On Mon, 30 Dec 2019, 14:55 shrikant kalani <shrikantkal...@gmail.com> wrote:
> Enrico,
>
> Is 3.6 going to be available soon ? Within 1 month ?
>

I can't make promises. It is up to the community.
I can say we are actively preparing the release.
You will see, hopefully next week, a VOTE email thread on d...@zookeeper.apache.org mailing list.

If you try it and report that it is working for you, this will be a good contribution to the community

Cheers
Enrico

>
> Thanks
> Srikant Kalani
>
> Sent from my iPhone
>
> > On 30 Dec 2019, at 9:23 PM, Enrico Olivelli <eolive...@gmail.com> wrote:
> >
> > If you try to use wrong credentials, corrupted keytab...you won't be able
> > to read/write.
> > Connection maybe is allowed
> >
> > Enrico
> >
> > On Mon, 30 Dec 2019, 14:19 Arpit Jain <jain.arp...@gmail.com> wrote:
> >
> >> Just to confirm the settings I have in my environment:
> >>
> >> 1. On ZK side, my JAAS file looks like this:
> >> Server {
> >>     com.sun.security.auth.module.Krb5LoginModule required
> >>     useKeyTab=true
> >>     keyTab="/conf/zoo1.keytab"
> >>     storeKey=true
> >>     useTicketCache=false
> >>     principal="zookeeper/z...@example.com";
> >> };
> >> The principal "zookeeper/z...@example.com" has been
> >> created in Kerberos server running locally. I am able to start ZK with this
> >> principal and I can see ticket exchange between ZK and Kerberos for this
> >> principal.
> >>
> >> 2. On client (Curator) side, JAAS file looks like below. Principal
> >> "zkcli...@example.com" is present in Kerberos server. The curator is able
> >> to connect properly to ZK (with or without principal) even though SASL is
> >> enabled. May be I should use ZK 3.6 as you pointed out to enforce
> >> authentication.
> >> Client {
> >>     com.sun.security.auth.module.Krb5LoginModule required
> >>     useKeyTab=true
> >>     keyTab="/tmp/zkclient.keytab"
> >>     storeKey=true
> >>     useTicketCache=false
> >>     principal="zkcli...@example.com";
> >> };
> >>
> >> Just want to make sure my settings are correct.
> >>
> >> Thanks
> >>
> >>> On Mon, Dec 30, 2019 at 12:47 PM Enrico Olivelli <eolive...@gmail.com> wrote:
> >>>
> >>> Arpit,
> >>> Up to 3.5.x you can leverage auth only in conjunction with ACLs.
> >>>
> >>> I hope we are able to release 3.6.0 within a couple of weeks.
> >>>
> >>> If you have time you can build from branch-3.6 and run the server enabling
> >>> that feature that you are pointing to.
> >>> It is a server side change only so you can use 3.5 in your application
> >>>
> >>>
> >>> Enrico
> >>>
> >>> On Mon, 30 Dec 2019, 13:23 shrikant kalani <shrikantkal...@gmail.com> wrote:
> >>>
> >>>> Couple of things which you can check -
> >>>> 1) if your Zookeeper server is not running with Zookeeper id then you
> >>>> need to set Zookeeper.sasl.client.username
> >>>> 2) set java.security.auth.login.config
> >>>>
> >>>> And I also faced the same issue that there is no strict enforcement to
> >>>> allow only authenticated client. Unless someone is aware of the way I doubt
> >>>> we may need to wait for 3.6
> >>>>
> >>>> Thanks
> >>>> Srikant
> >>>>
> >>>> Sent from my iPhone
> >>>>
> >>>>> On 30 Dec 2019, at 8:11 PM, Arpit Jain <jain.arp...@gmail.com> wrote:
> >>>>>
> >>>>> Hi,
> >>>>>
> >>>>> I have configured Zookeeper 3.5.5 to use SASL authentication using
> >>>>> Kerberos. I am able to authenticate ZK with Kerberos server but I don't see
> >>>>> any authentication happening between Zookeeper client (curator) and ZK
> >>>>> server. I have put the following setting in zoo.cfg and followed this guide
> >>>>> https://cwiki.apache.org/confluence/display/ZOOKEEPER/Client-Server+mutual+authentication .
> >>>>>
> >>>>> authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
> >>>>> requireClientAuthScheme=sasl
> >>>>>
> >>>>> What additional setting I need to provide so that only authenticated
> >>>>> clients (for which principals are present in Kerberos server) can connect
> >>>>> to ZK server ?
> >>>>> I also found this link
> >>>>> https://github.com/apache/zookeeper/pull/118/commits which
> >>>>> mentions that it will be strict only from ZK 3.6 onwards and currently ZK
> >>>>> does not enforce it even if we have the configuration.
> >>>>>
> >>>>> Thanks
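
The point made in the thread, that up to 3.5.x SASL authentication restricts access only in conjunction with ACLs, shown as an added example that is not code from this thread or from the ZooKeeper or Curator projects. The class name, the connect string `localhost:2181` and the path `/secure/app` are assumptions, and the JVM is assumed to be started with `-Djava.security.auth.login.config` pointing at the client JAAS file.

```java
import java.util.List;
import org.apache.curator.framework.CuratorFramework;
import org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.curator.framework.api.ACLProvider;
import org.apache.curator.retry.ExponentialBackoffRetry;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.data.ACL;

// Hypothetical class name; illustrates ACL-based enforcement on a 3.5.x server.
public class SaslAclExample {

    // CREATOR_ALL_ACL uses the "auth" scheme: the server replaces it with the
    // identities the session authenticated with (here, the SASL principal),
    // so no world:anyone entry is stored on the znode.
    static ACLProvider creatorOnly() {
        return new ACLProvider() {
            @Override
            public List<ACL> getDefaultAcl() {
                return ZooDefs.Ids.CREATOR_ALL_ACL;
            }

            @Override
            public List<ACL> getAclForPath(String path) {
                return ZooDefs.Ids.CREATOR_ALL_ACL;
            }
        };
    }

    public static void main(String[] args) throws Exception {
        try (CuratorFramework client = CuratorFrameworkFactory.builder()
                .connectString("localhost:2181") // assumption: local test server
                .retryPolicy(new ExponentialBackoffRetry(1000, 3))
                .aclProvider(creatorOnly())      // applied to every znode Curator creates
                .build()) {
            client.start();
            // Assumed path; parents are created with the same ACL provider.
            client.create().creatingParentsIfNeeded()
                  .forPath("/secure/app", "data".getBytes());
            // Show the ACL the server actually stored for the new znode.
            System.out.println(client.getACL().forPath("/secure/app"));
        }
    }
}
```

A session that connects without SASL credentials can still open a connection, as described in the thread, but its reads and writes on this znode fail with a NoAuth error.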