RE: java.lang.NullPointerException on some commands (stats, conf)

2019-12-30 Thread Mike Smotritsky
Hi Enrico, no - log is absolutely clean...other commands work well now...

Thanks and Regards,

Mike

-Original Message-
From: Enrico Olivelli [mailto:eolive...@gmail.com] 
Sent: Monday, December 30, 2019 8:24 AM
To: UserZooKeeper
Subject: Re: java.lang.NullPointerException on some commands (stats, conf)

Hi Mike
Do you see errors on server logs?


Enrico

On Mon, 30 Dec 2019, 14:10 Mike Smotritsky wrote:

> Hey guys, Happy Holidays and thanks again for the fix!
>
> I've noticed that ruok in only secure mode gives no answer back at all...
> That's what I get back:
> {
>   "command" : "ruok",
>   "error" : null
> }
>
> Thanks and Regards,
>
> Mike
>
>
> -Original Message-
> From: Mate Szalay-Beko [mailto:msza...@cloudera.com.INVALID]
> Sent: Friday, December 06, 2019 5:06 AM
> To: user@zookeeper.apache.org
> Subject: Re: java.lang.NullPointerException on some commands (stats, conf)
>
> yep, in general I think it makes sense to try / get used to build ZooKeeper
> (or any other OpenSource product you use), one can never know when he
> needs a security patch or bugfix. :)
>
> Anyway, as I already have my environment ready, I did a quick build and
> shared it with Mike.
>
> Cheers,
> Mate
>
> On Thu, Dec 5, 2019 at 4:35 PM Enrico Olivelli 
> wrote:
>
> > Just run these commands:
> >
> > git clone https://github.com/apache/zookeeper
> > cd zookeeper
> > git checkout branch-3.5
> > mvn clean install -DskipTests
> >
> > you will find binaries for 3.5.7-SNAPSHOT inside
> > "zookeeper-assembly/target"
> >
> > if you want to run unit tests run the command without '-DskipTests':
> > mvn clean install
> >
> > you need "git", "Apache Maven" and a Java JDK 8.x (or greater), like the
> > one from AdoptOpenJDK or whichever one you prefer
> >
> > Hope that helps
> >
> > Enrico
> >
> > On Thu, 5 Dec 2019 at 16:19, Mike Smotritsky <mikesmotrit...@ongov.net> wrote:
> >
> > > Hey Enrico,
> > > If Mate can help to cut it - it would be great, if not - I'll need more
> > > detailed instructions on how to cut it please.
> > >
> > > Thanks and Regards,
> > > Mike
> > >
> > > -Original Message-
> > > From: Enrico Olivelli [mailto:eolive...@gmail.com]
> > > Sent: Thursday, December 05, 2019 10:08 AM
> > > To: UserZooKeeper
> > > Subject: Re: java.lang.NullPointerException on some commands (stats, conf)
> > >
> > > Mike
> > >
> > > On Thu, 5 Dec 2019 at 15:55, Mike Smotritsky <mikesmotrit...@ongov.net> wrote:
> > >
> > > > Hey Mate, thank you very much for a very quick action on this issue.
> > > > If it's not very difficult can you please cut me a patched 3.5.6?
> > > >
> > >
> > > I think the best procedure is that you build your own patched version by
> > > yourself.
> > > Just "mvn clean install -DskipTests" on branch-3.5
> > >
> > > Please be aware that the binaries you are going to use are not an official
> > > Apache release.
> > > I think it is fine, many companies run their own patched version of Open
> > > Source software
> > > Just my 2 cents
> > >
> > > Enrico
> > >
> > >
> > >
> > >
> > > > Again I very much appreciate your help!
> > > >
> > > > You guys have a very dedicated team on this project!
> > > >
> > > > Thanks and Regards,
> > > > Mike
> > > >
> > > > -Original Message-
> > > > From: Mate Szalay-Beko [mailto:msza...@cloudera.com.INVALID]
> > > > Sent: Thursday, December 05, 2019 3:48 AM
> > > > To: user@zookeeper.apache.org
> > > > Subject: Re: java.lang.NullPointerException on some commands (stats, conf)
> > > >
> > > > Hi Mike,
> > > >
> > > > 3.5.6 was already released a couple of weeks ago. Norbert cherry-picked the
> > > > NPE fix to branch 3.5, so the question is if we will have a 3.5.7 or not.
> > > > BTW if it is a blocker for you, I can create you a personal / unofficial
> > > > patched version of 3.5.6 which contains this fix and then you can use it
> > > > until you would have 3.6 or 3.5.7 later.
> > > >
> > > > You can do this for yourself as well, by cloning the 3.5 branch (
> > > > https://github.com/apache/zookeeper/tree/branch-3.5) and executing 'mvn
> > > > clean install -DskipTests'. If you also need the C-client, then 'mvn clean
> > > > install -DskipTests -Pfull-build'. It will not be an official release, but
> > > > in this case it is actually safe to use it, as the branch 3.5 now only
> > > > contains two small bugfixes on top of the stable 3.5.6.
> > > >
> > > > Cheers,
> > > > Mate
> > > >
> > > > On Tue, Dec 3, 2019 at 5:09 PM Mike Smotritsky <mikesmotrit...@ongov.net>
> > > > wrote:
> > > >
> > > > > Hi Enrico, I'd really love to have 3.5.6 released with this fix in.
> > > > > (Thanks to Mate for the very quick fix!)
> > > > > Cause my Solr cluster keeps complaining about the Zookeeper state.
> > > > >
> > > > > Thanks and Regards,
> > > > > Mike
> > > > >
> > > > >
> > > > >
> > > > > -Original Message-
> > > > > From: Enrico Olivelli 

Re: Zookeeper server and client authentication

2019-12-30 Thread Enrico Olivelli
On Mon, 30 Dec 2019, 14:55 shrikant kalani wrote:

> Enrico,
>
> Is 3.6 going to be available soon ? Within 1 month ?
>

I can't make promises.
It is up to the community.
I can say we are actively preparing the release.
You will see, hopefully next week, a VOTE email thread on
d...@zookeeper.apache.org mailing list.

If you try it and report that it is working for you, this will be a good
contribution to the community

Cheers
Enrico

>
> Thanks
> Srikant Kalani
>
> Sent from my iPhone
>
> > On 30 Dec 2019, at 9:23 PM, Enrico Olivelli  wrote:
> >
> > If you try to use wrong credentials, corrupted keytab...you won't be able
> > to read/write.
> > Connection maybe is allowed
> >
> > Enrico
> >
> > On Mon, 30 Dec 2019, 14:19 Arpit Jain wrote:
> >
> >> Just to confirm the settings I have in my environment:
> >>
> >> 1. On ZK side, my JAAS file looks like this:
> >> Server {
> >>   com.sun.security.auth.module.Krb5LoginModule required
> >>   useKeyTab=true
> >>   keyTab="/conf/zoo1.keytab"
> >>   storeKey=true
> >>   useTicketCache=false
> >>   principal="zookeeper/z...@example.com";
> >> };
> >> The principal "*zookeeper/z...@example.com "* has been
> >> created in Kerberos server running locally. I am able to start ZK with this
> >> principal and I can see ticket exchange between ZK and Kerberos for this
> >> principal.
> >>
> >> 2. On client (Curator) side, JAAS file looks like below. Principal
> >> "*zkcli...@example.com"* is present in Kerberos server. The curator is able
> >> to connect properly to ZK (with or without principal) even though SASL is
> >> enabled. Maybe I should use ZK 3.6 as you pointed out to enforce
> >> authentication.
> >> Client {
> >>   com.sun.security.auth.module.Krb5LoginModule required
> >>   useKeyTab=true
> >>   keyTab="/tmp/zkclient.keytab"
> >>   storeKey=true
> >>   useTicketCache=false
> >>   principal="zkcli...@example.com";
> >> };
> >>
> >> Just want to make sure my settings are correct.
> >>
> >> Thanks
> >>
> >>> On Mon, Dec 30, 2019 at 12:47 PM Enrico Olivelli 
> >>> wrote:
> >>>
> >>> Arpit,
> >>> Up to 3.5.x you can only leverage auth only in conjunction with ACLs.
> >>>
> >>> I hope we are able to release 3.6.0 within a couple of weeks.
> >>>
> >>> If you have time you can build from branch-3.6 and run the server enabling
> >>> that feature that you are pointing to.
> >>> It is a server side change only so you can use 3.5 in your application
> >>>
> >>>
> >>> Enrico
> >>>
> >>> On Mon, 30 Dec 2019, 13:23 shrikant kalani wrote:
> >>>
> >>>> Couple of things which you can check -
> >>>> 1) if your Zookeeper server is not running with Zookeeper id then you
> >>>> need to set zookeeper.sasl.client.username
> >>>> 2) set java.security.auth.login.config
> >>>>
> >>>> And I also faced the same issue that there is no strict enforcement to
> >>>> allow only authenticated client. Unless someone is aware of the way I doubt
> >>>> we may need to wait for 3.6
> >>>>
> >>>> Thanks
> >>>> Srikant
> >>>>
> >>>> Sent from my iPhone
> >>>>
> >>>>> On 30 Dec 2019, at 8:11 PM, Arpit Jain wrote:
> >>>>>
> >>>>> Hi,
> >>>>>
> >>>>> I have configured Zookeeper 3.5.5 to use SASL authentication using
> >>>>> Kerberos. I am able to authenticate ZK with Kerberos server but I don't see
> >>>>> any authentication happening between Zookeeper client (curator) and ZK
> >>>>> server. I have put the following setting in zoo.cfg and followed this guide
> >>>>> https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication
> >>>>> .
> >>>>>
> >>>>> authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
> >>>>> requireClientAuthScheme=sasl
> >>>>>
> >>>>> What additional setting I need to provide so that only authenticated
> >>>>> clients (for which principals are present in Kerberos server) can connect
> >>>>> to ZK server ?
> >>>>> I also found this link
> >>>>> https://github.com/apache/zookeeper/pull/118/commits which
> >>>>> mentions that it will be strict only from ZK 3.6 onwards and currently ZK
> >>>>> does not enforce it even if we have the configuration.
> >>>>>
> >>>>> Thanks
> >>>>
> >>>
> >>
>


Re: Zookeeper server and client authentication

2019-12-30 Thread shrikant kalani
Enrico,

Is 3.6 going to be available soon ? Within 1 month ?

Thanks
Srikant Kalani

Sent from my iPhone

> On 30 Dec 2019, at 9:23 PM, Enrico Olivelli  wrote:
> 
> If you try to use wrong credentials, corrupted keytab...you won't be able
> to read/write.
> Connection maybe is allowed
> 
> Enrico
> 
> On Mon, 30 Dec 2019, 14:19 Arpit Jain wrote:
> 
>> Just to confirm the settings I have in my environment:
>> 
>> 1. On ZK side, my JAAS file looks like this:
>> Server {
>>   com.sun.security.auth.module.Krb5LoginModule required
>>   useKeyTab=true
>>   keyTab="/conf/zoo1.keytab"
>>   storeKey=true
>>   useTicketCache=false
>>   principal="zookeeper/z...@example.com";
>> };
>> The principal "*zookeeper/z...@example.com "* has been
>> created in Kerberos server running locally. I am able to start ZK with this
>> principal and I can see ticket exchange between ZK and Kerberos for this
>> principal.
>> 
>> 2. On client (Curator) side, JAAS file looks like below. Principal
>> "*zkcli...@example.com"* is present in Kerberos server. The curator is able
>> to connect properly to ZK (with or without principal) even though SASL is
>> enabled. Maybe I should use ZK 3.6 as you pointed out to enforce
>> authentication.
>> Client {
>>   com.sun.security.auth.module.Krb5LoginModule required
>>   useKeyTab=true
>>   keyTab="/tmp/zkclient.keytab"
>>   storeKey=true
>>   useTicketCache=false
>>   principal="zkcli...@example.com";
>> };
>> 
>> Just want to make sure my settings are correct.
>> 
>> Thanks
>> 
>>> On Mon, Dec 30, 2019 at 12:47 PM Enrico Olivelli 
>>> wrote:
>>> 
>>> Arpit,
>>> Up to 3.5.x you can only leverage auth only in conjunction with ACLs.
>>> 
>>> I hope we are able to release 3.6.0 within a couple of weeks.
>>> 
>>> If you have time you can build from branch-3.6 and run the server enabling
>>> that feature that you are pointing to.
>>> It is a server side change only so you can use 3.5 in your application
>>>
>>>
>>> Enrico
>>>
>>> On Mon, 30 Dec 2019, 13:23 shrikant kalani wrote:
>>> 
>>>> Couple of things which you can check -
>>>> 1) if your Zookeeper server is not running with Zookeeper id then you
>>>> need to set zookeeper.sasl.client.username
>>>> 2) set java.security.auth.login.config
>>>>
>>>> And I also faced the same issue that there is no strict enforcement to
>>>> allow only authenticated client. Unless someone is aware of the way I doubt
>>>> we may need to wait for 3.6
>>>>
>>>> Thanks
>>>> Srikant
>>>>
>>>> Sent from my iPhone
>>>>
>>>>> On 30 Dec 2019, at 8:11 PM, Arpit Jain wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> I have configured Zookeeper 3.5.5 to use SASL authentication using
>>>>> Kerberos. I am able to authenticate ZK with Kerberos server but I don't see
>>>>> any authentication happening between Zookeeper client (curator) and ZK
>>>>> server. I have put the following setting in zoo.cfg and followed this guide
>>>>> https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication
>>>>> .
>>>>>
>>>>> authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
>>>>> requireClientAuthScheme=sasl
>>>>>
>>>>> What additional setting I need to provide so that only authenticated
>>>>> clients (for which principals are present in Kerberos server) can connect
>>>>> to ZK server ?
>>>>> I also found this link
>>>>> https://github.com/apache/zookeeper/pull/118/commits which
>>>>> mentions that it will be strict only from ZK 3.6 onwards and currently ZK
>>>>> does not enforce it even if we have the configuration.
>>>>>
>>>>> Thanks
>>>>
>>> 
>> 


Re: java.lang.NullPointerException on some commands (stats, conf)

2019-12-30 Thread Enrico Olivelli
Hi Mike
Do you see errors on server logs?


Enrico

On Mon, 30 Dec 2019, 14:10 Mike Smotritsky wrote:

> Hey guys, Happy Holidays and thanks again for the fix!
>
> I've noticed that ruok in only secure mode gives no answer back at all...
> That's what I get back:
> {
>   "command" : "ruok",
>   "error" : null
> }
>
> Thanks and Regards,
>
> Mike
>
>
> -Original Message-
> From: Mate Szalay-Beko [mailto:msza...@cloudera.com.INVALID]
> Sent: Friday, December 06, 2019 5:06 AM
> To: user@zookeeper.apache.org
> Subject: Re: java.lang.NullPointerException on some commands (stats, conf)
>
> yep, in general I think it makes sense to try / get used to build ZooKeeper
> (or any other OpenSource product you use), one can never know when he
> needs a security patch or bugfix. :)
>
> Anyway, as I already have my environment ready, I did a quick build and
> shared it with Mike.
>
> Cheers,
> Mate
>
> On Thu, Dec 5, 2019 at 4:35 PM Enrico Olivelli 
> wrote:
>
> > Just run these commands:
> >
> > git clone https://github.com/apache/zookeeper
> > cd zookeeper
> > git checkout branch-3.5
> > mvn clean install -DskipTests
> >
> > you will find binaries for 3.5.7-SNAPSHOT inside
> > "zookeeper-assembly/target"
> >
> > if you want to run unit tests run the command without '-DskipTests':
> > mvn clean install
> >
> > you need "git", "Apache Maven" and a Java JDK 8.x (or greater), like the
> > one from AdoptOpenJDK or whichever one you prefer
> >
> > Hope that helps
> >
> > Enrico
> >
> > On Thu, 5 Dec 2019 at 16:19, Mike Smotritsky <mikesmotrit...@ongov.net> wrote:
> >
> > > Hey Enrico,
> > > If Mate can help to cut it - it would be great, if not - I'll need more
> > > detailed instructions on how to cut it please.
> > >
> > > Thanks and Regards,
> > > Mike
> > >
> > > -Original Message-
> > > From: Enrico Olivelli [mailto:eolive...@gmail.com]
> > > Sent: Thursday, December 05, 2019 10:08 AM
> > > To: UserZooKeeper
> > > Subject: Re: java.lang.NullPointerException on some commands (stats, conf)
> > >
> > > Mike
> > >
> > > On Thu, 5 Dec 2019 at 15:55, Mike Smotritsky <mikesmotrit...@ongov.net> wrote:
> > >
> > > > Hey Mate, thank you very much for a very quick action on this issue.
> > > > If it's not very difficult can you please cut me a patched 3.5.6?
> > > >
> > >
> > > I think the best procedure is that you build your own patched version by
> > > yourself.
> > > Just "mvn clean install -DskipTests" on branch-3.5
> > >
> > > Please be aware that the binaries you are going to use are not an official
> > > Apache release.
> > > I think it is fine, many companies run their own patched version of Open
> > > Source software
> > > Just my 2 cents
> > >
> > > Enrico
> > >
> > >
> > >
> > >
> > > > Again I very much appreciate your help!
> > > >
> > > > You guys have a very dedicated team on this project!
> > > >
> > > > Thanks and Regards,
> > > > Mike
> > > >
> > > > -Original Message-
> > > > From: Mate Szalay-Beko [mailto:msza...@cloudera.com.INVALID]
> > > > Sent: Thursday, December 05, 2019 3:48 AM
> > > > To: user@zookeeper.apache.org
> > > > Subject: Re: java.lang.NullPointerException on some commands (stats, conf)
> > > >
> > > > Hi Mike,
> > > >
> > > > 3.5.6 was already released a couple of weeks ago. Norbert cherry-picked the
> > > > NPE fix to branch 3.5, so the question is if we will have a 3.5.7 or not.
> > > > BTW if it is a blocker for you, I can create you a personal / unofficial
> > > > patched version of 3.5.6 which contains this fix and then you can use it
> > > > until you would have 3.6 or 3.5.7 later.
> > > >
> > > > You can do this for yourself as well, by cloning the 3.5 branch (
> > > > https://github.com/apache/zookeeper/tree/branch-3.5) and executing 'mvn
> > > > clean install -DskipTests'. If you also need the C-client, then 'mvn clean
> > > > install -DskipTests -Pfull-build'. It will not be an official release, but
> > > > in this case it is actually safe to use it, as the branch 3.5 now only
> > > > contains two small bugfixes on top of the stable 3.5.6.
> > > >
> > > > Cheers,
> > > > Mate
> > > >
> > > > On Tue, Dec 3, 2019 at 5:09 PM Mike Smotritsky <mikesmotrit...@ongov.net>
> > > > wrote:
> > > >
> > > > > Hi Enrico, I'd really love to have 3.5.6 released with this fix in.
> > > > > (Thanks to Mate for the very quick fix!)
> > > > > Cause my Solr cluster keeps complaining about the Zookeeper state.
> > > > >
> > > > > Thanks and Regards,
> > > > > Mike
> > > > >
> > > > >
> > > > >
> > > > > -Original Message-
> > > > > From: Enrico Olivelli [mailto:eolive...@gmail.com]
> > > > > Sent: Tuesday, December 03, 2019 10:07 AM
> > > > > To: UserZooKeeper
> > > > > Subject: Re: java.lang.NullPointerException on some commands (stats, conf)
> > > > >
> > > > > Mike,
> > > > > just to be clear:  'we can cut new releases from 3.5 branch' means
> > that
> > 

Re: Zookeeper server and client authentication

2019-12-30 Thread Enrico Olivelli
If you try to use wrong credentials, corrupted keytab...you won't be able
to read/write.
Connection maybe is allowed

Enrico

On Mon, 30 Dec 2019, 14:19 Arpit Jain wrote:

> Just to confirm the settings I have in my environment:
>
> 1. On ZK side, my JAAS file looks like this:
> Server {
>    com.sun.security.auth.module.Krb5LoginModule required
>    useKeyTab=true
>    keyTab="/conf/zoo1.keytab"
>    storeKey=true
>    useTicketCache=false
>    principal="zookeeper/z...@example.com";
> };
> The principal "*zookeeper/z...@example.com "* has been
> created in Kerberos server running locally. I am able to start ZK with this
> principal and I can see ticket exchange between ZK and Kerberos for this
> principal.
>
> 2. On client (Curator) side, JAAS file looks like below. Principal
> "*zkcli...@example.com"* is present in Kerberos server. The curator is able
> to connect properly to ZK (with or without principal) even though SASL is
> enabled. Maybe I should use ZK 3.6 as you pointed out to enforce
> authentication.
> Client {
>    com.sun.security.auth.module.Krb5LoginModule required
>    useKeyTab=true
>    keyTab="/tmp/zkclient.keytab"
>    storeKey=true
>    useTicketCache=false
>    principal="zkcli...@example.com";
> };
>
> Just want to make sure my settings are correct.
>
> Thanks
>
> On Mon, Dec 30, 2019 at 12:47 PM Enrico Olivelli 
> wrote:
>
> > Arpit,
> > Up to 3.5.x you can only leverage auth only in conjunction with ACLs.
> >
> > I hope we are able to release 3.6.0 within a couple of weeks.
> >
> > If you have time you can build from branch-3.6 and run the server enabling
> > that feature that you are pointing to.
> > It is a server side change only so you can use 3.5 in your application
> >
> >
> > Enrico
> >
> > On Mon, 30 Dec 2019, 13:23 shrikant kalani wrote:
> >
> > > Couple of things which you can check -
> > > 1) if your Zookeeper server is not running with Zookeeper id then you
> > > need to set zookeeper.sasl.client.username
> > > 2) set java.security.auth.login.config
> > >
> > > And I also faced the same issue that there is no strict enforcement to
> > > allow only authenticated client. Unless someone is aware of the way I doubt
> > > we may need to wait for 3.6
> > >
> > > Thanks
> > > Srikant
> > >
> > > Sent from my iPhone
> > >
> > > > On 30 Dec 2019, at 8:11 PM, Arpit Jain wrote:
> > > >
> > > > Hi,
> > > >
> > > > I have configured Zookeeper 3.5.5 to use SASL authentication using
> > > > Kerberos. I am able to authenticate ZK with Kerberos server but I don't see
> > > > any authentication happening between Zookeeper client (curator) and ZK
> > > > server. I have put the following setting in zoo.cfg and followed this guide
> > > > https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication
> > > > .
> > > >
> > > > authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
> > > > requireClientAuthScheme=sasl
> > > >
> > > > What additional setting I need to provide so that only authenticated
> > > > clients (for which principals are present in Kerberos server) can connect
> > > > to ZK server ?
> > > > I also found this link
> > > > https://github.com/apache/zookeeper/pull/118/commits which
> > > > mentions that it will be strict only from ZK 3.6 onwards and currently ZK
> > > > does not enforce it even if we have the configuration.
> > > >
> > > > Thanks
> > >
> >
>


Re: Zookeeper server and client authentication

2019-12-30 Thread Arpit Jain
Just to confirm the settings I have in my environment:

1. On ZK side, my JAAS file looks like this:
Server {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   keyTab="/conf/zoo1.keytab"
   storeKey=true
   useTicketCache=false
   principal="zookeeper/z...@example.com";
};
The principal "*zookeeper/z...@example.com "* has been
created in Kerberos server running locally. I am able to start ZK with this
principal and I can see ticket exchange between ZK and Kerberos for this
principal.

2. On client (Curator) side, JAAS file looks like below. Principal
"*zkcli...@example.com"* is present in Kerberos server. The curator is able
to connect properly to ZK (with or without principal) even though SASL is
enabled. Maybe I should use ZK 3.6 as you pointed out to enforce
authentication.
Client {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   keyTab="/tmp/zkclient.keytab"
   storeKey=true
   useTicketCache=false
   principal="zkcli...@example.com";
};

Just want to make sure my settings are correct.

Thanks

On Mon, Dec 30, 2019 at 12:47 PM Enrico Olivelli 
wrote:

> Arpit,
> Up to 3.5.x you can only leverage auth only in conjunction with ACLs.
>
> I hope we are able to release 3.6.0 within a couple of weeks.
>
> If you have time you can build from branch-3.6 and run the server enabling
> that feature that you are pointing to.
> It is a server side change only so you can use 3.5 in your application
>
>
> Enrico
>
> On Mon, 30 Dec 2019, 13:23 shrikant kalani wrote:
>
> > Couple of things which you can check -
> > 1) if your Zookeeper server is not running with Zookeeper id then you
> > need to set zookeeper.sasl.client.username
> > 2) set java.security.auth.login.config
> >
> > And I also faced the same issue that there is no strict enforcement to
> > allow only authenticated client. Unless someone is aware of the way I doubt
> > we may need to wait for 3.6
> >
> > Thanks
> > Srikant
> >
> > Sent from my iPhone
> >
> > > On 30 Dec 2019, at 8:11 PM, Arpit Jain wrote:
> > >
> > > Hi,
> > >
> > > I have configured Zookeeper 3.5.5 to use SASL authentication using
> > > Kerberos. I am able to authenticate ZK with Kerberos server but I don't see
> > > any authentication happening between Zookeeper client (curator) and ZK
> > > server. I have put the following setting in zoo.cfg and followed this guide
> > > https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication
> > > .
> > >
> > > authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
> > > requireClientAuthScheme=sasl
> > >
> > > What additional setting I need to provide so that only authenticated
> > > clients (for which principals are present in Kerberos server) can connect
> > > to ZK server ?
> > > I also found this link
> > > https://github.com/apache/zookeeper/pull/118/commits which
> > > mentions that it will be strict only from ZK 3.6 onwards and currently ZK
> > > does not enforce it even if we have the configuration.
> > >
> > > Thanks
> >
>


RE: java.lang.NullPointerException on some commands (stats, conf)

2019-12-30 Thread Mike Smotritsky
Hey guys, Happy Holidays and thanks again for the fix!

I've noticed that ruok in only secure mode gives no answer back at all...
That's what I get back:
{
  "command" : "ruok",
  "error" : null
}

Thanks and Regards,

Mike


-Original Message-
From: Mate Szalay-Beko [mailto:msza...@cloudera.com.INVALID] 
Sent: Friday, December 06, 2019 5:06 AM
To: user@zookeeper.apache.org
Subject: Re: java.lang.NullPointerException on some commands (stats, conf)

yep, in general I think it makes sense to try / get used to build ZooKeeper
(or any other OpenSource product you use), one can never know when he
needs a security patch or bugfix. :)

Anyway, as I already have my environment ready, I did a quick build and
shared it with Mike.

Cheers,
Mate

On Thu, Dec 5, 2019 at 4:35 PM Enrico Olivelli  wrote:

> Just run these commands:
>
> git clone https://github.com/apache/zookeeper
> cd zookeeper
> git checkout branch-3.5
> mvn clean install -DskipTests
>
> you will find binaries for 3.5.7-SNAPSHOT inside
> "zookeeper-assembly/target"
>
> if you want to run unit tests run the command without '-DskipTests':
> mvn clean install
>
> you need "git", "Apache Maven" and a Java JDK 8.x (or greater), like the
> one from AdoptOpenJDK or whichever one you prefer
>
> Hope that helps
>
> Enrico
>
> On Thu, 5 Dec 2019 at 16:19, Mike Smotritsky <mikesmotrit...@ongov.net> wrote:
>
> > Hey Enrico,
> > If Mate can help to cut it - it would be great, if not - I'll need more
> > detailed instructions on how to cut it please.
> >
> > Thanks and Regards,
> > Mike
> >
> > -Original Message-
> > From: Enrico Olivelli [mailto:eolive...@gmail.com]
> > Sent: Thursday, December 05, 2019 10:08 AM
> > To: UserZooKeeper
> > Subject: Re: java.lang.NullPointerException on some commands (stats, conf)
> >
> > Mike
> >
> > On Thu, 5 Dec 2019 at 15:55, Mike Smotritsky <mikesmotrit...@ongov.net> wrote:
> >
> > > Hey Mate, thank you very much for a very quick action on this issue.
> > > If it's not very difficult can you please cut me a patched 3.5.6?
> > >
> >
> > I think the best procedure is that you build your own patched version by
> > yourself.
> > Just "mvn clean install -DskipTests" on branch-3.5
> >
> > Please be aware that the binaries you are going to use are not an official
> > Apache release.
> > I think it is fine, many companies run their own patched version of Open
> > Source software
> >
> > Just my 2 cents
> >
> > Enrico
> >
> >
> >
> >
> > > Again I very much appreciate your help!
> > >
> > > You guys have a very dedicated team on this project!
> > >
> > > Thanks and Regards,
> > > Mike
> > >
> > > -Original Message-
> > > From: Mate Szalay-Beko [mailto:msza...@cloudera.com.INVALID]
> > > Sent: Thursday, December 05, 2019 3:48 AM
> > > To: user@zookeeper.apache.org
> > > Subject: Re: java.lang.NullPointerException on some commands (stats, conf)
> > >
> > > Hi Mike,
> > >
> > > 3.5.6 was already released a couple of weeks ago. Norbert cherry-picked the
> > > NPE fix to branch 3.5, so the question is if we will have a 3.5.7 or not.
> > > BTW if it is a blocker for you, I can create you a personal / unofficial
> > > patched version of 3.5.6 which contains this fix and then you can use it
> > > until you would have 3.6 or 3.5.7 later.
> > >
> > > You can do this for yourself as well, by cloning the 3.5 branch (
> > > https://github.com/apache/zookeeper/tree/branch-3.5) and executing 'mvn
> > > clean install -DskipTests'. If you also need the C-client, then 'mvn clean
> > > install -DskipTests -Pfull-build'. It will not be an official release, but
> > > in this case it is actually safe to use it, as the branch 3.5 now only
> > > contains two small bugfixes on top of the stable 3.5.6.
> > >
> > > Cheers,
> > > Mate
> > >
> > > On Tue, Dec 3, 2019 at 5:09 PM Mike Smotritsky <mikesmotrit...@ongov.net>
> > > wrote:
> > >
> > > > Hi Enrico, I'd really love to have 3.5.6 released with this fix in.
> > > > (Thanks to Mate for the very quick fix!)
> > > > Cause my Solr cluster keeps complaining about the Zookeeper state.
> > > >
> > > > Thanks and Regards,
> > > > Mike
> > > >
> > > >
> > > >
> > > > -Original Message-
> > > > From: Enrico Olivelli [mailto:eolive...@gmail.com]
> > > > Sent: Tuesday, December 03, 2019 10:07 AM
> > > > To: UserZooKeeper
> > > > Subject: Re: java.lang.NullPointerException on some commands (stats, conf)
> > > >
> > > > Mike,
> > > > just to be clear:  'we can cut new releases from 3.5 branch' means that we
> > > > are able to do it.
> > > >
> > > > But there are no plans to do it right now.
> > > >
> > > > If you need a release please let us know, we have just cut 3.5.6, there
> > > > aren't so many changes cherry picked to branch-3.5
> > > >
> > > > Enrico
> > > >
> > > >
> > > > On Mon, 2 Dec 2019 at 18:45, Mike Smotritsky <mikesmotrit...@ongov.net> wrote:
> > > >
> > > > > Hi Enrico,
> > > 

Re: Zookeeper server and client authentication

2019-12-30 Thread Enrico Olivelli
Arpit,
Up to 3.5.x you can only leverage auth only in conjunction with ACLs.

I hope we are able to release 3.6.0 within a couple of weeks.

If you have time you can build from branch-3.6 and run the server enabling
that feature that you are pointing to.
It is a server side change only so you can use 3.5 in your application


Enrico

On Mon, 30 Dec 2019, 13:23 shrikant kalani wrote:

> Couple of things which you can check -
> 1) if your Zookeeper server is not running with Zookeeper id then you
> need to set zookeeper.sasl.client.username
> 2) set java.security.auth.login.config
>
> And I also faced the same issue that there is no strict enforcement to
> allow only authenticated client. Unless someone is aware of the way I doubt
> we may need to wait for 3.6
>
> Thanks
> Srikant
>
> Sent from my iPhone
>
> > On 30 Dec 2019, at 8:11 PM, Arpit Jain  wrote:
> >
> > Hi,
> >
> > I have configured Zookeeper 3.5.5 to use SASL authentication using
> > Kerberos. I am able to authenticate ZK with Kerberos server but I don't see
> > any authentication happening between Zookeeper client (curator) and ZK
> > server. I have put the following setting in zoo.cfg and followed this guide
> > https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication
> > .
> >
> > authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
> > requireClientAuthScheme=sasl
> >
> > What additional setting I need to provide so that only authenticated
> > clients (for which principals are present in Kerberos server) can connect
> > to ZK server ?
> > I also found this link
> > https://github.com/apache/zookeeper/pull/118/commits which
> > mentions that it will be strict only from ZK 3.6 onwards and currently ZK
> > does not enforce it even if we have the configuration.
> >
> > Thanks
>
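
What "auth only in conjunction with ACLs" can look like from a Curator client on 3.5.x, as an added example (not code from this thread or from the ZooKeeper or Curator projects): every znode the client creates is restricted to one SASL identity, and the program fails if a world ACL is still present afterwards. The connect string, path and principal are hypothetical placeholders, and the ACL id assumes the server keeps the Kerberos realm in the authenticated name.

```java
import java.util.Collections;
import java.util.List;

import org.apache.curator.framework.CuratorFramework;
import org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.curator.framework.api.ACLProvider;
import org.apache.curator.retry.ExponentialBackoffRetry;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;

/**
 * Added example: restrict a znode to one SASL identity so that sessions which
 * connected without authenticating cannot read or write it.
 *
 * Start the JVM with -Djava.security.auth.login.config=<JAAS file containing
 * the "Client" section>. The server must have the SASL provider registered
 * (authProvider.1=...SASLAuthenticationProvider in zoo.cfg), otherwise it
 * rejects ACLs that use the "sasl" scheme.
 */
public class SaslAclExample {
    // Hypothetical placeholders: use your own ensemble, path and principal.
    private static final String CONNECT = "zk1.example.com:2181";
    private static final String APP_ROOT = "/secured-app";
    private static final String PRINCIPAL = "appclient@EXAMPLE.COM";

    // Full permissions for the SASL identity and nothing for anyone else.
    private static final List<ACL> SASL_ONLY = Collections.singletonList(
            new ACL(ZooDefs.Perms.ALL, new Id("sasl", PRINCIPAL)));

    public static void main(String[] args) throws Exception {
        // Curator asks this provider for the ACL of every node it creates,
        // so new znodes never fall back to world:anyone.
        ACLProvider provider = new ACLProvider() {
            @Override
            public List<ACL> getDefaultAcl() {
                return SASL_ONLY;
            }

            @Override
            public List<ACL> getAclForPath(String path) {
                return SASL_ONLY;
            }
        };

        try (CuratorFramework client = CuratorFrameworkFactory.builder()
                .connectString(CONNECT)
                .retryPolicy(new ExponentialBackoffRetry(1000, 3))
                .aclProvider(provider)
                .build()) {
            client.start();
            client.blockUntilConnected();

            if (client.checkExists().forPath(APP_ROOT) == null) {
                client.create().creatingParentsIfNeeded()
                        .forPath(APP_ROOT, new byte[0]);
            } else {
                // A node created earlier keeps its old ACL until it is
                // replaced. ACLs are per znode and not inherited, so existing
                // children need the same treatment.
                client.setACL().withACL(SASL_ONLY).forPath(APP_ROOT);
            }

            // Reading the ACL back needs READ permission: a session that did
            // not authenticate as PRINCIPAL gets NoAuthException here, which
            // is the behaviour described above for wrong credentials.
            requireNoWorldAccess(client.getACL().forPath(APP_ROOT));
            System.out.println(APP_ROOT + " is restricted to sasl:" + PRINCIPAL);
        }
    }

    /** Fails if any entry still grants access through the "world" scheme. */
    static void requireNoWorldAccess(List<ACL> acls) {
        for (ACL acl : acls) {
            if ("world".equals(acl.getId().getScheme())) {
                throw new IllegalStateException(
                        "znode is still open to unauthenticated sessions: " + acl);
            }
        }
    }
}
```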


Re: Zookeeper server and client authentication

2019-12-30 Thread shrikant kalani
Couple of things which you can check -
1) if your Zookeeper server is not running with Zookeeper id then you need to
set zookeeper.sasl.client.username
2) set java.security.auth.login.config

And I also faced the same issue that there is no strict enforcement to allow 
only authenticated client. Unless someone is aware of the way I doubt we may 
need to wait for 3.6

Thanks
Srikant

Sent from my iPhone

> On 30 Dec 2019, at 8:11 PM, Arpit Jain  wrote:
> 
> Hi,
> 
> I have configured Zookeeper 3.5.5 to use SASL authentication using
> Kerberos. I am able to authenticate ZK with Kerberos server but I don't see
> any authentication happening between Zookeeper client (curator) and ZK
> server. I have put the following setting in zoo.cfg and followed this guide
> https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication
> .
> 
> authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
> requireClientAuthScheme=sasl
> 
> What additional setting I need to provide so that only authenticated
> clients (for which principals are present in Kerberos server) can connect
> to ZK server ?
> I also found this link
> https://github.com/apache/zookeeper/pull/118/commits which
> mentions that it will be strict only from ZK 3.6 onwards and currently ZK
> does not enforce it even if we have the configuration.
> 
> Thanks


Zookeeper server and client authentication

2019-12-30 Thread Arpit Jain
Hi,

I have configured Zookeeper 3.5.5 to use SASL authentication using
Kerberos. I am able to authenticate ZK with Kerberos server but I don't see
any authentication happening between Zookeeper client (curator) and ZK
server. I have put the following setting in zoo.cfg and followed this guide
https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication
.

authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
requireClientAuthScheme=sasl

What additional setting I need to provide so that only authenticated
clients (for which principals are present in Kerberos server) can connect
to ZK server ?
I also found this link
https://github.com/apache/zookeeper/pull/118/commits which
mentions that it will be strict only from ZK 3.6 onwards and currently ZK
does not enforce it even if we have the configuration.

Thanks