[
https://issues.apache.org/jira/browse/ZOOKEEPER-3743?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17047761#comment-17047761
]
Mate Szalay-Beko commented on ZOOKEEPER-3743:
---------------------------------------------
In ZooKeeper 3.5.x I don't think you can enforce authentication. The basic idea
is that, using ACLs, you can fine-tune for each ZNode in ZooKeeper which
authenticated users have read / write / etc. permissions. So even if some user
can log in without authentication, he shouldn't be able to see your sensitive
data (if you set the ACLs properly).

However, from ZooKeeper 3.6.0 (hopefully released very soon) there will be a
new system property named zookeeper.sessionRequireClientSASLAuth: when it
is set to true, the ZooKeeper server will only accept connections and
requests from clients that have authenticated with the server via SASL. Clients
that are not configured with SASL authentication, or configured with SASL but
failed authentication (i.e. with invalid credentials) will not be able to
establish a session with the server. A typed error code (-124) will be delivered
in such a case; both the Java and C clients will close the session with the
server thereafter, without further attempts to reconnect.
> Poor error messages about the parsing of the jass.conf file
> -----------------------------------------------------------
>
> Key: ZOOKEEPER-3743
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3743
> Project: ZooKeeper
> Issue Type: Improvement
> Affects Versions: 3.5.6
> Environment: Debian 10
> Reporter: Alexandre Anouthcine
> Assignee: Mate Szalay-Beko
> Priority: Major
>
> I'm trying to set up a cluster of 3 Zookeeper nodes and I'm struggling to
> understand the error messages regarding the jaas.conf file.
> I found 2 articles about the Server-Server mutual authentication
> (https://cwiki.apache.org/confluence/display/ZOOKEEPER/Server-Server+mutual+authentication).
> The jaas.conf file is the same on the 3 nodes and it seems to be working:
>
> QuorumServer {
>   org.apache.zookeeper.server.auth.DigestLoginModule required
>   user_zkinternal="pa$$word";
> };
>
> QuorumLearner {
>   org.apache.zookeeper.server.auth.DigestLoginModule required
>   username="zkinternal";
>   password="pa$$word";
> };
> Now I want to connect a Solr client to it. I found an article about
> Client-Server mutual authentication
> (https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication).
> It shows an example:
>
> Server {
>   org.apache.zookeeper.server.auth.DigestLoginModule required
>   user_super="adminsecret"
>   user_bob="bobsecret";
> };
> The problem is when I try to change my original jaas.conf file to something
> else like:
>
> QuorumServer {
>   org.apache.zookeeper.server.auth.DigestLoginModule required
>   user_zkinternal="pa$$word";
>   user_solr="solrsecret";
> };
>
> QuorumLearner {
>   org.apache.zookeeper.server.auth.DigestLoginModule required
>   username="zkinternal"
>   password="pa$$word";
> };
> or
>
> QuorumServer {
>   org.apache.zookeeper.server.auth.DigestLoginModule required
>   user_zkinternal="pa$$word";
> };
>
> QuorumLearner {
>   org.apache.zookeeper.server.auth.DigestLoginModule required
>   username="zkinternal"
>   password="pa$$word";
> };
>
> Server {
>   org.apache.zookeeper.server.auth.DigestLoginModule required
>   user_solr="solrsecret";
> };
>
> or even
>
> QuorumServer {
>   org.apache.zookeeper.server.auth.DigestLoginModule required
>   user_zkinternal="pa$$word"
> };
>
> QuorumLearner {
>   org.apache.zookeeper.server.auth.DigestLoginModule required
>   username="zkinternal"
>   password="pa$$word";
> };
> (Notice the missing semicolon for the user)
> I always get the same error message which doesn't make much sense to me:
> 2020-02-27 16:24:07,815 [myid:] - INFO [main:QuorumPeerConfig@133] - Reading configuration from: /conf/zoo.cfg
> 2020-02-27 16:24:07,815 [myid:] - INFO [main:QuorumPeerConfig@133] - Reading configuration from: /conf/zoo.cfg
> 2020-02-27 16:24:07,822 [myid:] - INFO [main:QuorumPeerConfig@385] - clientPortAddress is 0.0.0.0/0.0.0.0:2181
> 2020-02-27 16:24:07,822 [myid:] - INFO [main:QuorumPeerConfig@389] - secureClientPort is not set
> 2020-02-27 16:24:08,676 [myid:3] - INFO [main:DatadirCleanupManager@78] - autopurge.snapRetainCount set to 3
> 2020-02-27 16:24:08,678 [myid:3] - INFO [main:DatadirCleanupManager@79] - autopurge.purgeInterval set to 0
> 2020-02-27 16:24:08,679 [myid:3] - INFO [main:DatadirCleanupManager@101] - Purge task is not scheduled.
> 2020-02-27 16:24:08,680 [myid:3] - INFO [main:ManagedUtil@46] - Log4j found with jmx enabled.
> 2020-02-27 16:24:08,690 [myid:3] - INFO [main:QuorumPeerMain@141] - Starting quorum peer
> 2020-02-27 16:24:08,697 [myid:3] - INFO [main:ServerCnxnFactory@135] - Using org.apache.zookeeper.server.NIOServerCnxnFactory as server connection factory
> 2020-02-27 16:24:08,712 [myid:3] - ERROR [main:ServerCnxnFactory@231] - No JAAS configuration section named 'Server' was found in '/conf/jaas.conf'.
> 2020-02-27 16:24:08,730 [myid:3] - ERROR [main:QuorumPeerMain@101] - Unexpected exception, exiting abnormally
> java.io.IOException: No JAAS configuration section named 'Server' was found in '/conf/jaas.conf'.
>     at org.apache.zookeeper.server.ServerCnxnFactory.configureSaslLogin(ServerCnxnFactory.java:232)
>     at org.apache.zookeeper.server.NIOServerCnxnFactory.configure(NIOServerCnxnFactory.java:646)
>     at org.apache.zookeeper.server.quorum.QuorumPeerMain.runFromConfig(QuorumPeerMain.java:148)
>     at org.apache.zookeeper.server.quorum.QuorumPeerMain.initializeAndRun(QuorumPeerMain.java:123)
>     at org.apache.zookeeper.server.quorum.QuorumPeerMain.main(QuorumPeerMain.java:82)
>
> So what does it mean? How do I do it?
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
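The JAAS file format the reporter is fighting with, as an added example that is not part of the issue or of the ZooKeeper project: a small Python parser for `Name { ModuleClass flag key="value" ...; };` sections that names exactly which section or semicolon is wrong, plus a check for the section names ZooKeeper's own error message and the linked wiki pages use (`Server`, `QuorumServer`, `QuorumLearner`). The sample configs are constructed to mirror the shapes in the issue, the passwords are hypothetical, and the `user_` option check assumes DigestLoginModule as on the page.

```python
import re

FLAGS = {"required", "requisite", "sufficient", "optional"}  # the four JAAS control flags

def parse_jaas(text):
    """Parse JAAS text into {section: [(module, flag, {option: value}), ...]}, failing loudly."""
    text = re.sub(r"//[^\n]*|/\*.*?\*/", "", text, flags=re.S)  # drop // and /* */ comments
    toks = re.findall(r'"[^"]*"|[{};=]|[^\s{};=]+', text)      # strings, punctuation, words
    sections, i = {}, 0
    while i < len(toks):
        name = toks[i]
        if i + 1 >= len(toks) or toks[i + 1] != "{":
            raise ValueError(f"expected '{{' after section name {name!r}")
        i, entries = i + 2, []
        while i < len(toks) and toks[i] != "}":   # each entry: ModuleClass flag [key=value ...] ;
            if i + 1 >= len(toks) or toks[i + 1].lower() not in FLAGS:
                raise ValueError(f"section {name!r}: {toks[i]!r} must be a login module class followed by a flag; is an earlier entry's ';' misplaced?")
            module, flag, opts, i = toks[i], toks[i + 1].lower(), {}, i + 2
            while i < len(toks) and toks[i] != ";":
                if toks[i] == "}" or i + 2 >= len(toks) or toks[i + 1] != "=":
                    raise ValueError(f"section {name!r}: entry {module} is missing its terminating ';'")
                opts[toks[i]] = toks[i + 2].strip('"')
                i += 3
            entries.append((module, flag, opts))
            i += 1  # step over the entry's ';'
        if i + 1 >= len(toks) or toks[i + 1] != ";":
            raise ValueError(f"section {name!r}: closing '}}' must be followed by ';'")
        sections[name], i = entries, i + 2
    return sections

def check_zookeeper_jaas(sections, client_sasl=True, quorum_sasl=True):
    """Report ZooKeeper-specific gaps: default names 'Server' (client SASL), 'QuorumServer'/'QuorumLearner' (quorum SASL)."""
    need = (["Server"] if client_sasl else []) + (["QuorumServer", "QuorumLearner"] if quorum_sasl else [])
    problems = [f"missing section {s!r}" for s in need if s not in sections]
    for sec in ("Server", "QuorumServer"):  # DigestLoginModule takes user_<name>="<password>" options here
        if sec in sections and not any(k.startswith("user_") for _, _, o in sections[sec] for k in o):
            problems.append(f"section {sec!r} defines no user_<name> credentials")
    return problems

def lint(text, **kw):
    try:
        return check_zookeeper_jaas(parse_jaas(text), **kw)
    except ValueError as e:
        return [str(e)]
# Constructed samples shaped like the issue's configs (hypothetical passwords, not real credentials).
MISSING_SEMICOLON = 'QuorumServer {\n  org.apache.zookeeper.server.auth.DigestLoginModule required\n  user_zkinternal="pa$$word"\n};'
NO_SERVER_SECTION = 'QuorumServer { org.apache.zookeeper.server.auth.DigestLoginModule required user_zkinternal="pa$$word"; };'
COMPLETE = NO_SERVER_SECTION + '''
QuorumLearner { org.apache.zookeeper.server.auth.DigestLoginModule required username="zkinternal" password="pa$$word"; };
Server { org.apache.zookeeper.server.auth.DigestLoginModule required user_solr="solrsecret"; };'''
```

Note that a `;` after every option (as in the reporter's QuorumLearner) makes the next option parse as a new login module entry, which the parser reports as a misplaced semicolon rather than a missing section.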