Hi Praveen,

Regarding SASL, some useful links:

- https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication (I just updated this page today)
- I was also checking the Kerberos JAAS configs when I tried these things locally: https://docs.oracle.com/javase/8/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html
- this is a good howto as well: https://github.com/ekoontz/zookeeper/wiki
- https://cwiki.apache.org/confluence/display/ZOOKEEPER/Server-Server+mutual+authentication
In this Jira case you can see some zoo.cfg and client configs that we used to test SASL + SSL:
https://issues.apache.org/jira/browse/ZOOKEEPER-3482?focusedCommentId=16998033&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16998033

With these configs we managed to use ZooKeeper SASL + SSL on a real Hadoop cluster using MIT Kerberos.

Mate

On Thu, Jan 16, 2020 at 10:39 AM Praveen Kumar K S <prav...@securelyshare.com> wrote:
> Thanks Enrico. I was also looking at
> https://issues.apache.org/jira/browse/ZOOKEEPER-2220 who is facing the same
> issue.
>
> I will try with your suggestion. My requirement is to enable SASL based
> authentication between server-server and client-server.
>
> Please advise if I'm looking at the right place or is there any better
> documentation.
>
> Regards,
> Praveen Kumar K S
> +91-9986855625
>
>
> On Thu, Jan 16, 2020 at 3:01 PM Enrico Olivelli - Diennea <enrico.olive...@diennea.com> wrote:
> > Praveen
> > In order to use Netty it is better for you to use 3.5.6, which contains
> > Netty 4. ZooKeeper 3.4.x uses the deprecated Netty 3 for TLS, and it is
> > known to have security flaws and is no longer maintained.
> >
> > Btw your problem looks like there is a missing class and it is weird
> >
> > Enrico
> >
> > On 16/01/20, 10:25, "Praveen Kumar K S" <prav...@securelyshare.com> wrote:
> >
> > Hello,
> >
> > I'm looking for help on enabling authentication in zookeeper. Please
> > note the below approach I have tried.
> >
> > 1. I followed
> > https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+SSL+User+Guide
> > 2. I'm deploying zookeeper as single node using docker
> > 3. Zookeeper version is 3.4.13
> > 4.
> > Below are some important environment variables in the zookeeper
> > container:
> >
> > CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
> >   -Dzookeeper.client.secure=true
> >   -Dzookeeper.ssl.keyStore.location=/opt/vault/zookeeper/ssl/KeyStore.jks
> >   -Dzookeeper.ssl.keyStore.password=XX@123
> >   -Dzookeeper.ssl.trustStore.location=/opt/vault/zookeeper/ssl/truststore.jks
> >   -Dzookeeper.ssl.trustStore.password=XX@123
> >
> > SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
> >   -Dzookeeper.ssl.keyStore.location=/opt/vault/zookeeper/ssl/KeyStore.jks
> >   -Dzookeeper.ssl.keyStore.password=XX@123
> >   -Dzookeeper.ssl.trustStore.location=/opt/vault/zookeeper/ssl/truststore.jks
> >   -Dzookeeper.ssl.trustStore.password=XX@123
> >
> > zookeeper.serverCnxnFactory="org.apache.zookeeper.server.NettyServerCnxnFactory"
> >
> > 5. Below is conf file
> > server.1=0.0.0.0:2888:3888
> > secureClientPort=2281
> > initLimit=5
> > syncLimit=2
> > tickTime=2000
> > clientPort=2181
> > clientPortAddress=zookeeper
> > dataLogDir=/opt/vault/zookeeper/logs
> > dataDir=/opt/vault/zookeeper/data
> >
> > 6. Zookeeper is healthy
> > 7. I tried connecting to Zookeeper server from my machine using
> > zkCli.sh.
> > But getting below error
> >
> > 2020-01-16 14:21:27,798 [myid:] - INFO [main:ZooKeeper@442] - Initiating client connection, connectString=zookeeper:2281 sessionTimeout=30000 watcher=org.apache.zookeeper.ZooKeeperMain$MyWatcher@531d72ca
> > Exception in thread "main" java.io.IOException: Couldn't instantiate org.apache.zookeeper.ClientCnxnSocketNetty
> >     at org.apache.zookeeper.ZooKeeper.getClientCnxnSocket(ZooKeeper.java:1851)
> >     at org.apache.zookeeper.ZooKeeper.<init>(ZooKeeper.java:453)
> >     at org.apache.zookeeper.ZooKeeperMain.connectToZK(ZooKeeperMain.java:283)
> >     at org.apache.zookeeper.ZooKeeperMain.<init>(ZooKeeperMain.java:297)
> >     at org.apache.zookeeper.ZooKeeperMain.main(ZooKeeperMain.java:290)
> > Caused by: java.lang.ClassNotFoundException: org.apache.zookeeper.ClientCnxnSocketNetty
> >     at java.net.URLClassLoader.findClass(URLClassLoader.java:382)
> >     at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
> >     at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:349)
> >     at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
> >     at java.lang.Class.forName0(Native Method)
> >     at java.lang.Class.forName(Class.java:264)
> >     at org.apache.zookeeper.ZooKeeper.getClientCnxnSocket(ZooKeeper.java:1848)
> >     ... 4 more
> >
> > 8. Zookeeper is working fine on 2181
> > 9. I tried to connect Kafka to Zookeeper on port 2281. Getting below error
> >
> > [2020-01-16 09:12:07,477] INFO Initiating client connection, connectString=zookeeper:2281 sessionTimeout=6000 watcher=kafka.zookeeper.ZooKeeperClient$ZooKeeperClientWatcher$@5c33f1a9 (org.apache.zookeeper.ZooKeeper)
> > [2020-01-16 09:12:07,488] INFO [ZooKeeperClient] Waiting until connected. (kafka.zookeeper.ZooKeeperClient)
> > [2020-01-16 09:12:07,489] INFO Opening socket connection to server zookeeper/172.16.13.2:2281.
> > Will not attempt to authenticate using SASL (unknown error) (org.apache.zookeeper.ClientCnxn)
> > [2020-01-16 09:12:07,493] INFO Socket error occurred: zookeeper/172.16.13.2:2281: Connection refused (org.apache.zookeeper.ClientCnxn)
> > [2020-01-16 09:12:08,599] INFO Opening socket connection to server zookeeper/172.16.13.2:2281. Will not attempt to authenticate using SASL (unknown error) (org.apache.zookeeper.ClientCnxn)
> >
> > Please help and advise.
> >
> > Regards,
> > Praveen Kumar K S
> > +91-9986855625
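Added example, not code from this thread or from the ZooKeeper project: a POSIX shell pre-flight check that reads a zoo.cfg and the SERVER_JVMFLAGS string and reports the configuration gaps behind the errors quoted above, including keystore passwords passed on the JVM command line. It assumes ZooKeeper 3.5.5 or later, where the ssl.* keys may be set in zoo.cfg; the function names and sample paths are mine.

```shell
# Added example (not from the thread or from ZooKeeper): pre-flight check for a
# ZooKeeper 3.5.5+ secure-client setup. Reads zoo.cfg and the SERVER_JVMFLAGS string
# and reports the gaps behind the errors above: secureClientPort without the Netty
# factory, SSL without key/trust stores, SASL without a JAAS login config, and
# keystore passwords passed as JVM flags (visible to every local user via ps).
# Usage: zk_secure_check /path/to/zoo.cfg "$SERVER_JVMFLAGS"; exit status = findings.

cfg_get() {  # cfg_get FILE KEY -> last value of KEY in FILE, or empty
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

has_flag() {  # has_flag FLAGS NAME -> true if "-DNAME=..." is present in FLAGS
    case " $1 " in *" -D$2="*) return 0 ;; esac
    return 1
}

zk_secure_check() {
    cfg=$1; flags=$2; findings=0
    netty=org.apache.zookeeper.server.NettyServerCnxnFactory
    port=$(cfg_get "$cfg" secureClientPort)
    if [ -n "$port" ]; then
        if [ "$(cfg_get "$cfg" serverCnxnFactory)" != "$netty" ] && \
           ! has_flag "$flags" zookeeper.serverCnxnFactory; then
            echo "secureClientPort=$port but serverCnxnFactory is not $netty"
            findings=$((findings + 1))
        fi
        for store in keyStore trustStore; do
            if [ -z "$(cfg_get "$cfg" "ssl.$store.location")" ] && \
               ! has_flag "$flags" "zookeeper.ssl.$store.location"; then
                echo "secureClientPort set but no ssl.$store.location configured"
                findings=$((findings + 1))
            fi
        done
    fi
    for store in keyStore trustStore; do
        if has_flag "$flags" "zookeeper.ssl.$store.password"; then
            echo "ssl.$store.password is a JVM flag: move it into zoo.cfg (mode 0600)"
            findings=$((findings + 1))
        fi
    done
    if [ -n "$(cfg_get "$cfg" authProvider.1)" ] || \
       [ "$(cfg_get "$cfg" quorum.auth.enableSasl)" = true ]; then
        if ! has_flag "$flags" java.security.auth.login.config; then
            echo "SASL enabled but SERVER_JVMFLAGS has no -Djava.security.auth.login.config=<jaas.conf>"
            findings=$((findings + 1))
        fi
    fi
    return $findings
}
```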