This is related to a long-standing bug in our documentation (see: ZOOKEEPER-2668). requireClientAuthScheme does not actually do anything. It is never read by the code.
On Thu, Mar 8, 2018, at 21:40, Ray Chaudhuri, Shirsha (Nokia - IN/Bangalore) wrote:
> Hi Abe,
>
> We are trying to understand the difference between setting
> requireClientAuthScheme=sasl
> and
> requireClientAuthScheme=all
> When a client does not have a valid Kerberos ticket, the behaviour is
> the same for either of the above settings. Whereas we'd've expected the
> client to not be able to connect when requireClientAuthScheme=sasl.
> To restrict such connections, should we also set
> zookeeper.allowSaslFailedClients=false?
>
> Regards
> Shirsha
>
> -----Original Message-----
> From: Abraham Fine [mailto:af...@apache.org]
> Sent: Friday, March 9, 2018 12:31 AM
> To: user@zookeeper.apache.org
> Subject: Re: SASL for Client connections
>
> Hi Harish-
>
> Currently there is no way to restrict ALL incoming client connections
> when using SASL.
>
> In ZooKeeper, SASL works on a node by node basis.
>
> Thanks,
> Abe
>
> On Thu, Mar 8, 2018, at 03:58, Harish kumar wrote:
> > Hi,
> >
> > I have enabled SASL on my Zookeeper, with below configuration.
> >
> > *requireClientAuthScheme=sasl*
> > *authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider*
> >
> > But still I see that, I am able to connect to zookeeper even without a
> > valid kerberos ticket.
> > Is there a way to restrict all client connections only with valid
> > kerberos ticket.
> >
> > Zookeeper Version - 3.4.8
> >
> >
> > Thanks,
> > Harish
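
An added example, not part of the thread or of ZooKeeper's code: given the replies above (requireClientAuthScheme is never read, and SASL applies node by node, read here as per-znode ACLs), this audit flags the unenforced setting and any znode whose ACL still admits unauthenticated clients. The function names are hypothetical, and the znode paths, principal and ACL map are constructed sample data.

```python
# Setting the thread reports as never read by the server (ZooKeeper 3.4.8).
NOOP_KEYS = {"requireClientAuthScheme"}
SASL_PROVIDER = "org.apache.zookeeper.server.auth.SASLAuthenticationProvider"

def parse_cfg(text):
    """Parse zoo.cfg-style key=value lines, skipping blanks and # comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg

def audit(cfg_text, acls):
    """Return findings for a config and a {znode: [(scheme, id, perms)]} map."""
    cfg = parse_cfg(cfg_text)
    findings = []
    for key in sorted(NOOP_KEYS & cfg.keys()):
        findings.append(f"config: {key}={cfg[key]} is not enforced")
    if not any(k.startswith("authProvider.") and v == SASL_PROVIDER
               for k, v in cfg.items()):
        findings.append("config: no SASL authProvider registered")
    # world:anyone matches every connection, including clients with no ticket.
    for path, entries in sorted(acls.items()):
        for scheme, ident, perms in entries:
            if (scheme, ident) == ("world", "anyone"):
                findings.append(
                    f"acl: {path} grants '{perms}' to unauthenticated clients")
    return findings

# Constructed sample input mirroring the settings quoted in the thread.
SAMPLE_CFG = """\
requireClientAuthScheme=sasl
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
"""
SAMPLE_ACLS = {  # constructed paths and principal
    "/app/config": [("sasl", "appuser@EXAMPLE.COM", "cdrwa")],
    "/app/locks": [("world", "anyone", "cdrwa")],
    "/app/status": [("sasl", "appuser@EXAMPLE.COM", "cdrwa"),
                    ("world", "anyone", "r")],
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_CFG, SAMPLE_ACLS):
        print(finding)
```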