I am using SASL with Digest-MD5 and I have the flag "-Dzookeeper.allowSaslFailedClients=false" set so that your connection is dropped from the ZooKeeper server if your SASL authentication fails. This is great! This only works for the ZooKeeper clients created in Java code, though.
If I do a zkCli.sh -server 127.0.0.1:2181, then I can connect to my ZooKeeper server with no issues. This is unexpected behavior to me. It even says in the output from zkCli.sh, "Will not attempt to authenticate using SASL." How does this still work? I configured the ZooKeeper server to drop those connection attempts.
After much searching, I turned up this link <https://groups.google.com/a/cloudera.org/forum/#!topic/cdh-user/Hxqv7b2957w>, but it is just some forum post for CDH. Is this true? The thought of setting ACLs on all my znodes is daunting and verbose. Please let me know if setting ACL nodes using SASL is my best and/or only option for securing zkCli.sh and my ZooKeeper server in general.
--
-Daniel
