As an update, I found out that this issue is not confined to just zkCli.sh. If I launch my Java applications that create zookeeper clients without the JVM argument "-Djava.security.auth.login.config=<my-client-jaas.conf>", then my client can log in to my zookeeper server. Why is it that my zookeeper client is rejected if I have the wrong password in my client jaas.conf file, but if I fail to specify my client as using any security, it just connects to the server? Surely I am missing something on my server side to block these client connections, right?
On Tue, Aug 25, 2015 at 5:37 PM, Daniel Kashtan <[email protected]> wrote:

> I am using SASL with Digest-MD5 and I have the flag
> "-Dzookeeper.allowSaslFailedClients=false" set so that your connection is
> dropped from the Zookeeper Server if your SASL authentication fails. This
> is great! This only works for the Zookeeper clients created in java code
> though.
>
> If I do a zkCli.sh -server 127.0.0.1:2181 then I can connect to my
> Zookeeper server with no issues. This is unexpected behavior to me. It even
> says in the output from zkCli.sh, "Will not attempt to authenticate using
> SASL." How does this still work? I configured the Zookeeper server to drop
> those connection attempts.
>
> After much searching I turned up this link
> <https://groups.google.com/a/cloudera.org/forum/#!topic/cdh-user/Hxqv7b2957w>,
> but it is just some forum post for CDH. Is this true? The thought of
> setting ACLs on all my znodes is daunting and verbose. Please let me know
> if setting ACL nodes using SASL is my best and/or only option for securing
> zkCli.sh and my Zookeeper server in general.
> --
> -Daniel
>

--
-Daniel
