LiJie2023 created ZOOKEEPER-4740:
------------------------------------

             Summary: I want to use Kerberos for ZooKeeper, but my authentication has been unsuccessful
                 Key: ZOOKEEPER-4740
                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4740
             Project: ZooKeeper
          Issue Type: Wish
          Components: kerberos
    Affects Versions: 3.5.9
            Reporter: LiJie2023
         Attachments: image-2023-09-01-16-37-20-848.png

zookeeper_jaas.conf
{code:java}
Server {
 com.sun.security.auth.module.Krb5LoginModule required
 useKeyTab=true
 storeKey=true
 useTicketCache=false
 keyTab="/opt/test2.keytab"
 principal="test2/bigdata.hadoop.master01";
};

Client {
 com.sun.security.auth.module.Krb5LoginModule required
 useKeyTab=true
 keyTab="/opt/test2.keytab"
 principal="test2/bigdata.hadoop.master01"
 useTicketCache=false
 debug=true;
};
{code}
[root@bigdata conf]# cat java.env
{code:java}
export JVMFLAGS="-Djava.security.auth.login.config=/usr/lib/zookeeper/conf/zookeeper_jaas.conf"
{code}
/etc/krb5.conf
{code:java}
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 EXAMPLE.COM = {
  kdc = bigdata.hadoop.master01
  admin_server = bigdata.hadoop.master01
 }

[domain_realm]
 .bigdata.hadoop.master01 = EXAMPLE.COM
 bigdata.hadoop.master01 = EXAMPLE.COM
{code}
!image-2023-09-01-16-37-20-848.png!

When I use a client connection:
{code:java}
zookeeper-client -server localhost:12181
{code}
{code}
Connecting to localhost:12181
2023-09-01 16:38:05,528 - INFO  [main:Environment@109] - Client environment:zookeeper.version=3.5.9-83df9301aa5c2a5d284a9940177808c01bc35cef, built on 10/25/2022 23:07 GMT
2023-09-01 16:38:05,530 - INFO  [main:Environment@109] - Client environment:host.name=bigdata.hadoop.master01
2023-09-01 16:38:05,530 - INFO  [main:Environment@109] - Client environment:java.version=1.8.0_351
2023-09-01 16:38:05,532 - INFO  [main:Environment@109] - Client environment:java.vendor=Oracle Corporation
2023-09-01 16:38:05,532 - INFO  [main:Environment@109] - Client environment:java.home=/usr/java/jdk1.8.0_351-amd64/jre
2023-09-01 16:38:05,532 - INFO  [main:Environment@109] - Client environment:java.class.path=/usr/lib/zookeeper/bin/../zookeeper-server/target/classes:/usr/lib/zookeeper/bin/../build/classes:/usr/lib/zookeeper/bin/../zookeeper-server/target/lib/*.jar:/usr/lib/zookeeper/bin/../build/lib/*.jar:/usr/lib/zookeeper/bin/../lib/zookeeper-jute-3.5.9.jar:/usr/lib/zookeeper/bin/../lib/zookeeper-3.5.9.jar:/usr/lib/zookeeper/bin/../lib/slf4j-log4j12-1.7.25.jar:/usr/lib/zookeeper/bin/../lib/slf4j-api-1.7.25.jar:/usr/lib/zookeeper/bin/../lib/netty-transport-native-unix-common-4.1.50.Final.jar:/usr/lib/zookeeper/bin/../lib/netty-transport-native-epoll-4.1.50.Final.jar:/usr/lib/zookeeper/bin/../lib/netty-transport-4.1.50.Final.jar:/usr/lib/zookeeper/bin/../lib/netty-resolver-4.1.50.Final.jar:/usr/lib/zookeeper/bin/../lib/netty-handler-4.1.50.Final.jar:/usr/lib/zookeeper/bin/../lib/netty-common-4.1.50.Final.jar:/usr/lib/zookeeper/bin/../lib/netty-codec-4.1.50.Final.jar:/usr/lib/zookeeper/bin/../lib/netty-buffer-4.1.50.Final.jar:/usr/lib/zookeeper/bin/../lib/log4j-1.2.17.jar:/usr/lib/zookeeper/bin/../lib/json-simple-1.1.1.jar:/usr/lib/zookeeper/bin/../lib/jline-2.14.6.jar:/usr/lib/zookeeper/bin/../lib/jetty-util-ajax-9.4.35.v20201120.jar:/usr/lib/zookeeper/bin/../lib/jetty-util-9.4.35.v20201120.jar:/usr/lib/zookeeper/bin/../lib/jetty-servlet-9.4.35.v20201120.jar:/usr/lib/zookeeper/bin/../lib/jetty-server-9.4.35.v20201120.jar:/usr/lib/zookeeper/bin/../lib/jetty-security-9.4.35.v20201120.jar:/usr/lib/zookeeper/bin/../lib/jetty-io-9.4.35.v20201120.jar:/usr/lib/zookeeper/bin/../lib/jetty-http-9.4.35.v20201120.jar:/usr/lib/zookeeper/bin/../lib/javax.servlet-api-3.1.0.jar:/usr/lib/zookeeper/bin/../lib/jackson-databind-2.10.5.1.jar:/usr/lib/zookeeper/bin/../lib/jackson-core-2.10.5.jar:/usr/lib/zookeeper/bin/../lib/jackson-annotations-2.10.5.jar:/usr/lib/zookeeper/bin/../lib/commons-cli-1.2.jar:/usr/lib/zookeeper/bin/../lib/audience-annotations-0.5.0.jar:/usr/lib/zookeeper/bin/../zookeeper-jute.jar:/usr/lib/zookeeper/bin/../zookeeper-jute-3.5.9.jar:/usr/lib/zookeeper/bin/../zookeeper-3.5.9.jar:/usr/lib/zookeeper/bin/../zookeeper-server/src/main/resources/lib/*.jar:/etc/zookeeper/conf::/etc/zookeeper/conf:/usr/lib/zookeeper/zookeeper-3.5.9.jar:/usr/lib/zookeeper/zookeeper-jute-3.5.9.jar:/usr/lib/zookeeper/zookeeper-jute.jar:/usr/lib/zookeeper/zookeeper.jar:/usr/lib/zookeeper/lib/audience-annotations-0.5.0.jar:/usr/lib/zookeeper/lib/commons-cli-1.2.jar:/usr/lib/zookeeper/lib/jackson-annotations-2.10.5.jar:/usr/lib/zookeeper/lib/jackson-core-2.10.5.jar:/usr/lib/zookeeper/lib/jackson-databind-2.10.5.1.jar:/usr/lib/zookeeper/lib/javax.servlet-api-3.1.0.jar:/usr/lib/zookeeper/lib/jetty-http-9.4.35.v20201120.jar:/usr/lib/zookeeper/lib/jetty-io-9.4.35.v20201120.jar:/usr/lib/zookeeper/lib/jetty-security-9.4.35.v20201120.jar:/usr/lib/zookeeper/lib/jetty-server-9.4.35.v20201120.jar:/usr/lib/zookeeper/lib/jetty-servlet-9.4.35.v20201120.jar:/usr/lib/zookeeper/lib/jetty-util-9.4.35.v20201120.jar:/usr/lib/zookeeper/lib/jetty-util-ajax-9.4.35.v20201120.jar:/usr/lib/zookeeper/lib/jline-2.14.6.jar:/usr/lib/zookeeper/lib/json-simple-1.1.1.jar:/usr/lib/zookeeper/lib/log4j-1.2.17.jar:/usr/lib/zookeeper/lib/netty-buffer-4.1.50.Final.jar:/usr/lib/zookeeper/lib/netty-codec-4.1.50.Final.jar:/usr/lib/zookeeper/lib/netty-common-4.1.50.Final.jar:/usr/lib/zookeeper/lib/netty-handler-4.1.50.Final.jar:/usr/lib/zookeeper/lib/netty-resolver-4.1.50.Final.jar:/usr/lib/zookeeper/lib/netty-transport-4.1.50.Final.jar:/usr/lib/zookeeper/lib/netty-transport-native-epoll-4.1.50.Final.jar:/usr/lib/zookeeper/lib/netty-transport-native-unix-common-4.1.50.Final.jar:/usr/lib/zookeeper/lib/slf4j-api-1.7.25.jar:/usr/lib/zookeeper/lib/slf4j-log4j12-1.7.25.jar:/usr/lib/zookeeper/lib/zookeeper-3.5.9.jar:/usr/lib/zookeeper/lib/zookeeper-jute-3.5.9.jar:/usr/share/zookeeper/*
2023-09-01 16:38:05,533 - INFO  [main:Environment@109] - Client environment:java.library.path=/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
2023-09-01 16:38:05,533 - INFO  [main:Environment@109] - Client environment:java.io.tmpdir=/tmp
2023-09-01 16:38:05,533 - INFO  [main:Environment@109] - Client environment:java.compiler=<NA>
2023-09-01 16:38:05,533 - INFO  [main:Environment@109] - Client environment:os.name=Linux
2023-09-01 16:38:05,533 - INFO  [main:Environment@109] - Client environment:os.arch=amd64
2023-09-01 16:38:05,533 - INFO  [main:Environment@109] - Client environment:os.version=3.10.0-862.el7.x86_64
2023-09-01 16:38:05,534 - INFO  [main:Environment@109] - Client environment:user.name=root
2023-09-01 16:38:05,534 - INFO  [main:Environment@109] - Client environment:user.home=/root
2023-09-01 16:38:05,534 - INFO  [main:Environment@109] - Client environment:user.dir=/etc/zookeeper/conf.dist
2023-09-01 16:38:05,534 - INFO  [main:Environment@109] - Client environment:os.memory.free=236MB
2023-09-01 16:38:05,536 - INFO  [main:Environment@109] - Client environment:os.memory.max=245MB
2023-09-01 16:38:05,536 - INFO  [main:Environment@109] - Client environment:os.memory.total=245MB
2023-09-01 16:38:05,539 - INFO  [main:ZooKeeper@868] - Initiating client connection, connectString=localhost:12181 sessionTimeout=30000 watcher=org.apache.zookeeper.ZooKeeperMain$MyWatcher@1c655221
2023-09-01 16:38:05,544 - INFO  [main:X509Util@79] - Setting -D jdk.tls.rejectClientInitiatedRenegotiation=true to disable client-initiated TLS renegotiation
2023-09-01 16:38:05,550 - INFO  [main:ClientCnxnSocket@237] - jute.maxbuffer value is 4194304 Bytes
2023-09-01 16:38:05,557 - INFO  [main:ClientCnxn@1653] - zookeeper.request.timeout value is 0. feature enabled=
Welcome to ZooKeeper!
JLine support is enabled
Debug is  true storeKey false useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is /opt/test2.keytab refreshKrb5Config is false principal is test2/bigdata.hadoop.master01 tryFirstPass is false useFirstPass is false storePass is false clearPass is false
[zk: localhost:12181(CONNECTING) 0] principal is test2/bigdata.hadoop.maste...@example.com
Will use keytab
Commit Succeeded
2023-09-01 16:38:05,843 - INFO  [main-SendThread(localhost:12181):Login@302] - Client successfully logged in.
2023-09-01 16:38:05,845 - INFO  [Thread-1:Login$1@135] - TGT refresh thread started.
2023-09-01 16:38:05,848 - INFO  [main-SendThread(localhost:12181):SecurityUtils$1@128] - Client will use GSSAPI as SASL mechanism.
2023-09-01 16:38:05,848 - INFO  [Thread-1:Login@320] - TGT valid starting at:        Fri Sep 01 16:38:05 CST 2023
2023-09-01 16:38:05,848 - INFO  [Thread-1:Login@321] - TGT expires:                  Sun Feb 07 14:28:15 CST 2106
2023-09-01 16:38:05,849 - INFO  [Thread-1:Login$1@193] - TGT refresh sleeping until: Mon Mar 17 14:49:28 CST 2092
2023-09-01 16:38:05,857 - INFO  [main-SendThread(localhost:12181):ClientCnxn$SendThread@1112] - Opening socket connection to server localhost/127.0.0.1:12181. Will attempt to SASL-authenticate using Login Context section 'Client'
2023-09-01 16:38:05,861 - INFO  [main-SendThread(localhost:12181):ClientCnxn$SendThread@959] - Socket connection established, initiating session, client: /127.0.0.1:33722, server: localhost/127.0.0.1:12181
2023-09-01 16:38:05,870 - INFO  [main-SendThread(localhost:12181):ClientCnxn$SendThread@1394] - Session establishment complete on server localhost/127.0.0.1:12181, sessionid = 0x100001d3c2d0004, negotiated timeout = 30000
WATCHER::
WatchedEvent state:SyncConnected type:None path:null
2023-09-01 16:38:05,882 - ERROR [main-SendThread(localhost:12181):ZooKeeperSaslClient@341] - An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Ticket expired (32) - PROCESS_TGS)]) occurred when evaluating Zookeeper Quorum Member's  received SASL token. Zookeeper Client will go to AUTH_FAILED state.
2023-09-01 16:38:05,882 - ERROR [main-SendThread(localhost:12181):ClientCnxn$SendThread@1151] - SASL authentication with Zookeeper Quorum member failed: javax.security.sasl.SaslException: An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Ticket expired (32) - PROCESS_TGS)]) occurred when evaluating Zookeeper Quorum Member's  received SASL token. Zookeeper Client will go to AUTH_FAILED state. [Caused by java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Ticket expired (32) - PROCESS_TGS)]]
WATCHER::
WatchedEvent state:AuthFailed type:None path:null
2023-09-01 16:38:05,883 - INFO  [main-EventThread:ClientCnxn$EventThread@524] - EventThread shut down for session: 0x100001d3c2d0004
{code}

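The client log in this report is readable by machine as well as by eye. The following triage script is an added example (not part of the report or of ZooKeeper): it parses the Krb5LoginModule lifecycle lines and the GSSException cause from a constructed subset of the log above, and flags that the logged TGT end time is exactly 2^32-1 seconds after the Unix epoch, the largest value a KerberosTime can encode. It assumes the log's "CST" is China Standard Time (UTC+8), consistent with the reporter's host.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed subset of the zookeeper-client log from the report. Dates are
# java.util.Date output; "CST" is assumed to be China Standard Time (UTC+8).
LOG = """\
2023-09-01 16:38:05,848 - INFO  [Thread-1:Login@320] - TGT valid starting at:        Fri Sep 01 16:38:05 CST 2023
2023-09-01 16:38:05,848 - INFO  [Thread-1:Login@321] - TGT expires:                  Sun Feb 07 14:28:15 CST 2106
2023-09-01 16:38:05,849 - INFO  [Thread-1:Login$1@193] - TGT refresh sleeping until: Mon Mar 17 14:49:28 CST 2092
2023-09-01 16:38:05,882 - ERROR [main-SendThread(localhost:12181):ZooKeeperSaslClient@341] - An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Ticket expired (32) - PROCESS_TGS)]) occurred when evaluating Zookeeper Quorum Member's  received SASL token. Zookeeper Client will go to AUTH_FAILED state.
"""

KRB_TIME_MAX = 2**32 - 1      # largest encodable KerberosTime: 2106-02-07T06:28:15Z
TZ_OFFSETS = {"CST": 8}       # assumption: the log's CST is UTC+8


def parse_java_date(text):
    """Parse 'Fri Sep 01 16:38:05 CST 2023' into an aware UTC datetime."""
    m = re.match(r"\w{3} (\w{3} \d{2} \d{2}:\d{2}:\d{2}) (\w+) (\d{4})", text)
    if not m:
        raise ValueError(f"unrecognised date: {text!r}")
    naive = datetime.strptime(f"{m.group(1)} {m.group(3)}", "%b %d %H:%M:%S %Y")
    tz = timezone(timedelta(hours=TZ_OFFSETS[m.group(2)]))
    return naive.replace(tzinfo=tz).astimezone(timezone.utc)


def triage(log):
    """Return finding tags for the Kerberos lifecycle facts visible in the log."""
    findings = []
    for line in log.splitlines():
        if "TGT expires:" in line:
            end = parse_java_date(line.split("TGT expires:")[1].strip())
            # A TGT ending at the KerberosTime ceiling is effectively "never expires";
            # that is a KDC/lifetime policy question, not a JAAS one.
            if int(end.timestamp()) == KRB_TIME_MAX:
                findings.append("tgt_endtime_at_kerberostime_max")
        # GSSException mechanism-level text carries the krb5 minor code and stage.
        m = re.search(r"Mechanism level: ([^(]+) \((\d+)\) - (\w+)", line)
        if m:
            findings.append(f"gss_{m.group(2)}_{m.group(3)}")
    return findings


if __name__ == "__main__":
    print(triage(LOG))
```

A TGT end time at the KerberosTime ceiling is worth checking against the KDC's principal and realm lifetime settings and the clocks of client and KDC before changing the JAAS configuration.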
--
This message was sent by Atlassian Jira
(v8.20.10#820010)