Hi Dominique,

Would you please check your ZooKeeper logs, because whenever ZK closes a client connection due to SASL authentication failure, it adds the following message to the logs:

LOG.warn("Closing client connection due to SASL authentication failure.");

On the other hand, if the connection is accepted even if SASL auth failed, you should see the following message:

LOG.warn("Maintaining client connection despite SASL authentication failure.");

If neither of these messages can be seen in the ZK logs, then you're probably facing another problem.

Regards,
Andor

On Thu, Feb 1, 2018 at 8:08 PM, Dominique Gagnon <dominique.gag...@dti.ulaval.ca> wrote:

> Hi,
>
> I've added "-Dzookeeper.allowSaslFailedClients=false" to the startup
> arguments of my three zookeeper servers (version 3.4.10 from Confluent 4.0
> bundle) as I want them to drop connections if Kerberos authentication
> fails. Yet, it seems that it just doesn't work. If I just don't put any
> "Client" section in our Kafka brokers' JAAS file, the brokers' logs show that
> the authentication fails but the connection to the zookeepers doesn't end.
>
> Also, if I try the kafka-acls command without a JAAS file, it also works
> even if it shouldn't:
>
> [root@server ~]# kafka-acls --authorizer-properties
> zookeeper.connect=zookeeper-server:2181 --add --allow-principal
> User:CLIENT --consumer --topic test1 --group test
> [2018-02-01 10:25:41,730] WARN SASL configuration failed:
> javax.security.auth.login.LoginException: No JAAS configuration section
> named 'Client' was found in specified JAAS configuration file:
> '/root/jaas.conf'. Will continue connection to Zookeeper server without
> SASL authentication, if Zookeeper server allows it. (org.apache.zookeeper.
> ClientCnxn)
> Adding ACLs for resource `Topic:test1`:
> User:CLIENT has Allow permission for operations: Read from hosts: *
> User:CLIENT has Allow permission for operations: Describe from
> hosts: *
>
> Adding ACLs for resource `Group:test`:
> User:CLIENT has Allow permission for operations: Read from hosts: *
> ...
>
> I've read that this property only applies to Java clients but Kafka
> brokers and kafka-acls command are Java clients..!
>
> Thanks,
>
> Dominique Gagnon
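
Added example, not part of the original thread and not ZooKeeper's own code: a small Python triage of a ZooKeeper server log for the two WARN messages quoted in the reply, reporting whether SASL failures were rejected, tolerated, both, or never logged at all. The sample log lines, their layout, and the outcome labels are constructed for illustration.

```python
import re

# The two server-side WARN messages quoted in the reply above.
CLOSING = "Closing client connection due to SASL authentication failure."
MAINTAINING = "Maintaining client connection despite SASL authentication failure."

# Leading timestamp, if the configured log layout has one (layout is an assumption).
TS_RE = re.compile(r"^\[?(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})")


def collect(lines):
    """Return the timestamps of each message kind found in the log lines."""
    hits = {"closed": [], "maintained": []}
    for line in lines:
        m = TS_RE.match(line)
        stamp = m.group(1) if m else "unknown-time"
        if CLOSING in line:
            hits["closed"].append(stamp)
        elif MAINTAINING in line:
            hits["maintained"].append(stamp)
    return hits


def diagnose(lines):
    """Map the log evidence to one of four outcomes (labels are hypothetical)."""
    hits = collect(lines)
    if hits["closed"] and hits["maintained"]:
        return "mixed"                 # both seen: setting changed during the log window
    if hits["maintained"]:
        return "failure-tolerated"     # server saw a SASL failure and kept the client
    if hits["closed"]:
        return "failure-rejected"      # server saw a SASL failure and dropped the client
    return "no-sasl-failure-logged"    # neither message: look for another cause


# Constructed sample lines (not taken from a real server).
SAMPLE_TOLERATED = [
    "2018-02-01 10:25:41,802 [myid:1] - INFO  [main] - Accepted socket connection",
    "2018-02-01 10:25:41,910 [myid:1] - WARN  [main] - " + MAINTAINING,
]
SAMPLE_REJECTED = ["2018-02-01 10:31:07,115 [myid:1] - WARN  [main] - " + CLOSING]
SAMPLE_SILENT = ["2018-02-01 10:25:41,802 [myid:1] - INFO  [main] - Accepted socket connection"]

if __name__ == "__main__":
    for sample in (SAMPLE_TOLERATED, SAMPLE_REJECTED, SAMPLE_SILENT):
        print(diagnose(sample), collect(sample))
```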