Hi, I've added "-Dzookeeper.allowSaslFailedClients=false" to the startup arguments of my three zookeepers servers (version 3.4.10 from Confluent 4.0 bundle) as I want them to drop connections if Kerberos authentication fails. Yet, it seems that it just doesn't work. If I just don't put any "Client" section in our Kafka brokers JAAS file, The brokers logs show that the authentication fails but the connection to zookeepers doesn't end.
Also, if I try the kafka-acls command without a JAAS file, it also work even if it shouldn't: [root@server ~]# kafka-acls --authorizer-properties zookeeper.connect=zookeeper-server:2181 --add --allow-principal User:CLIENT --consumer --topic test1 --group test [2018-02-01 10:25:41,730] WARN SASL configuration failed: javax.security.auth.login.LoginException: No JAAS configuration section named 'Client' was found in specified JAAS configuration file: '/root/jaas.conf'. Will continue connection to Zookeeper server without SASL authentication, if Zookeeper server allows it. (org.apache.zookeeper.ClientCnxn) Adding ACLs for resource `Topic:test1`: User:CLIENT has Allow permission for operations: Read from hosts: * User:CLIENT has Allow permission for operations: Describe from hosts: * Adding ACLs for resource `Group:test`: User:CLIENT has Allow permission for operations: Read from hosts: * ... I've read that this property only applies to Java clients but Kafka brokers and kafka-acls command are Java clients..! Thanks, Dominique Gagnon