Hello Dene, Currently if you enable Kerberos authentication, then the clients are still able to connect to ZooKeeper without any authentication. Of course they won't be able to access / change any ZNodes protected by ACLs, but they can join and will be authenticated automatically as "word:anyone" and will be able to read / modify any ZNode where you haven't configured any ACL.
You can enforce authentication (maybe using this zoo.cfg property? zookeeper.sessionRequireClientSASLAuth see here: https://zookeeper.apache.org/doc/current/zookeeperAdmin.html#ch_administration ) but AFAIK this feature is disabled by default. So you should be good to make this transition iteratively. But it worths testing :) Kind regards, Mate On Thu, Jul 8, 2021 at 5:07 PM Hamado Dene <[email protected]> wrote: > Hi Everyone, > We will need to switch our existing system using zookeeper (without sasl > auth) to kerberos authentication.Since our system is quite large, is it > possible to configure zookeeper to accept both plaintext connections and > connections with kerberos authentication? > If this is possible, it would allow us to program a plan to restart our > application, without causing major disservices to customers. > Thanks for your help, > > Hamado Dene
