Hi,
First of all, thank you Máté and Chris for coming back to me with support.
I wanted to inform you that I did use the documentation from the link provided
by Máté and I did use the option 'enforce.auth.enabled=true', yet I was still
being authenticated. After Chris wrote about 'zookeeper.allowSaslFailedClients'
I found a Jira issue on that subject
https://issues.apache.org/jira/browse/ZOOKEEPER-1736
However, I copied the configuration as described in that issue and I am still
successfully authenticating with the wrong credentials.
The config I am now using is (copied from the Jira issue):
zoo.cfg:
requireClientAuthScheme=sasl
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
jaasLoginRenew=3600000
zookeeper.allowSaslFailedClients=false
jaasFile.conf:
Server {
org.apache.zookeeper.server.auth.DigestLoginModule required
user_admin="admin";
};
Client {
org.apache.zookeeper.server.auth.DigestLoginModule required
username="admin"
password="admin";
};
Do you maybe have an example config for that handy?
Kind regards,
Andrzej
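The following is an added example for readers of this thread; it is not code from the original messages or from the ZooKeeper project. It is a small Python model of what the server does with a 'digest' auth packet: generate_digest follows org.apache.zookeeper.server.auth.DigestAuthenticationProvider (the id attached to the session is the user name followed by base64(SHA-1("user:password")), and the provider answers OK for any input, which is the "auth success for scheme digest" line in the log). The ACL walk and the enforce.auth check are simplified, hand-written stand-ins for the server's logic and are assumptions for illustration. The credentials "bob:bobsecret" and "kuku:adminsecret4" are taken from the thread; the two znode ACLs are constructed for the example.

```python
"""Model of ZooKeeper's 'digest' authentication and ACL evaluation.

Added example; not code from the ZooKeeper project or from this thread.
generate_digest follows DigestAuthenticationProvider.generateDigest; the
rest is a simplified, hand-written stand-in for the server's checks."""
import base64
import hashlib
from typing import List, Optional, Tuple

# Bit values of ZooDefs.Perms
READ, WRITE, CREATE, DELETE, ADMIN = 1, 2, 4, 8, 16
ALL = READ | WRITE | CREATE | DELETE | ADMIN

AuthId = Tuple[str, str]          # (scheme, id) attached to a session
AclEntry = Tuple[str, str, int]   # (scheme, id, perms) on a znode


def generate_digest(id_password: str) -> str:
    """'user:password' -> 'user:<base64(sha1(user:password))>'.
    Same derivation as DigestAuthenticationProvider.generateDigest."""
    user = id_password.split(":", 1)[0]
    raw = hashlib.sha1(id_password.encode("utf-8")).digest()
    return f"{user}:{base64.b64encode(raw).decode('ascii')}"


def session_ids_after_auth(credentials: Optional[str]) -> List[AuthId]:
    """What a session carries after its auth packet. The digest provider
    hashes whatever it is given and answers OK; it does not look the user
    up anywhere, so wrong credentials still produce 'auth success'. With
    no auth packet the session carries no id at all."""
    if credentials is None:
        return []
    return [("digest", generate_digest(credentials))]


def enforce_auth_allows(session_ids: List[AuthId], schemes: List[str]) -> bool:
    """Assumed model of enforce.auth.enabled=true / enforce.auth.schemes:
    the session must carry an id for one of the listed schemes. Any digest
    id satisfies it, whatever password was used."""
    return any(scheme in schemes for scheme, _ in session_ids)


def check_acl(acl: List[AclEntry], session_ids: List[AuthId], perm: int) -> bool:
    """Simplified znode ACL check. world:anyone matches every session; a
    digest entry matches only a session whose id equals it exactly.
    Returns False where the server would answer NoAuth."""
    for scheme, acl_id, perms in acl:
        if not perms & perm:
            continue
        if scheme == "world" and acl_id == "anyone":
            return True
        if scheme == "digest" and ("digest", acl_id) in session_ids:
            return True
    return False


def demo() -> dict:
    """Run the scenarios from the thread against two constructed znodes."""
    # Constructed for the example: a node locked to bob, and an open node.
    bob_node: List[AclEntry] = [("digest", generate_digest("bob:bobsecret"), ALL)]
    open_node: List[AclEntry] = [("world", "anyone", ALL)]

    right = session_ids_after_auth("bob:bobsecret")
    wrong = session_ids_after_auth("kuku:adminsecret4")  # credentials from the thread
    anon = session_ids_after_auth(None)

    return {
        "right_password_reads": check_acl(bob_node, right, READ),
        "wrong_password_reads": check_acl(bob_node, wrong, READ),
        "anonymous_reads_bob_node": check_acl(bob_node, anon, READ),
        "anonymous_reads_open_node": check_acl(open_node, anon, READ),
        "wrong_password_passes_enforce_auth": enforce_auth_allows(wrong, ["digest"]),
        "anonymous_passes_enforce_auth": enforce_auth_allows(anon, ["digest"]),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:38s} {'allowed' if allowed else 'NoAuth / refused'}")
```

The point the model makes: with the digest scheme the "auth success" log line only records that a digest id was attached to the session, and enforce.auth.enabled only requires that such an id exists. Whether a client with the wrong password gets anywhere is decided per znode by its ACL, so the practical check is to create a node with a digest ACL for the expected user and confirm that a session using other credentials receives NoAuth. The SASL scheme with the DigestLoginModule, which the thread's jaas.conf Server section configures, is the one that verifies the password at connect time.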
-----Original Message-----
From: Chris T. <[email protected]>
Sent: Wednesday, December 15, 2021 8:19 AM
To: [email protected]
Subject: Re: zookeeper digest authentication
Hi,
I think you are referring to
zookeeper.allowSaslFailedClients
This is casually mentioned in the link you provided but not explained as a
standalone option.
Regards
Chris
On 15 December 2021 08:14:19 Szalay-Bekő Máté <[email protected]>
wrote:
> Hello Andrzej,
>
> In ZooKeeper, the authentication is not enforced by default, meaning
> that even if you fail to authenticate (or don't even provide any
> credentials) you can still connect to ZooKeeper, but your session
> won't have any user attached to it. So you will be able to see/modify
> only the ZNodes that are granting permission to the "world" user.
> There are several server side options to change this behaviour. I
> think you are looking for the "enforce.auth.enabled=true" option, see here:
> https://zookeeper.apache.org/doc/r3.7.0/zookeeperAdmin.html#sc_authOptions
>
> I remember there is some other option, which will disable the
> "fallback to world user" behaviour (so terminating the session if you
> connect with wrong credentials, but still letting you connect without providing
> any credentials).
> I remember seeing this in the code, but don't see it in the documentation.
> If you would need this one, I can dig deeper.
>
> Kind regards,
> Máté
>
> On Tue, Dec 14, 2021 at 2:20 PM Andrzej Trzeciak <
> [email protected]> wrote:
>
>> Hi,
>>
>> I’m having trouble implementing the simplest zookeeper (v 3.7.0)
>> authentication using just username and password and the ‘digest’ mechanism.
>>
>> I tried various config properties, but none of them worked.
>>
>> The problem is, that when I connect giving the wrong credentials I am
>> still being successfully authenticated instead of being rejected.
>>
>> My setup is below (including options I have tried but which didn't work, so I
>> commented them out):
>>
>> *Zoo.cfg:*
>>
>> #SASL--------------------------------------------------------------------------
>> #authProvider.sasl=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
>> #authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
>> #requireClientAuthScheme=sasl
>> #sessionRequireClientSASLAuth=true
>> #set.acl=true
>> DigestAuthenticationProvider.enabled=true
>> enforce.auth.enabled=true
>> enforce.auth.schemes=digest
>> #SASL END----------------------------------------------------------------------
>>
>> *Jaas_config:*
>>
>> Server {
>>     org.apache.zookeeper.server.auth.DigestLoginModule required
>>     user_super="adminsecret"
>>     user_bob="bobsecret";
>> };
>>
>> *Client code:*
>>
>> import java.text.MessageFormat;
>> import org.apache.curator.framework.CuratorFrameworkFactory;
>>
>> // Build the Curator client; the digest credentials are sent in an auth
>> // packet right after the session is established.
>> CuratorFrameworkFactory.Builder builder = CuratorFrameworkFactory.builder()
>>         .connectString(connectUris(zookeeper, "zookeeper:2181"))
>>         .connectionStateErrorPolicy(connectionStateErrorPolicy)
>>         .retryPolicy(retryPolicy)
>>         .aclProvider(aclProvider)
>>         .connectionTimeoutMs(10000)
>>         .sessionTimeoutMs(sessionTimeout);
>>
>> if (zookeeperAuthEnabled) {
>>     // scheme "digest", auth data "user:password" (deliberately wrong here)
>>     builder.authorization("digest", "kuku:adminsecret4".getBytes());
>> }
>>
>> curatorClient = builder.build();
>>
>> curatorClient.getConnectionStateListenable().addListener((c, s) -> {
>>     connectionState = s;
>>     log.info(MessageFormat.format("CuratorState [State={0},Connected={1}]",
>>             s.name(), s.isConnected()));
>> });
>>
>> curatorClient.start();
>>
>> try {
>>     curatorClient.blockUntilConnected();
>>     leaderLatch = initLeadership();
>> } catch (InterruptedException e) {
>>     log.info(e);
>> }
>>
>>
>>
>>
>> As a result, when the application starts I see a successful
>> authentication and a message in the zookeeper console:
>>
>> 2021-12-14 14:08:45,854 [myid:] - INFO [NIOWorkerThread-13:ZooKeeperServer@1623] - got auth packet /192.168.43.169:49753
>> 2021-12-14 14:08:45,854 [myid:] - INFO [NIOWorkerThread-13:ZooKeeperServer@1642] - Session 0x1004d2f28d00001: auth success for scheme digest and address /192.168.43.169:49753
>>
>>
>>
>>
>>
>> *Andrzej Trzeciak*
>> Senior System Engineer
>> Exela Technologies
>> Grudziądzka 46-48 • 87-100 Toruń • Poland
>> Tel. +48 573 251 507
>> exelatech.com <https://www.exelatech.com>
>> • About EXELA <https://www.exelatech.com/about-us>
>> • Instagram <https://www.instagram.com/exelatechnologies>
>> • LinkedIn <https://www.linkedin.com/company/exela-technologies>
>>
>>
>> ------------------------------
>> Please consider the environment before printing or forwarding this email.
>> If you do print this email, please recycle the paper.
>>
>> This email message may contain confidential, proprietary and/or
>> privileged information. It is intended only for the use of the intended
>> recipient(s).
>> If you have received it in error, please immediately advise the
>> sender by reply email and then delete this email message. Any
>> disclosure, copying, distribution or use of the information contained
>> in this email message to or by anyone other than the intended
>> recipient is strictly prohibited. Any views expressed in this message
>> are those of the individual sender, except where the sender
>> specifically states them to be the views of Exela Technologies, Inc. or its
>> subsidiaries.
>>
>> This email does not constitute an agreement to conduct transactions
>> by electronic means and does not create any legally binding contract
>> or enforceable obligation against Exela in the absence of a fully
>> signed written agreement.
>>