Hi,
I've added "-Dzookeeper.allowSaslFailedClients=false" to the startup arguments
of my three ZooKeeper servers (version 3.4.10 from the Confluent 4.0 bundle) as I
want them to drop connections if Kerberos authentication fails. Yet, it seems
that it just doesn't work. If I just don't put any "Client" section in our
Kafka brokers' JAAS file, the brokers' logs show that the authentication fails
but the connection to the ZooKeeper servers doesn't end.
Also, if I try the kafka-acls command without a JAAS file, it also works even if
it shouldn't:
[root@server ~]# kafka-acls --authorizer-properties
zookeeper.connect=zookeeper-server:2181 --add --allow-principal User:CLIENT
--consumer --topic test1 --group test
[2018-02-01 10:25:41,730] WARN SASL configuration failed:
javax.security.auth.login.LoginException: No JAAS configuration section named
'Client' was found in specified JAAS configuration file: '/root/jaas.conf'.
Will continue connection to Zookeeper server without SASL authentication, if
Zookeeper server allows it. (org.apache.zookeeper.ClientCnxn)
Adding ACLs for resource `Topic:test1`:
User:CLIENT has Allow permission for operations: Read from hosts: *
User:CLIENT has Allow permission for operations: Describe from hosts: *
Adding ACLs for resource `Group:test`:
User:CLIENT has Allow permission for operations: Read from hosts: *
...
I've read that this property only applies to Java clients, but Kafka brokers and
the kafka-acls command are Java clients..!
Thanks,
Dominique Gagnon
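
An added example, not part of the original message: a scan of client-side logs for the ClientCnxn warning quoted above, which marks a ZooKeeper client that is proceeding without SASL. The function names and the two INFO lines in the sample are constructed for illustration; the WARN record is the one from the message.

```python
import re

# Warning from org.apache.zookeeper.ClientCnxn, as quoted in the message above.
WARN_START = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+WARN\s+SASL configuration failed:(?P<rest>.*)$")
NEW_RECORD = re.compile(r"^\[\d{4}-\d{2}-\d{2} ")
SECTION = re.compile(r"section named\s+'([^']+)'")
JAAS_FILE = re.compile(r"configuration file:\s+'([^']+)'")
MARKER = "without SASL authentication"

# Constructed sample: the WARN record is the one in the message, the INFO lines are made up.
SAMPLE_LOG = """\
[2018-02-01 10:25:41,100] INFO Initiating client connection (org.apache.zookeeper.ZooKeeper)
[2018-02-01 10:25:41,730] WARN SASL configuration failed:
javax.security.auth.login.LoginException: No JAAS configuration section named
'Client' was found in specified JAAS configuration file: '/root/jaas.conf'.
Will continue connection to Zookeeper server without SASL authentication, if
Zookeeper server allows it. (org.apache.zookeeper.ClientCnxn)
[2018-02-01 10:25:41,900] INFO Session establishment complete (org.apache.zookeeper.ClientCnxn)
""".splitlines()


def _finding(record):
    """Turn a joined WARN record into a finding, or None if it is not a fallback."""
    if record is None or MARKER not in record["text"]:
        return None
    section = SECTION.search(record["text"])
    path = JAAS_FILE.search(record["text"])
    return {
        "timestamp": record["ts"],
        "jaas_section": section.group(1) if section else None,
        "jaas_file": path.group(1) if path else None,
    }


def find_sasl_fallbacks(lines):
    """Return one finding per client that continued without SASL.

    The warning wraps over several lines, so continuation lines are joined
    until the next timestamped record begins.
    """
    findings, record = [], None
    for raw in lines:
        line = raw.strip()
        start = WARN_START.match(line)
        if start or NEW_RECORD.match(line):
            findings.append(_finding(record))
            record = {"ts": start.group("ts"), "text": start.group("rest")} if start else None
        elif record is not None:
            record["text"] += " " + line
    findings.append(_finding(record))
    return [f for f in findings if f]
```

Run over broker and admin-tool logs, each finding names the missing JAAS section and the file that was consulted, which identifies the hosts whose ZooKeeper sessions are unauthenticated.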