Just to confirm the settings I have in my environment: 1. On ZK side, my JAAS file looks like this: Server { com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true keyTab="/conf/zoo1.keytab" storeKey=true useTicketCache=false principal="zookeeper/z...@example.com"; }; The principal "*zookeeper/z...@example.com <z...@example.com>"* has been created in Kerberos server running locally. I am able to start ZK with this principal and I can see ticket exchange between ZK and Kerberos for this principal.
2. On client (Curator) side, JAAS file looks like below. Principal "*zkcli...@example.com <zkcli...@example.com>"* is present in Kerberos server. The curator is able to connect properly to ZK (with or without principal) even though SASL is enabled. May be I should use ZK 3.6 as you pointed out to enforce authentication. Client { com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true keyTab="/tmp/zkclient.keytab" storeKey=true useTicketCache=false principal="zkcli...@example.com"; }; Just want to make sure my settings are correct. Thanks On Mon, Dec 30, 2019 at 12:47 PM Enrico Olivelli <eolive...@gmail.com> wrote: > Arpit, > Up to 3.5.x you can only leverage auth only in conjunction with ACLs. > > I hope we are able to release 3.6.0 within a couple of weeks. > > If you have time you can build from branch-3.6 and run the server enabling > that feature tha you are pointing to. > It is a server side change only so you can use 3.5 in your application > > > Enrico > > Il lun 30 dic 2019, 13:23 shrikant kalani <shrikantkal...@gmail.com> ha > scritto: > > > Couple of things which you can check - > > 1) if your Zookeeper server is not running with Zookeeper I’d then you > > need to set Zookeeper.sasl.client.username > > 2) set java.security.auth.login.config > > > > And I also faced the same issue that there is no strict enforcement to > > allow only authenticated client. Unless someone is aware of the way I > doubt > > we may need to wait for 3.6 > > > > Thanks > > Srikant > > > > Sent from my iPhone > > > > > On 30 Dec 2019, at 8:11 PM, Arpit Jain <jain.arp...@gmail.com> wrote: > > > > > > Hi, > > > > > > I have configured Zookeeper 3.5.5 to use SASL authentication using > > > Kerberos. I am able to authenticate ZK with Kerberos server but I don't > > see > > > any authentication happening between Zookeeper client (curator) and ZK > > > server. I have put the following setting in zoo.cfg and followed this > > guide > > > > > > https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication > > > . > > > > > > > > > authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider > > > requireClientAuthScheme=sasl > > > > > > What additional setting I need to provide so that only authenticated > > > clients (for which principals are present in Kerberos server) can > connect > > > to ZK server ? > > > I also found this link > > > https://github.com/apache/zookeeper/pull/118/commits which > > > mentions that it will be strict only from ZK 3.6 onwards and currently > ZK > > > does not enforce it even if we have the configuration. > > > > > > Thanks > > >