[ https://issues.apache.org/jira/browse/ZOOKEEPER-3914?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ella Kurginyan updated ZOOKEEPER-3914:
--------------------------------------
Description:
my zoo.cfg:
{code:java}
tickTime=2000
initLimit=5
syncLimit=2
dataDir=/var/lib/zookeeper
clientPort=2181
maxClientCnxns=0
autopurge.snapRetainCount=3
autopurge.purgeInterval=24
standaloneEnabled=false
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
zookeeper.allowSaslFailedClients=false
jaasLoginRenew=3600000
kerberos.removeHostFromPrincipal=true
kerberos.removeRealmFromPrincipal=true
server.1=myhost.internal:2888:3888
{code}
zookeeper-env.sh
{code:java}
export JAVA="$JAVA_HOME/bin/java"
export ZOO_LOG4J_PROP="DEBUG, CONSOLE, ROLLINGFILE"
export ZOO_LOG_DIR="/var/log/zookeeper"
export ZOOPIDFILE="/var/run/zookeeper/zookeeper_server.pid"
export SERVER_JVMFLAGS="-Djava.security.auth.login.config=/etc/zookeeper/conf/zookeeper_server_jaas.conf"
export CLIENT_JVMFLAGS="$CLIENT_JVMFLAGS -Djava.security.auth.login.config=/etc/zookeeper/conf/zookeeper_client_jaas.conf"
{code}
zookeeper_server_jaas.conf
{code:java}
Server {
  com.sun.security.auth.module.Krb5LoginModule required
  doNotPrompt=true
  useKeyTab=true
  storeKey=true
  useTicketCache=false
  keyTab="/tmp/keytabs/zookeeper.keytab"
  principal="zookeeper/[email protected]";
};
{code}
zookeeper_client_jaas.conf
{code:java}
Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=false
  useTicketCache=true;
};
{code}
For an anonymous user it's allowed to connect:
{code:java}
2020-08-17 13:58:18,603 - WARN [main-SendThread(localhost:2181):SaslClientCallbackHandler@60] - Could not login: the Client is being asked for a password, but the ZooKeeper Client code does not currently support obtaining a password from the user. Make sure that the Client is configured to use a ticket cache (using the JAAS configuration setting 'useTicketCache=true)' and restart the Client. If you still get this message after that, the TGT in the ticket cache has expired and must be manually refreshed. To do so, first determine if you are using a password or a keytab. If the former, run kinit in a Unix shell in the environment of the user who is running this Zookeeper Client using the command 'kinit <princ>' (where <princ> is the name of the Client's Kerberos principal). If the latter, do 'kinit -k -t <keytab> <princ>' (where <princ> is the name of the Kerberos principal, and <keytab> is the location of the keytab file). After manually refreshing your cache, restart this Client. If you continue to see this message after manually refreshing your cache, ensure that your KDC host's clock is in sync with this host's clock.
2020-08-17 13:58:18,604 - WARN [main-SendThread(localhost:2181):ClientCnxn$SendThread@1010] - SASL configuration failed: javax.security.auth.login.LoginException: No password provided Will continue connection to Zookeeper server without SASL authentication,if Zookeeper server allows it.
2020-08-17 13:58:18,606 - INFO [main-SendThread(localhost:2181):ClientCnxn$SendThread@1028] - Opening socket connection to server localhost/0:0:0:0:0:0:0:1:2181
WATCHER::
WatchedEvent state:AuthFailed type:None path:null
2020-08-17 13:58:18,653 - INFO [main-SendThread(localhost:2181):ClientCnxn$SendThread@878] - Socket connection established to localhost/0:0:0:0:0:0:0:1:2181, initiating session
2020-08-17 13:58:18,662 - INFO [main-SendThread(localhost:2181):ClientCnxn$SendThread@1302] - Session establishment complete on server localhost/0:0:0:0:0:0:0:1:2181, sessionid = 0x1001d710bf9003e, negotiated timeout = 30000
WATCHER::
WatchedEvent state:SyncConnected type:None path:null
[zk: localhost:2181(CONNECTED) 0] ls /
{code}
For a wrong user the connection is dropped:
{code:java}
2020-08-18 16:09:41,628 [myid:localhost:2181] - ERROR [main-SendThread(localhost:2181):ZooKeeperSaslClient@341] - An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]) occurred when evaluating Zookeeper Quorum Member's received SASL token. Zookeeper Client will go to AUTH_FAILED state.
2020-08-18 16:09:41,629 [myid:localhost:2181] - ERROR [main-SendThread(localhost:2181):ClientCnxn$SendThread@1151] - SASL authentication with Zookeeper Quorum member failed: javax.security.sasl.SaslException: An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]) occurred when evaluating Zookeeper Quorum Member's received SASL token. Zookeeper Client will go to AUTH_FAILED state.
WATCHER::
WatchedEvent state:AuthFailed type:None path:null
2020-08-18 16:09:41,629 [myid:] - INFO [main-EventThread:ClientCnxn$EventThread@524] - EventThread shut down for session: 0x1008b3112ae0004
[zk: localhost:2181(AUTH_FAILED) 0]
[zk: localhost:2181(AUTH_FAILED) 0]
{code}
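As an added check that is not part of this report or of ZooKeeper itself: a small Python parser for the zkCli log format shown above that flags any session the client established after announcing it would continue without SASL authentication. Against a Kerberized ensemble that really rejects unauthenticated clients the result must be empty; the constructed samples (condensed from the two transcripts above) show the anonymous case being flagged and the wrong-user case not. It assumes the record layout quoted above and keys records by the thread name before the last colon.

```python
import re
from typing import Dict, List

# Shape of a ZooKeeper 3.5 client (zkCli) log record as shown in this report:
#   "<date> <time>[ [myid:...]] - <LEVEL> [<thread>:<class>@<line>] - <message>"
TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}"
RECORD_START = re.compile(rf"(?={TS}(?: \[myid:[^\]]*\])? - [A-Z]+ \[)")
RECORD_RE = re.compile(
    rf"^(?P<ts>{TS})(?: \[myid:[^\]]*\])? - (?P<level>[A-Z]+) "
    r"\[(?P<thread>[^\]]+):(?P<cls>[^:\]]+)\] - (?P<msg>.*)$"
)
# Printed by the client when JAAS login fails and it falls back to an unauthenticated session.
FALLBACK_MARK = "Will continue connection to Zookeeper server without SASL authentication"
SESSION_MARK = "Session establishment complete"
SESSION_ID_RE = re.compile(r"sessionid = (0x[0-9a-fA-F]+)")

def parse_records(log: str) -> List[Dict[str, str]]:
    """Undo console/e-mail line wrapping, then split the text into parsed records."""
    flat = " ".join(log.split())
    records = []
    for chunk in RECORD_START.split(flat):
        m = RECORD_RE.match(chunk.strip())
        if m:
            records.append(m.groupdict())
    return records

def find_unauthenticated_sessions(log: str) -> List[str]:
    """Session ids established by a SendThread that earlier fell back to no SASL auth."""
    fell_back, sessions = set(), []
    for rec in parse_records(log):
        if FALLBACK_MARK in rec["msg"]:
            fell_back.add(rec["thread"])
        elif SESSION_MARK in rec["msg"] and rec["thread"] in fell_back:
            m = SESSION_ID_RE.search(rec["msg"])
            sessions.append(m.group(1) if m else "<unknown>")
    return sessions

# Constructed samples, condensed from the two zkCli transcripts in this report.
ANONYMOUS_LOG = """
2020-08-17 13:58:18,604 - WARN [main-SendThread(localhost:2181):ClientCnxn$SendThread@1010] - SASL
configuration failed: javax.security.auth.login.LoginException: No password provided
Will continue connection to Zookeeper server without SASL authentication,if Zookeeper server allows it. 2020-08-17
13:58:18,662 - INFO [main-SendThread(localhost:2181):ClientCnxn$SendThread@1302] - Session
establishment complete on server localhost/0:0:0:0:0:0:0:1:2181, sessionid = 0x1001d710bf9003e, negotiated timeout = 30000
"""
WRONG_USER_LOG = """
2020-08-18 16:09:41,629 [myid:localhost:2181] - ERROR [main-SendThread(localhost:2181):ClientCnxn$SendThread@1151] - SASL
authentication with Zookeeper Quorum member failed: javax.security.sasl.SaslException: GSS initiate failed
2020-08-18 16:09:41,629 [myid:] - INFO [main-EventThread:ClientCnxn$EventThread@524] - EventThread shut down for session: 0x1008b3112ae0004
"""
```

Run it over a full zkCli session log captured from a client whose JAAS login is deliberately left unconfigured; any session id it returns is a session the ensemble accepted without authentication.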
> Kerberized Zookeeper doesn't drop connection for unauthenticated clients
> ------------------------------------------------------------------------
>
> Key: ZOOKEEPER-3914
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3914
> Project: ZooKeeper
> Issue Type: Bug
> Affects Versions: 3.5.6
> Reporter: Ella Kurginyan
> Priority: Critical
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)