Re: Zookeeper and curator SASL authentication

2020-01-15 Thread Arpit Jain
I managed to create an ACL with the authenticated client principal using the
lines of code below in the client:

curator.create().creatingParentContainersIfNeeded().withACL(ZooDefs.Ids.CREATOR_ALL_ACL).forPath("/mynode");


ZooDefs.Ids.CREATOR_ALL_ACL gives permissions to the client which is
authenticated.

To test this, I logged in using zkCli.sh on the ZK server and ran getAcl
/mynode; I was able to browse the znodes and can see that the node has all (CDRWA)
permissions for authenticated users. If I log in with an unauthenticated
principal, I am not able to see the znode tree even though I manage to
connect to the ZK server.

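As an added example (not code from the thread or from Curator itself), a client that lets the JAAS/GSSAPI handshake do the SASL authentication, creates /mynode with CREATOR_ALL_ACL exactly as the message above does, and then reads the ACL back to check that a single sasl id holds cdrwa and nothing is open to world:anyone. It deliberately omits builder.authorization("sasl", ...): the server's sasl provider rejects that auth packet, which is what the "Authentication failed for scheme: sasl" WARN in the quoted logs reports. The connect string, the principal strings, the JAAS setup and the class and method names are assumptions; the stored id is the short name only when kerberos.removeHostFromPrincipal / kerberos.removeRealmFromPrincipal are set on the server.

```java
// Added example: create a znode owned by the SASL-authenticated principal and verify its ACL.
// Assumptions: the client JVM runs with -Djava.security.auth.login.config=<jaas.conf> (a Client
// section using Krb5LoginModule and the zkclient keytab) and, on 3.5.5/3.5.6, with
// -Dzookeeper.sasl.client.username=zookeeper. Class, method and principal names are hypothetical.
import java.util.Arrays;
import java.util.List;
import org.apache.curator.RetryPolicy;
import org.apache.curator.framework.CuratorFramework;
import org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.curator.framework.api.ACLProvider;
import org.apache.curator.retry.ExponentialBackoffRetry;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.data.ACL;

public final class SaslAclExample {

    /** Every znode (parents included) created through this client gets the creator-only ACL. */
    private static final ACLProvider CREATOR_ONLY = new ACLProvider() {
        @Override public List<ACL> getDefaultAcl() { return ZooDefs.Ids.CREATOR_ALL_ACL; }
        @Override public List<ACL> getAclForPath(String path) { return ZooDefs.Ids.CREATOR_ALL_ACL; }
    };

    public static CuratorFramework newClient(String connectString) {
        RetryPolicy retry = new ExponentialBackoffRetry(1000, 3);
        // No .authorization("sasl", ...): SASL/GSSAPI is negotiated from jaas.conf when the
        // session opens. Sending "sasl" as an auth packet is what the server logs as
        // "Authentication failed for scheme: sasl".
        return CuratorFrameworkFactory.builder()
                .connectString(connectString)
                .retryPolicy(retry)
                .aclProvider(CREATOR_ONLY)
                .build();
    }

    /**
     * True only if the stored ACL has exactly one entry, of scheme sasl, whose id is one of the
     * forms the server may have written (full principal, or the short name when the server runs
     * with kerberos.removeHostFromPrincipal / kerberos.removeRealmFromPrincipal), with all perms.
     */
    public static boolean verifyOwnerOnlyAcl(List<ACL> acls, List<String> expectedIds) {
        if (acls.size() != 1) {
            return false;                                   // any extra entry widens access
        }
        ACL acl = acls.get(0);
        boolean saslScheme = "sasl".equals(acl.getId().getScheme());
        boolean knownOwner = expectedIds.contains(acl.getId().getId());
        boolean allPerms = acl.getPerms() == ZooDefs.Perms.ALL; // cdrwa
        return saslScheme && knownOwner && allPerms;
    }

    public static void main(String[] args) throws Exception {
        String connect = args.length > 0 ? args[0] : "zk.example.com:2181"; // placeholder host
        try (CuratorFramework curator = newClient(connect)) {
            curator.start();
            curator.blockUntilConnected();
            // Same create call as in the thread. At creation the server replaces the "auth" id in
            // CREATOR_ALL_ACL with the authenticated sasl id, so the ACL is bound to this principal.
            if (curator.checkExists().forPath("/mynode") == null) {
                curator.create().creatingParentContainersIfNeeded()
                        .withACL(ZooDefs.Ids.CREATOR_ALL_ACL).forPath("/mynode");
            }
            List<ACL> stored = curator.getACL().forPath("/mynode");
            // Constructed principal forms for this example; adjust to your realm and server settings.
            boolean ok = verifyOwnerOnlyAcl(stored, Arrays.asList("zkclient/zk@EXAMPLE.COM", "zkclient"));
            System.out.println("ACL on /mynode: " + stored + " -> " + (ok ? "owner-only" : "TOO OPEN"));
        }
    }
}
```

Running the same check from a session authenticated as a different principal should fail with a NoAuth error on the read, which is the behaviour the zkCli.sh test in the message above observed.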

Re: Zookeeper and curator SASL authentication

2020-01-15 Thread Enrico Olivelli - Diennea
Yes, they are system properties

You can take this guide (about Kafka) as an example
https://docs.confluent.io/current/kafka/authentication_sasl/authentication_sasl_gssapi.html


Re: Zookeeper and curator SASL authentication

2020-01-15 Thread Arpit Jain
I have not passed those parameters. Is this something I need to set in
Zookeeper (zoo.cfg) ?


Re: Zookeeper and curator SASL authentication

2020-01-15 Thread Enrico Olivelli - Diennea
Usually with SASL auth you are using:
kerberos.removeHostFromPrincipal=true
kerberos.removeRealmFromPrincipal=true

is this the case for you ?

Enrico


Re: Zookeeper and curator SASL authentication

2020-01-15 Thread Arpit Jain
I have asked on the Curator mailing list as well but got not much help. I am able
to set an ACL with the sasl scheme by using the zkCli.sh client on the Zookeeper server.
The idea is to use Curator to set the ACLs so that only my client
application can access its znodes.


Re: Zookeeper and curator SASL authentication

2020-01-15 Thread Szalay-Bekő Máté
I am not sure what is wrong with the code... I am not familiar with
Curator. I can try to google / reproduce this and see what is wrong, but it
will take a while for me. So first I would ask the others; maybe there is
someone who knows both ZooKeeper SASL and Curator and can help you more on
this mailing list. If no one replies, then I will try to set up a dummy
project with Curator to test this.

Did you also ask around the Curator mailing list maybe? Would it help if I
send you code about setting the ACLs using plain ZooKeeper (and no Curator)?

On Tue, Jan 14, 2020 at 2:48 PM Arpit Jain  wrote:

> Thanks for the clarification.
> I am able to authenticate client with Zookeeper. However, when I started
> to set ACLs with the same client, I get error messages. This is how I am
> creating curator client for setting ACLs
>
> CuratorFrameworkFactory.Builder builder = CuratorFrameworkFactory.builder()
>         .connectString(coordinatorHosts)
>         .retryPolicy(retryPolicy)
>         .connectionTimeoutMs(coordinatorConnectionTimeout)
>         .sessionTimeoutMs(coordinatorSessionTimeout);
>
> final CuratorFramework curatorFramework = builder
>         .authorization("sasl", "zkclient/z...@example.com".getBytes())
>         .aclProvider(new ACLProvider() {
>             @Override
>             public List<ACL> getDefaultAcl() {
>                 return ZooDefs.Ids.CREATOR_ALL_ACL;
>             }
>
>             @Override
>             public List<ACL> getAclForPath(String path) {
>                 return ZooDefs.Ids.CREATOR_ALL_ACL;
>             }
>         }).build();
>
>
> I see the logs below on the Zookeeper node:
>
> 2020-01-14 13:27:53,174 [myid:1] - INFO  [NIOWorkerThread-3:SaslServerCallbackHandler@120] - Successfully authenticated client: authenticationID=zkclient/z...@example.com;  authorizationID=zkclient/z...@example.com.
> 2020-01-14 13:27:53,175 [myid:1] - INFO  [NIOWorkerThread-3:SaslServerCallbackHandler@136] - Setting authorizedID: zkclient/z...@example.com
> 2020-01-14 13:27:53,175 [myid:1] - INFO  [NIOWorkerThread-3:ZooKeeperServer@1170] - adding SASL authorization for authorizationID: zkclient/z...@example.com
> 2020-01-14 13:27:53,182 [myid:1] - INFO  [NIOWorkerThread-7:ZooKeeperServer@1095] - got auth packet /172.30.0.6:36658
> 2020-01-14 13:27:53,183 [myid:1] - WARN  [NIOWorkerThread-7:ZooKeeperServer@1123] - Authentication failed for scheme: sasl
>
> Is this not the correct way to do it ?
>
>
>
> On Tue, Jan 14, 2020 at 11:52 AM Szalay-Bekő Máté <
> szalay.beko.m...@gmail.com> wrote:
>
>> The system property name is a bit misleading... this parameter
>> actually specifies the username used in the ZooKeeper server principal.
>> (in your case the server principal is: zookeeper/z...@example.com)
>> AFAIK the ZooKeeper client (after authenticated as zkclient/
>> z...@example.com in Kerberos based on the jaas.conf file) needs to know
>> the ZooKeeper server principal in order to ask for a specific token from
>> kerberos which can be read by the ZooKeeper server.
>>
>> In 3.5.5 (or 3.5.6) you can use the  zookeeper.sasl.client.username
>> parameter (plus some other parameters) to configure how the server
>> principal will be determined by the client.
>> See:
>> https://github.com/apache/zookeeper/blob/c11b7e26bc554b8523dc929761dd28808913f091/zookeeper-server/src/main/java/org/apache/zookeeper/SaslServerPrincipal.java#L48
>>
>> In future releases (3.5.7, 3.6, ...) you can also use
>> the zookeeper.server.principal parameter (a much better name I think) to
>> use a fixed server principal name in the client.
>> See:
>> https://github.com/apache/zookeeper/blob/1c5d135d74f16275876c024401dc2de92909b20a/zookeeper-server/src/main/java/org/apache/zookeeper/SaslServerPrincipal.java#L50
>>
>> On Mon, Jan 13, 2020 at 6:03 PM Arpit Jain  wrote:
>>
>>> Does this user name have to be "Zookeeper"
>>> (-Dzookeeper.sasl.client.username=zookeeper) always?
>>> And the client principal name is different from this username. Correct
>>> me if I am wrong?
>>>
>>> On Mon, Jan 13, 2020 at 4:58 PM Arpit Jain 
>>> wrote:
>>>
 Thank you so much!
 It worked finally. I had to change
 -Dzookeeper.sasl.client.username=zookeeper parameter.

 On Mon, Jan 13, 2020 at 4:40 PM Szalay-Bekő Máté <
 szalay.beko.m...@gmail.com> wrote:

> You are using 3.5.5 or 3.5.6, right?
> I think you need to specify: -Dzookeeper.sasl.client.username=zookeeper
> can you give it a try? If it doesn't work then I can take a deeper
> look (also we can enable some debug logging)
>
> On Mon, Jan 13, 2020 at 5:31 PM Arpit Jain 
> wrote:
>
>> Hi
>>
>> I have Kerberos, Zookeeper and my application (using curator) running
>> in 3 docker containers with ZK SASL authentication enabled. The ZK can
>> login to Kerberos and starts successfully.
>>
>> The ZK server principal is zookeeper/z...@example.com
>