Re: Issues building and running Zookeeper Inspector

2020-09-23 Thread Enrico Olivelli - Diennea
Brent
Please go ahead and send a PR

You can also subscribe to d...@zookeeper.apache.org for discussions related to 
patches.

Thank you very much
Enrico

On 22/09/20, 19:52, "Brent" wrote:

Hi everyone,

I just filed a Jira related to the Zookeeper Inspector contrib project here:

https://issues.apache.org/jira/browse/ZOOKEEPER-3943

I just wanted to reach out and make sure I'm going about attempting to use
it correctly.  I just ran "mvn clean install -DskipTests" at all levels of
the code tree and then attempted to use both the "zooInspector.sh" script
and invoke the Java directly (with all the CLASSPATH set up properly).

It seems like the core of my issue was that the icons for the UI couldn't
be found (they don't seem to get built into the JAR by default) and
resulted in a bunch of NullPointerExceptions.  I put a proposal to fix this
in the Jira, but wanted to make sure it seems like an acceptable approach
and double-check that I'm not just doing something incorrectly.

If this seems OK and nobody is actively working on this already, I'd be
happy to submit a PR if it would help.

Thanks!




CONFIDENTIALITY & PRIVACY NOTICE
This e-mail (including any attachments) is strictly confidential and may also 
contain privileged information. If you are not the intended recipient you are 
not authorised to read, print, save, process or disclose this message. If you 
have received this message by mistake, please inform the sender immediately and 
destroy this e-mail, its attachments and any copies. Any use, distribution, 
reproduction or disclosure by any person other than the intended recipient is 
strictly prohibited and the person responsible may incur in penalties.
The use of this e-mail is only for professional purposes; there is no guarantee 
that the correspondence towards this e-mail will be read only by the recipient, 
because, under certain circumstances, there may be a need to access this email 
by third subjects belonging to the Company.


Re: upgrade from 3.4.5 to 3.5.6

2020-07-13 Thread Enrico Olivelli - Diennea
le?
>>> > >>> > Also can you please send the zkCli command you execute? (you need to
>>> > >>> > connect to the secure ZooKeeper port, unless portUnification is enabled)
>>> > >>> >
>>> > >>> > Kind regards,
>>> > >>> > Mate
>>> > >>> >
>>> > >>> > On Wed, Jul 1, 2020 at 9:48 AM kuldeep singh <kuldeep.sing...@gmail.com>
>>> > >>> > wrote:
>>> > >>> >
>>> > >>> >> Hi,
>>> > >>> >>
>>> > >>> >> we have done below changes in java.env file
>>> > >>> >>
>>> > >>> >> export SERVER_JVMFLAGS="
>>> > >>> >> -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
>>> > >>> >> -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks
>>> > >>> >> -Dzookeeper.ssl.keyStore.password=testpass
>>> > >>> >> -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks
>>> > >>> >> -Dzookeeper.ssl.trustStore.password=testpass"
>>> > >>> >>
>>> > >>> >> export CLIENT_JVMFLAGS="
>>> > >>> >> -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
>>> > >>> >> -Dzookeeper.client.secure=true
>>> > >>> >> -Dzookeeper.ssl.keyStore.location=/root/zookeeper/ssl/testKeyStore.jks
>>> > >>> >> -Dzookeeper.ssl.keyStore.password=testpass
>>> > >>> >> -Dzookeeper.ssl.trustStore.location=/root/zookeeper/ssl/testTrustStore.jks
>>> > >>> >> -Dzookeeper.ssl.trustStore.password=testpass"
>>> > >>> >>
>>> > >>> >> I have started the ZK server and it is up without any issue.
>>> > >>> >>
>>> > >>> >> But now when I login to ZkCli then it gives the below error.
>>> > >>> >>
>>> > >>> >> WatchedEvent state:AuthFailed type:None path:null
>>> > >>> >>
>>> > >>> >>
>>> > >>> >> Zookeeper logs :- *2020-07-01 07:38:09,342 - WARN
>>> > >>> >> [nioEventLoopGroup-4-2:ZooKeeperServer@1119] - No authentication provider
>>> > >>> >> for scheme: ztpasswd has x509 ip digest*
>>> > >>> >>
>>> > >>> >> Please help me on this issue
>>> > >>> >>
>>> > >>> >> Thanks,
>>> > >>> >> -
>>> > >>> >> Kuldeep Singh Budania
>>> > >>> >> Software Architect
>>> > >>> >>
>>> > >>> >>
>>> > >>> >> On Wed, Jul 1, 2020 at 12:05 PM kuldeep singh <kuldeep.sing...@gmail.com>
>>> > >>> >> wrote:
>>> > >>> >>
>>> > >>> >> > Hi,
>>> > >>> >> >
>>> > >>> >> > My ZK server  is up and running in secure mode, But When I am trying to
>>> > >>> >> > connect to the ZK server using ZKCli, it gives the below error.
>>> > >>> >> >
>>> > >>> >> > WatchedEvent state:AuthFailed type:None path:null
>>> > >>> >> >
>>> > >>> >>

Re: upgrade from 3.4.5 to 3.5.6

2020-06-25 Thread Enrico Olivelli - Diennea
I mean in zoo.cfg
Not as a system property

Enrico

On 25/06/20, 08:19, "Enrico Olivelli - Diennea" wrote:

Hi
You have to enable Netty on the server side

Something like:
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory

Hope that helps
Enrico

On 24/06/20, 19:17, "kuldeep singh" wrote:

Hi,

I got below error while setting SSL properties in zkEnv.sh




==

2020-06-24 15:49:35,864 - INFO  [main:QuorumPeerConfig@133] - Reading
configuration from: /etc/zookeeper/zoo.cfg

2020-06-24 15:49:35,874 - INFO  [main:QuorumPeerConfig@385] -
clientPortAddress is 0.0.0.0/0.0.0.0:10181

2020-06-24 15:49:35,874 - INFO  [main:QuorumPeerConfig@399] -
secureClientPortAddress is 0.0.0.0/0.0.0.0:2281

2020-06-24 15:49:35,878 - INFO  [main:X509Util@79] - Setting -D
jdk.tls.rejectClientInitiatedRenegotiation=true to disable 
client-initiated
TLS renegotiation

2020-06-24 15:49:35,897 - INFO  [main:DatadirCleanupManager@78] -
autopurge.snapRetainCount set to 3

2020-06-24 15:49:35,897 - INFO  [main:DatadirCleanupManager@79] -
autopurge.purgeInterval set to 1

2020-06-24 15:49:35,898 - INFO  [
PurgeTask:DatadirCleanupManager$PurgeTask@138] - Purge task started.

2020-06-24 15:49:35,899 - INFO  [main:ManagedUtil@46] - Log4j found with
jmx enabled.

2020-06-24 15:49:35,903 - INFO  [PurgeTask:FileTxnSnapLog@103] -
zookeeper.snapshot.trust.empty : false

2020-06-24 15:49:35,910 - INFO  [
PurgeTask:DatadirCleanupManager$PurgeTask@144] - Purge task completed.

2020-06-24 15:49:35,975 - INFO  [main:QuorumPeerMain@141] - Starting 
quorum
peer

2020-06-24 15:49:35,983 - INFO  [main:ServerCnxnFactory@135] - Using
org.apache.zookeeper.server.NIOServerCnxnFactory as server connection
factory

2020-06-24 15:49:35,986 - INFO  [main:NIOServerCnxnFactory@673] -
Configuring NIO connection handler with 10s sessionless connection 
timeout,
2 selector thread(s), 16 worker threads, and 64 kB direct buffers.

2020-06-24 15:49:35,992 - INFO  [main:NIOServerCnxnFactory@686] - 
binding
to port 0.0.0.0/0.0.0.0:10181

2020-06-24 15:49:35,994 - INFO  [main:ServerCnxnFactory@135] - Using
org.apache.zookeeper.server.NIOServerCnxnFactory as server connection
factory

2020-06-24 15:49:35,995 - ERROR [main:QuorumPeerMain@101] - Unexpected
exception, exiting abnormally

java.lang.UnsupportedOperationException: SSL isn't supported in NIOServerCnxn
    at org.apache.zookeeper.server.NIOServerCnxnFactory.configure(NIOServerCnxnFactory.java:644)
    at org.apache.zookeeper.server.quorum.QuorumPeerMain.runFromConfig(QuorumPeerMain.java:155)
    at org.apache.zookeeper.server.quorum.QuorumPeerMain.initializeAndRun(QuorumPeerMain.java:123)
    at org.apache.zookeeper.server.quorum.QuorumPeerMain.main(QuorumPeerMain.java:82)





I have set the following properties in SERVER_JVMFLAGS in zkEnv.sh file 
 :

"-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory

-Dzookeeper.ssl.keyStore.location=/var/opt/vs/SecureInterface/keystore/CassSpkkeystore.p12
-Dzookeeper.ssl.keyStore.password=EvaiKiO1@123456

-Dzookeeper.ssl.trustStore.location=/var/opt/vs/SecureInterface/keystore/CassSpkTrustStore.jks
-Dzookeeper.ssl.trustStore.password=EvaiKiO1@123456"

Thanks,
-
Kuldeep Singh Budania



On Mon, Jun 22, 2020 at 8:08 PM Jordan Zimmerman wrote:

> It's the same as the normal ZooKeeper client:
> https://zookeeper.apache.org/doc/r3.6.1/zookeeperAdmin.html#sc_authOptions
>
> -Jordan
>
> > On Jun 22, 2020, at 5:50 AM, kuldeep singh wrote:
> >
> > Hi Team,
> > How we will do secure communication between the Curator framework and
> > zookeeper 3.5.6 ?
> > I didn't get any solution right now.
> > I appreciate it if someone could help me with the same.
> >
> > Thanks,
> > -
> > Kuldeep Singh Budania
> > Software Architect
> >
> >
> > On Fri, Apr 17, 2020 at 4:53 PM Szalay-Bekő Máté <
> szalay.beko.m...@gmail.co

Re: upgrade from 3.4.5 to 3.5.6

2020-06-25 Thread Enrico Olivelli - Diennea
Hi
You have to enable Netty on the server side

Something like:
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory

Hope that helps
Enrico

On 24/06/20, 19:17, "kuldeep singh" wrote:

Hi,

I got below error while setting SSL properties in zkEnv.sh




==

2020-06-24 15:49:35,864 - INFO  [main:QuorumPeerConfig@133] - Reading
configuration from: /etc/zookeeper/zoo.cfg

2020-06-24 15:49:35,874 - INFO  [main:QuorumPeerConfig@385] -
clientPortAddress is 0.0.0.0/0.0.0.0:10181

2020-06-24 15:49:35,874 - INFO  [main:QuorumPeerConfig@399] -
secureClientPortAddress is 0.0.0.0/0.0.0.0:2281

2020-06-24 15:49:35,878 - INFO  [main:X509Util@79] - Setting -D
jdk.tls.rejectClientInitiatedRenegotiation=true to disable client-initiated
TLS renegotiation

2020-06-24 15:49:35,897 - INFO  [main:DatadirCleanupManager@78] -
autopurge.snapRetainCount set to 3

2020-06-24 15:49:35,897 - INFO  [main:DatadirCleanupManager@79] -
autopurge.purgeInterval set to 1

2020-06-24 15:49:35,898 - INFO  [
PurgeTask:DatadirCleanupManager$PurgeTask@138] - Purge task started.

2020-06-24 15:49:35,899 - INFO  [main:ManagedUtil@46] - Log4j found with
jmx enabled.

2020-06-24 15:49:35,903 - INFO  [PurgeTask:FileTxnSnapLog@103] -
zookeeper.snapshot.trust.empty : false

2020-06-24 15:49:35,910 - INFO  [
PurgeTask:DatadirCleanupManager$PurgeTask@144] - Purge task completed.

2020-06-24 15:49:35,975 - INFO  [main:QuorumPeerMain@141] - Starting quorum
peer

2020-06-24 15:49:35,983 - INFO  [main:ServerCnxnFactory@135] - Using
org.apache.zookeeper.server.NIOServerCnxnFactory as server connection
factory

2020-06-24 15:49:35,986 - INFO  [main:NIOServerCnxnFactory@673] -
Configuring NIO connection handler with 10s sessionless connection timeout,
2 selector thread(s), 16 worker threads, and 64 kB direct buffers.

2020-06-24 15:49:35,992 - INFO  [main:NIOServerCnxnFactory@686] - binding
to port 0.0.0.0/0.0.0.0:10181

2020-06-24 15:49:35,994 - INFO  [main:ServerCnxnFactory@135] - Using
org.apache.zookeeper.server.NIOServerCnxnFactory as server connection
factory

2020-06-24 15:49:35,995 - ERROR [main:QuorumPeerMain@101] - Unexpected
exception, exiting abnormally

java.lang.UnsupportedOperationException: SSL isn't supported in NIOServerCnxn
    at org.apache.zookeeper.server.NIOServerCnxnFactory.configure(NIOServerCnxnFactory.java:644)
    at org.apache.zookeeper.server.quorum.QuorumPeerMain.runFromConfig(QuorumPeerMain.java:155)
    at org.apache.zookeeper.server.quorum.QuorumPeerMain.initializeAndRun(QuorumPeerMain.java:123)
    at org.apache.zookeeper.server.quorum.QuorumPeerMain.main(QuorumPeerMain.java:82)





I have set the following properties in SERVER_JVMFLAGS in zkEnv.sh file  :

"-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory

-Dzookeeper.ssl.keyStore.location=/var/opt/vs/SecureInterface/keystore/CassSpkkeystore.p12
-Dzookeeper.ssl.keyStore.password=EvaiKiO1@123456

-Dzookeeper.ssl.trustStore.location=/var/opt/vs/SecureInterface/keystore/CassSpkTrustStore.jks
-Dzookeeper.ssl.trustStore.password=EvaiKiO1@123456"

Thanks,
-
Kuldeep Singh Budania



On Mon, Jun 22, 2020 at 8:08 PM Jordan Zimmerman wrote:

> It's the same as the normal ZooKeeper client:
> https://zookeeper.apache.org/doc/r3.6.1/zookeeperAdmin.html#sc_authOptions
>
> -Jordan
>
> > On Jun 22, 2020, at 5:50 AM, kuldeep singh wrote:
> >
> > Hi Team,
> > How we will do secure communication between the Curator framework and
> > zookeeper 3.5.6 ?
> > I didn't get any solution right now.
> > I appreciate it if someone could help me with the same.
> >
> > Thanks,
> > -
> > Kuldeep Singh Budania
> > Software Architect
> >
> >
> > On Fri, Apr 17, 2020 at 4:53 PM Szalay-Bekő Máté <
> szalay.beko.m...@gmail.com>
> > wrote:
> >
> >> Hello Kuldeep,
> >>
> >> did you download the source from the ZooKeeper webpage, or checked out
> from
> >> git?
> >> Anyway, the following commands should work:
> >>
> >> wget
> >>
> >>
> 
https://downloads.apache.org/zookeeper/zookeeper-3.5.7/apache-zookeeper-3.5.7.tar.gz
> >> tar xzvf ./apache-zookeeper-3.5.7.tar.gz
> >> cd apache-zookeeper-3.5.7
> >> mvn clean install -DskipTests
> >>
> >> I tested it with OpenJDK 8u424 and maven 3.6.0.
> >>
> >> Kind regards,
> >> Mate
> >>
> >>
> >> On Fri, Apr 17, 2020 at 12:51 PM kuldeep singh <
> 
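
An added example, not part of the original thread and not ZooKeeper project code: a Python preflight check for the failure discussed above, where a secure client port is configured but the server still reports the NIO connection factory. The function names and finding codes are hypothetical, the zoo.cfg is constructed from the ports in the posted log, and the check treats NIO as the default factory because that is what the posted log shows.

```python
import re

NETTY = "org.apache.zookeeper.server.NettyServerCnxnFactory"
NIO = "org.apache.zookeeper.server.NIOServerCnxnFactory"

# Constructed zoo.cfg; the two ports are the ones in the startup log above.
BROKEN_CFG = "clientPort=10181\nsecureClientPort=2281\n"
FIXED_CFG = BROKEN_CFG + "serverCnxnFactory=" + NETTY + "\n"

# Flags shaped like the ones posted; paths and passwords are placeholders.
JVM_FLAGS = (
    f"-Dzookeeper.serverCnxnFactory={NETTY} "
    "-Dzookeeper.ssl.keyStore.location=/path/to/keystore.p12 "
    "-Dzookeeper.ssl.keyStore.password=PLACEHOLDER "
    "-Dzookeeper.ssl.trustStore.location=/path/to/truststore.jks "
    "-Dzookeeper.ssl.trustStore.password=PLACEHOLDER"
)

# Two entries from the startup log in the thread, line wrapping kept.
STARTUP_LOG = """\
2020-06-24 15:49:35,874 - INFO  [main:QuorumPeerConfig@399] -
secureClientPortAddress is 0.0.0.0/0.0.0.0:2281
2020-06-24 15:49:35,983 - INFO  [main:ServerCnxnFactory@135] - Using
org.apache.zookeeper.server.NIOServerCnxnFactory as server connection
factory
"""


def parse_zoo_cfg(text):
    """Parse key=value lines of a zoo.cfg, skipping blanks and # comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def parse_jvm_flags(text):
    """Extract -Dname=value system properties from a JVMFLAGS string."""
    return dict(re.findall(r"-D([\w.]+)=(\S+)", text))


def factories_in_log(log):
    """Connection factories the server reports using (tolerates wrapped lines)."""
    return re.findall(r"Using\s+(\S+)\s+as\s+server\s+connection\s+factory", log)


def preflight(zoo_cfg, jvm_flags="", startup_log=""):
    """Return a list of (code, advice) findings for a server-side TLS setup."""
    cfg = parse_zoo_cfg(zoo_cfg)
    props = parse_jvm_flags(jvm_flags)
    observed = factories_in_log(startup_log)
    secure = "secureClientPort" in cfg
    findings = []

    # With a log, trust what the server reported. Without one, trust only
    # zoo.cfg, following the advice in the thread to set the factory there.
    nio_in_use = (NIO in observed) if observed else (cfg.get("serverCnxnFactory") != NETTY)
    if secure and nio_in_use:
        findings.append(("TLS_PORT_WITH_NIO",
                         "secureClientPort is set but the NIO factory is in use; "
                         "add serverCnxnFactory=" + NETTY + " to zoo.cfg"))
    if props.get("zookeeper.serverCnxnFactory") == NETTY and NIO in observed:
        findings.append(("JVM_FLAG_NOT_APPLIED",
                         "the -D factory flag is set but the server logged NIO; "
                         "the flags did not reach the server JVM"))
    if secure and "clientPort" in cfg:
        findings.append(("PLAINTEXT_PORT_OPEN",
                         "clientPort %s still accepts connections without TLS"
                         % cfg["clientPort"]))
    leaked = sorted(k for k in props if k.endswith(".password"))
    if leaked:
        findings.append(("PASSWORD_ON_COMMAND_LINE",
                         "visible in the process list: " + ", ".join(leaked)))
    return findings


def codes(findings):
    """Keep only the finding codes, in the order they were reported."""
    return [code for code, _ in findings]


if __name__ == "__main__":
    for code, advice in preflight(BROKEN_CFG, JVM_FLAGS, STARTUP_LOG):
        print(f"{code}: {advice}")
```
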

Re: [ANNOUNCE] Apache Curator 5.0.0 released

2020-05-29 Thread Enrico Olivelli - Diennea
Congrats
Enrico

On 29/05/20, 09:45, "tison" wrote:

Congrats!

Best,
tison.


Szalay-Bekő Máté wrote on Fri, May 29, 2020 at 3:14 PM:

> congratulations for the Curator community, seems to be a nice release! :)
>
> On Fri, May 29, 2020 at 1:48 AM Cameron McKenzie wrote:
>
> > Hello,
> >
> > The Apache Curator team is pleased to announce the release of version
> > 5.0.0. Apache Curator is a Java/JVM client library for Apache
> > ZooKeeper[1], a distributed coordination service. Apache Curator includes a
> > high-level API framework and utilities to make using Apache ZooKeeper much
> > easier and more reliable. It also includes recipes for common use cases and
> > extensions such as service discovery and a Java 8 asynchronous DSL. For
> > more details, please visit the project website: http://curator.apache.org/
> >
> > The download page for Apache Curator is here:
> > https://cwiki.apache.org/confluence/display/CURATOR/Releases
> >
> > The binary artifacts for Curator are available from Maven Central and its
> > mirrors.
> >
> > For general information on Apache Curator, please visit the project
> > website:
> > http://curator.apache.org
> >
> > Release Notes - Apache Curator - Version 5.0.0
> >
> > ** Bug
> > * [CURATOR-440] - curator-framework is unable to load in OSGi
> > * [CURATOR-464] - Unable to instantiate client in OSGi
> > * [CURATOR-525] - There is a race condition in Curator which might lead
> > to fake SUSPENDED event and ruin CuratorFrameworkImpl inner state
> > * [CURATOR-559] - Inconsistent ZK timeouts
> >
> > ** New Feature
> > * [CURATOR-544] - Implement SessionFailedRetryPolicy
> >
> > ** Improvement
> > * [CURATOR-549] - ZooKeeper 3.6 will add support for Persistent
> > Recursive Watchers - Add Curator support
> > * [CURATOR-558] - ZooKeeper 3.6.0 has many API changes - bring Curator
> > up to date
> > * [CURATOR-562] - Remove ConnectionHandlingPolicy
> > * [CURATOR-564] - Changes to retry failed TestingServer starts should
> > be applied to TestingCluster
> > * [CURATOR-568] - New option allowing CuratorFramework skip ZK ensemble
> > tracking
> >
> > Regards,
> >
> > The Curator Team
> >
> > [1] Apache ZooKeeper https://zookeeper.apache.org/
> >
>






Re: Issue starting zookeeper using QuickStart

2020-04-21 Thread Enrico Olivelli - Diennea
Dave,
are you running on Windows ?
I am not sure ZooKeeper server is able to run on Windows.
Are you using "Git bash" or "cygwin" ?

Which version are you using ?

Enrico

On 21/04/20, 17:15, "David Cleary" wrote:

Following the QuickStart instructions, I am running into the following 
exception when executing

zkServer start

2020-04-21 09:13:35,005 [myid:] - ERROR [main:ZooKeeperServerMain@69] - Invalid arguments, exiting abnormally
java.lang.NumberFormatException: For input string: "C:\OpenEdge\WRK\zootest1\zookeeper\bin\..\conf\zoo.cfg"
    at java.base/java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
    at java.base/java.lang.Integer.parseInt(Integer.java:652)
    at java.base/java.lang.Integer.parseInt(Integer.java:770)
    at org.apache.zookeeper.server.ServerConfig.parse(ServerConfig.java:78)
    at org.apache.zookeeper.server.ZooKeeperServerMain.initializeAndRun(ZooKeeperServerMain.java:109)
    at org.apache.zookeeper.server.ZooKeeperServerMain.main(ZooKeeperServerMain.java:67)
    at org.apache.zookeeper.server.quorum.QuorumPeerMain.initializeAndRun(QuorumPeerMain.java:140)
    at org.apache.zookeeper.server.quorum.QuorumPeerMain.main(QuorumPeerMain.java:90)
2020-04-21 09:13:35,007 [myid:] - INFO  [main:ZooKeeperServerMain@70] - Usage: ZooKeeperServerMain configfile | port datadir [ticktime] [maxcnxns]
Usage: ZooKeeperServerMain configfile | port datadir [ticktime] [maxcnxns]
2020-04-21 09:13:35,012 [myid:] - INFO  [main:ZKAuditProvider@42] - ZooKeeper audit is disabled.
2020-04-21 09:13:35,015 [myid:] - ERROR [main:ServiceUtils@42] - Exiting JVM with code 2

Code is trying to parse the path to config file for some reason.

clientPortAddress = new InetSocketAddress(Integer.parseInt(args[0]));

I can start the server by not including the start command. However, I have 
no idea how to shut it down.

Any ideas how to get around this issue?

Thanks
Dave






Re: Debian/Ubuntu package of version 3.5?

2020-03-31 Thread Enrico Olivelli - Diennea
Reynald
You can try to check at BigTop
http://bigtop.apache.org/

As ZooKeeper community we are not providing packaging other than bare tar.gz

Enrico

On 31/03/20, 08:34, "Reynald Borer" wrote:

Hello everyone,

Is there any Debian/Ubuntu package of zookeeper 3.5 available?

I have tried to find one without success so far.

Thanks and best regards,
Reynald







Re: Admin server deadlocks?

2020-02-11 Thread Enrico Olivelli - Diennea


On 12/02/20, 01:21, "gdgenz" wrote:

Andor Molnar-3 wrote
> Enrico, I think I'll step up for RM of 3.5.7 this week. Hope I can find
> some free cycles. Stay tuned.
>
> Andor

We just upgraded several zookeeper clusters (Kafka and ClickHouse) to 3.5.6
and are seeing hangs on the AdminServer, which we are using for some
critical monitoring.  We're not experts at hacking Java builds, so we are
hoping that this fix will be in an official release soon.

On dev@ list we are VOTING 3.5.7, you can test the release


 In the meantime,
can we just update the /lib folder with the new Jetty jars and modify the
java command line accordingly?


Yes


Enrico


Thanks,

Geoff Genz
Principal Engineer, Comcast




--
Sent from: http://zookeeper-user.578899.n2.nabble.com/







Re: ZooKeeper in secure mode

2020-01-16 Thread Enrico Olivelli - Diennea
Praveen
In order to use Netty it is better for you to use 3.5.6 that contains Netty 4,
ZooKeeper 3.4.x uses the deprecated Netty 3 for TLS, and it is known to have
security flaws and it is no longer maintained

Btw your problem looks like there is a missing class and it is weird

Enrico

On 16/01/20, 10:25, "Praveen Kumar K S" wrote:

Hello,

I'm looking for help on enabling authentication in zookeeper. Please note
below approach I have tried.

1. I followed

https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+SSL+User+Guide
2. I'm deploying zookeeper as single node using docker
3. Zookeeper version is 3.4.13
4. Below are some important environmental variables in zookeeper container


CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
-Dzookeeper.client.secure=true
-Dzookeeper.ssl.keyStore.location=/opt/vault/zookeeper/ssl/KeyStore.jks
-Dzookeeper.ssl.keyStore.password=XX@123
-Dzookeeper.ssl.trustStore.location=/opt/vault/zookeeper/ssl/truststore.jks
-Dzookeeper.ssl.trustStore.password=XX@123


SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
-Dzookeeper.ssl.keyStore.location=/opt/vault/zookeeper/ssl/KeyStore.jks
-Dzookeeper.ssl.keyStore.password=XX@123
-Dzookeeper.ssl.trustStore.location=/opt/vault/zookeeper/ssl/truststore.jks
-Dzookeeper.ssl.trustStore.password=XX@123


zookeeper.serverCnxnFactory="org.apache.zookeeper.server.NettyServerCnxnFactory"

5. Below is conf file
server.1=0.0.0.0:2888:3888
secureClientPort=2281
initLimit=5
syncLimit=2
tickTime=2000
clientPort=2181
clientPortAddress=zookeeper
dataLogDir=/opt/vault/zookeeper/logs
dataDir=/opt/vault/zookeeper/data

6. Zookeeper is healthy
7. I tried connecting to Zookeeper server from my machine using zkCli.sh.
But getting below error

2020-01-16 14:21:27,798 [myid:] - INFO  [main:ZooKeeper@442] - Initiating
client connection, connectString=zookeeper:2281 sessionTimeout=3
watcher=org.apache.zookeeper.ZooKeeperMain$MyWatcher@531d72ca
Exception in thread "main" java.io.IOException: Couldn't instantiate
org.apache.zookeeper.ClientCnxnSocketNetty
at org.apache.zookeeper.ZooKeeper.getClientCnxnSocket(ZooKeeper.java:1851)
at org.apache.zookeeper.ZooKeeper.(ZooKeeper.java:453)
at org.apache.zookeeper.ZooKeeperMain.connectToZK(ZooKeeperMain.java:283)
at org.apache.zookeeper.ZooKeeperMain.(ZooKeeperMain.java:297)
at org.apache.zookeeper.ZooKeeperMain.main(ZooKeeperMain.java:290)
Caused by: java.lang.ClassNotFoundException:
org.apache.zookeeper.ClientCnxnSocketNetty
at java.net.URLClassLoader.findClass(URLClassLoader.java:382)
at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:349)
at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:264)
at org.apache.zookeeper.ZooKeeper.getClientCnxnSocket(ZooKeeper.java:1848)
... 4 more

8.Zookeeper is working fine on 2181
9.I tried to connect Kafka to Zookeeper on port 2281. Getting below error

[2020-01-16 09:12:07,477] INFO Initiating client connection,
connectString=zookeeper:2281 sessionTimeout=6000
watcher=kafka.zookeeper.ZooKeeperClient$ZooKeeperClientWatcher$@5c33f1a9
(org.apache.zookeeper.ZooKeeper)
[2020-01-16 09:12:07,488] INFO [ZooKeeperClient] Waiting until connected.
(kafka.zookeeper.ZooKeeperClient)
[2020-01-16 09:12:07,489] INFO Opening socket connection to server
zookeeper/172.16.13.2:2281. Will not attempt to authenticate using SASL
(unknown error) (org.apache.zookeeper.ClientCnxn)
[2020-01-16 09:12:07,493] INFO Socket error occurred: zookeeper/
172.16.13.2:2281: Connection refused (org.apache.zookeeper.ClientCnxn)
[2020-01-16 09:12:08,599] INFO Opening socket connection to server
zookeeper/172.16.13.2:2281. Will not attempt to authenticate using SASL
(unknown error) (org.apache.zookeeper.ClientCnxn)

Please help and advise.

Regards,
Praveen Kumar K S
+91-9986855625






Re: Zookeeper and curator SASL authentication

2020-01-15 Thread Enrico Olivelli - Diennea
Yes, they are system properties

You can take this guide (about Kafka) as example
https://docs.confluent.io/current/kafka/authentication_sasl/authentication_sasl_gssapi.html



On 15/01/20, 13:17, "Arpit Jain" wrote:

I have not passed those parameters. Is this something I need to set in
Zookeeper (zoo.cfg) ?

On Wed, Jan 15, 2020 at 12:12 PM Enrico Olivelli - Diennea <
enrico.olive...@diennea.com> wrote:

> Usually with SASL auth you are using:
> kerberos.removeHostFromPrincipal=true
> kerberos.removeRealmFromPrincipal=true
>
> is this the case for you ?
>
> Enrico
>
> On 15/01/20, 13:01, "Arpit Jain" wrote:
>
> I have asked in Curator mailing list as well but not much help. I am able
> to set ACL with sasl scheme by using zkCli.sh client in Zookeeper server.
> The idea is to use Curator to set the ACLs so that only my client
> application can access its Znodes.
>
>
> On Wed, Jan 15, 2020 at 9:21 AM Szalay-Bekő Máté <szalay.beko.m...@gmail.com>
> wrote:
>
> > I am not sure what is wrong with the code... I am not familiar with
> > Curator. I can try to google / reproduce this and see what is wrong, but it
> > will take a while for me. So first I would ask the others, maybe there is
> > someone who knows both ZooKeeper SASL and Curator and can help you more in
> > this mailing list. If no one replies, then I will try to set up a dummy
> > project with Curator to test this.
> >
> > Did you also ask around the Curator mailing list maybe? Would it help if I
> > send you code about setting the ACLs using plain ZooKeeper (and no Curator)?
> >
> > On Tue, Jan 14, 2020 at 2:48 PM Arpit Jain wrote:
> >
> >> Thanks for the clarification.
> >> I am able to authenticate client with Zookeeper. However, when I started
> >> to set ACLs with the same client, I get error messages. This is how I am
> >> creating curator client for setting ACLs
> >>
> >> CuratorFrameworkFactory.Builder builder =
> >>     CuratorFrameworkFactory.builder()
> >>         .connectString(coordinatorHosts)
> >>         .retryPolicy(retryPolicy)
> >>         .connectionTimeoutMs(coordinatorConnectionTimeout)
> >>         .sessionTimeoutMs(coordinatorSessionTimeout);
> >>
> >> final CuratorFramework curatorFramework =
> >>     builder.authorization("sasl", "zkclient/z...@example.com".getBytes())
> >>         .aclProvider(new ACLProvider() {
> >>             @Override
> >>             public List<ACL> getDefaultAcl() {
> >>                 return ZooDefs.Ids.CREATOR_ALL_ACL;
> >>             }
> >>
> >>             @Override
> >>             public List<ACL> getAclForPath(String path) {
> >>                 return ZooDefs.Ids.CREATOR_ALL_ACL;
> >>             }
> >>         }).build();
> >>
> >>
> >>  I see below logs in Zookeeper node:
> >>
> >>
> >>
> >>
> >>
> >> *2020-01-14 13:27:53,174 [myid:1] - INFO
> >>  [NIOWorkerThread-3:SaslServerCallbackHandler@120] - Successfully
> >> authenticated client: authenticationID=zkclient/z...@example.com
> >> ;  authorizationID=zkclient/z...@example.com
> >> .2020-01-14 13:27:53,175 [myid:1] - INFO
> >>  [NIOWorkerThread-3:SaslServerCallbackHandler@136] - Setting
> authorizedID:
> >> zkclient/z...@example.com 2020-01-14 13:27:53,175
> >> [myid:1] - INFO  [NIOWorkerThread-3:ZooKeeperServer@1170] - adding
> SASL
> >> authorization for authorizationID: zkclient/z...@example.com
> >> 2020-01-14 13:27:53,182 [myid:1] - INFO
> >>  [NIOWorkerThread-7:ZooKeeperServer@1095] - got auth packet
> >>

Re: Kerberos login error: Message stream modified (41)

2019-10-29 Thread Enrico Olivelli - Diennea
I would try to shrink the file to the minimum and add one line at a time.

With JDK8 we also had problems with Unlimited Strength policy stuff

Hope that helps

Enrico Olivelli
MagNews Platform Development Manager @ Diennea – MagNews
Tel.: (+39) 0546 066100 - Int. 125
Viale G.Marconi 30/14 - 48018 Faenza (RA)





On 29/10/19, 10:55, "Andor Molnar" wrote:

Thanks Enrico for the quick help.

Here’s my krb5.conf:

[libdefaults]
default_realm = STREAMANALYTICS
dns_lookup_kdc = false
dns_lookup_realm = false
ticket_lifetime = 86400
renew_lifetime = 604800
forwardable = true
default_tgs_enctypes = aes256-cts aes128-cts des3-hmac-sha1 arcfour-hmac des3-hmac-sha1 des-cbc-md5
default_tkt_enctypes = aes256-cts aes128-cts des3-hmac-sha1 arcfour-hmac des3-hmac-sha1 des-cbc-md5
permitted_enctypes = aes256-cts aes128-cts des3-hmac-sha1 arcfour-hmac des3-hmac-sha1 des-cbc-md5
udp_preference_limit = 1
kdc_timeout = 3000
[realms]
STREAMANALYTICS = {
  kdc = ldap0.mydomain.com
  admin_server = ldap0.mydomain.com
}
[domain_realm]

;

I wonder if the default encryption type settings could be the problem. I 
need to verify if it works with Java 8, because it might be a Java 11 or ZK 3.5 
thing. Or both.

Andor





> On 2019. Oct 29., at 8:42, Enrico Olivelli - Diennea wrote:
>
> Andor,
> this is a minimal krb5.conf file that is working from jdk8 to jdk13 and
> ZooKeeper
>
> maybe you can compare to your one and start dropping configuration lines
> that are not needed.
>
> Java is adding more and more capabilities to GSSAPI support and this
> sometimes leads to behavior changes
>
>
> [libdefaults]
> default_realm = MYDOMAIN
>
> [realms]
> MYDOMAIN  = {
>  kdc = kerberos1.mydomain.com
>  kdc = kerberos2.mydomain.com
>  kdc = kerberos3.mydomain.com
> }
>
>
>
> Enrico Olivelli
>
>
>
> On 28/10/19, 17:56, "Enrico Olivelli" wrote:
>
>Andor
>
>On Mon, 28 Oct 2019, 17:44, Andor Molnar wrote:
>
>> Hi,
>>
>> I’m facing the following error message when trying to run ZooKeeper 3.5.5
>> on Java 11 with Kerberos authentication:
>>
>> 2019-10-28 16:30:04,811 INFO
>> org.apache.zookeeper.server.ServerCnxnFactory: Using
>> org.apache.zookeeper.server.NIOServerCnxnFactory as server connection
>> factory
>> 2019-10-28 16:30:04,823 INFO org.apache.zookeeper.common.X509Util: Setting
>> -D jdk.tls.rejectClientInitiatedRenegotiation=true to disable
>> client-initiated TLS renegotiation
>> 2019-10-28 16:30:05,012 ERROR
>> org.apache.zookeeper.server.quorum.QuorumPeerMain: Unexpected exception,
>> exiting abnormally
>> java.io.IOException: Could not configure server because SASL configuration
>> did not allow the  ZooKeeper server to authenticate itself properly:
>> javax.security.auth.login.LoginException: Message stream modified (41)
>>     at org.apache.zookeeper.server.ServerCnxnFactory.configureSaslLogin(ServerCnxnFactory.java:243)
>>     at org.apache.zookeeper.server.NIOServerCnxnFactory.configure(NIOServerCnxnFactory.java:646)
>>     at org.apache.zookeeper.server.quorum.QuorumPeerMain.runFromConfig(QuorumPeerMain.java:148)
>>     at org.apache.zookeeper.server.quorum.QuorumPeerMain.initializeAndRun(QuorumPeerMain.java:123)
>>     at org.apache.zookeeper.server.quorum.QuorumPeerMain.main(QuorumPeerMain.java:82)
>> …
>>
>> zoo.cfg:
>> 
>> tickTime=2000
>> initLimit=10
>> syncLimit=5
>>
>> 4lw.commands.whitelist=conf,cons,crst,dirs,dump,envi,gtmk,ruok,stmk,srst,srvr,stat,wchs,mntr,isro
>> dataDir=/var/lib/zookeeper
>> dataLogDir=/var/lib/zookeeper
>> cl
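
The reduction procedure suggested in this thread (start from the minimal krb5.conf and add one line at a time), as an added example that is not part of the original messages. `CORE`, `plan` and `first_breaking_setting` are names made up here, and `works` stands for whatever login check you run against each candidate file; the scan assumes a single setting is responsible.

```python
import re

# Andor's krb5.conf as posted in the thread, with the mail client's line wraps rejoined.
FULL = """\
[libdefaults]
default_realm = STREAMANALYTICS
dns_lookup_kdc = false
dns_lookup_realm = false
ticket_lifetime = 86400
renew_lifetime = 604800
forwardable = true
default_tgs_enctypes = aes256-cts aes128-cts des3-hmac-sha1 arcfour-hmac des3-hmac-sha1 des-cbc-md5
default_tkt_enctypes = aes256-cts aes128-cts des3-hmac-sha1 arcfour-hmac des3-hmac-sha1 des-cbc-md5
permitted_enctypes = aes256-cts aes128-cts des3-hmac-sha1 arcfour-hmac des3-hmac-sha1 des-cbc-md5
udp_preference_limit = 1
kdc_timeout = 3000
[realms]
STREAMANALYTICS = {
  kdc = ldap0.mydomain.com
  admin_server = ldap0.mydomain.com
}
[domain_realm]
"""
# (section, key) pairs present in Enrico's minimal file; every other setting is an "extra".
CORE = {("libdefaults", "default_realm"), ("realms", "kdc")}

def plan(text, core=CORE):
    """Return [(added, config_text)]: step 0 is the core, step n re-adds the n-th extra."""
    section, rows, extras = None, [], []
    for line in text.splitlines():
        s = line.strip()
        header = re.fullmatch(r"\[(\w+)\]", s)
        if header:
            section = header.group(1)
        setting = "=" in s and s[0] not in "#;" and not s.endswith("{")
        key = s.split("=", 1)[0].strip() if setting else None
        if setting and (section, key) not in core:
            extras.append(f"{section}.{key}")
            rows.append((line, len(extras)))   # re-added at step len(extras)
        else:
            rows.append((line, 0))             # structure, comment or core: always kept
    steps = []
    for n in range(len(extras) + 1):
        body = "\n".join(line for line, at in rows if at <= n) + "\n"
        steps.append((extras[n - 1] if n else None, body))
    return steps

def first_breaking_setting(text, works):
    """Call works(config_text) on each step; return the setting whose addition first fails."""
    for added, body in plan(text):
        if not works(body):
            return added or "core"
    return None
```

In practice `works` would write the step to a file, start the JVM with `-Djava.security.krb5.conf` pointing at it, and report whether the SASL login succeeds.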

Re: Kerberos login error: Message stream modified (41)

2019-10-29 Thread Enrico Olivelli - Diennea
Andor,
this is a minimal krb5.conf file that is working from jdk8 to jdk13 and 
ZooKeeper

maybe you can compare to your one and start dropping configuration lines that 
are not needed.

Java is adding more and more capabilities to GSSAPI support and this sometimes 
leads to behavior changes


[libdefaults]
 default_realm = MYDOMAIN

[realms]
 MYDOMAIN  = {
  kdc = kerberos1.mydomain.com
  kdc = kerberos2.mydomain.com
  kdc = kerberos3.mydomain.com
 }



Enrico Olivelli



On 28/10/19, 17:56, "Enrico Olivelli" wrote:

Andor

On Mon, 28 Oct 2019, 17:44, Andor Molnar wrote:

> Hi,
>
> I’m facing the following error message when trying to run ZooKeeper 3.5.5
> on Java 11 with Kerberos authentication:
>
> 2019-10-28 16:30:04,811 INFO
> org.apache.zookeeper.server.ServerCnxnFactory: Using
> org.apache.zookeeper.server.NIOServerCnxnFactory as server connection
> factory
> 2019-10-28 16:30:04,823 INFO org.apache.zookeeper.common.X509Util: Setting
> -D jdk.tls.rejectClientInitiatedRenegotiation=true to disable
> client-initiated TLS renegotiation
> 2019-10-28 16:30:05,012 ERROR
> org.apache.zookeeper.server.quorum.QuorumPeerMain: Unexpected exception,
> exiting abnormally
> java.io.IOException: Could not configure server because SASL configuration
> did not allow the  ZooKeeper server to authenticate itself properly:
> javax.security.auth.login.LoginException: Message stream modified (41)
>     at org.apache.zookeeper.server.ServerCnxnFactory.configureSaslLogin(ServerCnxnFactory.java:243)
>     at org.apache.zookeeper.server.NIOServerCnxnFactory.configure(NIOServerCnxnFactory.java:646)
>     at org.apache.zookeeper.server.quorum.QuorumPeerMain.runFromConfig(QuorumPeerMain.java:148)
>     at org.apache.zookeeper.server.quorum.QuorumPeerMain.initializeAndRun(QuorumPeerMain.java:123)
>     at org.apache.zookeeper.server.quorum.QuorumPeerMain.main(QuorumPeerMain.java:82)
> …
>
> zoo.cfg:
> 
> tickTime=2000
> initLimit=10
> syncLimit=5
>
> 4lw.commands.whitelist=conf,cons,crst,dirs,dump,envi,gtmk,ruok,stmk,srst,srvr,stat,wchs,mntr,isro
> dataDir=/var/lib/zookeeper
> dataLogDir=/var/lib/zookeeper
> clientPort=2181
> maxClientCnxns=60
> minSessionTimeout=4000
> maxSessionTimeout=6
> autopurge.purgeInterval=24
> autopurge.snapRetainCount=5
> quorum.auth.enableSasl=true
> quorum.cnxn.threads.size=20
> admin.enableServer=false
> admin.serverPort=5181
> server.1=cdf1-dc1.mydomain.com:3181:4181
> server.2=cdf1-dc2.mydomain.com:3181:4181
> server.3=cdf1-dc3.mydomain.com:3181:4181
> leaderServes=yes
> authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
> kerberos.removeHostFromPrincipal=true
> kerberos.removeRealmFromPrincipal=true
> quorum.auth.kerberos.servicePrincipal=zookeeper/_HOST
> quorum.auth.learnerRequireSasl=true
> quorum.auth.serverRequireSasl=true
>
> java -version:
> ——
> openjdk version "11.0.4" 2019-07-16
> OpenJDK Runtime Environment AdoptOpenJDK (build 11.0.4+11)
> OpenJDK 64-Bit Server VM AdoptOpenJDK (build 11.0.4+11, mixed mode)
>
>
> Has anyone seen this problem before?
> What does the error message mean?
>
> Unfortunately we swallow the original exception in ServerCnxnFactory and
> only log the message without stacktrace.
>

Did you enable debug?

https://stackoverflow.com/questions/15382056/enable-detailed-logging-for-kerberos-in-java

I remember we had some issue while switching from jdk8 to jdk9

There was something in krb.conf that was not compatible due to some
stricter config check but we didn't need that line and we dropped it.
I can check only tomorrow at work.
Unfortunately java Kerberos client is not so verbose.

Can you share your krb config files? Without hostnames

Enrico


> Thanks,
> Andor
>
>
>






Re: NPE on ClientCnxnSocketNetty on 3.5.3-BETA

2017-09-08 Thread Enrico Olivelli - Diennea
On Thu, 07/09/2017 at 15.36 -0700, Abraham Fine wrote:

My fault, I should have read the subject. :)

I have an idea of what is causing this issue. Just out of curiosity,
besides the ugly stack trace, is this issue associated with any
unexpected behavior from zookeeper?


Thank you Abraham for your quick response,

Honestly I do not know, it came out on unit tests only once and I do not have 
logs on the server side, sorry.
The test is about dealing with an expired session, something like:
- start a session
- create a new ZooKeeper with the same sessionid and password and close it -> 
the session expires
- close the session -> boom!

I saw it only once, and I have upgraded my env to zookeeper 3.5.3-BETA 2 months 
ago
It is a unit test so ZK server is running in the same JVM

Anyway IMHO this is a bad error and the client should not ever crash in spite 
of weird server side behavior
Do you think it is related to another reported issue ?

I can help on fixing it

Cheers
Enrico




Thanks,
Abe

On Thu, Sep 7, 2017, at 12:47, Enrico Olivelli wrote:


3.5.3 Beta , my bad I have only written it in the subject
Thanks
Enrico

On Thu 7 Sep 2017, 21:18 Abraham Fine wrote:



Would you mind sharing which version of ZooKeeper you are using?

Thanks,
Abe

On Thu, Sep 7, 2017, at 06:59, Enrico Olivelli wrote:


Hi all,
I have hit this error during internal tests of my product. The problem is
not always reproducible

java.lang.NullPointerException
    at org.apache.zookeeper.ClientCnxnSocketNetty.onClosing(ClientCnxnSocketNetty.java:206)
    at org.apache.zookeeper.ClientCnxn$SendThread.close(ClientCnxn.java:1395)
    at org.apache.zookeeper.ClientCnxn.disconnect(ClientCnxn.java:1440)
    at org.apache.zookeeper.ClientCnxn.close(ClientCnxn.java:1467)
    at org.apache.zookeeper.ZooKeeper.close(ZooKeeper.java:1319)

I did not find any issue in JIRA related to this stacktrace

Does anyone ever hit this problem ?
Otherwise I will create a JIRA and start looking at the cause

Thanks
Enrico Olivelli





--


-- Enrico Olivelli


--

Enrico Olivelli Software Development Manager @Diennea Tel.: (+39) 0546 066100 - 
Int. 925 Viale G.Marconi 30/14 - 48018 Faenza (RA) MagNews - E-mail Marketing 
Solutions http://www.magnews.it Diennea - Digital Marketing Solutions 
http://www.diennea.com



Subscribe to our newsletter to stay up to date on digital and email
marketing! http://www.magnews.it/newsletter/

The information in this email is confidential and may be legally privileged. If 
you are not the intended recipient please notify the sender immediately and 
destroy this email. Any unauthorized, direct or indirect, disclosure, copying, 
storage, distribution or other use is strictly forbidden.


Re: Undestanding the auth: scheme

2016-09-09 Thread Enrico Olivelli - Diennea
Thank you Arshad

On Fri, 09/09/2016 at 20.04 +0530, Arshad Mohammad wrote:

1) "every one can read" and "only authenticated users can write"
No, it is not possible
a) When you set auth ACL, acls are set for the authorized users in current
session. Not for the future authorized users
auth scheme is replaced with the authentication schemes of the authorized users
b) For {world, anyone} ACLs  permissions are not checked. {world, anyone}
can not be limited to only read permission



It's clear. Thanks



2) Give access to user in principal user/HOST1@REALM
This you can do, but not the way you are doing right now
a) In all ZooKeeper servers configure the properties below to ignore the host
and realm part of the principal. These properties should be configured in
zoo.cfg
kerberos.removeHostFromPrincipal=true
kerberos.removeRealmFromPrincipal=true
b) Your permission should be ACL(ZooDefs.Perms.ALL, new Id("sasl", "user"))
instead of ACL(ZooDefs.Perms.ALL, new Id("sasl", "user/**@REALM"))



This solution is working for me.

Thank you very much



3) SASL Kerberos super user
zookeeper.superUser property works with sasl kerberos authentication scheme
as well.




- Arshad

On Fri, Sep 9, 2016 at 7:07 PM, Enrico Olivelli - Diennea <enrico.olive...@diennea.com> wrote:



Hi,
I would like to set an ACL that lets every client to read the content of a
node and list its children, and forces every write (setData, create
children...) to be done by any authenticated user.
Something like "every one can read" and "only authenticated users can
write"
I'm using SASL/Kerberos and Zookeeper 3.4.8, with the Java Client API

List<ACL> myACL = Arrays.asList(
    new ACL(ZooDefs.Perms.ALL, AUTH_IDS),
    new ACL(ZooDefs.Perms.READ, ANYONE_ID_UNSAFE)
);

I'm trying to use the 'auth' scheme on setACL, but it is substituted by
the client ID

Another useful setup for me, with Kerberos, it would be to give access to
the nodes only to clients which have the same "user" in the principal
my principals look like
user/HOST1@REALM
user/HOST2@REALM
user/HOST3@REALM

My ACL would be ZooDefs.Perms.ALL to user/@REALM

is it possible ?


Another secondary question
I see that for digest auth you can set up a "super user"
https://community.hortonworks.com/articles/29900/zookeeper-using-superdigest-to-gain-full-access-to.html

I cannot get zookeeper.superUser system property to work with SASL/Kerberos

is it possible for SASL/Kerberos ?


Thank you






--
Enrico Olivelli
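
A simplified model of point 2 in the reply above, added here as an example and not taken from the thread or from ZooKeeper's code: it shows how the two zoo.cfg properties reduce each principal to the id that a `sasl` ACL entry is compared with. The function names, the constructed zoo.cfg fragment and the two extra principals are assumptions of this example, as is the absence of auth_to_local rewriting rules; ids are compared as literal strings.

```python
# Constructed zoo.cfg fragment carrying the two properties named in the reply.
ZOO_CFG = "kerberos.removeHostFromPrincipal=true\nkerberos.removeRealmFromPrincipal=true\n"

# The three principals from the question plus two constructed ones for contrast.
PRINCIPALS = ["user/HOST1@REALM", "user/HOST2@REALM", "user/HOST3@REALM",
              "other/HOST1@REALM", "user/HOST9@OTHERREALM"]

def read_flags(cfg_text):
    """Return (remove_host, remove_realm) from zoo.cfg text; a missing key counts as false."""
    props = {}
    for line in cfg_text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip().lower()
    return (props.get("kerberos.removeHostFromPrincipal") == "true",
            props.get("kerberos.removeRealmFromPrincipal") == "true")

def authorized_id(principal, remove_host, remove_realm):
    """Reduce primary/host@REALM to the id compared with sasl ACL entries.
    Assumption of this model: no auth_to_local rewriting rules are configured."""
    name, _, realm = principal.partition("@")
    primary, _, host = name.partition("/")
    ident = primary
    if host and not remove_host:
        ident += "/" + host
    if realm and not remove_realm:
        ident += "@" + realm
    return ident

def who_matches(principals, acl_id, cfg_text):
    """Return the principals whose reduced id equals the sasl ACL id (literal comparison)."""
    flags = read_flags(cfg_text)
    return [p for p in principals if authorized_id(p, *flags) == acl_id]
```

With both properties set, the single entry `Id("sasl", "user")` covers all three hosts, and in this model it also covers any other accepted principal whose primary is `user`, whatever its host or realm, so the ACL no longer distinguishes them.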


Undestanding the auth: scheme

2016-09-09 Thread Enrico Olivelli - Diennea
Hi,
I would like to set an ACL that lets every client to read the content of a node 
and list its children, and forces every write (setData, create children...) to 
be done by any authenticated user.
Something like "every one can read" and "only authenticated users can write"
I'm using SASL/Kerberos and Zookeeper 3.4.8, with the Java Client API

List<ACL> myACL = Arrays.asList(
    new ACL(ZooDefs.Perms.ALL, AUTH_IDS),
    new ACL(ZooDefs.Perms.READ, ANYONE_ID_UNSAFE)
);

I'm trying to use the 'auth' scheme on setACL, but it is substituted by the 
client ID

Another useful setup for me, with Kerberos, it would be to give access to the 
nodes only to clients which have the same "user" in the principal
my principals look like
user/HOST1@REALM
user/HOST2@REALM
user/HOST3@REALM

My ACL would be ZooDefs.Perms.ALL to user/@REALM

is it possible ?


Another secondary question
I see that for digest auth you can set up a "super user"
https://community.hortonworks.com/articles/29900/zookeeper-using-superdigest-to-gain-full-access-to.html

I cannot get zookeeper.superUser system property to work with SASL/Kerberos

is it possible for SASL/Kerberos ?


Thank you



--
Enrico Olivelli


Undestanding the auth: scheme

2016-09-09 Thread Enrico Olivelli - Diennea
Hi,
I would like to set an ACL that lets every client to read the content of a node 
and list its children, and forces every write (setData, create children...) to 
be done to any authenticated user.
Something like "every one can read" and "only authenticated users can write"
I'm using SASL/Kerberos and Zookeeper 3.4.8, with the Java Client API

List<ACL> myACL = Arrays.asList(
    new ACL(ZooDefs.Perms.ALL, AUTH_IDS),
    new ACL(ZooDefs.Perms.READ, ANYONE_ID_UNSAFE)
);

I'm trying to use the 'auth' scheme on setACL, but it is substituted by the 
client ID

Another useful setup for me, with Kerberos, it would be to give access to the 
nodes only to clients which have the same "user" in the principal
my principals look like
user/HOST1@REALM
user/HOST2@REALM
user/HOST3@REALM

My ACL would be ZooDefs.Perms.ALL to user/@REALM

is it possible ?


Another secondary question
I see that for digest auth you can set up a "super user"
https://community.hortonworks.com/articles/29900/zookeeper-using-superdigest-to-gain-full-access-to.html

is it possible for SASL/Kerberos ?


Thank you



--
Enrico Olivelli