maybe using "sessionRequireClientSASLAuth" instead of
"requireClientAuthScheme"?
I don't see in the documentation any config with the name
"requireClientAuthScheme".
Also I think the "zookeeper.allowSaslFailedClients" needs to be specified
as a system property and not as a zoo.cfg parameter. But according to the
documentation, "When enforce.auth.enabled=true and
enforce.auth.schemes=sasl then zookeeper.allowSaslFailedClients
configuration is overruled", and also: "sessionRequireClientSASLAuth: (...)
This configuration is short hand for enforce.auth.enabled=true and
enforce.auth.scheme=sasl", so I think you don't need to
specify zookeeper.allowSaslFailedClients if you
set sessionRequireClientSASLAuth=true in the zoo.cfg.
I hope sessionRequireClientSASLAuth=true will do the trick. But I'm not
sure. These configs are not very intuitive to follow - they are more like
evolved instead of being designed :)
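As an added example (it is not a config posted in this thread, nor a verbatim copy from the ZooKeeper project), here is a server-side setup that follows the documented options quoted above: the "before" zoo.cfg that merely registers the SASL provider, the "after" zoo.cfg that sets sessionRequireClientSASLAuth=true (the documented shorthand for enforce.auth.enabled=true plus enforce.auth.schemes=sasl), the JAAS file with a Server section, and the JVM flags that point the server at that file. The paths, user names and passwords are placeholders. Note that zookeeper.allowSaslFailedClients is a Java system property rather than a zoo.cfg key, and that the documentation says it is overruled once SASL is enforced, so it is shown only in the JVM-flag line for completeness. The listing is three files plus one environment line; split it at the "--- " markers before using it (JAAS files take // comments, not #).

```properties
# --- zoo.cfg (BEFORE): SASL provider registered, nothing enforced ---
# A client that fails DIGEST-MD5 still gets a session; it simply carries no
# authenticated identity and is limited to what the "world" ACL entry allows.
tickTime=2000
dataDir=/var/lib/zookeeper
clientPort=2181
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider

# --- zoo.cfg (AFTER): every session must complete SASL ---
tickTime=2000
dataDir=/var/lib/zookeeper
clientPort=2181
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
# Shorthand for enforce.auth.enabled=true + enforce.auth.schemes=sasl:
# the server only accepts connections and requests from clients that have
# authenticated via SASL, so a wrong digest password no longer falls back
# to an anonymous "world" session.
sessionRequireClientSASLAuth=true
# Equivalent long form (use one of the two spellings, not both):
# enforce.auth.enabled=true
# enforce.auth.schemes=sasl

# --- /etc/zookeeper/jaas.conf (server side; placeholder users/passwords) ---
// DigestLoginModule reads one user_<name>="<password>" entry per user.
Server {
  org.apache.zookeeper.server.auth.DigestLoginModule required
    user_admin="change-me-admin-secret"
    user_app="change-me-app-secret";
};

# --- /etc/zookeeper/client-jaas.conf (client side; placeholder values) ---
Client {
  org.apache.zookeeper.server.auth.DigestLoginModule required
    username="app"
    password="change-me-app-secret";
};

# --- conf/java.env (server JVM flags; placeholder path) ---
# The JAAS file is supplied as a system property, not as a zoo.cfg key.
# zookeeper.allowSaslFailedClients is likewise a system property only; with
# SASL enforced above it is overruled, so it is listed here purely for
# the non-enforcing "before" configuration.
SERVER_JVMFLAGS="-Djava.security.auth.login.config=/etc/zookeeper/jaas.conf -Dzookeeper.allowSaslFailedClients=false"
# Client JVM (e.g. for zkCli.sh): point at the client JAAS file the same way.
CLIENT_JVMFLAGS="-Djava.security.auth.login.config=/etc/zookeeper/client-jaas.conf"
```

To check the "after" configuration, start the server with the flags above, then run zkCli.sh once with the correct password and once with a deliberately wrong one in client-jaas.conf: the first should get a session and be able to create a znode, the second should have its connection closed by the server rather than being left with an anonymous session that can still read world-readable znodes.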
On Wed, Dec 15, 2021 at 11:49 AM Andrzej Trzeciak <
andrzej.trzec...@exelaonline.com> wrote:
> Hi,
> first of all thank you Máté and Chris for coming back to me with support.
> I wanted to inform you that I did use the documentation from the link
> provided by Máté and I did use the option 'enforce.auth.enabled=true', yet
> I was still being authenticated. After Chris wrote about
> 'zookeeper.allowSaslFailedClients' I found a Jira issue on that subject
> https://issues.apache.org/jira/browse/ZOOKEEPER-1736
> However I copied the configuration as described in that issue and I am
> still successfully authenticating with the wrong credentials.
> The config I am now using is (copied from Jira issue)
> zoo.cfg:
> requireClientAuthScheme=sasl
> authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
> jaasLoginRenew=360
> zookeeper.allowSaslFailedClients=false
>
> jaasFile.conf
>
> Server {
> org.apache.zookeeper.server.auth.DigestLoginModule required
> user_admin="admin";
> };
> Client {
> org.apache.zookeeper.server.auth.DigestLoginModule required
> username="admin"
> password="admin";
> };
>
> Do you maybe have an example config for that handy?
> Kind regards,
> Andrzej
>
> -Original Message-
> From: Chris T.
> Sent: Wednesday, December 15, 2021 8:19 AM
> To: user@zookeeper.apache.org
> Subject: Re: zookeeper digest authentication
>
> Hi,
> I think you are referring to
> zookeeper.allowSaslFailedClients
> This is casually mentioned in the link you provided but not explained as a
> standalone option.
> Regards
> Chris
>
>
>
> On 15 December 2021 08:14:19 Szalay-Bekő Máté wrote:
>
> > Hello Andrzej,
> >
> > In ZooKeeper, the authentication is not enforced by default, meaning
> > that even if you fail to authenticate (or don't even provide any
> > credentials) you can still connect to ZooKeeper, but your session
> > won't have any user attached to it. So you will be able to see/modify
> > only the ZNodes that are granting permission to the "world" user.
> > There are several server side options to change this behaviour. I
> > think you are looking for the "enforce.auth.enabled=true" option, see
> > here:
> > https://zookeeper.apache.org/doc/r3.7.0/zookeeperAdmin.html#sc_authOptions
> >
> > (I remember there is some other option, which will disable the
> > "fallback to world user" behaviour (so terminating the session if you
> > connect with wrong credentials, but still let you connect without
> > providing any credentials).
> > I remember seeing this in the code, but don't see it in the
> > documentation.
> > If you would need this one, I can dig deeper.
> >
> > Kind regards,
> > Máté
> >
> > On Tue, Dec 14, 2021 at 2:20 PM Andrzej Trzeciak <
> > andrzej.trzec...@exelaonline.com> wrote:
> >
> >> Hi,
> >>
> >> I’m having trouble implementing the simplest zookeeper (v 3.7.0)
> >> authentication using just username and password and the ‘digest’
> >> mechanism.
> >>
> >> I tried various config properties, but none of them worked.
> >>
> >> The problem is, that when I connect giving the wrong credentials I am
> >> still being successfully authenticated instead of being rejected.
> >>
> >> My setup below (including options I have tried, but didn’t work, so I
> >> commented them out):
> >>
> >> *Zoo.cfg:*
> >>
> >> #SASL
> >> #authProvider.sasl=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
> >> #authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
> >> #requireClientAuthScheme=sasl
> >> #sessionRequireClientSASLAuth=true
> >> #set.acl=true
> >>