[ https://issues.apache.org/jira/browse/ZOOKEEPER-3743?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17047311#comment-17047311 ]

Mate Szalay-Beko edited comment on ZOOKEEPER-3743 at 2/28/20 8:28 AM:
----------------------------------------------------------------------

Hi Alexandre,

I agree, we definitely need to improve the error message. A few weeks back we 
were also investigating a problem with 
Sebastian Schmitz (see on the [email protected]) where a 
misleading error message made it hard to debug a config error. Also just 1-2 
days ago we were facing a similar production issue in my company. We definitely 
need to add a few extra checks and logs to help debug these problems.

I will prepare a PR for that.

Still, back to your issue. If you use SASL authentication, you will need two 
jaas.conf files: one used by the server and one used by the clients. For the 
server (assuming you also use quorum authentication between servers) you need 
to provide three sections:
- QuorumLearner
- QuorumServer
- Server

And for the client, you need to provide only a single section in your 
jaas.conf file, named 'Client'.


These two config files should work on ZooKeeper 3.5.6:

*jaas_server.conf:*
{code:java}
QuorumServer {
        org.apache.zookeeper.server.auth.DigestLoginModule required
        user_zkinternal="test";
};
QuorumLearner {
        org.apache.zookeeper.server.auth.DigestLoginModule required
        username="zkinternal"
        password="test";
};
Server {
        org.apache.zookeeper.server.auth.DigestLoginModule required
        user_zkclient="test";
};
{code}


*jaas_client.conf:*
{code:java}
Client {
        org.apache.zookeeper.server.auth.DigestLoginModule required
        username="zkclient"
        password="test";
};
{code}

For the server config file (zoo.cfg) you need to add the following lines to 
have the Quorum SASL authentication work:

{code:java}
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
quorum.auth.enableSasl=true
quorum.auth.learnerRequireSasl=true
quorum.auth.serverRequireSasl=true
quorum.auth.learner.saslLoginContext=QuorumLearner
quorum.auth.server.saslLoginContext=QuorumServer
{code}


Then you need to make sure that you provide the correct jaas config path to 
the server and also to the client. E.g. when you start the server: 
{{SERVER_JVMFLAGS="-Djava.security.auth.login.config=./conf/jaas_server.conf" 
./bin/zkServer.sh start-foreground}}

And similarly when you start e.g. the command line ZooKeeper client: 
{{CLIENT_JVMFLAGS="-Djava.security.auth.login.config=./conf/jaas_client.conf"  
./bin/zkCli.sh 127.0.0.1:2181}}

Unfortunately, even if you did these things right, there can still be some 
problems when you get the above mentioned error message. In this case please 
check the following:
- the zookeeper process has the permission to read the jaas config files you specified
- the zookeeper process has the permission to read the java.policy / java.security and other related files (these are usually somewhere in your JAVA_HOME/jre/lib/security - depending on your JDK / OS)

If you need more examples, you can check this repo where I have a 
dockerized environment with ZooKeeper digest authentication (among other 
configs / use-cases), see: https://github.com/symat/zookeeper-docker-test 

If these still don't help, please provide more info (like your OS version, Java 
version, ZooKeeper configs and logs, the command you use to start ZooKeeper, 
etc.) to make it possible to reproduce your environment. 

(AFAIK the digest authentication is working in ZooKeeper for many people, it 
should be some config / environmental issue on your side.)
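A pre-flight check for the server-side rules in this comment (the three sections when quorum SASL is on, entries terminated with ';', sections closed with '};'), written as an added Python example that is not ZooKeeper's own parser; the zoo.cfg keys and the default context names QuorumLearner/QuorumServer are the ones used above, and the module class, flag and option tokens are kept as plain strings rather than interpreted.

```python
# Added example, not ZooKeeper code: a pre-flight linter for the JAAS files described above.
import re

SECTION_RE = re.compile(r'^(\w+)\s*\{$')   # a login-context header such as "Server {"

def parse_jaas(text):
    """Return {section: [[token, ...], ...]} or raise ValueError naming the bad line."""
    sections, current, entry = {}, None, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('//'):
            continue
        m = SECTION_RE.match(line)
        if m:                                      # opens a login context
            if current is not None:
                raise ValueError(f"line {lineno}: section '{current}' never closed with '}};'")
            current, entry = m.group(1), []
            sections[current] = []
        elif line == '};':                         # closes the login context
            if current is None or entry:           # tokens seen but no ';': the missing-semicolon case
                raise ValueError(f"line {lineno}: '}};' without a ';'-terminated entry before it")
            current = None
        elif current is None:
            raise ValueError(f"line {lineno}: text outside any section: {line}")
        else:                                      # module class, flag and options; ';' ends the entry
            entry.extend(line.rstrip(';').split())
            if line.endswith(';'):
                sections[current].append(entry)
                entry = []
    if current is not None:
        raise ValueError(f"end of file: section '{current}' never closed with '}};'")
    return sections

def required_server_sections(zoo_cfg):
    """'Server' always (a JAAS file was passed to the server) plus the quorum contexts if quorum SASL is on."""
    cfg = dict(l.strip().split('=', 1) for l in zoo_cfg.splitlines()
               if '=' in l and not l.lstrip().startswith('#'))
    needed = {'Server'}
    if cfg.get('quorum.auth.enableSasl', 'false').strip().lower() == 'true':
        needed.add(cfg.get('quorum.auth.learner.saslLoginContext', 'QuorumLearner').strip())
        needed.add(cfg.get('quorum.auth.server.saslLoginContext', 'QuorumServer').strip())
    return needed

def lint(jaas_text, zoo_cfg):
    """Problems as strings; an empty list means the server-side JAAS file should load."""
    try:
        sections = parse_jaas(jaas_text)
    except ValueError as e:
        return [str(e)]
    return [f"missing JAAS section '{s}'" for s in sorted(required_server_sections(zoo_cfg) - set(sections))]
```

Run `lint(open(jaas_path).read(), open(zoo_cfg_path).read())` as the same OS user that runs ZooKeeper, so an unreadable file surfaces as a PermissionError in the same pass.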


> Poor error messages about the parsing of the jass.conf file
> -----------------------------------------------------------
>
>                 Key: ZOOKEEPER-3743
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3743
>             Project: ZooKeeper
>          Issue Type: Improvement
>    Affects Versions: 3.5.6
>         Environment: Debian 10
>            Reporter: Alexandre Anouthcine
>            Assignee: Mate Szalay-Beko
>            Priority: Major
>
> I'm trying to set up a cluster of 3 Zookeeper nodes and I'm struggling to 
> understand the error messages regarding the jaas.conf file. 
> I found 2 articles about the [Server-Server mutual 
> authentication|https://cwiki.apache.org/confluence/display/ZOOKEEPER/Server-Server+mutual+authentication]
> The jaas.conf file is the same on the 3 nodes and it seems to be working:
> {code}
> QuorumServer {
>   org.apache.zookeeper.server.auth.DigestLoginModule required
>   user_zkinternal="pa$$word";
> };
> 
> QuorumLearner {
>   org.apache.zookeeper.server.auth.DigestLoginModule required
>   username="zkinternal"
>   password="pa$$word";
> };
> {code}
> Now I want to connect a Solr client to it. I found an article about 
> [Client-Server mutual 
> authentication|https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication]
> It shows an example:
> {code}
> Server {
>   org.apache.zookeeper.server.auth.DigestLoginModule required
>   user_super="adminsecret"
>   user_bob="bobsecret";
> };
> {code}
> The problem is when I try to change my original jaas.conf file with something 
> else like:
> {code}
> QuorumServer {
>   org.apache.zookeeper.server.auth.DigestLoginModule required
>   user_zkinternal="pa$$word";
>   user_solr="solrsecret";
> };
> 
> QuorumLearner {
>   org.apache.zookeeper.server.auth.DigestLoginModule required
>   username="zkinternal"
>   password="pa$$word";
> };
> {code}
> or 
> {code}
> QuorumServer {
>   org.apache.zookeeper.server.auth.DigestLoginModule required
>   user_zkinternal="pa$$word";
> };
> 
> QuorumLearner {
>   org.apache.zookeeper.server.auth.DigestLoginModule required
>   username="zkinternal"
>   password="pa$$word";
> };
> 
> Server {
>   org.apache.zookeeper.server.auth.DigestLoginModule required
>   user_solr="solrsecret";
> };
> {code}
> or even
> {code}
> QuorumServer {
>   org.apache.zookeeper.server.auth.DigestLoginModule required
>   user_zkinternal="pa$$word"
> };
> 
> QuorumLearner {
>   org.apache.zookeeper.server.auth.DigestLoginModule required
>   username="zkinternal"
>   password="pa$$word";
> };
> {code}
> (Notice the missing semicolon for the user)
> I always get the same error message, which doesn't make much sense to me:
> {code}
> 2020-02-27 16:24:07,815 [myid:] - INFO  [main:QuorumPeerConfig@133] - Reading configuration from: /conf/zoo.cfg
> 2020-02-27 16:24:07,815 [myid:] - INFO  [main:QuorumPeerConfig@133] - Reading configuration from: /conf/zoo.cfg
> 2020-02-27 16:24:07,822 [myid:] - INFO  [main:QuorumPeerConfig@385] - clientPortAddress is 0.0.0.0/0.0.0.0:2181
> 2020-02-27 16:24:07,822 [myid:] - INFO  [main:QuorumPeerConfig@389] - secureClientPort is not set
> 2020-02-27 16:24:08,676 [myid:3] - INFO  [main:DatadirCleanupManager@78] - autopurge.snapRetainCount set to 3
> 2020-02-27 16:24:08,678 [myid:3] - INFO  [main:DatadirCleanupManager@79] - autopurge.purgeInterval set to 0
> 2020-02-27 16:24:08,679 [myid:3] - INFO  [main:DatadirCleanupManager@101] - Purge task is not scheduled.
> 2020-02-27 16:24:08,680 [myid:3] - INFO  [main:ManagedUtil@46] - Log4j found with jmx enabled.
> 2020-02-27 16:24:08,690 [myid:3] - INFO  [main:QuorumPeerMain@141] - Starting quorum peer
> 2020-02-27 16:24:08,697 [myid:3] - INFO  [main:ServerCnxnFactory@135] - Using org.apache.zookeeper.server.NIOServerCnxnFactory as server connection factory
> 2020-02-27 16:24:08,712 [myid:3] - ERROR [main:ServerCnxnFactory@231] - No JAAS configuration section named 'Server' was found in '/conf/jaas.conf'.
> 2020-02-27 16:24:08,730 [myid:3] - ERROR [main:QuorumPeerMain@101] - Unexpected exception, exiting abnormally
> java.io.IOException: No JAAS configuration section named 'Server' was found in '/conf/jaas.conf'. 
>   at org.apache.zookeeper.server.ServerCnxnFactory.configureSaslLogin(ServerCnxnFactory.java:232)
>   at org.apache.zookeeper.server.NIOServerCnxnFactory.configure(NIOServerCnxnFactory.java:646)
>   at org.apache.zookeeper.server.quorum.QuorumPeerMain.runFromConfig(QuorumPeerMain.java:148)
>   at org.apache.zookeeper.server.quorum.QuorumPeerMain.initializeAndRun(QuorumPeerMain.java:123)
>   at org.apache.zookeeper.server.quorum.QuorumPeerMain.main(QuorumPeerMain.java:82)
> {code}
> So what does it mean? How do I do it?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
