Re: zookeeper digest authentication

2021-12-15 Thread Szalay-Bekő Máté
maybe using "sessionRequireClientSASLAuth" instead of
"requireClientAuthScheme"?

I don't see in the documentation any config with the name
"requireClientAuthScheme".

Also I think the "zookeeper.allowSaslFailedClients" needs to be specified
as a system property and not as a zoo.cfg parameter. But according to the
documentation, "When enforce.auth.enabled=true and
enforce.auth.schemes=sasl then zookeeper.allowSaslFailedClients
configuration is overruled", and also: "sessionRequireClientSASLAuth: (...)
This configuration is short hand for enforce.auth.enabled=true and
enforce.auth.scheme=sasl", so I think you don't need to
specify zookeeper.allowSaslFailedClients if you
set sessionRequireClientSASLAuth=true in the zoo.cfg.

I hope sessionRequireClientSASLAuth=true will do the trick. But I'm not
sure. These configs are not very intuitive to follow - they look more like
they evolved instead of being designed :)

On Wed, Dec 15, 2021 at 11:49 AM Andrzej Trzeciak <
andrzej.trzec...@exelaonline.com> wrote:

> Hi,
> first of all thank you Máté and Chris for coming back to me with support.
> I wanted to inform you that I did use the documentation from the link
> provided by Máté and I did use the option 'enforce.auth.enabled=true', yet
> I was still being authenticated. After Chris wrote about
> 'zookeeper.allowSaslFailedClients' I found a Jira issue on that subject
> https://issues.apache.org/jira/browse/ZOOKEEPER-1736
> However I copied the configuration as described in that issue and I am
> still successfully authenticating with the wrong credentials.
> The config I am now using is (copied from Jira issue)
> zoo.cfg:
> requireClientAuthScheme=sasl
> authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
> jaasLoginRenew=360
> zookeeper.allowSaslFailedClients=false
>
> jaasFile.conf
>
> Server {
> org.apache.zookeeper.server.auth.DigestLoginModule required
> user_admin="admin";
> };
> Client {
> org.apache.zookeeper.server.auth.DigestLoginModule required
> username="admin"
> password="admin";
> };
>
> Do you maybe have an example config for that handy?
> Kind regards,
> Andrzej
>
> -Original Message-
> From: Chris T. 
> Sent: Wednesday, December 15, 2021 8:19 AM
> To: user@zookeeper.apache.org
> Subject: Re: zookeeper digest authentication
>
>
>
> Hi,
> I think you are referring to
>  zookeeper.allowSaslFailedClients
> This is casually mentioned in the link you provided but not explained as a
> standalone option.
> Regards
> Chris
>
>
>
> On 15 December 2021 08:14:19 Szalay-Bekő Máté 
> wrote:
>
> > Hello Andrzej,
> >
> > In ZooKeeper, the authentication is not enforced by default, meaning
> > that even if you fail to authenticate (or don't even provide any
> > credentials) you can still connect to ZooKeeper, but your session
> > won't have any user attached to it. So you will be able to see/modify
> > only the ZNodes that are granting permission to the "world" user.
> > There are several server side options to change this behaviour. I
> > think you are looking for the "enforce.auth.enabled=true" option, see here:
> > https://zookeeper.apache.org/doc/r3.7.0/zookeeperAdmin.html#sc_authOptions
> >
> > (I remember there is some other option, which will disable the
> > "fallback to world user" behaviour (so terminating the session if you
> > connect with wrong credentials, but still let you connect without
> > providing any credentials).
> > I remember seeing this in the code, but don't see it in the
> > documentation.
> > If you would need this one, I can dig deeper.
> >
> > Kind regards,
> > Máté
> >
> > On Tue, Dec 14, 2021 at 2:20 PM Andrzej Trzeciak <
> > andrzej.trzec...@exelaonline.com> wrote:
> >
> >> Hi,
> >>
> >> I’m having trouble implementing the simplest zookeeper (v 3.7.0)
> >> authentication using just username and password and the ‘digest’
> >> mechanism.
> >>
> >> I tried various config properties, but none of them worked.
> >>
> >> The problem is, that when I connect giving the wrong credentials I am
> >> still being successfully authenticated instead of being rejected.
> >>
> >> My setup below (including options I have tried, but didn’t work, so I
> >> commented them out):
> >>
> >> *Zoo.cfg:*
> >>
> >> #SASL
> >> #authProvider.sasl=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
> >> #authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
> >> #requireClientAuthScheme=sasl
> >> #sessionRequireClientSASLAuth=true
> >> #set.acl=true

RE: zookeeper digest authentication

2021-12-15 Thread Andrzej Trzeciak
Hi,
first of all thank you Máté and Chris for coming back to me with support.
I wanted to inform you that I did use the documentation from the link provided 
by Máté and I did use the option 'enforce.auth.enabled=true', yet I was still 
being authenticated. After Chris wrote about 'zookeeper.allowSaslFailedClients' 
I found a Jira issue on that subject 
https://issues.apache.org/jira/browse/ZOOKEEPER-1736
However I copied the configuration as described in that issue and I am still 
successfully authenticating with the wrong credentials.
The config I am now using is (copied from Jira issue)
zoo.cfg:
requireClientAuthScheme=sasl
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
jaasLoginRenew=360
zookeeper.allowSaslFailedClients=false

jaasFile.conf

Server {
org.apache.zookeeper.server.auth.DigestLoginModule required
user_admin="admin";
};
Client {
org.apache.zookeeper.server.auth.DigestLoginModule required
username="admin"
password="admin";
};

Do you maybe have an example config for that handy?
Kind regards,
Andrzej

-Original Message-
From: Chris T. 
Sent: Wednesday, December 15, 2021 8:19 AM
To: user@zookeeper.apache.org
Subject: Re: zookeeper digest authentication



Hi,
I think you are referring to
 zookeeper.allowSaslFailedClients
This is casually mentioned in the link you provided but not explained as a 
standalone option.
Regards
Chris



On 15 December 2021 08:14:19 Szalay-Bekő Máté 
wrote:

> Hello Andrzej,
>
> In ZooKeeper, the authentication is not enforced by default, meaning
> that even if you fail to authenticate (or don't even provide any
> credentials) you can still connect to ZooKeeper, but your session
> won't have any user attached to it. So you will be able to see/modify
> only the ZNodes that are granting permission to the "world" user.
> There are several server side options to change this behaviour. I
> think you are looking for the "enforce.auth.enabled=true" option, see here:
> https://zookeeper.apache.org/doc/r3.7.0/zookeeperAdmin.html#sc_authOptions
>
> (I remember there is some other option, which will disable the
> "fallback to world user" behaviour (so terminating the session if you
> connect with wrong credentials, but still let you connect without providing 
> any credentials).
> I remember seeing this in the code, but don't see it in the documentation.
> If you would need this one, I can dig deeper.
>
> Kind regards,
> Máté
>
> On Tue, Dec 14, 2021 at 2:20 PM Andrzej Trzeciak <
> andrzej.trzec...@exelaonline.com> wrote:
>
>> Hi,
>>
>> I’m having trouble implementing the simplest zookeeper (v 3.7.0)
>> authentication using just username and password and the ‘digest’ mechanism.
>>
>> I tried various config properties, but none of them worked.
>>
>> The problem is, that when I connect giving the wrong credentials I am
>> still being successfully authenticated instead of being rejected.
>>
>> My setup below (including options I have tried, but didn’t work, so I
>> commented them out):
>>
>> *Zoo.cfg:*
>>
>> #SASL
>> #authProvider.sasl=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
>> #authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
>> #requireClientAuthScheme=sasl
>> #sessionRequireClientSASLAuth=true
>> #set.acl=true
>> DigestAuthenticationProvider.enabled=true
>> enforce.auth.enabled=true
>> enforce.auth.schemes=digest
>> #SASL END--
>>
>>
>>
>>
>> *Jaas_config:*
>>
>> Server {
>>     org.apache.zookeeper.server.auth.DigestLoginModule required
>>     user_super="adminsecret"
>>     user_bob="bobsecret";
>> };
>>
>> *Client code:*
>>
>> CuratorFrameworkFactory.Builder builder = CuratorFrameworkFactory.builder()
>>         .connectString(connectUris(zookeeper, "zookeeper:2181"))
>>         .connectionStateErrorPolicy(connectionStateErrorPolicy)
>>         .retryPolicy(retryPolicy)
>>         .aclProvider(aclProvider)
>>         .connectionTimeoutMs(1)
>>         .sessionTimeoutMs(sessionTimeout);
>>
>> if (zookeeperAuthEnabled) {
>>     builder.authorization("digest", "kuku:adminsecret4".getBytes());
>> }
>>
>> curatorClient = builder.build();
>>
>> curatorClient.getConnectionStateListenable().addListener((c, s) -> {
>>     connectionState = s;
>>     log.info(MessageFormat.format("CuratorState