[
https://issues.apache.org/jira/browse/ZOOKEEPER-3914?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17181097#comment-17181097
]
Enrico Olivelli commented on ZOOKEEPER-3914:
--------------------------------------------
Can you please describe what you expect to happen?
> Kerberized Zookeeper doesn't drop connection for unauthenticated clients
> ------------------------------------------------------------------------
>
> Key: ZOOKEEPER-3914
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3914
> Project: ZooKeeper
> Issue Type: Bug
> Affects Versions: 3.5.6
> Reporter: Ella Kurginyan
> Priority: Critical
>
> my zoo.cfg:
> {code:java}
> tickTime=2000
> initLimit=5
> syncLimit=2
> dataDir=/var/lib/zookeeper
> clientPort=2181
> maxClientCnxns=0
> autopurge.snapRetainCount=3
> autopurge.purgeInterval=24
> standaloneEnabled=false
> authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
> zookeeper.allowSaslFailedClients=false
> jaasLoginRenew=3600000
> kerberos.removeHostFromPrincipal=true
> kerberos.removeRealmFromPrincipal=true
> server.1=myhost.internal:2888:3888
> {code}
>
> zookeeper-env.sh
> {code:java}
> export JAVA="$JAVA_HOME/bin/java"
> export ZOO_LOG4J_PROP="DEBUG, CONSOLE, ROLLINGFILE"
> export ZOO_LOG_DIR="/var/log/zookeeper"
> export ZOOPIDFILE="/var/run/zookeeper/zookeeper_server.pid"
> export SERVER_JVMFLAGS="-Djava.security.auth.login.config=/etc/zookeeper/conf/zookeeper_server_jaas.conf"
> export CLIENT_JVMFLAGS="$CLIENT_JVMFLAGS -Djava.security.auth.login.config=/etc/zookeeper/conf/zookeeper_client_jaas.conf"
> {code}
>
> zookeeper_server_jaas.conf:
> {code:java}
> Server {
> com.sun.security.auth.module.Krb5LoginModule required
> doNotPrompt=true
> useKeyTab=true
> storeKey=true
> useTicketCache=false
> keyTab="/tmp/keytabs/zookeeper.keytab"
> principal="zookeeper/[email protected]";
> };
> {code}
> zookeeper_client_jaas.conf:
> {code:java}
> Client {
> com.sun.security.auth.module.Krb5LoginModule required
> useKeyTab=false
> useTicketCache=true;
> };
> {code}
> For an anonymous user it's allowed to connect:
> {code:java}
> 2020-08-17 13:58:18,603 - WARN [main-SendThread(localhost:2181):SaslClientCallbackHandler@60] - Could not login: the Client is being asked for a password, but the ZooKeeper Client code does not currently support obtaining a password from the user. Make sure that the Client is configured to use a ticket cache (using the JAAS configuration setting 'useTicketCache=true)' and restart the Client. If you still get this message after that, the TGT in the ticket cache has expired and must be manually refreshed. To do so, first determine if you are using a password or a keytab. If the former, run kinit in a Unix shell in the environment of the user who is running this Zookeeper Client using the command 'kinit <princ>' (where <princ> is the name of the Client's Kerberos principal). If the latter, do 'kinit -k -t <keytab> <princ>' (where <princ> is the name of the Kerberos principal, and <keytab> is the location of the keytab file). After manually refreshing your cache, restart this Client. If you continue to see this message after manually refreshing your cache, ensure that your KDC host's clock is in sync with this host's clock.
> 2020-08-17 13:58:18,604 - WARN [main-SendThread(localhost:2181):ClientCnxn$SendThread@1010] - SASL configuration failed: javax.security.auth.login.LoginException: No password provided Will continue connection to Zookeeper server without SASL authentication,if Zookeeper server allows it.
> 2020-08-17 13:58:18,606 - INFO [main-SendThread(localhost:2181):ClientCnxn$SendThread@1028] - Opening socket connection to server localhost/0:0:0:0:0:0:0:1:2181
> WATCHER::
> WatchedEvent state:AuthFailed type:None path:null
> 2020-08-17 13:58:18,653 - INFO [main-SendThread(localhost:2181):ClientCnxn$SendThread@878] - Socket connection established to localhost/0:0:0:0:0:0:0:1:2181, initiating session
> 2020-08-17 13:58:18,662 - INFO [main-SendThread(localhost:2181):ClientCnxn$SendThread@1302] - Session establishment complete on server localhost/0:0:0:0:0:0:0:1:2181, sessionid = 0x1001d710bf9003e, negotiated timeout = 30000
> WATCHER::
> WatchedEvent state:SyncConnected type:None path:null
> [zk: localhost:2181(CONNECTED) 0] ls /
> {code}
> For a wrong user the connection is dropped:
> {code:java}
> 2020-08-18 16:09:41,628 [myid:localhost:2181] - ERROR [main-SendThread(localhost:2181):ZooKeeperSaslClient@341] - An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]) occurred when evaluating Zookeeper Quorum Member's received SASL token. Zookeeper Client will go to AUTH_FAILED state.
> 2020-08-18 16:09:41,629 [myid:localhost:2181] - ERROR [main-SendThread(localhost:2181):ClientCnxn$SendThread@1151] - SASL authentication with Zookeeper Quorum member failed: javax.security.sasl.SaslException: An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]) occurred when evaluating Zookeeper Quorum Member's received SASL token. Zookeeper Client will go to AUTH_FAILED state.
> WATCHER::
> WatchedEvent state:AuthFailed type:None path:null
> 2020-08-18 16:09:41,629 [myid:] - INFO [main-EventThread:ClientCnxn$EventThread@524] - EventThread shut down for session: 0x1008b3112ae0004
> [zk: localhost:2181(AUTH_FAILED) 0]
> [zk: localhost:2181(AUTH_FAILED) 0]
> {code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
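An added configuration check for the setup quoted in the issue (my own example, not ZooKeeper project code). It audits a zoo.cfg / zookeeper-env.sh pair for two things a reviewer of the quoted files would look at: a `zookeeper.`-prefixed key placed in zoo.cfg (documented zoo.cfg keys carry no such prefix; the prefixed form is the Java system property name, which is passed to the JVM via SERVER_JVMFLAGS), and a SASL auth provider configured without `-Dzookeeper.sessionRequireClientSASLAuth=true`, since `allowSaslFailedClients` only governs clients whose SASL exchange actually failed, not clients that never start one. Assumptions: the property name `zookeeper.sessionRequireClientSASLAuth` is the one documented for newer ZooKeeper releases and, to my knowledge, is not available in 3.5.6; the function names and the embedded inputs (cut down from the reporter's files) are constructed for this example.

```python
"""Audit a ZooKeeper zoo.cfg / zookeeper-env.sh pair for client-SASL enforcement gaps.

Added example, not ZooKeeper project code. Assumptions are marked in comments.
"""
import re
import shlex

# Constructed inputs: the reporter's files from the issue, reduced to the relevant lines.
ZOO_CFG = """\
tickTime=2000
clientPort=2181
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
zookeeper.allowSaslFailedClients=false
server.1=myhost.internal:2888:3888
"""

ZK_ENV = """\
export JAVA="$JAVA_HOME/bin/java"
export SERVER_JVMFLAGS="-Djava.security.auth.login.config=/etc/zookeeper/conf/zookeeper_server_jaas.conf"
"""

# Assumption: property name as documented for newer ZooKeeper releases; the
# report's 3.5.6 may not offer it.
REQUIRE_SASL_PROP = "zookeeper.sessionRequireClientSASLAuth"


def parse_zoo_cfg(text):
    """Parse key=value lines of a zoo.cfg; comments and blank lines are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def parse_jvm_flags(text, var="SERVER_JVMFLAGS"):
    """Return the -Dname=value system properties set by `export VAR="..."` lines."""
    props = {}
    pattern = re.compile(r"^\s*export\s+" + re.escape(var) + r"=(.*)$", re.M)
    for match in pattern.finditer(text):
        for word in shlex.split(match.group(1)):   # drops the shell quotes
            for token in word.split():             # zkServer.sh expands the variable unquoted
                if token.startswith("-D"):
                    name, sep, value = token[2:].partition("=")
                    props[name] = value if sep else ""
    return props


def audit(zoo_cfg_text, env_text):
    """Return a list of human-readable findings; an empty list means no gap found."""
    findings = []
    cfg = parse_zoo_cfg(zoo_cfg_text)
    jvm = parse_jvm_flags(env_text)

    # 1. zoo.cfg keys never carry the "zookeeper." prefix; a prefixed key is the
    #    Java system property name and belongs in SERVER_JVMFLAGS as -Dkey=value.
    for key, value in cfg.items():
        if key.startswith("zookeeper."):
            findings.append(
                f"zoo.cfg: '{key}' is a JVM system property, not a zoo.cfg key; "
                f"move it to SERVER_JVMFLAGS as -D{key}={value}"
            )

    # 2. allowSaslFailedClients only covers clients whose SASL exchange failed.
    #    A client that never starts SASL is judged by REQUIRE_SASL_PROP instead.
    sasl_provider = any(
        k.startswith("authProvider.") and v.endswith("SASLAuthenticationProvider")
        for k, v in cfg.items()
    )
    if sasl_provider and jvm.get(REQUIRE_SASL_PROP, "").lower() != "true":
        findings.append(
            f"SERVER_JVMFLAGS: -D{REQUIRE_SASL_PROP}=true is not set; "
            "clients that skip SASL entirely are still admitted"
        )
    return findings


# Constructed corrected pair: prefixed key removed from zoo.cfg, both
# properties passed to the server JVM instead.
ZOO_CFG_FIXED = ZOO_CFG.replace("zookeeper.allowSaslFailedClients=false\n", "")
ZK_ENV_FIXED = """\
export SERVER_JVMFLAGS="-Djava.security.auth.login.config=/etc/zookeeper/conf/zookeeper_server_jaas.conf -Dzookeeper.allowSaslFailedClients=false -Dzookeeper.sessionRequireClientSASLAuth=true"
"""

if __name__ == "__main__":
    for finding in audit(ZOO_CFG, ZK_ENV):
        print("FINDING:", finding)
    print("corrected pair:", audit(ZOO_CFG_FIXED, ZK_ENV_FIXED) or "no findings")
```

Run against the reporter's files the audit reports both gaps; against the corrected pair it reports none. The second check is deliberately conditional on a SASL auth provider being configured, so a plain unauthenticated ensemble is not flagged for a property it never meant to use.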