Re: ZooKeeper in secure mode

2020-01-16 Thread Praveen Kumar K S
Thanks Mate. May I know the version of zookeeper you are using?

Regards,
Praveen Kumar K S
+91-9986855625


On Thu, Jan 16, 2020 at 8:45 PM Szalay-Bekő Máté wrote:

> Hi Praveen,
>
> Regarding SASL, some useful links:
> - https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication
>   (I just updated this page today)
> - I was also checking the Kerberos JAAS configs when I tried these things
>   locally:
>   https://docs.oracle.com/javase/8/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html
> - this is a good howto as well: https://github.com/ekoontz/zookeeper/wiki
> - https://cwiki.apache.org/confluence/display/ZOOKEEPER/Server-Server+mutual+authentication
>
> In this Jira case you can see some zoo.cfg and client configs that we used
> to test SASL + SSL:
>
> https://issues.apache.org/jira/browse/ZOOKEEPER-3482?focusedCommentId=16998033=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16998033
>
> With these configs we managed to use ZooKeeper SASL + SSL on a real
> Hadoop cluster using MIT Kerberos.
>
> Mate
>
> On Thu, Jan 16, 2020 at 10:39 AM Praveen Kumar K S <prav...@securelyshare.com> wrote:
>
> > Thanks Enrico. I was also looking at
> > https://issues.apache.org/jira/browse/ZOOKEEPER-2220 who is facing the same
> > issue.
> >
> > I will try with your suggestion. My requirement is to enable SASL based
> > authentication between server-server and client-server.
> >
> > Please advise if I'm looking at the right place or is there any better
> > documentation.
> >
> > Regards,
> > Praveen Kumar K S
> > +91-9986855625
> >
> >
> > On Thu, Jan 16, 2020 at 3:01 PM Enrico Olivelli - Diennea <enrico.olive...@diennea.com> wrote:
> >
> > > Praveen
> > > In order to use Netty it is better for you to use 3.5.6 that contains
> > > Netty 4, ZooKeeper 3.4.x uses the deprecated Netty 3 for TLS, and it is
> > > known to have security flaws and it is no longer maintained
> > >
> > > Btw your problem looks like there is a missing class and it is weird
> > >
> > > Enrico
> > >
> > > On 16/01/20, 10:25 "Praveen Kumar K S" <prav...@securelyshare.com>
> > > wrote:
> > >
> > > Hello,
> > >
> > > I'm looking for help on enabling authentication in zookeeper. Please
> > > note the approach I have tried below.
> > >
> > > 1. I followed
> > > https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+SSL+User+Guide
> > > 2. I'm deploying zookeeper as a single node using docker
> > > 3. Zookeeper version is 3.4.13
> > > 4. Below are some important environmental variables in zookeeper
> > > container
> > >
> > > CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
> > > -Dzookeeper.client.secure=true
> > > -Dzookeeper.ssl.keyStore.location=/opt/vault/zookeeper/ssl/KeyStore.jks
> > > -Dzookeeper.ssl.keyStore.password=XX@123
> > > -Dzookeeper.ssl.trustStore.location=/opt/vault/zookeeper/ssl/truststore.jks
> > > -Dzookeeper.ssl.trustStore.password=XX@123
> > >
> > > SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
> > > -Dzookeeper.ssl.keyStore.location=/opt/vault/zookeeper/ssl/KeyStore.jks
> > > -Dzookeeper.ssl.keyStore.password=XX@123
> > > -Dzookeeper.ssl.trustStore.location=/opt/vault/zookeeper/ssl/truststore.jks
> > > -Dzookeeper.ssl.trustStore.password=XX@123
> > >
> > > zookeeper.serverCnxnFactory="org.apache.zookeeper.server.NettyServerCnxnFactory"
> > >
> > > 5. Below is conf file
> > > server.1=0.0.0.0:2888:3888
> > > secureClientPort=2281
> > > initLimit=5
> > > syncLimit=2
> > > tickTime=2000
> > > clientPort=2181
> > > clientPortAddress=zookeeper
> > > dataLogDir=/opt/vault/zookeeper/logs
> > > dataDir=/opt/vault/zookeeper/data
> > >
> > > 6. Zookeeper is healthy
> > > 7. I tried connecting to Zookeeper server from my machine using zkCli.sh.
> > > But getting below error
> > >
> > > 2020-01-16 14:21:27,798 [myid:] - INFO  [main:ZooKeeper@442] - Initiating client connection, connectString=zookeeper:2281 sessionTimeout=3 watcher=org.apache.zookeeper.ZooKeeperMain$MyWatcher@531d72ca
> > > Exception in thread "main" java.io.IOException: Couldn't instantiate org.apache.zookeeper.ClientCnxnSocketNetty
> > > at org.apache.zookeeper.ZooKeeper.getClientCnxnSocket(ZooKeeper.java:1851)
> > > at org.apache.zookeeper.ZooKeeper.<init>(ZooKeeper.java:453)
> > > at org.apache.zookeeper.ZooKeeperMain.connectToZK(ZooKeeperMain.java:283)
> > > at org.apache.zookeeper.ZooKeeperMain.<init>(ZooKeeperMain.java:297)
> > > at org.apache.zookeeper.ZooKeeperMain.main(ZooKeeperMain.java:290)
> > > Caused by: java.lang.ClassNotFoundException:
> > >

Re: ZooKeeper in secure mode

2020-01-16 Thread Szalay-Bekő Máté
Hi Praveen,

Regarding SASL, some useful links:
- https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication
  (I just updated this page today)
- I was also checking the Kerberos JAAS configs when I tried these things
  locally:
  https://docs.oracle.com/javase/8/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html
- this is a good howto as well: https://github.com/ekoontz/zookeeper/wiki
- https://cwiki.apache.org/confluence/display/ZOOKEEPER/Server-Server+mutual+authentication

In this Jira case you can see some zoo.cfg and client configs that we used
to test SASL + SSL:
https://issues.apache.org/jira/browse/ZOOKEEPER-3482?focusedCommentId=16998033=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16998033

With these configs we managed to use ZooKeeper SASL + SSL on a real
Hadoop cluster using MIT Kerberos.

Mate

On Thu, Jan 16, 2020 at 10:39 AM Praveen Kumar K S <prav...@securelyshare.com> wrote:

> Thanks Enrico. I was also looking at
> https://issues.apache.org/jira/browse/ZOOKEEPER-2220 who is facing the same
> issue.
>
> I will try with your suggestion. My requirement is to enable SASL based
> authentication between server-server and client-server.
>
> Please advise if I'm looking at the right place or is there any better
> documentation.
>
> Regards,
> Praveen Kumar K S
> +91-9986855625
>
>
> On Thu, Jan 16, 2020 at 3:01 PM Enrico Olivelli - Diennea <enrico.olive...@diennea.com> wrote:
>
> > Praveen
> > In order to use Netty it is better for you to use 3.5.6 that contains
> > Netty 4, ZooKeeper 3.4.x uses the deprecated Netty 3 for TLS, and it is
> > known to have security flaws and it is no longer maintained
> >
> > Btw your problem looks like there is a missing class and it is weird
> >
> > Enrico
> >
> > On 16/01/20, 10:25 "Praveen Kumar K S" <prav...@securelyshare.com>
> > wrote:
> >
> > Hello,
> >
> > I'm looking for help on enabling authentication in zookeeper. Please
> > note the approach I have tried below.
> >
> > 1. I followed
> > https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+SSL+User+Guide
> > 2. I'm deploying zookeeper as a single node using docker
> > 3. Zookeeper version is 3.4.13
> > 4. Below are some important environmental variables in zookeeper
> > container
> >
> > CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
> > -Dzookeeper.client.secure=true
> > -Dzookeeper.ssl.keyStore.location=/opt/vault/zookeeper/ssl/KeyStore.jks
> > -Dzookeeper.ssl.keyStore.password=XX@123
> > -Dzookeeper.ssl.trustStore.location=/opt/vault/zookeeper/ssl/truststore.jks
> > -Dzookeeper.ssl.trustStore.password=XX@123
> >
> > SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
> > -Dzookeeper.ssl.keyStore.location=/opt/vault/zookeeper/ssl/KeyStore.jks
> > -Dzookeeper.ssl.keyStore.password=XX@123
> > -Dzookeeper.ssl.trustStore.location=/opt/vault/zookeeper/ssl/truststore.jks
> > -Dzookeeper.ssl.trustStore.password=XX@123
> >
> > zookeeper.serverCnxnFactory="org.apache.zookeeper.server.NettyServerCnxnFactory"
> >
> > 5. Below is conf file
> > server.1=0.0.0.0:2888:3888
> > secureClientPort=2281
> > initLimit=5
> > syncLimit=2
> > tickTime=2000
> > clientPort=2181
> > clientPortAddress=zookeeper
> > dataLogDir=/opt/vault/zookeeper/logs
> > dataDir=/opt/vault/zookeeper/data
> >
> > 6. Zookeeper is healthy
> > 7. I tried connecting to Zookeeper server from my machine using zkCli.sh.
> > But getting below error
> >
> > 2020-01-16 14:21:27,798 [myid:] - INFO  [main:ZooKeeper@442] - Initiating client connection, connectString=zookeeper:2281 sessionTimeout=3 watcher=org.apache.zookeeper.ZooKeeperMain$MyWatcher@531d72ca
> > Exception in thread "main" java.io.IOException: Couldn't instantiate org.apache.zookeeper.ClientCnxnSocketNetty
> > at org.apache.zookeeper.ZooKeeper.getClientCnxnSocket(ZooKeeper.java:1851)
> > at org.apache.zookeeper.ZooKeeper.<init>(ZooKeeper.java:453)
> > at org.apache.zookeeper.ZooKeeperMain.connectToZK(ZooKeeperMain.java:283)
> > at org.apache.zookeeper.ZooKeeperMain.<init>(ZooKeeperMain.java:297)
> > at org.apache.zookeeper.ZooKeeperMain.main(ZooKeeperMain.java:290)
> > Caused by: java.lang.ClassNotFoundException: org.apache.zookeeper.ClientCnxnSocketNetty
> > at java.net.URLClassLoader.findClass(URLClassLoader.java:382)
> > at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
> > at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:349)
> > at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
> > at java.lang.Class.forName0(Native Method)
> > at java.lang.Class.forName(Class.java:264)
> > at
> >

Re: Zookeeper and curator SASL authentication

2020-01-16 Thread Szalay-Bekő Máté
great! :)

On Wed, Jan 15, 2020 at 6:38 PM Arpit Jain  wrote:

> I managed to create ACL with authenticated client principal using below
> lines of code in client:
>
> curator.create().creatingParentContainersIfNeeded()
>        .withACL(ZooDefs.Ids.CREATOR_ALL_ACL).forPath("/mynode");
>
> ZooDefs.Ids.CREATOR_ALL_ACL gives permissions to the client which is
> authenticated.
>
> To test this, I logged in using zkCli.sh on ZK server and ran getAcl
> /mynode and was able to browse the znodes and can see that the node has all
> (CDRWA) permissions for authenticated users. If I log in with an
> unauthenticated principal, I am not able to see the znodes tree even though
> I manage to connect to ZK server.
>
> On Wed, Jan 15, 2020 at 12:19 PM Enrico Olivelli - Diennea <enrico.olive...@diennea.com> wrote:
>
>> Yes, they are system properties
>>
>> You can take this guide (about Kafka) as example
>>
>> https://docs.confluent.io/current/kafka/authentication_sasl/authentication_sasl_gssapi.html
>>
>>
>>
>> On 15/01/20, 13:17 "Arpit Jain" wrote:
>>
>> I have not passed those parameters. Is this something I need to set in
>> Zookeeper (zoo.cfg) ?
>>
>> On Wed, Jan 15, 2020 at 12:12 PM Enrico Olivelli - Diennea <enrico.olive...@diennea.com> wrote:
>>
>> > Usually with SASL auth you are using:
>> > kerberos.removeHostFromPrincipal=true
>> > kerberos.removeRealmFromPrincipal=true
>> >
>> > is this the case for you ?
>> >
>> > Enrico
>> >
>> > On 15/01/20, 13:01 "Arpit Jain" wrote:
>> >
>> > I have asked in Curator mailing list as well but not much help. I am
>> > able to set ACL with sasl scheme by using zkCli.sh client in Zookeeper
>> > server.
>> > The idea is to use Curator to set the ACLs so that only my client
>> > application can access its Znodes.
>> >
>> >
>> > On Wed, Jan 15, 2020 at 9:21 AM Szalay-Bekő Máté <szalay.beko.m...@gmail.com> wrote:
>> >
>> > > I am not sure what is wrong with the code... I am not familiar with
>> > > Curator. I can try to google / reproduce this and see what is wrong,
>> > > but it will take a while for me. So first I would ask the others, maybe
>> > > there is someone who knows both ZooKeeper SASL and Curator and can
>> > > help you more in this mailing list. If no one replies, then I will try
>> > > to set up a dummy project with Curator to test this.
>> > >
>> > > Did you also ask around the Curator mailing list maybe? Would it help
>> > > if I send you code about setting the ACLs using plain ZooKeeper (and
>> > > no Curator)?
>> > >
>> > On Tue, Jan 14, 2020 at 2:48 PM Arpit Jain <jain.arp...@gmail.com> wrote:
>> > >
>> > >> Thanks for the clarification.
>> > >> I am able to authenticate client with Zookeeper. However, when I
>> > >> started to set ACLs with the same client, I get error messages. This
>> > >> is how I am creating curator client for setting ACLs
>> > >>
>> > >> CuratorFrameworkFactory.Builder builder =
>> > >>     CuratorFrameworkFactory.builder()
>> > >>         .connectString(coordinatorHosts)
>> > >>         .retryPolicy(retryPolicy)
>> > >>         .connectionTimeoutMs(coordinatorConnectionTimeout)
>> > >>         .sessionTimeoutMs(coordinatorSessionTimeout);
>> > >>
>> > >> final CuratorFramework curatorFramework =
>> > >>     builder.authorization("sasl", "zkclient/z...@example.com".getBytes())
>> > >>         .aclProvider(new ACLProvider() {
>> > >>             @Override
>> > >>             public List<ACL> getDefaultAcl() {
>> > >>                 return ZooDefs.Ids.CREATOR_ALL_ACL;
>> > >>             }
>> > >>
>> > >>             @Override
>> > >>             public List<ACL> getAclForPath(String path) {
>> > >>                 return ZooDefs.Ids.CREATOR_ALL_ACL;
>> > >>             }
>> > >>         }).build();
>> > >>
>> > >> I see below logs in Zookeeper node:
>> > >>
>> > >> 2020-01-14 13:27:53,174 [myid:1] - INFO
>> > >> [NIOWorkerThread-3:SaslServerCallbackHandler@120] - Successfully
>> > >> authenticated client: authenticationID=zkclient/z...@example.com;
>> > >> authorizationID=zkclient/z...@example.com.
>> > >> 2020-01-14 13:27:53,175 
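Two checks that follow from this thread, as an added example (not code from the thread, from Curator or from ZooKeeper): sasl_acl_id reproduces which string the server stores as the sasl ACL id for an authenticated Kerberos principal, which is what Enrico's kerberos.removeHostFromPrincipal and kerberos.removeRealmFromPrincipal properties control (with both left at their default of false the full user/host@REALM is used, matching the authorizationID in Arpit's server log), and acl_restricted_to turns the getAcl /mynode test Arpit ran into something scriptable by reading the two-line entries zkCli.sh prints and failing if any entry belongs to anyone other than the expected principal. The ACL output format is assumed to be the `'scheme,'id` / `: perms` pair shown in the comments, the sample lines are constructed, and the host and path in the usage comment are hypothetical.

```shell
#!/bin/sh
# Checks for SASL-scoped znode ACLs. Added example for this thread; not
# code from ZooKeeper or Curator. Sample ACL output below is constructed
# in the two-line form assumed for `zkCli.sh getAcl`, one pair per entry:
#     'sasl,'zkclient/zk.example.com@EXAMPLE.COM
#     : cdrwa

# The id the server puts into a sasl ACL entry for an authenticated
# Kerberos principal "user/host@REALM": the host part is kept unless
# kerberos.removeHostFromPrincipal=true, the realm unless
# kerberos.removeRealmFromPrincipal=true (both default to false).
# Usage: sasl_acl_id PRINCIPAL [REMOVE_HOST] [REMOVE_REALM]
sasl_acl_id() {
    principal=$1
    remove_host=${2:-false}
    remove_realm=${3:-false}
    realm=${principal##*@}          # unchanged when there is no realm
    user_host=${principal%@*}
    user=${user_host%%/*}
    host=${user_host#*/}            # unchanged when there is no host
    id=$user
    if [ "$host" != "$user_host" ] && [ "$remove_host" != true ]; then
        id="$id/$host"
    fi
    if [ "$realm" != "$principal" ] && [ "$remove_realm" != true ]; then
        id="$id@$realm"
    fi
    printf '%s\n' "$id"
}

# Fold each two-line getAcl entry on stdin into "scheme,id<TAB>perms";
# any other line (connection chatter, WATCHER output) is ignored.
normalize_acl() {
    awk -v q="'" '
        substr($0, 1, 1) == q    { id = substr($0, 2); sub("," q, ",", id); next }
        substr($0, 1, 2) == ": " { print id "\t" substr($0, 3) }'
}

# Succeed only when every ACL entry on stdin belongs to the expected
# "scheme,id" (for example "sasl,zkclient/zk.example.com@EXAMPLE.COM").
# Any other entry, such as world,anyone, means sessions that did not
# authenticate as that principal can still reach the node; an empty ACL
# listing is treated as a failure too.
acl_restricted_to() {
    normalize_acl | awk -F "\t" -v want="$1" '
        $1 != want { bad = 1; print "unexpected ACL entry: " $1 " (" $2 ")" }
        END { exit (bad || NR == 0) }'
}

# Usage (the ZK host and path are hypothetical):
#   want="sasl,$(sasl_acl_id zkclient/zk.example.com@EXAMPLE.COM)"
#   zkCli.sh -server zk.example.com:2181 getAcl /mynode | acl_restricted_to "$want" \
#       || echo "/mynode is not restricted to $want"
```

The expected id must be computed with the same two properties the server was started with: if the server strips the host and realm, an ACL written with the full principal will not match the session's authenticated id, which is the kind of mismatch Enrico's question is probing for.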

Re: ZooKeeper in secure mode

2020-01-16 Thread Praveen Kumar K S
Thanks Enrico. I was also looking at
https://issues.apache.org/jira/browse/ZOOKEEPER-2220 who is facing the same
issue.

I will try with your suggestion. My requirement is to enable SASL based
authentication between server-server and client-server.

Please advise if I'm looking at the right place or is there any better
documentation.

Regards,
Praveen Kumar K S
+91-9986855625


On Thu, Jan 16, 2020 at 3:01 PM Enrico Olivelli - Diennea <enrico.olive...@diennea.com> wrote:

> Praveen
> In order to use Netty it is better for you to use 3.5.6 that contains
> Netty 4, ZooKeeper 3.4.x uses the deprecated Netty 3 for TLS, and it is
> known to have security flaws and it is no longer maintained
>
> Btw your problem looks like there is a missing class and it is weird
>
> Enrico
>
> On 16/01/20, 10:25 "Praveen Kumar K S" wrote:
>
> Hello,
>
> I'm looking for help on enabling authentication in zookeeper. Please
> note the approach I have tried below.
>
> 1. I followed
> https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+SSL+User+Guide
> 2. I'm deploying zookeeper as a single node using docker
> 3. Zookeeper version is 3.4.13
> 4. Below are some important environmental variables in zookeeper
> container
>
> CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
> -Dzookeeper.client.secure=true
> -Dzookeeper.ssl.keyStore.location=/opt/vault/zookeeper/ssl/KeyStore.jks
> -Dzookeeper.ssl.keyStore.password=XX@123
> -Dzookeeper.ssl.trustStore.location=/opt/vault/zookeeper/ssl/truststore.jks
> -Dzookeeper.ssl.trustStore.password=XX@123
>
> SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
> -Dzookeeper.ssl.keyStore.location=/opt/vault/zookeeper/ssl/KeyStore.jks
> -Dzookeeper.ssl.keyStore.password=XX@123
> -Dzookeeper.ssl.trustStore.location=/opt/vault/zookeeper/ssl/truststore.jks
> -Dzookeeper.ssl.trustStore.password=XX@123
>
> zookeeper.serverCnxnFactory="org.apache.zookeeper.server.NettyServerCnxnFactory"
>
> 5. Below is conf file
> server.1=0.0.0.0:2888:3888
> secureClientPort=2281
> initLimit=5
> syncLimit=2
> tickTime=2000
> clientPort=2181
> clientPortAddress=zookeeper
> dataLogDir=/opt/vault/zookeeper/logs
> dataDir=/opt/vault/zookeeper/data
>
> 6. Zookeeper is healthy
> 7. I tried connecting to Zookeeper server from my machine using zkCli.sh.
> But getting below error
>
> 2020-01-16 14:21:27,798 [myid:] - INFO  [main:ZooKeeper@442] - Initiating client connection, connectString=zookeeper:2281 sessionTimeout=3 watcher=org.apache.zookeeper.ZooKeeperMain$MyWatcher@531d72ca
> Exception in thread "main" java.io.IOException: Couldn't instantiate org.apache.zookeeper.ClientCnxnSocketNetty
> at org.apache.zookeeper.ZooKeeper.getClientCnxnSocket(ZooKeeper.java:1851)
> at org.apache.zookeeper.ZooKeeper.<init>(ZooKeeper.java:453)
> at org.apache.zookeeper.ZooKeeperMain.connectToZK(ZooKeeperMain.java:283)
> at org.apache.zookeeper.ZooKeeperMain.<init>(ZooKeeperMain.java:297)
> at org.apache.zookeeper.ZooKeeperMain.main(ZooKeeperMain.java:290)
> Caused by: java.lang.ClassNotFoundException: org.apache.zookeeper.ClientCnxnSocketNetty
> at java.net.URLClassLoader.findClass(URLClassLoader.java:382)
> at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
> at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:349)
> at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
> at java.lang.Class.forName0(Native Method)
> at java.lang.Class.forName(Class.java:264)
> at org.apache.zookeeper.ZooKeeper.getClientCnxnSocket(ZooKeeper.java:1848)
> ... 4 more
>
> 8. Zookeeper is working fine on 2181
> 9. I tried to connect Kafka to Zookeeper on port 2281. Getting below error
>
> [2020-01-16 09:12:07,477] INFO Initiating client connection, connectString=zookeeper:2281 sessionTimeout=6000 watcher=kafka.zookeeper.ZooKeeperClient$ZooKeeperClientWatcher$@5c33f1a9 (org.apache.zookeeper.ZooKeeper)
> [2020-01-16 09:12:07,488] INFO [ZooKeeperClient] Waiting until connected. (kafka.zookeeper.ZooKeeperClient)
> [2020-01-16 09:12:07,489] INFO Opening socket connection to server zookeeper/172.16.13.2:2281. Will not attempt to authenticate using SASL (unknown error) (org.apache.zookeeper.ClientCnxn)
> [2020-01-16 09:12:07,493] INFO Socket error occurred: zookeeper/172.16.13.2:2281: Connection refused (org.apache.zookeeper.ClientCnxn)
> [2020-01-16 09:12:08,599] INFO Opening socket connection to server zookeeper/172.16.13.2:2281. Will not attempt to authenticate using SASL (unknown error) (org.apache.zookeeper.ClientCnxn)
>
> Please help and advise.
>
> Regards,
> Praveen Kumar K S
> +91-9986855625

Re: ZooKeeper in secure mode

2020-01-16 Thread Enrico Olivelli - Diennea
Praveen
In order to use Netty it is better for you to use 3.5.6 that contains Netty 4,
ZooKeeper 3.4.x uses the deprecated Netty 3 for TLS, and it is known to have
security flaws and it is no longer maintained

Btw your problem looks like there is a missing class and it is weird

Enrico

On 16/01/20, 10:25 "Praveen Kumar K S" wrote:

Hello,

I'm looking for help on enabling authentication in zookeeper. Please note
the approach I have tried below.

1. I followed
https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+SSL+User+Guide
2. I'm deploying zookeeper as a single node using docker
3. Zookeeper version is 3.4.13
4. Below are some important environmental variables in zookeeper container


CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
-Dzookeeper.client.secure=true
-Dzookeeper.ssl.keyStore.location=/opt/vault/zookeeper/ssl/KeyStore.jks
-Dzookeeper.ssl.keyStore.password=XX@123
-Dzookeeper.ssl.trustStore.location=/opt/vault/zookeeper/ssl/truststore.jks
-Dzookeeper.ssl.trustStore.password=XX@123


SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
-Dzookeeper.ssl.keyStore.location=/opt/vault/zookeeper/ssl/KeyStore.jks
-Dzookeeper.ssl.keyStore.password=XX@123
-Dzookeeper.ssl.trustStore.location=/opt/vault/zookeeper/ssl/truststore.jks
-Dzookeeper.ssl.trustStore.password=XX@123


zookeeper.serverCnxnFactory="org.apache.zookeeper.server.NettyServerCnxnFactory"

5. Below is conf file
server.1=0.0.0.0:2888:3888
secureClientPort=2281
initLimit=5
syncLimit=2
tickTime=2000
clientPort=2181
clientPortAddress=zookeeper
dataLogDir=/opt/vault/zookeeper/logs
dataDir=/opt/vault/zookeeper/data

6. Zookeeper is healthy
7. I tried connecting to Zookeeper server from my machine using zkCli.sh.
But getting below error

2020-01-16 14:21:27,798 [myid:] - INFO  [main:ZooKeeper@442] - Initiating client connection, connectString=zookeeper:2281 sessionTimeout=3 watcher=org.apache.zookeeper.ZooKeeperMain$MyWatcher@531d72ca
Exception in thread "main" java.io.IOException: Couldn't instantiate org.apache.zookeeper.ClientCnxnSocketNetty
at org.apache.zookeeper.ZooKeeper.getClientCnxnSocket(ZooKeeper.java:1851)
at org.apache.zookeeper.ZooKeeper.<init>(ZooKeeper.java:453)
at org.apache.zookeeper.ZooKeeperMain.connectToZK(ZooKeeperMain.java:283)
at org.apache.zookeeper.ZooKeeperMain.<init>(ZooKeeperMain.java:297)
at org.apache.zookeeper.ZooKeeperMain.main(ZooKeeperMain.java:290)
Caused by: java.lang.ClassNotFoundException: org.apache.zookeeper.ClientCnxnSocketNetty
at java.net.URLClassLoader.findClass(URLClassLoader.java:382)
at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:349)
at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:264)
at org.apache.zookeeper.ZooKeeper.getClientCnxnSocket(ZooKeeper.java:1848)
... 4 more

8. Zookeeper is working fine on 2181
9. I tried to connect Kafka to Zookeeper on port 2281. Getting below error

[2020-01-16 09:12:07,477] INFO Initiating client connection, connectString=zookeeper:2281 sessionTimeout=6000 watcher=kafka.zookeeper.ZooKeeperClient$ZooKeeperClientWatcher$@5c33f1a9 (org.apache.zookeeper.ZooKeeper)
[2020-01-16 09:12:07,488] INFO [ZooKeeperClient] Waiting until connected. (kafka.zookeeper.ZooKeeperClient)
[2020-01-16 09:12:07,489] INFO Opening socket connection to server zookeeper/172.16.13.2:2281. Will not attempt to authenticate using SASL (unknown error) (org.apache.zookeeper.ClientCnxn)
[2020-01-16 09:12:07,493] INFO Socket error occurred: zookeeper/172.16.13.2:2281: Connection refused (org.apache.zookeeper.ClientCnxn)
[2020-01-16 09:12:08,599] INFO Opening socket connection to server zookeeper/172.16.13.2:2281. Will not attempt to authenticate using SASL (unknown error) (org.apache.zookeeper.ClientCnxn)

Please help and advise.

Regards,
Praveen Kumar K S
+91-9986855625






ZooKeeper in secure mode

2020-01-16 Thread Praveen Kumar K S
Hello,

I'm looking for help on enabling authentication in zookeeper. Please note
the approach I have tried below.

1. I followed
https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+SSL+User+Guide
2. I'm deploying zookeeper as a single node using docker
3. Zookeeper version is 3.4.13
4. Below are some important environmental variables in zookeeper container

CLIENT_JVMFLAGS=-Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
-Dzookeeper.client.secure=true
-Dzookeeper.ssl.keyStore.location=/opt/vault/zookeeper/ssl/KeyStore.jks
-Dzookeeper.ssl.keyStore.password=XX@123
-Dzookeeper.ssl.trustStore.location=/opt/vault/zookeeper/ssl/truststore.jks
-Dzookeeper.ssl.trustStore.password=XX@123

SERVER_JVMFLAGS=-Dzookeeper.serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
-Dzookeeper.ssl.keyStore.location=/opt/vault/zookeeper/ssl/KeyStore.jks
-Dzookeeper.ssl.keyStore.password=XX@123
-Dzookeeper.ssl.trustStore.location=/opt/vault/zookeeper/ssl/truststore.jks
-Dzookeeper.ssl.trustStore.password=XX@123

zookeeper.serverCnxnFactory="org.apache.zookeeper.server.NettyServerCnxnFactory"

5. Below is conf file
server.1=0.0.0.0:2888:3888
secureClientPort=2281
initLimit=5
syncLimit=2
tickTime=2000
clientPort=2181
clientPortAddress=zookeeper
dataLogDir=/opt/vault/zookeeper/logs
dataDir=/opt/vault/zookeeper/data

6. Zookeeper is healthy
7. I tried connecting to Zookeeper server from my machine using zkCli.sh.
But getting below error

2020-01-16 14:21:27,798 [myid:] - INFO  [main:ZooKeeper@442] - Initiating client connection, connectString=zookeeper:2281 sessionTimeout=3 watcher=org.apache.zookeeper.ZooKeeperMain$MyWatcher@531d72ca
Exception in thread "main" java.io.IOException: Couldn't instantiate org.apache.zookeeper.ClientCnxnSocketNetty
at org.apache.zookeeper.ZooKeeper.getClientCnxnSocket(ZooKeeper.java:1851)
at org.apache.zookeeper.ZooKeeper.<init>(ZooKeeper.java:453)
at org.apache.zookeeper.ZooKeeperMain.connectToZK(ZooKeeperMain.java:283)
at org.apache.zookeeper.ZooKeeperMain.<init>(ZooKeeperMain.java:297)
at org.apache.zookeeper.ZooKeeperMain.main(ZooKeeperMain.java:290)
Caused by: java.lang.ClassNotFoundException: org.apache.zookeeper.ClientCnxnSocketNetty
at java.net.URLClassLoader.findClass(URLClassLoader.java:382)
at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:349)
at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:264)
at org.apache.zookeeper.ZooKeeper.getClientCnxnSocket(ZooKeeper.java:1848)
... 4 more

8. Zookeeper is working fine on 2181
9. I tried to connect Kafka to Zookeeper on port 2281. Getting below error

[2020-01-16 09:12:07,477] INFO Initiating client connection, connectString=zookeeper:2281 sessionTimeout=6000 watcher=kafka.zookeeper.ZooKeeperClient$ZooKeeperClientWatcher$@5c33f1a9 (org.apache.zookeeper.ZooKeeper)
[2020-01-16 09:12:07,488] INFO [ZooKeeperClient] Waiting until connected. (kafka.zookeeper.ZooKeeperClient)
[2020-01-16 09:12:07,489] INFO Opening socket connection to server zookeeper/172.16.13.2:2281. Will not attempt to authenticate using SASL (unknown error) (org.apache.zookeeper.ClientCnxn)
[2020-01-16 09:12:07,493] INFO Socket error occurred: zookeeper/172.16.13.2:2281: Connection refused (org.apache.zookeeper.ClientCnxn)
[2020-01-16 09:12:08,599] INFO Opening socket connection to server zookeeper/172.16.13.2:2281. Will not attempt to authenticate using SASL (unknown error) (org.apache.zookeeper.ClientCnxn)

Please help and advise.

Regards,
Praveen Kumar K S
+91-9986855625
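An added example, not code from the thread or from the ZooKeeper project: the POSIX shell functions below check, offline, the pieces of the TLS client setup listed in steps 4 and 5 above before zkCli.sh is run. ClientCnxnSocketNetty and secureClientPort belong to the 3.5 line (the SSL user guide from step 1 documents 3.5, and Enrico's reply points at 3.5.6), so the first check, which looks for that class in a jar listing, fails on a 3.4.13 classpath for the same reason the stack trace does. The other checks cover the CLIENT_JVMFLAGS properties a TLS client needs, whether a keystore password is being put on the JVM command line, and whether zoo.cfg defines a secureClientPort distinct from clientPort. Inputs are fed on stdin or passed as strings; the paths in the usage comments are hypothetical.

```shell
#!/bin/sh
# Preflight checks for a ZooKeeper TLS client port (secureClientPort) setup.
# Added example for this thread; not code from the ZooKeeper project.
# Inputs are read from stdin or passed as strings so the checks run offline;
# the paths in the usage comments are hypothetical.

# 1. -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
#    only works if that class is on the classpath. Read a jar listing
#    (as printed by `jar tf`) on stdin; succeed only if the class is there.
has_netty_client_socket() {
    grep -qx 'org/apache/zookeeper/ClientCnxnSocketNetty.class'
}

# 2. A TLS client needs all four of these properties. Print each one that
#    is absent from the flags string, one per line; succeed only if none is.
#    Line breaks in the flags string (as in the thread) are treated as spaces.
missing_secure_client_props() {
    flags=$(printf '%s' "$1" | tr '\n' ' ')
    rc=0
    for prop in zookeeper.clientCnxnSocket \
                zookeeper.client.secure \
                zookeeper.ssl.keyStore.location \
                zookeeper.ssl.trustStore.location; do
        case " $flags " in
            *" -D$prop="*) ;;
            *) echo "$prop"; rc=1 ;;
        esac
    done
    return $rc
}

# 3. A keystore or truststore password given as a -D property is part of
#    the JVM command line, which other local users can read from `ps` on a
#    default Linux. Succeed (return 0) when the flags expose one, so the
#    caller can warn.
flags_expose_password() {
    flags=$(printf '%s' "$1" | tr '\n' ' ')
    case " $flags " in
        *" -Dzookeeper.ssl."*".password="*) return 0 ;;
        *) return 1 ;;
    esac
}

# 4. Server side: zoo.cfg (on stdin) must set secureClientPort, and it must
#    differ from clientPort. Print the secure port; fail otherwise.
secure_client_port() {
    awk -F= '
        $1 == "secureClientPort" { s = $2 }
        $1 == "clientPort"       { c = $2 }
        END { if (s == "" || s == c) exit 1; print s }'
}

# Usage against a real install (ZK_HOME and the jar name are hypothetical):
#   jar tf "$ZK_HOME"/lib/zookeeper-3.5.6.jar | has_netty_client_socket \
#       || echo "ClientCnxnSocketNetty not on classpath; check the ZooKeeper version"
#   missing_secure_client_props "$CLIENT_JVMFLAGS"
#   flags_expose_password "$CLIENT_JVMFLAGS" && echo "keystore password visible in ps"
#   secure_client_port < "$ZK_HOME"/conf/zoo.cfg
```

Running the first check against the 3.4.13 jar explains the Couldn't instantiate error before any TLS setting is touched; the second and third are worth wiring into whatever builds the container's environment, since the thread's CLIENT_JVMFLAGS passes both store passwords as command-line properties.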