>>>>> If you have time you can build from branch-3.6 and run the server
>>>>>>> enabling that feature that you are pointing to.
>>>>>>> It is a server side change only so you can use 3.5 in your application
>>>>>>>
>>>>>>>
>>>>>>> Enrico
>>>>>>>
>>>>>>> On Mon, 30 Dec 2019 at 13:23, shrikant kalani <[email protected]> wrote:
>>>>>>>
>>>>>>>> Couple of things which you can check -
>>>>>>>> 1) if your Zookeeper server is not running with Zookeeper id then you
>>>>>>>> need to set Zookeeper.sasl.client.username
>>>>>>>> 2) set java.security.auth.login.config
>>>>>>>>
>>>>>>>> And I also faced the same issue that there is no strict enforcement to
>>>>>>>> allow only authenticated client. Unless someone is aware of the way I
>>>>>>>> doubt we may need to wait for 3.6
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>> Srikant
>>>>>>>>
>>>>>>>> Sent from my iPhone
>>>>>>>>
>>>>>>>>> On 30 Dec 2019, at 8:11 PM, Arpit Jain <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I have configured Zookeeper 3.5.5 to use SASL authentication using
>>>>>>>>> Kerberos. I am able to authenticate ZK with Kerberos server but I don't
>>>>>>>>> see any authentication happening between Zookeeper client (curator) and
>>>>>>>>> ZK server. I have put the following setting in zoo.cfg and followed this
>>>>>>>>> guide
>>>>>>>>> https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication .
>>>>>>>>>
>>>>>>>>> authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
>>>>>>>>> requireClientAuthScheme=sasl
>>>>>>>>>
>>>>>>>>> What additional setting do I need to provide so that only authenticated
>>>>>>>>> clients (for which principals are present in Kerberos server) can
>>>>>>>>> connect to ZK server?
>>>>>>>>> I also found this link
>>>>>>>>> https://github.com/apache/zookeeper/pull/118/commits which
>>>>>>>>> mentions that it will be strict only from ZK 3.6 onwards and currently
>>>>>>>>> ZK does not enforce it even if we have the configuration.
>>>>>>>>>
>>>>>>>>> Thanks
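An added configuration audit, not from the thread or the ZooKeeper project, that encodes the distinction Enrico draws above: on 3.5.x the two zoo.cfg lines Arpit used do not reject unauthenticated sessions and only znode ACLs block reads and writes, while on 3.6 the ZOOKEEPER-1634 enforcement has to be switched on explicitly. It assumes the 3.6 property is named `sessionRequireClientSASLAuth` (from ZOOKEEPER-1634 and the 3.6 admin guide; verify against the release you deploy) and uses Arpit's lines as a constructed sample.

```python
# Added audit helper, not part of the thread or of ZooKeeper itself.
# Assumption: the 3.6 enforcement switch is `sessionRequireClientSASLAuth`
# (ZOOKEEPER-1634); confirm against the admin guide of the release you run.

SASL_PROVIDER = "org.apache.zookeeper.server.auth.SASLAuthenticationProvider"

# Constructed sample: Arpit's two zoo.cfg lines plus an ordinary setting.
ARPIT_CFG = """
# zoo.cfg excerpt (constructed sample)
tickTime=2000
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
requireClientAuthScheme=sasl
"""

# Same file with the (assumed) 3.6 enforcement flag added.
HARDENED_CFG = ARPIT_CFG + "sessionRequireClientSASLAuth=true\n"


def parse_zoo_cfg(text):
    """Parse zoo.cfg key=value lines; blanks and '#' comments are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def audit_client_auth(cfg, version):
    """Return findings explaining why unauthenticated sessions may still be
    accepted by a server of the given (major, minor, patch) version."""
    findings = []
    providers = [v for k, v in cfg.items() if k.startswith("authProvider.")]
    if SASL_PROVIDER not in providers:
        findings.append("no authProvider.N registers SASLAuthenticationProvider")
    if version < (3, 6):
        # The thread's point: 3.5.x accepts the session regardless of
        # requireClientAuthScheme; only ACLs on the znodes block reads/writes.
        findings.append("3.5.x does not reject unauthenticated sessions; "
                        "protect znodes with ACLs until you run 3.6")
    elif cfg.get("sessionRequireClientSASLAuth", "false").lower() != "true":
        findings.append("3.6 enforcement off: set sessionRequireClientSASLAuth=true")
    return findings


if __name__ == "__main__":
    print(audit_client_auth(parse_zoo_cfg(ARPIT_CFG), (3, 5, 5)))
    print(audit_client_auth(parse_zoo_cfg(ARPIT_CFG), (3, 6, 0)))
    print(audit_client_auth(parse_zoo_cfg(HARDENED_CFG), (3, 6, 0)))
```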
