Hi,
I think you are referring to
zookeeper.allowSaslFailedClients
This is casually mentioned in the link you provided but not explained as a
standalone option.
Regards
Chris
On 15 December 2021 08:14:19 Szalay-Bekő Máté <[email protected]>
wrote:
Hello Andrzej,
In ZooKeeper, the authentication is not enforced by default, meaning that
even if you fail to authenticate (or don't even provide any credentials)
you can still connect to ZooKeeper, but your session won't have any user
attached to it. So you will be able to see/modify only the ZNodes that are
granting permission to the "world" user. There are several server side
options to change this behaviour. I think you are looking for the
"enforce.auth.enabled=true" option, see here:
https://zookeeper.apache.org/doc/r3.7.0/zookeeperAdmin.html#sc_authOptions
(I remember there is some other option, which will disable the "fallback to
world user" behaviour (so terminating the session if you connect with wrong
credentials, but still let you connect without providing any credentials).
I remember seeing this in the code, but don't see it in the documentation.
If you would need this one, I can dig deeper.
Kind regards,
Máté
On Tue, Dec 14, 2021 at 2:20 PM Andrzej Trzeciak <
[email protected]> wrote:
Hi,
I’m having trouble implementing the simplest zookeeper (v 3.7.0)
authentication using just username and password and the ‘digest’ mechanism.
I tried various config properties, but none of them worked.
The problem is, that when I connect giving the wrong credentials I am
still being successfully authenticated instead of being rejected.
My setup below (including oprions I have tried, but didn’t work, so I
commented them:
*Zoo.cfg:*
#SASL----------------------------------------------------------------------------
#authProvider.sasl=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
#authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
#requireClientAuthScheme=sasl
#sessionRequireClientSASLAuth=true
#set.acl=true
DigestAuthenticationProvider.enabled=true
enforce.auth.enabled=true
enforce.auth.schemes=digest
#SASL
END--------------------------------------------------------------------------
*Jaas_config:*
Server {
org.apache.zookeeper.server.auth.DigestLoginModule required
user_super="adminsecret"
user_bob="bobsecret";
};
*Client code:*
CuratorFrameworkFactory.Builder builder = CuratorFrameworkFactory.builder()
.connectString(connectUris(zookeeper, "zookeeper:2181"))
.connectionStateErrorPolicy(connectionStateErrorPolicy)
.retryPolicy(retryPolicy)
.aclProvider(aclProvider)
.connectionTimeoutMs(10000)
.sessionTimeoutMs(sessionTimeout);
if(zookeeperAuthEnabled){
builder.authorization("digest",
"kuku:adminsecret4".getBytes());
}
curatorClient = builder.build();
curatorClient.getConnectionStateListenable().addListener((c, s) ->
{
connectionState = s;
log.info(MessageFormat.format("CuratorState
[State={0},Connected={1}]", s.name(), s.isConnected()));
});
curatorClient.start();
try {
curatorClient.blockUntilConnected();
leaderLatch = initLeadership();
} catch (InterruptedException e) {
log.info(e);
}
As a result, when the application starts I a successful authentication and
a message in zookeeper console:
2021-12-14 14:08:45,854 [myid:] - INFO
[NIOWorkerThread-13:ZooKeeperServer@1623] - got auth packet /
192.168.43.169:49753
2021-12-14 14:08:45,854 [myid:] - INFO
[NIOWorkerThread-13:ZooKeeperServer@1642] - Session 0x1004d2f28d00001:
auth success for scheme digest and address /192.168.43.169:49753
*Andrzej Trzeciak*
Senior System Engineer
[image: Exela Technologies]
<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.exelatech.com&d=DwMGAg&c=vUJZwL3cXgysPapgT_xxpQ&r=qYKonYlzjxczUafF69aUpTo2yr3vlnyfAIfacMfaFVc&m=BEleYOt4bfeuGjzvehekEKqcRyy6_G9eQLtKlteRxRA&s=ZtZoxYybCmOC8pf0yeoK229hRtlZVj15I1uUn8zMCe8&e=>
Grudziądzka 46-48 • 87-100 Toruń • Poland
Tel. +48 573 251 507
exelatech.com
<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.exelatech.com&d=DwMGAg&c=vUJZwL3cXgysPapgT_xxpQ&r=qYKonYlzjxczUafF69aUpTo2yr3vlnyfAIfacMfaFVc&m=BEleYOt4bfeuGjzvehekEKqcRyy6_G9eQLtKlteRxRA&s=ZtZoxYybCmOC8pf0yeoK229hRtlZVj15I1uUn8zMCe8&e=>
• About EXELA
<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.exelatech.com_about-2Dus&d=DwMGAg&c=vUJZwL3cXgysPapgT_xxpQ&r=qYKonYlzjxczUafF69aUpTo2yr3vlnyfAIfacMfaFVc&m=BEleYOt4bfeuGjzvehekEKqcRyy6_G9eQLtKlteRxRA&s=2TsjiQIkpmtM3JqrI3DlrrcVDtrKmEIWVY5kqx67Foc&e=>
• Instagram
<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.instagram.com_exelatechnologies&d=DwMGAg&c=vUJZwL3cXgysPapgT_xxpQ&r=qYKonYlzjxczUafF69aUpTo2yr3vlnyfAIfacMfaFVc&m=BEleYOt4bfeuGjzvehekEKqcRyy6_G9eQLtKlteRxRA&s=7GytPlw8jAryTL_JwfZEk8_Bt6Hpe1ZWEVzZTrg2MGw&e=>
• LinkedIn
<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.linkedin.com_company_exela-2Dtechnologies&d=DwMGAg&c=vUJZwL3cXgysPapgT_xxpQ&r=qYKonYlzjxczUafF69aUpTo2yr3vlnyfAIfacMfaFVc&m=BEleYOt4bfeuGjzvehekEKqcRyy6_G9eQLtKlteRxRA&s=vgnCkdlePgn9sFFxSElE3Mfig4_T_crRXr0TfTU6cDM&e=>
------------------------------
Please consider the environment before printing or forwarding this email.
If you do print this email, please recycle the paper.
This email message may contain confidential, proprietary and/or privileged
information. It is intended only for the use of the intended recipient(s).
If you have received it in error, please immediately advise the sender by
reply email and then delete this email message. Any disclosure, copying,
distribution or use of the information contained in this email message to
or by anyone other than the intended recipient is strictly prohibited. Any
views expressed in this message are those of the individual sender, except
where the sender specifically states them to be the views of Exela
Technologies, Inc. or its subsidiaries.
This email does not constitute an agreement to conduct transactions by
electronic means and does not create any legally binding contract or
enforceable obligation against Exela in the absence of a fully signed
written agreement.
